January 5, 2021 by Agnes Talalaev
Why do you need to protect WordPress sites from hackers? There is actually a simple answer to that: a war is being waged on the internet right now. The target is not you specifically, but your resources: the data you hold, your server capacity, and more.
For that, hackers have built automated tools. They are developers like you, but their aim is to build tools that break rather than create. And in many cases, unfortunately, they succeed. When they succeed, it means you suffer a loss of reputation, money, and time.
To make their lives harder and ultimately deny them that success, we have invested in building a tool to protect WordPress sites from hackers.
This article gives you some statistics to shed light on the current situation in the market. It explains the biggest problem in WordPress security, how to tackle that problem, and what you need to do to keep bad things like malware infections away from the sites you manage.
Preparing for cybersecurity breaches is part of having or managing a website, no matter what business you’re running. The latest Cyber Readiness Report found that small and medium-sized companies were likely to suffer multiple attacks. What’s more, 59% of the small and medium firms surveyed had already faced an attack.
There’s some more worrisome information. Nearly half, 47%, of small businesses were attacked in 2019, up from 33% in 2018. The average cost of an attack for small businesses was $14,000, depending on the severity and type of attack.
Despite this, only 14% of small businesses had a plan in place to fight off cyber attacks.
Here’s a bit of context on how attacks happen. The 2020 Data Breach Investigations Report found that web applications were a major reason why websites were hacked, and it’s a big problem for WordPress websites in particular: estimates show that 98% of WordPress vulnerabilities are related to plugins.
This should give you a good idea of just how important security is for you, especially if you’re using WordPress as your content management system.
Most problems you’re likely to face will come from plugins and themes, because these applications are built by third-party developers.
Right now, you can choose from over 58,000 plugins in the WordPress repository, and the plugin review team approves each one.
They approve a plugin when it is first listed on the WordPress plugin repository, ensuring that it works as intended and follows WordPress’s security guidelines.
However, that’s not enough to keep you safe. Even the most efficient review team can’t guarantee that all applications are safe.
For example, look at the App Store or Google’s Play Store. Despite being heavily guarded marketplaces, reports of breaches are more common than you would think. In April 2020, researchers claimed that Apple’s default email app for the iPhone had a security flaw that had existed for over 10 years.
Then there are the dangers of being an open-source platform. WordPress’s success as a CMS is because of how popular it is with individual developers. Every single plugin and theme is built by developers because they see value in making a service available to WordPress users.
It has all worked well. WordPress is the most popular CMS in the world. It’s estimated that 40 percent of all websites globally run on WordPress. In fact, it’s such a trusted product that almost 40 percent of the top one million sites use WordPress.
This leads us to the next big question. Does this mean WordPress is a vulnerable platform? The answer is no. The problem does not lie in the WordPress core: the CMS is developed constantly, and the few vulnerabilities that are found are patched quickly. As we said before, it’s usually plugins and themes that make websites vulnerable.
However, using older versions of WordPress can leave your website open to attacks as well. According to WordPress, only 24.2 percent of users have updated to version 5.5, their latest.
At least 79.2 percent have updated to version 5 or newer. That still leaves millions of websites running older versions. In 2012, it was reported that Reuters was using an outdated version of WordPress when the site was hacked. That’s a big mistake at a big company.
Users often prefer not to update their CMS because they worry it could break their website or change their current workflow. The same is true for updating plugins and themes. You should never run older versions of plugins and themes. In fact, outdated plugins and themes are also the number one reason for websites getting hacked.
Imagine a fresh plugin coming out of development. The plugin developer wants it added to the WordPress repository; the WordPress security team reviews it, points out problems, and after the fixes the plugin is admitted to the WordPress repository.
The problem arises when the plugin gets updates, because these updates are no longer reviewed by any security team, and this is usually how vulnerabilities end up in plugins. Does that mean you should not update plugins? No. Updates can also contain security fixes for vulnerabilities that have been found.
Now that you know that even your website can be a target and how you’re likely to be targeted, you should do something about it. Here are some basic steps you should take to protect WordPress sites from hackers. It doesn’t require too much technical expertise:
We have already stressed how important it is to keep all software up to date. Don’t worry about how your website will change with an update as there’s always a way to fix anything that might break.
In fact, you should ensure all software is updated, including your web server, PHP, and your database (such as MySQL) if you’re administering it yourself. PHP is often overlooked when it comes to website security, but it is an integral part of your WordPress site, and running the latest version is good web development practice in general.
It’s probably a bit late if your website is already up and running. But hosts offer some security and it’s a good idea to research any concerns you might have about the hosting service of your choice.
You should check for two things. One, check whether your host provides the latest stable versions of all server software. Two, there needs to be a reliable way to back up and recover your website.
Passwords, as for every digital service, are the first line of defense for your WordPress website. A weak password can hand someone admin privileges. It might seem silly, but far too many people use weak passwords.
This applies to the WordPress admin, your hosting account, and any email addresses attached to your domain. Learn more about password management and how to make managing passwords 10 times easier here.
Make sure yours is not on this list of the ten most frequently used passwords:
Try a plugin to set up WordPress two-factor authentication. It adds a second layer of security, usually a text (SMS) message, a phone call, or a one-time password (OTP).
This will let you know when someone is attempting an unauthorized login, and you can get more information from your WordPress activity logs.
Learn how to set up two-factor authentication here.
It’s a simple but useful practice. An activity log records all major changes on your website. Take a quick look at it every time you log in. You’ll have to install an activity log plugin or use WebARX.
There are tutorials available on analyzing raw logs. Once you get comfortable doing it, you’ll know when the theme and plugin editors are being used, when widgets are updated, and when posts or pages are added. You can also identify the IP addresses of attackers and block them.
An SSL certificate, often available for free, allows a secure connection between a browser and a website over HTTPS (HyperText Transfer Protocol Secure). Small website owners sometimes ignore it because they don’t ask for payment information.
Well, a credit card number is not the only thing that needs to be kept safe. You also get the benefit of greater user trust and some SEO gains.
You may have noticed this already: by default, your WordPress site’s login URL is yourdomain.com/wp-admin, which every attacker knows. Even if a hacker can’t get your login credentials right, why take the chance? You can use a plugin to change the login URL, and it’s not difficult to do.
Backups allow you to restore your site in case something happens. Once again, there are plugins to do this. It’s best to back up to a cloud service like Amazon or Dropbox if you can bear the extra cost.
Adding a web application firewall (WAF) is a big step towards increased security. It’s an investment that’s worth it because a WAF adds a level of sophistication and expertise to your website’s defenses.
A simple example of what a firewall does is limit login attempts per user, which protects you from brute-force attacks. A web application firewall does a lot more; read more about it here.
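As an added example (not code from the original article or from WebARX), here is a small Python script that replays web server access log lines through a per-IP limiter on failed login attempts, the kind of rule the firewall described above enforces. It also serves the activity-log section: the same parser picks out the IP addresses behind repeated failed attempts. The log lines, addresses, thresholds and the `LoginLimiter` class are all constructed for this demonstration; it assumes the common "combined" log format and relies on the heuristic that WordPress re-renders the form with HTTP 200 on a failed POST to /wp-login.php and answers a successful one with a 302 redirect.

```python
"""Added example, not from the original article or WebARX: replay access
log lines through a per-IP limiter for failed WordPress login attempts.
Everything here (log lines, addresses, thresholds) is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the common "combined" access log format.
# 203.0.113.7 hammers wp-login.php; 198.51.100.20 is a real user who
# mistypes once and then logs in successfully (302 redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2021:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2021:10:00:07 +0000] "GET /?p=1 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Jan/2021:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Jan/2021:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2021:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

LOGIN_ENDPOINTS = {"/wp-login.php"}   # the default login URL discussed above


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]        # drop the query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def is_failed_login(method, path, status):
    """Heuristic (assumption): WordPress re-renders the login form with HTTP 200
    on a failed login and answers a successful one with a 302 redirect."""
    return method == "POST" and path in LOGIN_ENDPOINTS and status == 200


class LoginLimiter:
    """Sliding-window limiter (constructed for this example): max_failures failed
    logins from one IP inside `window` lock that IP out of the login endpoint
    for `lockout`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> end of its lockout

    def check(self, ip, now):
        """True if a login request from ip may proceed at time `now`."""
        until = self._locked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[ip]       # lockout has expired
        return True

    def record_failure(self, ip, now):
        """Record a failed attempt; return True if this one triggers a lockout."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False


def replay(log_text, limiter=None):
    """Feed log lines through the limiter. Returns (blocked, lockouts): blocked maps
    ip -> number of login requests that would have been refused, lockouts lists
    (ip, timestamp) for every lockout that was triggered."""
    limiter = limiter or LoginLimiter()
    blocked = defaultdict(int)
    lockouts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if path not in LOGIN_ENDPOINTS:
            continue                         # only login traffic is rate limited
        if not limiter.check(ip, ts):
            blocked[ip] += 1
            continue
        if is_failed_login(method, path, status) and limiter.record_failure(ip, ts):
            lockouts.append((ip, ts))
    return dict(blocked), lockouts


if __name__ == "__main__":
    blocked, lockouts = replay(SAMPLE_LOG)
    for ip, when in lockouts:
        print(f"{ip} locked out at {when.isoformat()}")
    print("refused login requests per IP:", blocked)
```

Replaying the constructed log locks out 203.0.113.7 on its fifth failure at 10:00:05, refuses its sixth attempt, leaves its ordinary page view and the legitimate user untouched, and lets the attacker's address try again once the 15-minute lockout has expired; the same per-IP counts are what you would look for when reading your activity log by hand.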
It’s a great tool to have if you’re serious about your website, no matter what business you’re building.
Well, hackers always find new and improved ways to target websites, often through WordPress plugins.
To protect WordPress sites from hackers you need to work proactively while keeping an eye on the security of your sites as well. There are many myths about WordPress security which are covered here.
You should also choose a managed WAF, because cybersecurity needs round-the-clock monitoring and management. Inadequate maintenance can result in spam content on your website or backdoor access that leads to data theft.
You might not even be aware of it unless you know what to look for. A managed WAF can do a number of things to prevent attacks and let you know when you’re vulnerable.
Here are some benefits:
In short, the best way to protect WordPress sites from hackers is through a combination of things. You need to apply the best security practices and then add a layer of expertise in the form of a web application firewall.
When it comes to cybersecurity, there are no guarantees, and it’s about being prepared rather than trying to recover from a hack.