WordPress is a popular website platform, powering 40% of all websites! It’s a platform that people have heard of, and it markets itself as the ultimate solution for websites of any size.
In reality, whilst WordPress does have its pluses, it has one particular element that makes it a hindrance to your business.
That hindrance is security.
WordPress is an open-source platform, and it is that open, collaborative nature that allows a scalable, module-like approach to websites. You can add and remove features as and when needed, sometimes by yourself, while other times you need a WordPress developer to step in.
*Note: An ‘open-source’ content management system (CMS) is a system whose code is public. This means that individuals can create and submit their own features to the WordPress system for people to use.
Unfortunately, because anyone can create and submit a feature to WordPress, it is vulnerable to individuals taking advantage of this for illegal or morally wrong activities. Trojan horses, backdoors and malware attacks are a common occurrence and something that WordPress users have to stay alert for.
Search Engine Journal has stated that there are three major threats that WordPress websites face and they fall into the following three categories.
The exploitation of WordPress vulnerabilities
Wordfence, a WordPress security firm, stated that in 2020 there were 4.3 billion attempts to exploit vulnerabilities within WordPress sites from 9.7 million unique IP addresses.
These attempts focused on:
- Accessing restricted files or directories to execute commands that are external to the web server’s root directory.
- Embedding malicious code into a weak application so that it is passed into the website’s database. This code will then make the database perform actions that should never have been executed.
- Uploading a virus or other malicious software to the server or platform which, when executed, can allow the attacker to gain access to or control of the website/server.
- Injecting data into the website, which allows the hacker to change the behaviour or appearance of the website.
- Taking advantage of unprotected files to gain access to the remainder of the website.
How do you protect your WordPress Sites from being exploited?
Step one in protecting your WordPress site from being exploited is to minimise the vulnerabilities of the website. Ensure that the website is password protected and that potential weaknesses are removed as much as possible. A trusted WordPress developer should be sought for this.
Step two is to ensure that your website has a firewall installed, such as Wordfence or Sucuri, that can monitor your website to prevent these types of attacks.
The final step is to keep on top of your WordPress security.
Malicious login attempts
One WordPress security firm, Wordfence, detected and blocked over 90 billion malicious login attempts from over 57 million different IP addresses. This meant that they detected and blocked 2,800 attacks every second on WordPress sites!
That is a huge number!
These malicious login attempts aim to find and exploit weak WordPress sites, whether that is to steal data, hold the site to ransom or even use it for the attackers’ own illegal purposes.
How to Protect your WordPress site from Malicious login attempts?
The easiest way to protect your WordPress site from these login attempts is to set up multi-factor authentication. This will add an extra layer of security to your login process, requiring a password and a code that is sent to a set phone number.
Good password security will also assist you here. Ensure that your password features a combination of letters, numbers and special characters.
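To spot the kind of login flood described above in your own server logs, the following added example (not from the original post or from Wordfence) counts POST requests to the login endpoints per IP address inside a sliding time window. It assumes a combined-format Apache/nginx access log and WordPress's default login paths `/wp-login.php` and `/xmlrpc.php`; the threshold, window, helper names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed defaults: WordPress's standard login endpoints.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
# Combined log format: ip ident user [timestamp] "METHOD path proto" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def make_line(ip, second, method, path, status):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return (f'{ip} - - [02/Feb/2021:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')


# Constructed sample: one IP hammering the login form, one normal login,
# and one client making two XML-RPC calls. IPs are documentation ranges.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 16, 2)]
    + [make_line("198.51.100.20", 5, "GET", "/wp-login.php", 200),
       make_line("198.51.100.20", 9, "POST", "/wp-login.php", 302)]
    + [make_line("192.0.2.44", s, "POST", "/xmlrpc.php", 200) for s in (1, 30)]
)


def flag_login_floods(log_text, max_posts=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for IPs with more than max_posts login POSTs in any window."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, stamp, method, path = m.groups()
        if method != "POST" or path.split("?", 1)[0] not in LOGIN_PATHS:
            continue              # only credential submissions count, not page views
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()       # drop attempts that have aged out of the window
        if len(times) > max_posts:
            flagged[ip] = max(flagged.get(ip, 0), len(times))
    return flagged


if __name__ == "__main__":
    for ip, count in flag_login_floods(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 60 seconds")
```

An IP flagged this way is a candidate for rate limiting or blocking at the firewall. Because the attempts come from millions of different addresses, a per-IP count alone will miss slow, distributed guessing, which is why multi-factor authentication remains the stronger control.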
Malware from installed pirated themes and plugins
When a plugin or theme is pirated, the license-checking feature is removed, which makes it easier for hackers to gain access to your WordPress website via a back door.
The most common malware threat is the WP-VCD malware, affecting 154,928 (13%) of affected sites in 2020.
How to Protect Your WordPress Site from Malware?
The quickest and simplest way to protect your website from this kind of malware is to purchase any themes and plugins legitimately and keep them up to date. This often means an annual licensing fee for each of the themes/plugins that you use on your WordPress website.
If you do use any free themes or plugins, then ensure that you only purchase these ‘free’ versions from reputable WordPress providers. Check reviews and seek a trusted developer’s opinion if you are unsure.
Also, keep an eye on the plugins that you do use to ensure that they have not been abandoned by their developer. Some plugins can continue to work after they have been abandoned by their developer. Unfortunately, these old plugins are often the most vulnerable to misuse by hackers, who buy them and update them with malware and viruses.
No One Would Hack My Site!
A common belief. However, 99.9% of hacks are not personal.
Most hacks are conducted by bots that crawl through thousands of websites hundreds of times a day looking for flaws that they can take advantage of. They don’t care whether you are a small website selling birdhouses or a huge multinational with endless funds.
If these bots find a weakness, then they are sometimes pre-instructed to carry out a particular type of attack. Otherwise, they report back to the hacker, who will then decide what they want to do. Some hackers love the drama that they cause; others have ulterior motives for conducting such attacks.
And Should the Worst Happen
Should the worst happen and your WordPress website fall foul of hackers, then, provided you have a backup of your website, you can recover what you have lost relatively quickly.
This is why it is incredibly important that you create a regular backup of your website. Whether this backup should be taken daily, weekly or monthly depends on how much your website is used and how often its content changes.
Generally speaking, if you have an ecommerce site then the backups should happen daily, as your website changes frequently, especially at a stock level. If you are a particularly big/busy ecommerce site then a backup should be taken multiple times a day. If your website is purely a brochure website that perhaps gets a new blog post uploaded once a month, then you will most likely be fine with just a monthly backup.
These backups will also help you should you make a boo boo when updating your WordPress website.
Update your WordPress Site!
WordPress is aware of this weakness in their platform/websites and is trying to battle it.
WordPress maintain that the easiest way to protect WordPress websites is to ensure that all plugins and themes are up to date. WordPress also issue various security updates aimed at tackling specific known threats as and when needed so these should also be implemented.
If you have a WordPress website then you MUST ensure that all updates are installed promptly. Not doing so will put your WordPress website at risk.
Want to learn more about WordPress and see some pretty sobering statistics from January 2021? Then why don’t you check out the ‘Wild and Interesting WordPress Statistics and Facts (2021)’ blog post from Kinsta.
If you have a WordPress website and you aren’t sure whether it has been updated lately then contact the team at Digital Nachos. We can take a look and advise what security updates are needed.
Published: 2nd Feb 2021
