WordPress is arguably the most popular CMS among website owners, and that popularity brings a higher level of security risk: attackers are well aware of the millions of websites running self-hosted WordPress (the software distributed at WordPress.org). So how do you secure your WordPress site against them? If you are reading this, you are probably one of the millions of users who chose to build a website with WordPress, and there are many security risks to consider when launching it.
WordPress Security at the Top of the Agenda
A good hosting provider gives you tools such as built-in DDoS protection, SSL certificates, automated website monitoring and cloud-based backups, but your WordPress site can still be vulnerable. WordPress is open source, so attackers can study its code, and, far more importantly, it runs a huge share of the web, so any flaw in core, a theme or a plugin is worth automating an attack for. The comparison with Windows is apt: Windows is attacked constantly, and anti-virus software is expected on every Windows machine, as much because of how widely Windows is used as because of the nature of the software itself. WordPress is in the same position, and attackers keep inventing new ways to get around security measures and exploit WordPress sites. In this article we outline the biggest threats facing WordPress-powered websites and how you can better secure your site.
WordPress Security Failures
As mentioned above, popularity and ubiquity make WordPress a prime target. In 2018 an employee of a well-known apparel brand took a company laptop out of the office to a coffee shop and opened a phishing email; the malware it delivered let an attacker bring down the brand's global network. That malware was reportedly written specifically to target WordPress- and Joomla-powered websites, and the breach was documented in a cyber-intrusion report. Similarly, in November 2018 the antivirus vendor Sophos reported that a WordPress plugin written to help sites comply with GDPR was being exploited through unauthenticated requests to admin-ajax.php. The flaw let attackers inject malware and create new WordPress administrator accounts, giving them full backend access to affected sites. While developers roll out more effective applications to make building and hosting websites easier, criminals are doing the same to gain access to websites, deface or destroy them, and profit through ransom.
Securing Your WordPress Site from Vulnerabilities
Today, WordPress developers and administrators must stay vigilant about security risks. Attackers adapt to every new release, so new vulnerabilities will keep appearing, and it is paramount that administrators keep their sites safeguarded against breaches.
Tactics Used by Cybercriminals
1. WordPress SEO Spy Plugin
Plugins have long been a known source of WordPress security vulnerabilities. Attackers exploit outdated plugins and use them as a backdoor into the site, and sometimes the risk comes from an outdated component bundled inside the plugin itself. The WP SEO Spy plugin is one example: it relies on Flash, which developers have all but abandoned because of the security risk it poses, and it ships a Flash library dating from 2009 that its authors have never updated. Do not download or install this plugin, and if you already have it, remove it; it is an open invitation to anyone looking to exploit your site. More generally, make sure every plugin you use is kept up to date, and when you stop using a plugin, uninstall it completely rather than merely deactivating it, so that none of its files remain on the server. Removing unused plugins is one of the first steps in securing a WordPress site.
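The audit this section recommends can be scripted. The following is an added example and not code from the article or from any plugin author: it walks a wp-content/plugins directory, reads the same "Plugin Name:" and "Version:" header fields that WordPress itself parses, and flags any plugin directory that still contains Flash (.swf) files. Without a directory argument it builds a constructed sample tree in the temp directory; the plugin slugs in that sample are invented for the demonstration.

```php
<?php
// Added example (not from the original article): inventory the plugins of a
// WordPress install and flag the ones this section warns about.
// Run: php plugin_audit.php /var/www/html/wp-content/plugins
// Without an argument a constructed sample tree is created in the temp dir.

declare(strict_types=1);

function parsePluginHeader(string $file): array
{
    // WordPress reads only the first 8 KiB of a file when looking for the header.
    $head = (string) file_get_contents($file, false, null, 0, 8192);
    $fields = [];
    foreach (['Plugin Name', 'Version'] as $key) {
        // Same pattern WordPress uses: the field may sit behind "/*", " * ", "#" or "@".
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $head, $m)) {
            $fields[$key] = trim($m[1]);
        }
    }
    return $fields;
}

function findFlashFiles(string $dir): array
{
    // Any .swf inside a plugin is worth a manual review: Flash is dead and unpatched.
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if (strtolower($f->getExtension()) === 'swf') {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}

function auditPlugins(string $pluginsDir): array
{
    $report = [];
    foreach (glob($pluginsDir . '/*', GLOB_ONLYDIR) ?: [] as $dir) {
        $header = [];
        foreach (glob($dir . '/*.php') ?: [] as $php) {
            $header = parsePluginHeader($php);
            if (isset($header['Plugin Name'])) {
                break; // the first PHP file carrying a header is the plugin's main file
            }
        }
        $report[basename($dir)] = [
            'name'    => $header['Plugin Name'] ?? '(no plugin header)',
            'version' => $header['Version'] ?? '?',
            'flash'   => findFlashFiles($dir),
        ];
    }
    return $report;
}

function buildSampleTree(): string
{
    // Constructed sample data; the slugs and files below are made up.
    $root = sys_get_temp_dir() . '/wp-plugins-sample-' . getmypid();
    mkdir("$root/example-seo-widget/assets", 0700, true);
    file_put_contents("$root/example-seo-widget/example-seo-widget.php",
        "<?php\n/*\nPlugin Name: Example SEO Widget\nVersion: 1.2\n*/\n");
    file_put_contents("$root/example-seo-widget/assets/player.swf", 'FWS'); // fake Flash file
    mkdir("$root/example-forms", 0700, true);
    file_put_contents("$root/example-forms/example-forms.php",
        "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 3.0.1\n */\n");
    return $root;
}

$pluginsDir = $argv[1] ?? buildSampleTree();
foreach (auditPlugins($pluginsDir) as $slug => $info) {
    $flag = $info['flash'] ? 'FLASH: ' . implode(', ', $info['flash']) : 'ok';
    printf("%-22s %-22s v%-8s %s\n", $slug, $info['name'], $info['version'], $flag);
}
```

A directory with no plugin header is worth a look too: it is either leftover files from a plugin that was deactivated instead of uninstalled, or something that was never a plugin at all.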
2. GandCrab Ransomware
Ransomware attacks have become more prevalent in the last two years and have made headlines, and they will continue because criminals adapt quickly to new security measures. GandCrab ransomware is one such evolution. First seen in early 2018, it encrypts Windows machines, and compromised WordPress sites were among the ways it was distributed: a hacked site can host the payload or redirect visitors to it. Many GandCrab attacks were traced back to Russian-speaking cybercrime groups, and paying was no guarantee of recovery, as there were reports of keys being issued after payment that did not decrypt the files. The protection against ransomware, whether it hits your site or the machines you administer it from, is a solid, tested, cloud-based backup strategy, together with keeping your site clean so that it does not become a distribution point for attacks on others.
3. PHP Object Injections
PHP object injection happens when an application passes attacker-controlled data to PHP's unserialize() function. If a class that is already loaded, from core or from any plugin, has magic methods such as __wakeup() or __destruct() that do something useful to an attacker (write a file, run a query, include a path), the serialized payload instantiates it and the method runs with the attacker's chosen property values. The data usually arrives through a form field, a cookie or a request parameter. One reported example involved the Google Forms plugin for WordPress; the good news is that it was identified and fixed quickly, and WordPress 5.0.1, released in December 2018, also closed a PHP object injection issue in core itself. The way to protect your site against this class of bug is to always run the latest version of WordPress and of every plugin. If you installed WordPress with the Softaculous 1-click installer in cPanel, enabling its auto-upgrade option keeps the core update automatic.
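What the paragraph describes, as an added example that is not code from the article, from WordPress or from any plugin: a deliberately small gadget class, the vulnerable call that hands untrusted input to unserialize(), and two hardened versions. The class name, function names and the file written are all invented for the demonstration; the payload is hand-built rather than produced by serialize() so that the only object ever created is the one unserialize() builds. Requires PHP 8.

```php
<?php
// Added example (not from the original article): PHP object injection through
// unserialize(), and how to close it. Run: php object_injection.php

declare(strict_types=1);

// A "gadget": any already-loaded class whose magic methods have side effects.
// Real gadget chains are built from classes in core, themes or plugins.
class CacheFile
{
    public string $path;
    public string $data;

    public function __construct(string $path, string $data)
    {
        $this->path = $path;
        $this->data = $data;
    }

    // Runs when the object is destroyed, including objects that unserialize() created.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable: a form/cookie value goes straight into unserialize().
function loadPreferencesVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened, option 1: never instantiate classes from untrusted data. Object
// payloads come back as __PHP_Incomplete_Class and no magic method runs.
function loadPreferencesSafeUnserialize(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened, option 2 (preferred for new code): do not use PHP serialization
// for data that crosses a trust boundary at all.
function loadPreferencesJson(string $untrusted): array
{
    $value = json_decode($untrusted, true, 8);
    return is_array($value) ? $value : [];
}

// Constructed attacker payload. In a real attack the path would point inside the
// web root and the data would be PHP; here it is a harmless marker in the temp dir.
$target  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$data    = 'written by unserialize() gadget';
$payload = sprintf(
    'O:9:"CacheFile":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($data), $data
);

$obj = loadPreferencesVulnerable($payload);
echo 'vulnerable: unserialize() built a ', get_class($obj), PHP_EOL;
unset($obj); // __destruct() fires here and writes the attacker's file
echo 'vulnerable: file on disk: ', var_export(file_exists($target), true), PHP_EOL;
@unlink($target);

$obj = loadPreferencesSafeUnserialize($payload);
echo 'hardened:   unserialize() built a ', get_class($obj), PHP_EOL;
unset($obj); // an incomplete class has no destructor, so nothing is written
echo 'hardened:   file on disk: ', var_export(file_exists($target), true), PHP_EOL;

var_dump(loadPreferencesJson($payload));          // not JSON, rejected
var_dump(loadPreferencesJson('{"theme":"dark"}')); // plain data, accepted
```

Note that the vulnerable call never has to reference CacheFile: the attacker names the class in the payload, and any class the autoloader can find is fair game. That is why a plugin you do not even use can still supply the gadget, and why removing unused plugins matters here as much as patching.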
4. PHPMailer Remote Code Execution
When it boils down to it, most of the risk to a WordPress site is mitigated by running the current version of the CMS and keeping every plugin updated. PHPMailer is a good illustration. It is the e-mail library bundled with WordPress core, not a plugin, so it cannot simply be avoided. In late 2016 a remote code execution vulnerability was disclosed in PHPMailer that affected the many sites using it; WordPress shipped the patched library in version 4.7.1. The lesson is to keep core current, and to be wary of third-party plugins that bundle their own copy of PHPMailer (or any other library), because those copies are only as current as the plugin author keeps them.
5. Hacked WP Login Credentials
This risk results from poor security practice by administrators, site owners and content creators. Attackers continuously probe WordPress sites for weak and reused passwords, and when the login page is served over plain HTTP they can also capture credentials by monitoring traffic on public or poorly secured Wi-Fi networks. Whenever you manage the backend from a personal, public or company network, the connection must be encrypted (HTTPS for wp-login.php and the whole of wp-admin) so that your credentials and session cookies are not exposed to rudimentary attacks. Use strong, unique passwords for every account and enable two-factor authentication for administrators.
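The encrypted-admin requirement above and the "always run the latest version" advice from the PHP object injection section both come down to a few lines in wp-config.php. The excerpt below is an added example, not from the article: the constants are real WordPress configuration constants, the weak setting is shown commented out beside the hardened one, and the X-Forwarded-Proto block is only needed when TLS terminates at a proxy in front of the server.

```php
<?php
// wp-config.php excerpt (added example). Put these lines above the
// "That's all, stop editing!" line. Constants are WordPress's own.

// Weak (the default when the constant is absent): wp-login.php and /wp-admin/
// may be served over plain HTTP, so passwords and auth cookies cross the wire in clear.
// define('FORCE_SSL_ADMIN', false);

// Hardened: login and admin requests over HTTP are redirected to HTTPS.
define('FORCE_SSL_ADMIN', true);

// Behind a TLS-terminating proxy or load balancer, WordPress sees plain HTTP
// and FORCE_SSL_ADMIN would redirect forever. Trust the proxy's header only when
// the proxy is the sole way to reach this server.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Keep core current automatically. Minor (security) releases are on by default;
// true also applies major releases. Pair it with the backup strategy from the
// ransomware section in case an update needs rolling back.
define('WP_AUTO_UPDATE_CORE', true);

// Remove the theme/plugin file editor from the dashboard, so a stolen admin
// session cannot be turned into arbitrary PHP on disk through the UI.
define('DISALLOW_FILE_EDIT', true);
```

These constants are not a substitute for a site-wide HTTPS redirect at the web server: FORCE_SSL_ADMIN protects the login and admin paths, but a visitor's session cookie is only safe if the whole site is served over HTTPS.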
6. Pike Firewall
When not configured properly, this plugin poses a known security risk. There is nothing wrong with Pike Firewall's source code as such; problems surface when users mistakenly change its settings to let anonymous traffic reach the administration panel. Do not treat a WordPress firewall plugin as a replacement for a standard server firewall: a plugin runs inside PHP, after the request has already reached WordPress, whereas a server firewall stops traffic before it gets there. To have a firewall applied at the server level, contact your hosting provider's technical support and discuss the options available to you. Pike Firewall is useful for blocking unwanted traffic, but it only achieves that when it is configured correctly; misconfigured, it becomes a risk in its own right.
In the End
WordPress may seem to pose a lot of security issues, but that is mainly a consequence of its popularity and its strength as a content management system. There are several ways to safeguard a WordPress site: always run the latest version of the CMS and keep every plugin up to date, delete unused and outdated plugins, discuss security measures with your hosting provider, and keep working, tested backups with a restore procedure. Finally, opt in to site monitoring from your hosting provider as soon as you launch.