WordPress is the secret sauce that drives an increasingly large part of the internet. A free, open-source content management system (CMS), WordPress makes it easy for anyone to build and maintain a website, providing them with all the tools and templates they need to build and edit their site. Today, WordPress is employed by 63.6% of websites which use content management systems, or approximately 38.5% of all websites. That’s pretty impressive, making it by far the most popular tool for building websites.
But the news is not all good. WordPress has its share of cyber security challenges, and given the large number of websites that rely on it, those challenges pose some big potential problems. Every year hundreds of thousands of WordPress sites without the proper cyber security precautions are hacked.
Not all good news
One of the big issues involves the plugins used on WordPress sites. A major draw of WordPress is the enormous number of plugins and themes that are available. A plugin is a piece of software that adds certain functionality to a website. Plugins are written in PHP and integrate seamlessly with WordPress. Many are free to the public and are developed by volunteers. Functions vary from Search Engine Optimization (SEO) tools to backup services to commenting tools for users to fluid video embeds. That’s just scratching the surface of the plugins available, which are thought to number more than 55,000 in total.
Plugins are, for the most part, great. But they also open up the door to potential vulnerabilities. While it’s not an exact analogy, think of plugins like giving out keys to your home. Giving out a key to your neighbors could be an excellent decision, since it means they can come in and feed your pet while you’re on vacation. Giving a key to, say, a gardener or cleaner (if you’re lucky enough to have either) means that they can come into your home and do work while you’re not there. But every key you hand out increases the level of risk you’re opening yourself to if they fall into the wrong hands.
Vulnerabilities involving plugins and themes can allow hackers to carry out malicious actions such as placing harmful code on WordPress sites, vandalizing pages, stealing information, and more.
Vulnerable themes and plugins
Such vulnerabilities are discovered all the time. For example, in September 2020, a vulnerability was reported as being “actively exploited” in File Manager, a plugin that lets WordPress administrators manage files on their websites more easily through a simple file management interface. The plugin in question was installed on about 700,000 WordPress sites. The vulnerability meant that users other than the legitimate owner of the website were able to execute commands and upload files. The makers of the plugin rushed to release a patch for the flaw and urged users to upgrade to the latest version, thereby protecting them.
But while WordPress and the third-party developers who create plugins regularly do a solid job of plugging security vulnerabilities when they are uncovered (as was the case here), this still relies on users actually updating to the latest version. Large numbers of people do not.
In some cases, vulnerabilities may be no accident. Although such attacks are infrequent, there have been known occasions where so-called supply chain attacks see hackers buy up once high-quality WordPress plugins and then add backdoors, allowing them to inject malicious code onto websites. Unlike the previous examples, these attacks are particularly malicious because users who keep their plugins updated, as they are advised to do, risk introducing security flaws that were not present before. Thankfully such attacks are rare — although they do happen.
Not all WordPress vulnerabilities involve out-of-date themes and plugins. For instance, brute force attacks are sometimes used to try to break into accounts. Because WordPress doesn’t limit login attempts, and login pages are frequently easy to find, hackers can try to brute force their way into your website, thereby giving themselves administrative or other access. These attacks may also slow down your website while they are in progress.
Safeguarding your WordPress site
So what’s the answer? As with many cyber security cases, some of the steps that can be taken are straightforward, while others are a bit more complex. Choosing strong passwords, avoiding the name “admin” as your login and changing your standard WordPress login URL can reduce the risk from brute-force attacks. Despite the example of supply chain attacks, you’re also far better off ensuring that plugins and themes are up to date. Similarly, select plugins and themes carefully and only from reputable developers.
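Since WordPress itself does not limit login attempts, one concrete mitigation for the brute-force attacks described above is a small must-use plugin that counts failed logins per client and refuses further attempts once a threshold is hit. The code below is an added example, not code from the original article or from the WordPress project; it assumes a standard WordPress install, uses WordPress’s own `wp_login_failed`, `authenticate` and transient APIs, and the threshold of 5 failures and 15-minute window are constructed values to tune for your site.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Locks a client IP out of login for 15 minutes after 5 failed attempts.
 * Install by saving this file as wp-content/mu-plugins/login-limiter.php.
 */

// Transient key holding the failure counter for the requesting client.
// Caveat: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address and
// every visitor would share one counter; resolve the real client IP there first.
function lal_counter_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_fail_' . md5($ip);
}

// Record each failed login. The transient expires on its own after the lockout
// window, so the counter resets without any scheduled cleanup.
add_action('wp_login_failed', function ($username) {
    $key   = lal_counter_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, 15 * MINUTE_IN_SECONDS);
    // One log line per failure for your detection tooling (WP_DEBUG_LOG writes it
    // to wp-content/debug.log). The IP is logged, the attempted username is not.
    error_log(sprintf('login-limiter: %d failed login(s) from %s',
        $fails, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'));
});

// Refuse authentication once the threshold is reached. Priority 30 runs after
// WordPress's built-in username/password and cookie checks (priority 20), so the
// lockout error replaces their result whether or not the password was correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lal_counter_key()) >= 5) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again in 15 minutes.')
        );
    }
    return $user;
}, 30, 3);
```

Because the check sits on the `authenticate` filter, it applies to every path that calls `wp_authenticate()`, including XML-RPC logins, not only the wp-login.php form.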
To take your WordPress cyber security setup to the next level, you may also want to employ a strong Web Application Firewall (WAF). A WAF is deployed at your network edge to inspect incoming and outbound HTTP/S traffic to a web application. It uses complex intelligence systems to identify attack patterns and, importantly, to filter out malicious traffic.
If you’re running a website, there’s a good chance that it takes up a large amount of your time. Whether you’re selling items online, advertising your business or researching news stories, you may simply not have time to worry about the cyber security component of your web pages, and many people don’t. The fact that people want plug-and-play technology that “just works” is, after all, why simple website builders like WordPress and tools like plugins have gained such popularity.
If that describes you, you may be better off bringing in the experts to help protect you. When the risks of not doing so are this high, it’s a worthy investment to make.