The DevTeam Alpha News Aggregation service has sourced the following article originally published on WP Arena:

Did you know that out of the top 10 million websites, WordPress is used by nearly a third of all sites? It has nearly 60% market share among content management systems. The customizability and functionality of WordPress make it the preferred platform for many website owners or developers.

Unfortunately, its growing popularity also makes it a target for many hackers across the globe. Here’s an eye-opening statistic for 2018: Every minute, nearly 100,000 websites are being attacked by hackers across the globe!

Don’t panic yet, there is some good news. The Core WordPress platform is indeed very secure owing to the periodic updates released by the WordPress team. These updates contain new improvements that fix security-related vulnerabilities. Popular third party plugin and theme developers also ensure that their software is updated and in compliance with the latest WordPress version. Most of the successful hacks happen due to other issues that can be easily prevented through appropriate measures.

Let’s take a look at what issues are causing the majority of these website hacks.

Vulnerabilities that cause website hacks

1. Outdated Software

In 2018, over 60% of all hacked websites were found to be running on outdated software. This percentage has seen a significant increase in the last 3 years. By outdated software, we are referring to outdated WordPress versions, outdated plugins, and obsolete themes.

WordPress version 4.7.1 which released on December 2016, had the infamous WordPress REST API vulnerability. This was exploited by hackers to deface thousands of websites. Following this issue, WordPress version 4.7.2 was released in January 2017 to fix the security issues that were causing this vulnerability. Those website owners who upgraded to this latest version were able to avoid this security loophole. However, those who didn’t upgrade, are facing issues even now!

Screenshot of Plugins page in WordPress

How can you resolve this issue?

  • Always keep your WordPress website running on the latest released version (example, version 5.2 released on May 2019).
  • Along with the core WordPress, review your installed WordPress plugins/themes and update them to the latest version.
  • As a safety practice, download all your plugins/themes from a trusted source such as the WordPress repository.
  • Delete (or replace) all abandoned plugins/themes that are not being actively upgraded by their respective developers or companies.
  • Updating multiple plugins/themes across numerous websites can be a long and cumbersome process for WordPress administrators. You can make use of WordPress backup plugins like BlogVault that let you easily manage updates for all your installed plugins/themes across websites from a single, centralized dashboard.

2. Web Host Problems

The choice of your web host is a leading factor in determining website security but unfortunately most people do not realize its importance. Vulnerabilities in hosting platforms account for nearly 41% of WordPress website hacks. For millions of new business owners or startups, hosting their website on a shared web host may seem like a logical step, as it is cost-effective and sufficient to handle initial web traffic. However, this has its own complications.

A shared web host is home to multiple WordPress websites belonging to different owners. If a hacker manages to hack even one of these sites, they can compromise all the other websites. On the other hand, a managed web host is like having a dedicated web server only for your website, although it is more expensive. Managed hosting is more secure with built-in features like firewall protection, SSL certification, malware scanning tools, and blocking of bad IP addresses.

How can you resolve this issue?

  • Choose (or switch to) the better web host provider that provides website security functions and customer support.
  • If your WordPress website is currently hosted on a shared web host, consider switching to a managed web host for added security.
  • If neither of the above options is feasible to implement, consider migrating your WordPress website to another web host provider or URL. For a smooth and efficient website migration, use a migration plugin like Duplicator or Migrate Guru.

3. Compromised Login Credentials

Hackers gaining information about your WordPress login credentials are similar to thieves obtaining the keys to the front door of your house. In both cases, your property can be compromised and damaged!

Brute force attacks are widely used by hackers to gain access to your login page account. Unfortunately, in many cases, WordPress users themselves make this much easier for hackers by opting for weak login credentials. For example, many websites still have the default “admin” username for users with admin rights. Similarly, users continue to use weak passwords such as “password” and “123456.” Brute force attacks deploy smart and automated bots that can easily decipher these weak credentials and gain entry to your backend website files.

Change password screen

How can you resolve this issue?

  • Enforce the practice of strong passwords that comprise of at least 8 characters which are a combination of lowercase & uppercase characters, numbers, and special characters.
  • Enforce the use of strong usernames that are unique to each user.
  • Ensure that every user periodically changes their account passwords.
  • Implement the use of two-factor authentication (or 2FA) for securing user logins.
  • Restrict the number of failed login attempts to 3.
  • Deploy the industry-standard CAPTCHA tool for distinguishing between a human user and an automated bot.
  • Change the default URL of your website’s login page (example, www.<YourSiteURL>/wp-admin) to a different address (example, www.<YourSiteURL>/welcome).
  • If you are using an FTP tool, opt for the security of a device using SSH File Transfer Protocol (or SFTP).

4. Too Many Admin Users

Every WordPress website requires users with administrative rights to manage various like updating plugins/themes, executing website backups, or adding other users. However, a common error is to create too many users, all with “admin” rights. If a hacker gets access to even one of these user accounts, it can be used to inflict maximum damage on the backend files.

There are six types of WordPress users with a decreasing level of authority and permissions, mainly:

  • “Super Admin” user who has the most privileges and control over multiple websites.
  • “Admin” user who has all the privileges to manage a single website.
  • “Editor” user who can only manage and publish all submitted posts on the website, but not beyond that.
  • “Author” user who can manage and publish their posts on the website.
  • “Contributor” user who can draft their posts but lack the right to “publish” them on the website.
  • “Subscriber” user who can only create and manage their profile or account, and has the least privileges.

How can you resolve this issue?

  • Assign and manage user roles and privileges based on the requirements and responsibilities of each user.
  • Use strong passwords and change them regularly.
  • Give only one user “super admin” privileges, ideally the website owner.
  • Assign “admin” privileges to trustworthy and reliable users only.

5. Non-SSL Certified Websites

Any website URL beginning with “https://” sign along with the “padlock” sign is an SSL-certified website. SSL is short for “Secure Socket Layer”- a security protocol for websites necessary for those that store or transfer confidential data. The SSL protocol encrypts the communication between the user’s browser and the website server. This ensures that sensitive information is delivered to the right user and not intercepted by any hacker.

Starting from 2017, WordPress made it mandatory for its websites to be SSL-certified to keep them safe and secure. However, according to a Whynohttps study, 20% of the 100 largest websites have still not switched to the “https” protocol.

How can you resolve this issue?

  • If your WordPress website is not SSL-certified, obtain the SSL certificate from your hosting provider. To do this, you need to login to your web host account and search for installing the SSL certificate.
  • Most of the popular WordPress hosts like SiteGround and WPX Hosting include SSL certification in their offered plans. Use a hosting plan that provides for SSL certification.
  • If your current web host does not offer SSL certification, you can obtain one from third-party websites like GoDaddy or DigiCert that sell SSL certificates.

Conclusion

WordPress by itself has efficient security measures faces a lot of hacks due to non-adherence to basic security steps and other external reasons. We hope this article helped you understand the basic fixes you can adopt to improve your WordPress security. Let’s quickly recap what we learnt.

To improve WordPress Website’s security:

  • Keep the core files, themes and plugins updated to their latest versions.
  • Choose a web host that has security measures in place.
  • Use strong passwords and employ 2-factor authentication for Login Protection.
  • Evaluate and assign user roles and credentials carefully.
  • Ensure your website data is protected by an SSL certificate.

These measures will only serve as an additional level of security. It is imperative to use security plugins that can regularly scan and remove malware and also protect against Brute Force Attacks, DDOS attacks, and bots. Popular plugins for scanning include Sucuri and WordFence. For efficient malware removal, use a plugin like MalCare to find and clean complex malware.

That’s it folks! What security measures have you implemented for your website? Let us know in the comments!

Learn more about WP Arena by visiting their website.