WordPress Vulnerabilities

Today I wanted to discuss WordPress vulnerabilities, what is the root cause and how you can be diligent about not damaging your website or your business reputation. It is estimated that there are over 1.3 billion active websites in the world. Nearly 20% of those use WordPress. That’s well over 450 million sites – just so you don’t have to get your calculator spun up. There are over 4,000 free themes in the WordPress directory and ThemeForest has over 47,000 themes for sale. If you’re looking for plugins, there are well over 54,000 free ones available and well over 8,000 for sale. Additionally, over 30% of e-commerce websites run WooCommerce which runs on WordPress.

The Potential for Exploitation

Let’s assume that each of those 450 million sites has at least 10 plugins installed, 1 active theme plus 3 inactive themes on top of the WordPress core. That’s a potential attack surface of 6.8 billion points. The WordPress core, themes, and plugins are all written in PHP. If a developer isn’t careful, then hackers and other bad actors can use code vulnerabilities to exploit a system. According to Wordfence, one of our favorite security plugins, bots that try to exploit vulnerabilities in your website PHP code are the most common form of attack targeting WordPress websites. One of the areas we patched in February had to do with bots trying to “guess” usernames so that they could conduct a brute force login attack.

Mitigate the Risk

Don’t panic. We have a set of common-sense guidelines for you to follow to mitigate the risk of WordPress vulnerabilities. First and foremost, always keep your WordPress installation, including all your themes and plugins, up to date.

• Never, ever use the default username of admin.
• Don’t use your email address or any combination of your name as your login username. Use a random sequence of characters and inside WordPress, set your display name to be your real name. Check out the username generator at LastPass (another tool we recommend.)
• Don’t use a simple password. And, don’t participate in those silly social media quizzes that ask your favorite food or color. You’re supplying social engineering information to a would-be hacker. Instead, use a password manager to remember complex passwords. Our friends over at Safety Detectives offer a tool to check the strength of your passwords and to generate a random password.
• Use a security plugin inside of WordPress. We recommend WordFence or Sucuri if your web hosting company doesn’t offer a Web Application Firewall (WAF). 
• Enable two-factor authentication for your admin user. 
• Make sure that your web hosting company keeps your server PHP version up to date.
• Look for site health issues in your Admin Dashboard. This option is found under Tool -> Site Health
• Keep your WordPress site up-to-date.