Today I wanted to discuss WordPress vulnerabilities, what their root cause is, and how you can be diligent about not damaging your website or your business reputation. It is estimated that there are over 1.3 billion active websites in the world. Nearly 20% of those use WordPress. That’s well over 450 million sites – just so you don’t have to get your calculator spun up. There are over 4,000 free themes in the WordPress directory, and ThemeForest has over 47,000 themes for sale. If you’re looking for plugins, there are well over 54,000 free ones available and well over 8,000 for sale. Additionally, over 30% of e-commerce websites run WooCommerce, which runs on WordPress.
The Potential for Exploitation
Let’s assume that each of those 450 million sites has at least 10 plugins installed, 1 active theme, plus 3 inactive themes on top of the WordPress core. That’s a potential attack surface of 6.8 billion points. The WordPress core, themes, and plugins are all written in PHP. If a developer isn’t careful, then hackers and other bad actors can use code vulnerabilities to exploit a system. According to Wordfence, one of our favorite security plugins, bots that try to exploit vulnerabilities in your website’s PHP code are the most common form of attack targeting WordPress websites. One of the areas we patched in February had to do with bots trying to “guess” usernames so that they could conduct a brute-force login attack.
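As an added example (not code from the original post or from Veracity Technologies), the Python script below shows what the bot behaviour just described looks like in a web server access log and how to flag it: probes for author IDs (`?author=N`) and the REST users endpoint, followed by a burst of failed `wp-login.php` POSTs from the same address. The log lines are constructed samples in the Apache/nginx combined format; the IP addresses, the thresholds (5 failed logins within 60 seconds), and the assumption that a failed login POST returns HTTP 200 while a successful one redirects with 302 are mine, not the post’s.

```python
"""Flag WordPress username-enumeration probes and login brute-force bursts in access logs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2021:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.25"
203.0.113.7 - - [10/Feb/2021:12:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.25"
203.0.113.7 - - [10/Feb/2021:12:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "python-requests/2.25"
203.0.113.7 - - [10/Feb/2021:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.25"
203.0.113.7 - - [10/Feb/2021:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.25"
203.0.113.7 - - [10/Feb/2021:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.25"
203.0.113.7 - - [10/Feb/2021:12:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.25"
203.0.113.7 - - [10/Feb/2021:12:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.25"
203.0.113.7 - - [10/Feb/2021:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.25"
192.0.2.9 - - [10/Feb/2021:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2021:12:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Feb/2021:12:05:00 +0000] "GET /about/ HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Feb/2021:12:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that hand out account names to anonymous clients unless restricted.
ENUM_PATHS = ("/wp-json/wp/v2/users",)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
    }


def is_enumeration_probe(target):
    """True for ?author=N lookups or hits on the REST users endpoint."""
    parts = urlsplit(target)
    if "author" in parse_qs(parts.query):
        return True
    return any(parts.path.startswith(p) for p in ENUM_PATHS)


def is_failed_login(entry):
    """Assumption: a bad password re-renders the form (200); success redirects (302)."""
    path = urlsplit(entry["target"]).path
    return entry["method"] == "POST" and path == "/wp-login.php" and entry["status"] == 200


def analyze(log_text, window_seconds=60, burst_threshold=5):
    """Per source IP: enumeration probes, failed logins, and whether a burst occurred."""
    probes = defaultdict(int)
    failed = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if is_enumeration_probe(entry["target"]):
            probes[entry["ip"]] += 1
        if is_failed_login(entry):
            failed[entry["ip"]].append(entry["ts"])

    report = {}
    for ip in set(probes) | set(failed):
        times = sorted(failed[ip])
        burst = False
        start = 0
        # Sliding window: burst_threshold failures inside window_seconds.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst_threshold:
                burst = True
                break
        report[ip] = {
            "enum_probes": probes[ip],
            "failed_logins": len(times),
            "login_burst": burst,
        }
    return report


if __name__ == "__main__":
    for ip, facts in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, facts)
```

On the sample data, 203.0.113.7 is reported with three enumeration probes and a six-attempt login burst, 192.0.2.9 shows two isolated failures and no burst, and 198.51.100.5 (a normal visitor who logged in successfully) does not appear at all. Access logs do not record the POST body, so the script cannot see which usernames were tried; a security plugin’s login log (Wordfence records attempted usernames) fills that gap.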
Mitigate the Risk
Don’t panic. We have a set of common-sense guidelines for you to follow to mitigate the risk of WordPress vulnerabilities. First and foremost, always keep your WordPress installation, including all your themes and plugins, up to date.
- Never, ever use the default username of admin.
- Don’t use your email address or any combination of your name as your login username. Use a random sequence of characters and, inside WordPress, set your display name to be your real name. Check out the username generator at LastPass (another tool we recommend).
- Don’t use a simple password. And don’t participate in those silly social media quizzes that ask for your favorite food or color; you’re supplying social engineering information to a would-be hacker. Instead, use a password manager to remember complex passwords. Our friends over at Safety Detectives offer a tool to check the strength of your passwords and to generate a random password.
- Use a security plugin inside WordPress. We recommend Wordfence or Sucuri if your web hosting company doesn’t offer a Web Application Firewall (WAF).
- Enable two-factor authentication for your admin user.
- Make sure that your web hosting company keeps your server PHP version up to date.
- Look for site health issues in your Admin Dashboard. This option is found under Tools -> Site Health.
- Keep your WordPress site up-to-date.
Close the Loop on WordPress Vulnerabilities
Now you understand the nature of the risk and how to avoid having your website compromised. I realize that this can be a daunting task for a small business owner. Not only do you have to worry about your business from day to day, but now you need to stay on top of your website and ensure its integrity. Veracity Technologies wants to help you. Contact us today for a free no-obligation quote on how we can maintain the security and integrity of your WordPress website.