The most common WordPress security myth is that it is an insecure platform. WordPress is as secure as any other content management system or website platform. However, like any other platform, it has some security risks that must be addressed.
There are three main types of security:
- security by design,
- security by openness,
- and security by obscurity.
Two first have a proven record of being effective. Security by obscurity is not an effective way of securing the website (or anything else). WordPress is based on the Open Design concept (GPL). The GNU General Public License is a series of widely used free software licenses that guarantee end users the four freedoms to run, study, share, and modify the software. It means all WordPress elements, including plugins, should be designed similarly.
What are the most common WordPress security myths?
Myth 1 – Themes are not dangerous; you don’t need to update them.
Nonsense, every line of code can be dangerous. Check this article on 360WebRescue, “Flexible Checkout Fields – what we can learn from this plugin vulnerability?” to see how one line of code can create a huge vulnerability.
Myth 2. My website is small, so it is not a hacker’s target.
Unfortunately, cybercriminals are just as targeted by small business websites as large corporations. And because small business websites are often not as concerned with major security breaches, their websites are left more vulnerable and open to attack.
Myth 3. Hiding the WP version does the trick because no one will know if our WP is vulnerable.
Nonsense – nobody is interested in the WordPress (or plugin) version, and the vulnerability is checked immediately. Hackers usually don’t waste time checking. They are attacking for known vulnerabilities. We wrote an article about WordPress login hiding, which explains the general problem with security by obscurity.
Myth 4. Popular plugins are used by millions, so they are safe
Another nonsense check is the latest vulnerabilities of popular plugins like RevSlider, Woo, WPML, Yoast, AIOSEO, and GTM4WP. On the other hand, popular plugins deal with vulnerabilities better and fix the problems faster, but it doesn’t solve the problem when you do not maintain your website regularly.
What are the most common ways of attacks on WordPress websites?
- brute force attacks
- use of vulnerabilities in themes and plugins
- use of weak or revealed passwords
- an outdated software, theme, plugin or WordPress core
- an unsecured hosting environments
Brute force attacks aiming at breaking the login and password are often not carried out through the login screen. Hackers usually use a much faster and more remote procedure called the XML-RPC mechanism. The rest API mechanism can also be used to negotiate the password. The best way to deal with the problem is to block/restrict access to wp-admin (if you can, by IP or even with BasicAuth). Don’t use login hiding; we explained why in the article ” Why is login hiding weak security in WordPress?
Insecure themes have been created without considering the security risks involved in using them. Lack of security updates means that WordPress sites must be updated with the latest security patches, leaving them vulnerable to attack.
Another common WordPress security risk is weak passwords. You probably heard about the popular login “admin” and password “admin” on the WordPress website. Users’ and admins’ negligence is the second most common WordPress security risk. Additionally, be careful with sending passwords via email or other insecure ways of communication.
Another common vulnerability is directory traversal, which allows hackers to access files and folders they should not be able to access. Hackers can also insert malicious code into websites through infected files or compromised servers. A good way to avoid this is to set up appropriate file permissions for read (R), write (W) and execute (E). Check the WordPress documentation for it https://wordpress.org/documentation/article/changing-file-permissions/.
Non-secure and shared hosting environments with account separation can also be a common WordPress security risk. In this case, when one website is infected, hackers can take over control of all the websites sharing the same server. As a result, all websites can be infected and hacked.
How can I secure my WordPress site?
There are a few key things you can do to secure your WordPress site:
- Use a strong password for your database and user account,
- Use two-factor authentication for login,
- Keep your WordPress software up to date,
- Install only trusted themes and plugins,
- Configure file permissions and ownership,
- Backup your site regularly,
- Use SSL/TLS protocols,
- Use web application firewalls.
If WordPress is safe, why is there news of hacks every other day?
WordPress technology is not vulnerable in itself. However, its widespread adoption and huge popularity make it a target for hackers. Any software that is widely used is going to be targeted by hackers.
WordPress is the world’s most popular content management system (CMS), and over 30% of websites use it. BuiltWith data shows over 60% of all CMS-based websites are WordPress. It is the most popular CMS, and because of its popularity, it is the biggest target for hackers.
Whether you are a high-profile WordPress site or a small business website doesn’t matter. Sooner or later, you can be a hacker’s target. The number of WordPress sites hacked is a small percentage compared to the overall number of WordPress installs.
A single vulnerability of WordPress or a plugin allows hackers to target many vulnerable websites. It makes it very easy and attracts hackers, and that’s why we see many WordPress hack information in the news.
The best way of WordPress management to avoid risks.
Security loopholes are part of the software lifecycle. They are discovered and patched all the time. You should update WordPress once a new version is released. Major releases are typically security updates, so keeping your site up-to-date is essential. Remember to back up your site before updating if something goes wrong.
To learn more about WordPress updates, read the article “Update, wait, ignore?” on 360webcare.com. If your website has been infected, read the article on our 360WebRescue.com blog, “Your website has been infected. What’s next?“. It provides the best advice on what to do and what not to do when you already have a website infected and steps to recover from the infection.
Questions and answers about WordPress security.
The following factors contribute to the perceived insecurity of WordPress:
Vulnerabilities in themes and plugins: Insecure code in themes and plugins can be exploited by hackers. This is often due to outdated plugins and themes. Read how to update your WordPress in the article Update, wait, ignore
Weak passwords: Weak passwords, such as “admin”, can make a WordPress site easy to breach.
Outdated software: Not keeping WordPress software up-to-date can leave a site vulnerable to attacks, as security patches are often included in updates.
Unsecured hosting environments: Shared hosting environments can pose a risk as if one website is infected, hackers can potentially gain control of all websites on the same server.
It’s important to note that WordPress itself is not insecure. However, its popularity makes it a popular target for hackers. Regular updates, strong passwords, and carefully managing themes and plugins can significantly enhance WordPress security.
No, it’s not true. WordPress is as safe as any other content management system or website platform. However, like any other platform can be insecure in specific circumstances. Security risks must be addressed and managed continuously to avoid problems.
The size of a website doesn’t necessarily correlate with its risk of being targeted by hackers. Many hacking attempts are automated, exploiting known software vulnerabilities regardless of a site’s size.
Small websites can also be used as a launchpad for attacks on larger sites, especially on the same server in the shared hosting environment. Small websites can be used for marketing spam or cryptocurrency mining. That’s why all website owners must take appropriate security measures, regardless of size.