Reading Time: ~3 min.
The WordPress website platform is a vital part of the small business economy, dominating the content management system industry with a 60% market share. It gives businesses the ability to run easily-maintained and customizable websites, but that convenience comes at a price. The easy-to-use interface has given even users who are not particularly cybersecurity-savvy a presence on the web, drawing cyber-criminals out of the woodwork to look for easy prey through WordPress vulnerabilities in the process.
Here are some of these common vulnerabilities, and how can you prepare your website to protect against them.
WordPress Plugins
The WordPress Plugin Directory is a treasure
trove of helpful website widgets that unlock a variety of convenient functions.
The breadth of its offerings is thanks to an open submission policy, meaning anyone
with the skill to develop a plugin can submit it to the directory. WordPress
reviews every plugin before listing it, but clever hackers have been known to
exploit flaws in approved widgets.
The problem is so prevalent that, of the known 3,010 unique WordPress vulnerabilities, 1,691 are from WordPress plugins. You can do a few things to impede your site from being exploited through a plugin. Only download plugins from reputable sources, and be sure to clean out any extraneous plugins you are no longer using. It’s also important to keep your WordPress plugins up-to-date, as outdated code is the best way for a hacker to inject malware into your site.
Phishing Attacks
Phishing remains a favored attack form for
hackers across all platforms, and WordPress is no exception. Keep your eyes out
for phishing attacks in the comments section, and only click on links from
trusted sources. In particular, WordPress admins need to be on alert for attackers
looking to gain administrative access to the site. These phishing attacks may
appear to be legitimate emails from WordPress prompting you to click a link, as
was seen with a recent attack targeting admins to update their
WordPress database. If you receive an email prompting you to update your WordPress
version, do a quick Google search to check that the update is legitimate. Even
then, it’s best to use the update link from the WordPress website itself, not an
email.
Weak Administrative Practices
An often overlooked fact about WordPress security: Your account is only as secure as your administrator’s. In the hubbub of getting a website started, it can be easy to create an account and immediately get busy populating content. But hastily creating administrator credentials are a weak link in your cybersecurity, and something an opportunistic hacker will seize upon quickly. Implementing administrative best practices is the best way to increase your WordPress security.
WordPress automatically creates an
administrator with the username of “admin” whenever a new account is created.
Never leave this default in place; it’s the equivalent of using “password” as
your password. Instead, create a new account and grant it administrative
privileges before deleting the default administrator account. You’ll also need to
change the easily-located and often-targeted administrator url from the default
of “wp-admin” to something more ambiguous of your own choosing.
One of the most important practices for any
WordPress administrator is keeping the WordPress version up-to-date. An ignored
version update can easily become a weak point for hackers to exploit. The more
out-of-date your version, the more likely you are to be targeted by an attack. According
to WordPress, 42.6% of users are using outdated versions. Don’t
be one of them.
Additional Security Practices
The use of reputable security plugins like
WordFence or Sucuri Security can add an additional layer of protection to your
site, especially against SQL injections and malware attacks. Research any
security plugins before you install them, as we’ve previously seen malware
masquerading as WordPress security plugins. If your security plugin doesn’t offer
two-factor authentication, you’ll still need to install a secure two-factor
authentication plugin to stop brute force attacks. Keeping your data safe and
encrypted behind a trusted VPN is also key to WordPress security,
especially for those who find themselves working on their WordPress site from
public WiFi networks.
WordPress is a powerful platform, but it’s
only as secure as you keep it. Keep your website and your users secure with
these tips on enhancing WordPress security, and check back here often for
updates on all things cybersecurity.
The post Common WordPress Vulnerabilities & How to Protect Against Them appeared first on Webroot Blog.