WordPress is one of the most popular CMSes (Content Management Systems) on the internet today. Around 26.6% of websites are built on WordPress.
WordPress is known as a very secure CMS, and the core software usually pushes updates to patch known vulnerabilities. However, third-party themes and plugins make WordPress vulnerable. Sometimes hackers also find vulnerabilities in WordPress itself that allow them to take over the whole server.
Unfortunately, it is precisely its popularity that makes it such an appealing target.
Based on a recent report by Sucuri, 78% of hacked websites use the WordPress CMS.
How is this possible?
Most site owners don’t know that the biggest risk comes from the installed plugins and themes.
Plugins are a big part of why WordPress has the reputation it has today.
There are over 46,000 plugins available for download in the official WordPress directory. You obviously need to be careful with them, as plugin vulnerabilities represented 55.9% of the known entry points reported by respondents.
How do hackers get into my website through plugins and themes?
There are some well-known methods that hackers and their bots use to break into a WordPress site:
- Brute Force Attacks
The most common way hackers attack WordPress sites is with brute force attacks or crafted HTTP requests.
Brute-force hackers use software to try to gain access to your website by guessing your password until they get lucky and break in. Often, simple countermeasures like requiring a CAPTCHA or 2-step verification on login can stop brute force login attempts in their tracks.
- Path Traversal (known as the “dot dot slash” attack)
This vulnerability allows an attacker to download any file from a WordPress server, including the wp-config.php file.
That data includes database credentials for the website and other information that could potentially enable an attacker to gain full control of the site.
The calls usually look like this:
GET /wp-config.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../wp-config.php
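The request above puts the traversal sequence in a cookie value rather than in the URL, so a check on the request path alone misses it. The code below is an added example, not part of the original article or of any plugin it reviews: it shows the defensive side of the dot-dot-slash problem, both a server-side check that a user-supplied template name cannot resolve outside the theme directory (with repeated percent-decoding so `%2e%2e%2f` and double-encoded forms are caught) and a request scanner that reports traversal in the request line or in cookie values. The theme directory path and the cookie name TEMPLATE are assumptions for the example; the path check is purely lexical and does not follow symlinks.

```python
import posixpath
from urllib.parse import unquote

# Assumed theme directory of a WordPress install (example value, not from the article).
THEME_ROOT = "/var/www/html/wp-content/themes"

# The request shown in the article, embedded here as constructed sample input.
SAMPLE_REQUEST = """GET /wp-config.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../wp-config.php
"""


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, e.g. '%252e%252e%252f' -> '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_traversal(value):
    """True if the decoded value contains a '..' path segment (slash or backslash separated)."""
    normalized = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in normalized.split("/"))


def resolve_template(base_dir, user_value):
    """Return the absolute path of user_value inside base_dir, or None if the value
    would escape base_dir (absolute path, '..' climbing, or an embedded NUL byte)."""
    cleaned = fully_decode(user_value).replace("\\", "/")
    if "\x00" in cleaned:
        return None
    # posixpath.join discards base_dir when cleaned is absolute, which is exactly
    # why the containment check below is done on the normalized result.
    candidate = posixpath.normpath(posixpath.join(base_dir, cleaned))
    if candidate.startswith(base_dir.rstrip("/") + "/"):
        return candidate
    return None


def scan_request(raw_request):
    """Return (location, value) pairs of a raw HTTP request carrying traversal sequences."""
    request_line, *headers = raw_request.strip().splitlines()
    findings = []
    _method, target, *_ = request_line.split(" ", 2)
    if looks_like_traversal(target):
        findings.append(("request-line", target))
    for header in headers:
        name, _, header_value = header.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for cookie in header_value.split(";"):
            key, _, value = cookie.strip().partition("=")
            if looks_like_traversal(value):
                findings.append(("cookie:" + key, value))
    return findings


if __name__ == "__main__":
    print(scan_request(SAMPLE_REQUEST))
    print(resolve_template(THEME_ROOT, "twentyseventeen/header.php"))
    print(resolve_template(THEME_ROOT, "../../../../../../../../../wp-config.php"))
```

The key design choice is to decide on the normalized, fully decoded result rather than to blacklist the literal string `../`: an allow-list check ("does the final path start with the theme directory?") stays correct whatever encoding trick the request uses.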
- Script insertion
Another common category of hacker attacks is specially-crafted HTTP requests sent to your server.
These requests are designed to exploit specific vulnerabilities which are often caused by outdated or insecure software, themes, or plugins.
Anything contained in your wp-content directory, whether active or inactive, can potentially introduce security vulnerabilities to your website. Knowledgeable hackers can exploit such vulnerabilities to disable or gain access to your blog.
What are the options to protect my website?
If you’re not an expert in WordPress, we recommend installing a safe, fast security plugin. To be sure you get support and updates, look for a premium plugin. There are some great WordPress security plugins on the market, and the prices are affordable.
To help you, we did the hard work, and we’ve tested many WordPress plugins this year (2017).
To make it even easier, all the plugins are tested and scored on security, speed, user experience, price and support, so you can simply select the ones that suit your website.
Note: There are more security plugins in the queue. We check each plugin for an entire week before we post it in this article. Check back next week for more reviews.
I have over 10 years’ experience in building plugins and themes for WordPress and other platforms.
Contact me if you have plugins that you want me to check before you insert them in your website. I will be happy to check them for security and speed.
Latest posts by John Darrel