According to the CMS (Content Managment System) Usage Statistics, WordPress now powers around 43% of websites.
83% of CMS based websites, which are hacked, are built on WordPress.
There are almost 90,000 attacks per minute on WordPress websites. In one study, it was found there are 3,972 known WordPress vulnerabilities. Out of which, 52% are from WordPress plugins, 37% are due to core WordPress files & 11% are from WordPress Themes.
Patchstack estimates that 99.32% of all security bugs are in components – WordPress plugins and themes. Themes had the most critical vulnerabilities. They found that 12.5% of vulnerabilities reported in themes had a critical CVSS (Common Vulnerability Scoring System) score of 9.0-10.0. Arbitrary file upload vulnerabilities were the most common.
Plugins had a total of 35 critical security issues. This is fewer critical vulnerabilities compared to themes, but 29% of these received no public patch.
Cyberattacks not only compromise your information but also all the data on your site, including your customer’s data.
Inc.comreports that almost 60% of small businesses, which get hacked, go bankrupt within 6 months.
According to WebsiteBuilder, every week Google blacklists over 70,000 websites due to security issues. From the blacklisted sites, about 50,000 are because of phishing while the rest are for malware issues.
What’s a Security Vulnerability?
Security vulnerabilities are a major cause for concern when it comes to web applications written in the PHP language because successful exploitation of such safety defects may lead to several regularly exploited attacks.
A vulnerability is simply a failure to meet some security requirement. Typically, vulnerabilities are unintentional, but vulnerabilities can be intentional.
For example, someone may have intentionally inserted malicious code in your WordPress installation, such as a backdoor (a way to gain unauthorized access) or a logic bomb (code that performs a malicious function when specified conditions are met).
Many vulnerabilities are easy to fix, but finding them in large code bases can be challenging without the right tools. So to find these major security flaws we’ve developed a powerful automated script.
How do WordPress sites get hacked?
Malicious users using bots crawl the internet looking for vulnerable WordPress sites to hack. If your website is not protected with a WordPress firewall and if you don’t follow WordPress security best practices, your website can become a victim.
Core WordPress files, vulnerable plugins and themes are the primary reason WordPress websites get hacked.
“Vulnerabilities from plugins and themes are one of the biggest threats to websites built on WordPress."
WordPress sites support installing extensions that are separately developed and maintained from the “core” WordPress files (Usually by different developers). Extensions need to be separately evaluated before installing them. The core system may be relatively secure, but that doesn’t mean all its extensions are secure, and often the biggest risks are from the extensions. These extensions may be called many names including extensions, plug-ins, add-ons, themes, components, or packages. No matter what they’re called, they need to be evaluated for potential security vulnerabilities.
WordPress attack vectors include:
- Database Injections
- Upload Exploitation
- Cross-Site Request
- Authentication Bypass
- Denial of Service
- Full Path Disclosure
You don’t need to risk your business
Your options include converting your WordPress site to a static website. With a static website you don’t suffer from the security vulnerabilities of a WordPress site or having to constantly update WordPress Core files, plugins and themes.
A static website gives you the added benefits of better performance and improved search engine ranking.
Your static website can have all of the same features and functionality that your WordPress site had without any of the security vulnerabilities or performance issues.
If you don’t do a lot of blogging or require frequent modifications to your website, then you’re done. The one time cost of conversion is minimal.
If you do a lot of blogging or require frequent additions and changes of your content, you can still have a static website and enjoy the same security and performance benefits. By using a static site generator such as Hugo. Static site generators typically use a simplified method of content creation known as Markdown. Which is lightweight markup language for creating formatted text using a plain-text editor. It’s easier to use than HTML. See the MarkDown Quick Reference at WordPress.com
In case you would prefer to use a WYSIWYG (What You See is What You Get) interface, we’ve created a tool that enables you to add and edit your content with ease.
There are many free high quality templates that can be used for static sites and modifying them is easy.
Hugo Themes is a listing of some of the many free themes. Just about any theme, WordPress or other can easily be made into a static site template.
A static site can be zipped up and hosted anywhere, no database connection or PHP necessary. Also you can work on your site locally without even being connected to the Internet and upload you pages when you are ready.
How to Secure Your WordPress Website
If for some reason you absolutely have to use WordPress, you should take the following steps to secure your WordPress site.
Update Out-of-Date WordPress Core files, plugins and themes.
Before installing any plugin, you should ensure it’s from a reliable source, up to date, contains no malicious or vulnerable code and is compatible with the latest WordPress version.
Eight WordPress Website Best Practices
- Use a firewall for your WordPress installation
- Use the latest version of WordPress, plugins, themes and third-party services
- Enforce strong password requirements
- Only grant the type of access that someone needs
- Isolate each WordPress website
- Implement 2FA (Two Factor Authentication) on the WordPress login page
- Limit Login attempts on wp-admin
- Leverage IP access restrictions for the WordPress dashboard
If your WordPress site has been compromised
Hopefully you have a recent backup ready to overwrite the corrupted files.
Check Core WordPress File Integrity
WordPress is made up of many files that all work together to create a functional website. Most of these files are core files, which are consistent across installations of the same version.
If the infection is in your core files, you can fix the malware manually by downloading a fresh installation from the official WordPress site and replacing each compromised file with clean copies. Just don’t overwrite your wp-config.php file or wp-content folder and be sure to make a full backup beforehand.
Remove Hidden Backdoors in Your WordPress Site
Hackers may leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked WordPress sites.
Often backdoors are embedded in files named similar to WordPress core files but located in the wrong directories. Attackers can also inject backdoors into files like wp-config.php and directories like wp-content/themes, wp-content/plugins, and wp-content/uploads.
Backdoors commonly include the following PHP functions:
- preg_replace (with /e/)
These functions can also be used legitimately by plugins, so be sure to test any changes because you could break your site by removing benign functions or by not removing all of the malicious code.
The majority of malicious code we see in WordPress sites uses some form of encoding to prevent detection. Aside from premium components that use encoding to protect their authentication mechanism, it’s very rare to see encoding in the official WordPress repository.
It’s critical that all backdoors are closed to successfully stop a WordPress hack, otherwise your site will be reinfected quickly.
Set Backups for your WordPress Site
Having a known good backup is the quickest way to ensure you can recover from a compromised WordPress site.
Store your backups at an off-site location. Never store backups or old versions on your server, as these can be utilized as entry points for attackers, if not maintained properly. It is important to keep working backups in many different locations, as you never know what can go wrong.
Your backups should run automatically at a frequency that suits the needs of your website. For example, if your website is a news based site that is updated frequently, your backups should run frequently as well.
This is a strategy used to ensure there are emergency backups of critical data if something catastrophic were to occur. Make sure to have working backups and then make copies of those working backups.
You have options. You can avoid the risk of losing customers and the cost of a potential breach of your WordPress website by having your site converted to a better performing, easy to manage static site or by diligently inspecting and monitoring your WordPress installation for vulnerabilities. For us, the choice is simple. This site and all of our other websites are static sites.
Contact us to see how you can free yourself from the endless hassle of dealing with WordPress issues and get a better performing website in the process.