WordPress Security

WordPress, the most popular web publishing platform on the internet, is also a favourite target for hackers and spammers. It is known as one of the most user-friendly website platforms available, but out of the box it is terribly vulnerable to attack.

According to WordPress White Security, more than 70% of WordPress installations are vulnerable to hacker attacks, and the total number of hacked WordPress websites in 2012 was a whopping 170,000. This figure is growing every year.

Blab Solutions Web Design Malta

You may be wondering why anyone would want to attack your website, particularly if it gets little traffic. However, the vast majority of hackers are not looking to steal your data or delete important files: what they want is to use your server to send spam emails.

When it comes to website security, it pays to be proactive rather than reactive. Do not assume your website is secure because you have not been hacked in the past.


How Do Hackers Compromise Your Website?

It is important to understand how hackers gain entry into a WordPress website and have their wicked way. Although there are many different ways in which a hacker can break into a WordPress website, the main techniques can be grouped into four categories.


WordPress White Security reports the following statistics about hacked websites:

  • 41% were hacked through a security vulnerability on their hosting platform
  • 29% were hacked via a security issue in the WordPress Theme they were using
  • 22% were hacked via a security issue in the WordPress Plugins they were using
  • 8% were hacked because they had a weak password


As you can see, 41% of attacks are caused by security issues within your hosting platform. This covers a lot of techniques, such as using a URL parameter to perform an SQL injection. This technique lets the hacker inject their own SQL into queries against your database, which can allow them to change data (e.g. your password), retrieve data, or delete data (e.g. delete all your posts and pages).
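The URL-parameter injection described above comes down to untrusted input being pasted into an SQL string. The following is an added example, not code from the original post or from WordPress itself: a hypothetical plugin lookup function (the blab_example_* names and the post_id parameter are assumptions) shown first in the injectable form and then hardened with WordPress's own $wpdb->prepare() placeholders. It assumes it runs inside WordPress, where the global $wpdb object exists.

```php
<?php
// Added example: a hypothetical plugin endpoint that looks up a post by a URL
// parameter. The first function shows the injectable pattern; the second is
// the hardened form. Assumes the WordPress global $wpdb is available.

// VULNERABLE: the raw value of ?post_id= is concatenated into the SQL string,
// so whatever the visitor sends becomes part of the query text.
function blab_example_lookup_unsafe() {
    global $wpdb;
    $id  = $_GET['post_id'];                                  // untrusted input
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = " . $id;
    return $wpdb->get_row( $sql );
}

// HARDENED: coerce the input to a non-negative integer and bind it through a
// placeholder, so the database only ever sees an integer where the ID belongs.
function blab_example_lookup_safe() {
    global $wpdb;
    $id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( 0 === $id ) {
        return null;                                          // reject missing or invalid input early
    }
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_status = %s",
        $id,
        'publish'
    );
    return $wpdb->get_row( $sql );
}

// String input that ends up in a LIKE clause needs its wildcards escaped as
// well as being bound, otherwise "%" in the input matches everything.
function blab_example_search_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s",
            $like
        )
    );
}
```

The design point is that prepare() separates the query structure from the data: %d and %s are filled in by WordPress after escaping, so the shape of the query cannot be changed by the value. Casting with absint() on top of that rejects garbage before a query is even built.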

A whopping 51% of attacks were made through a WordPress plugin or theme. Hackers can do things such as insert eval(base64_decode(...)) code, which lets them run arbitrary PHP on your website (e.g. to send spam). They may also leave a backdoor somewhere on your website: a way of getting back in at a later date, even when you believe you have deleted all the malicious files.
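The eval(base64_decode(...)) pattern and similar obfuscated-execution tricks are easy to spot on disk once you know to look. As an added example (not from the original post or any WordPress project), the scanner below walks a directory tree, reports every PHP line matching a small set of such patterns, and leaves the files untouched; it is a review aid, not a cleaner. The sample tree it scans is constructed inside the script so it runs anywhere; the blab_* names are assumptions of the example.

```php
<?php
// Added example: a read-only scanner for obfuscated-execution patterns in PHP
// files. It reports candidates for manual review and modifies nothing.

const BLAB_SUSPICIOUS_PATTERNS = [
    'eval(base64_decode)'     => '/\beval\s*\(\s*base64_decode\s*\(/i',
    'eval(gzinflate)'         => '/\beval\s*\(\s*gzinflate\s*\(/i',
    'eval(str_rot13)'         => '/\beval\s*\(\s*str_rot13\s*\(/i',
    'assert on request data'  => '/\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
];

/**
 * Scan every *.php file below $root (hidden files included) and return the
 * findings as [path, line number, pattern name, trimmed line text].
 */
function blab_scan_for_backdoors( string $root ): array {
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        $lines = file( $file->getPathname(), FILE_IGNORE_NEW_LINES );
        if ( $lines === false ) {
            continue;
        }
        foreach ( $lines as $number => $text ) {
            foreach ( BLAB_SUSPICIOUS_PATTERNS as $name => $regex ) {
                if ( preg_match( $regex, $text ) ) {
                    $findings[] = [ $file->getPathname(), $number + 1, $name, trim( substr( $text, 0, 120 ) ) ];
                }
            }
        }
    }
    return $findings;
}

// --- Demonstration on a constructed sample tree (not a real site) ---
$sandbox = sys_get_temp_dir() . '/blab_scan_demo_' . uniqid();
mkdir( $sandbox . '/plugins/good-plugin', 0700, true );
mkdir( $sandbox . '/uploads', 0700, true );

// A clean file: base64_decode used legitimately, never fed to eval().
file_put_contents(
    $sandbox . '/plugins/good-plugin/good.php',
    "<?php\n\$logo = base64_decode(\$encoded_png);\nfile_put_contents('logo.png', \$logo);\n"
);

// A constructed file in the style of an injected backdoor; the encoded text is
// just the word "dummy". Hidden in uploads/ behind a leading dot, as injected
// files often are, to show the scanner does not skip dotfiles.
file_put_contents(
    $sandbox . '/uploads/.cache.php',
    "<?php\n/* constructed sample */\neval(base64_decode('ZHVtbXk='));\n"
);

foreach ( blab_scan_for_backdoors( $sandbox ) as [ $path, $line, $name, $snippet ] ) {
    printf( "%s:%d  [%s]  %s\n", $path, $line, $name, $snippet );
}

// Remove the constructed sample tree again.
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $sandbox, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ( $cleanup as $item ) {
    $item->isDir() ? rmdir( $item->getPathname() ) : unlink( $item->getPathname() );
}
rmdir( $sandbox );
```

Run it with php against a copy of wp-content to get one line per hit. Expect the occasional legitimate match (some minifiers and caching plugins do use eval), which is why the output is a list to review rather than a list to delete; the good.php file in the demo shows that plain base64_decode on its own is not flagged.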

Last on the list is a weak password. Hackers continue to gain access this way by using automated scripts that guess passwords over and over until they get in, a technique known as brute force.


WordPress Security Best Practices

  • Use good hosting
  • Use security keys
  • Change the table prefix
  • Keep WordPress updated
  • Use only trusted plugins and themes, keep them updated and remove any that are unused
  • Use correct file permissions
  • Turn off error reporting
  • Protect WordPress using .htaccess
  • Disable XML-RPC
  • Use stronger login information
  • Remove the admin user
  • Limit login attempts
  • Adopt a two-step authentication solution
  • Hide your login page
  • Remove the WordPress version number
  • Do not log in to your website on unsecured networks
  • Back up often
  • Scan your website
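Three items in the list above (disabling XML-RPC, removing the version number, and limiting login attempts against the brute-force scripts described earlier) can be done in code without a third-party plugin. The following is an added example, not code from the original post or from WordPress: a single must-use plugin file that uses only documented WordPress hooks (xmlrpc_enabled, the_generator, wp_login_failed, authenticate, wp_login) and transients. The blab_* names, the BLAB_* limits and the mu-plugins placement are assumptions of the example.

```php
<?php
/**
 * Plugin Name: Blab Hardening Example
 * Description: Added example (not from the original post): runtime hardening
 *              for three items from the best-practice list, as a must-use plugin.
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * The BLAB_* constants below are this example's own settings.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

const BLAB_MAX_ATTEMPTS    = 5;        // failed logins allowed per client IP ...
const BLAB_LOCKOUT_SECONDS = 15 * 60;  // ... within this window

/* 1. Disable XML-RPC. The endpoint is a favourite for password guessing and
 *    pingback abuse, and most sites never use it. */
add_filter( 'xmlrpc_enabled', '__return_false' );

/* 2. Remove the version number from the generator meta tag and feeds, so
 *    automated scanners cannot pick out-of-date installs from the HTML. */
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/* 3. Limit login attempts per client IP. Transients expire on their own
 *    after BLAB_LOCKOUT_SECONDS, so the lockout lifts without a cron job. */
function blab_client_key(): string {
    // REMOTE_ADDR is the peer the web server actually saw. Behind a proxy or
    // CDN, have the server fill it from the trusted forwarding header rather
    // than reading X-Forwarded-For here, which any client can set.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'blab_login_fail_' . md5( $ip );
}

function blab_record_failed_login( $username ): void {
    $key   = blab_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, BLAB_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'blab_record_failed_login' );

function blab_block_when_locked_out( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // login form shown, nothing submitted yet
    }
    $count = (int) get_transient( blab_client_key() );
    if ( $count >= BLAB_MAX_ATTEMPTS ) {
        // Generic message: do not reveal whether the username exists.
        return new WP_Error(
            'blab_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
// Priority 30 runs after WordPress's own password checks (priority 20), so a
// locked-out client is refused even if it finally guesses the right password.
add_filter( 'authenticate', 'blab_block_when_locked_out', 30, 3 );

function blab_clear_failed_logins( $user_login, $user ): void {
    delete_transient( blab_client_key() );
}
add_action( 'wp_login', 'blab_clear_failed_logins', 10, 2 );
```

A must-use plugin cannot be deactivated from the dashboard, which is the point: an attacker who obtains an editor-level account cannot switch the protection off. The counter is keyed by IP, so a distributed attack from many addresses still gets BLAB_MAX_ATTEMPTS guesses per address; that is why this sits alongside strong passwords and two-step authentication in the list rather than replacing them.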
