How WordPress are being hacked?
WordPress is the most popular CMS in the market. Starting from an individual blogger to small and medium enterprises, everyone uses WordPress, and unfortunately, WordPress has vulnerabilities too. Did you know, more than half of the websites are not secure? There are millions of attacks happening on the internet every single day. Among them, many are targeted at WordPress itself.
We are going to see here an in-depth comparison of how WordPress websites are being hacked and we will also see a couple of interesting things that you probably didn’t know about.
So, let’s start with the first question you might be having.
Share this infographic on your website:
<a href="https://www.wpaos.com/2020/05/08/how-wordpress-websites-are-being-hacked/" target="_self"><img src="https://www.wpaos.com/wp-content/uploads/2020/05/WordPress-Hacked.png" alt="WordPress Website Hacked" height="6079" width="1240"></a>
Isn’t WordPress the most secure CMS?
When you are comparing different CMS or comparing CMS with core websites, you might have read that WordPress is the most secure CMS. So, the point is that if it is the most secure software, how can it be hacked?
Well, WordPress's core files are secure enough to stop most of the attacks. However, as there are many new vulnerabilities found regularly, there is no software/script on the entire internet that is fully secured. Everything can vulnerable at some point.
However, the WordPress community is active and whenever such things happen, they provide a security update to secure it.
But that’s not the reason why WordPress websites are being hacked. No doubt, core files are secure but what about the themes and plugins you use? All the themes and plugins are provided by third-party developers or companies. Attackers usually target WordPress plugins and themes to compromise the entire website.
Most of the websites get compromised due to the vulnerability in the plugin or theme. Let’s understand it more about it by breaking it down.
We will first see the biggest treats of WordPress where we will cover the main reason on WordPress websites being hacked. Later on, we will proceed to the next section.
How WordPress websites are hacked?
The biggest threats to WordPress websites do not core files and not even hosting provider. It’s plugins that are the biggest threats to the website.
Let’s break down the graph to see the biggest threats of WordPress. These are the primary reasons on how WordPress websites are being hacked. We will also see how you can stop this from happening.
The list is ranked from the biggest threats to the lowest.
- Plugins have the highest amount of threats in the entire WordPress ecosystem. More than 55% of websites are vulnerable due to the plugins.
- The next one is brute force attacks. There are almost 20% of websites vulnerable due to brute force.
- Less than 10% of the websites are vulnerable due to the core files.
- The next biggest threat is the theme. However, there are less than 10% of the websites vulnerable due to themes
- The same goes for hosting providers.
- The next biggest threat is file permissions. Incorrectly giving file permissions has made roughly 5% of websites vulnerable to attacks
- The next is the list is old files. The percentage ratio is almost the same as the file permissions
- You might also want to make sure you only share a password with known ones because the 8th biggest threat is password theft.
- Less than 5% of the websites are vulnerable to Workstation.
- Although everyone is aware of it still there are 2% of the websites compromised due to phishing.
- Insider attacks are in the 11th position
- The server is the issue for roughly 1.5% of the websites.
- The last threat is FTP. Roughly 1% of the websites are vulnerable due to weak FTP.
Common WordPress vulnerabilities and attacks
If you are wondering what are the most used attacks, you are in the right place. Here, we are going to see the most used attacks.
These are the common vulnerabilities due to which the website gets compromised. We will also see how you can fix those later on.
These are the common attacks that happen on the WordPress website. So, if you secure your website from these attacks, you are almost secured.
- Old WordPress versions
- Cross-site scripting
- Old PHP version
- DDoS attacks
- SQL Injection
So, you need to secure your website from these attacks. In fact, in most of the cases, it’s either XSS or it’s because of the older version of WordPress core files, themes, and plugins.
Therefore, this should be the top reason you should secure your website.
You surely might be thinking that is your website secure enough? Well, lucky for you, we will see the number and some stats about the total websites that are risky. With that numbers, you can determine whether your website falls in the category or not.
It covers the overall websites that are at a security risk. We will then cover how you can get out of the danger zone and keep yourself secure. It will cover the security steps you should follow.
Is your website secure?
Now, the point comes to you. Is your website secure from the vulnerabilities?
You surely might be using many plugins on your website. In the same way, you will be using an amazing popular theme fr your WordPress website. The question is that is this secure?
Well, let’s break it down to let you know about the ratio.
More than 87% of the websites have a high or at least medium security risk or vulnerability. 87 is a huge number. So, chances are your website might also be included in this number.
Also, a survey says that roughly 68% of the total sites don’t have any recovery plan. So, in case their website is compromised, it will take months to recover and get the full websites running. Your data might also be lost if you don’t have proper regular backups.
So, what is causing these security loopholes?
More than 73% of the websites have not updated the plugins/themes or core WordPress version that has a vulnerability. In other words, more than 73% of the websites are vulnerable just because they haven’t updated the software.
If these are the numbers, you might have got the idea that your website might also be vulnerable to any of these, right?
Don’t worry, we will soon see some of the important things you can do to prevent your website from getting compromised or hacked. We will see some of the dos and don’ts to secure your website easily.
Before that, we will see some of the vulnerability comparisons over the years. In simpler words, we will compare the vulnerability of WordPress with other CMS as well as with previous years.
We will also see a glance at WordPress vulnerabilities compared with other CMS websites.
Comparing WordPress Vulnerabilities
As WordPress is the number one CMS in the market, it invites a lot of Vulnerabilities. Not only the popularity of WordPress grew over the years, but also the vulnerability of WordPress grew a lot.
At first, due to the less popular, there were fewer security risks but now there are a lot of risks with WordPress. There is no way to stop this as more and more plugins are developed, the attackers will always find a way to attack the website.
That’s the main reason why you are seeing regular updates of WordPress websites, themes, and even the core files. The updates make sure that everything is secure.
Let’s go back to 2017.
The vulnerability ratio was too low in the year. There were roughly 350 vulnerabilities found in the year.
Whereas if you compare it with other CMS, WordPress had the highest amount of vulnerabilities.
Joomla stood second in the list without less than 100 vulnerabilities, followed by Drupal and Magento with an almost similar amount of vulnerability.
However, in 2018, the popularity of WordPress increased a lot. In the same way, the number of vulnerabilities also increases by 30%. There were more than 500 vulnerabilities in the year 2018. In the same way, there were more than 150 vulnerabilities in Joomla. Drupal had the lowest amount of vulnerabilities in 2018, Magento still had more than 130 security risks.
In 2019, the risks increased in all the platforms. If you compare it with the numbers, WordPress was still the highest.
On the positive side, all the vulnerabilities were fixed in no time and an update was given. So, if you keep the plugins, themes, and the WordPress core files updated, you are at a very lower risk.
How to secure your website?
Now, we will see some of the steps to secure your website and keep everything under control.
It will cover all the dos and don’ts in this. We will first see some of the steps you can take from the technical/backend side. In simpler words, it has something to do with installing the plugin and things like that. Later on, we will also see some of the steps you need to take as an admin of the website. So, you can secure your website easily. Also, if you have given the website to maintenance service, you can simply forward them this article.
Security from backend/developer side
These are the steps you can take from the backend side or the developer side.
- Keep the WordPress version up to date. Whenever there is a new version available, always update it. If possible, keep the auto-update on.
- In the same way, keep the plugins and themes updated.
- Always choose the best and the most secure hosting provider
- If you are not using plugins or themes, you can simply remove them
- Never change WordPress core files unless you know what are you doing
- Always install themes and plugins from trusted and official sources. If you have purchased a plugin, always update it.
- Enable Google search console
- Limit the login attempts on your website to prevent brute force
- Update the PHP version
- Change the admin username. Don’t keep it “admin”.
- Install a good security plugin to safeguard your website
- Always run a regular security or vulnerability scan to monitor the website
- Purchase an SSL certificate to enable HTTPS on your website
- Have a proper backup and regular backups of your website. It is useful just in case something goes wrong.
- You can also change the admin login URL for better security
Admin side security
If you run the website, you should make sure that you follow all these steps.
- Use a strong password. The best type of practice is using uppercase and lower case both in the password. Also, along with this, you should use the numbers and special characters to keep the password secure.
- Never reuse the same password again
- Change your password regularly. It is recommended that you should change your admin’s password every six months. Make sure you follow the first step while you are setting the password every six months. It will keep you safe.
- Always check the website’s URL before you login.
- Never share the admin login URL with anyone
- Don’t use “admin” username
- Use local antivirus on your system
- Don’t log in to WordPress from public wifi networks or networks that are not familiar to you. They might steal your data from the network.
- If you handle the hosting account, also make sure that the password is secure there. Keep it different from the WordPress panel. The password of your hosting account and WordPress should be different. Change the passwords regularly at both of these places.
These will keep you secure.
To conclude, this was all about WordPress and it’s security. We saw how WordPress websites are being hacked where we saw the common attacks and due to which reason your website is vulnerable. The stats will help you know the current vulnerabilities and the reasons why attacks are happening and the steps will help you to secure the website. Make sure you follow all the things mentioned in the last section to secure your website. You should also monitor your website to keep an eye on it especially if you have an eCommerce website, Membership website, or any other website that has a payment gateway in it.
Why Website Maintenance is Important?
Importance of website maintenance is always the question for any business, regardless of its size. Owning a website is just like owning a brand new car.