Earlier this month, WP Mayor ran an article about WordPress Security, including the following statistics on the 117,000 WordPress sites hacked in 2013:
41% were hacked via their hosting provider. This means the attackers exploited a vulnerability, or took advantage of an insecure hosting-provider configuration, to break into the WordPress blogs and websites hosted by that provider.
29% were hacked via a vulnerability in the WordPress theme they were using. This means an attacker identified a vulnerability in a theme installed on the WordPress site and, by exploiting it, gained access to the site.
22% were hacked via a vulnerability in a plugin installed on WordPress. As above, this means an attacker exploited a vulnerability in an installed plugin.
8% were hacked because an account on that WordPress installation was using a weak password.
Here are a few tips to prevent each of these types of attack:
Password security
People who use common dictionary words, or easily searched song lyrics or phrases, are at risk of having their passwords cracked. Even people who turn “thequickbrownfox” into “t4equ!ckbr0wnf0#” get their passwords cracked, because cracking tools apply the common letter substitutions to these well-known phrases automatically.
Currently, using a string of unrelated dictionary words, such as XKCD’s famous example “correcthorsebatterystaple,” is one of the most secure methods of password creation. However, users should also add additional security, such as a two-step authentication plugin.
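To put numbers behind the two points above, here is a small Python script I have added (it is not code from the WP Mayor article or from XKCD). It estimates how little a known phrase gains from letter substitutions, by counting the variants a cracking tool would have to try, and compares that with the entropy of a passphrase built from randomly chosen unrelated words. The substitution table, the 12-word sample list and the 7,776-word list size used for comparison are my own assumptions, not figures from the article.

```python
import math
import secrets

# Letter -> symbols a cracking tool would try in its place (assumed table;
# includes the "4"-for-"h" and "#"-for-"x" swaps from the article's example).
SUBSTITUTIONS = {
    "a": ["4", "@"],
    "e": ["3"],
    "h": ["4"],
    "i": ["1", "!"],
    "o": ["0"],
    "s": ["$", "5"],
    "t": ["7"],
    "x": ["#"],
}

# Constructed sample word list. A real generator would use a large list;
# the common diceware list has 7,776 words (assumption, not the page's data).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "quick", "brown",
    "fox", "mayor", "garden", "pencil", "river", "window",
]
DICEWARE_LIST_SIZE = 7776


def substitution_variants(phrase: str, subs=SUBSTITUTIONS) -> int:
    """Number of strings reachable from `phrase` by independently replacing
    each letter with itself or one of its listed substitutions."""
    total = 1
    for ch in phrase.lower():
        total *= 1 + len(subs.get(ch, []))
    return total


def substitution_bits(phrase: str, subs=SUBSTITUTIONS) -> float:
    """Extra work (in bits) that substitutions add on top of guessing the
    base phrase, i.e. log2 of the variant count."""
    return math.log2(substitution_variants(phrase, subs))


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from `list_size` words."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int = 4, words=SAMPLE_WORDS) -> str:
    """Build a passphrase from unrelated random words using the OS CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    phrase = "thequickbrownfox"
    print(f"variants of '{phrase}' a cracker must try: "
          f"{substitution_variants(phrase)} (~{substitution_bits(phrase):.1f} bits)")
    print(f"4 random words from a {DICEWARE_LIST_SIZE}-word list: "
          f"~{passphrase_bits(4, DICEWARE_LIST_SIZE):.1f} bits")
    print("example passphrase (from the tiny sample list):", generate_passphrase())
```

The substituted phrase adds only a handful of bits to a phrase the attacker already has in a list, while four words drawn from a large list give more than 50 bits of genuinely random choice; the sample list here is deliberately tiny, so use a real word list before generating passphrases for actual accounts.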
Plugin security
Plugin security is only as good as the plugin developer. If there is a vulnerability in a plugin, a hacker can use that vulnerability to enter your WordPress site. Only install plugins from developers you trust, like developers you’ve used before or developers who have high ratings or reviews. It’s difficult to judge whether a plugin has vulnerabilities, so you’ll need an additional layer of network security to protect your WordPress site and your computer.
Theme security
Like plugin security, theme security is only as good as the developer. Add a level of protection by only choosing themes listed in WordPress’s theme directory, rather than from random sites found online. However, as with plugins, you won’t really be able to tell if any given theme is vulnerable, so you’ll need an additional level of protection.
Hosting security
Hosting security is difficult because you can’t control the network security of your hosting provider. If they are breached, you’re exposed even though you had no control over it. Nearly all hosting providers are reputable and trustworthy, but they are targets in the same way that banking websites, social media websites, and any other major site relying on a large number of user logins are targets.
Improving your network security
As noted above, it’s difficult to fully control plugin security, theme security, or hosting security. Because of this, consider adding an additional layer of network security as part of an enterprise risk-management approach, backed by threat intelligence. These solutions are especially valuable for businesses that use WordPress as their primary website, or that use a WordPress-hosted shopping cart for sales transactions. Since working with WordPress does carry some risk, it’s your responsibility to manage that risk appropriately.
What about for individuals? If you’re using WordPress simply to host your personal blog, it’s probably enough to use a secure password and make sure that the same password doesn’t unlock other important sites such as your bank account. However, as soon as you start using WordPress to sell merchandise or otherwise promote a brand or business, especially if you use WordPress to collect personal information from customers or fans, you need to start thinking about your network security and considering risk management options.
117,000 WordPress sites got hacked last year. Use these tips to make sure yours isn’t part of this year’s tally.
2 Responses
A series of malware software scans are now available. It really is worth running them occasionally. You might also want to check the files on your server for directories that are inaccessible to you.
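As an added example (my own code, not the commenter’s), here is a Python script that does the directory check the comment suggests: it walks a WordPress install and reports every file or directory the current user cannot read or traverse. The demo tree it builds is constructed in a temporary directory and the directory name “locked” is an assumption for illustration.

```python
import os
import shutil
import stat
import tempfile


def find_inaccessible(root: str) -> list:
    """Return paths (relative to `root`) that the current user cannot read,
    or cannot enter if they are directories. os.walk does not descend into
    unreadable directories, so the directory itself is what gets reported."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.access(path, os.R_OK | os.X_OK):
                flagged.append(os.path.relpath(path, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.access(path, os.R_OK):
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def running_as_root() -> bool:
    """Root bypasses permission bits, so the demo below cannot detect
    anything when run as root; callers can check this first."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


def demo() -> list:
    """Build a constructed tree with one readable and one mode-000 directory,
    audit it, restore permissions and clean up. Returns the flagged paths."""
    base = tempfile.mkdtemp(prefix="wp-audit-")
    locked = os.path.join(base, "locked")
    try:
        os.makedirs(os.path.join(base, "wp-content", "uploads"))
        with open(os.path.join(base, "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.makedirs(locked)
        os.chmod(locked, 0)  # nothing (but root) can read or enter it
        return find_inaccessible(base)
    finally:
        os.chmod(locked, stat.S_IRWXU)  # restore so cleanup succeeds
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("flagged in demo tree:", demo())
    # Real use: python audit.py /var/www/html  (path is an assumption)
```

Run it as the same unprivileged user the web server runs as, and investigate any path it lists: a directory you cannot enter under your own account is either a misconfiguration or something placed there by someone else.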
Very nice! 🙂