WordPress is one of the most popular content management systems in the world. It started out as a blogging platform for posting updates but has since morphed into a huge platform with many capabilities, from hosting a normal website to running an e-commerce one using WooCommerce. As WordPress wasn’t originally meant for this, it has been re-engineered with new plugins to make it capable of suiting almost any website owner’s needs, but this also leaves it more susceptible to attacks. If you make your living from your website, you need to ensure it is as secure as possible by having a cyber incident response plan in place in case anything should happen. We’ll have a look at some of the most common threats to WordPress websites below.
Brute Force Attacks
These are very common on WordPress websites, as all they require is easy access to the user login page. Once there, a hacker can run a brute force attack, which essentially tries thousands of different combinations until it finds the right username and password. Unfortunately, most people who use WordPress tend to leave their login page as /wp-admin and their username as ‘admin’, so a lot of the hard work is already done and the hacker just needs to work out the password. Always use a custom username, change the login URL and use strong alphanumeric passwords with special characters.
Plugin and Theme Vulnerabilities
As we mentioned at the start, WordPress utilises a large number of plugins to enable it to perform functions that it wasn’t originally intended to perform when it was created. One of the biggest threats comes from insecure or outdated plugins and themes, as they can have vulnerabilities that attackers can exploit to gain control of your site. It is essential that you keep all plugins and themes up to date.
Cross-Site Scripting (XSS)
This is where an attacker injects malicious scripts into vulnerable areas of a WordPress site, such as a comments section, a contact form or search fields. After this, when a user accesses the affected pages, the scripts will execute and compromise their browser, potentially stealing sensitive information in the process.
Malware
This is perhaps one of the most serious forms of attack, as it can lead to data theft, which puts not only your own but also your customers’ personal information at risk. A malware infection can happen in many different ways, but you are at particularly high risk if you have file upload functionality on your site. Attackers can upload malicious files that execute code or perform unauthorised actions. Malware can also be uploaded via plugin and theme vulnerabilities so, as we mentioned previously, always ensure they are up to date. One of the best things you can do, aside from ensuring everything is up to date, is to install plugins that offer malware scanning, firewall protection and brute force prevention. Also back up your website regularly so that if the worst should happen and you lose access, you can contact your hosting provider, get the site deleted from the server and start again from your backup.