WordPress is a convenient, open-source platform for publishing and managing content, and the most popular one. Because of its enormous popularity, this CMS has become a honeypot for intruders. Unfortunately, its default settings do not provide sufficient protection and leave many well-known holes unclosed. Although its built-in security is rather good and WordPress sites are sometimes much better protected than their “brothers and sisters”, there are still vulnerabilities that hackers can benefit from.
According to statistics, more than 5,500 WordPress sites are infected with viruses, Trojans, backdoors, and blackhat SEO (spam links). These infections can cost the owner enormous amounts of labor to bring the site back to normal, let alone the money spent and the damage to search engine ranking.
In this post, we will talk about the most common WordPress threats, how to avoid them and how to fix them if they break through your system.
Brute Force Attack
While site owners focus on preventing attacks on software, they overlook the threat hanging over their passwords. It is reckless to underestimate the damage that brute force attacks can do. Using botnets and automated tools, hackers try numerous combinations in order to guess what your password is.
Despite many warnings, people still do not like long passwords. Moreover, by default WordPress allows an unlimited number of login attempts, which makes it possible for a bot or a person to try thousands of combinations per second. Therefore, cybercriminals can break into a site via its admin page even without sophisticated software.
What to do?
The best way to protect your site's login from a brute force attack is to add a layer of security to the admin page. It is quite easy to do. First, you need a complex password. Forget passwords like “1234qwerty”, “mypassword” or “john1988” – they are low-hanging fruit for every bot on earth. Use a password manager to generate and store strong passwords, for example LastPass, Dashlane or Onesafe.
Moreover, it is good practice to install a plugin that locks an IP address out of your website after it tries many passwords in a short time. For example, the Limit Login Attempts Reloaded plugin does this well for WordPress sites.
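To show what such a lockout does under the hood, here is a small illustrative plugin written for this post (it is not the code of Limit Login Attempts Reloaded or of WordPress itself). It assumes a policy of 5 failed attempts per 15-minute window and keys the counter on REMOTE_ADDR; the hooks used (wp_login_failed, authenticate, wp_login) and the transient API are standard WordPress.

```php
<?php
/*
Plugin Name: Example Login Throttle
Description: Illustrative lockout of an IP after repeated failed logins.
*/

// Assumed policy: 5 failures within 15 minutes lock the client out for the rest of the window.
define( 'EXAMPLE_LT_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LT_WINDOW', 15 * MINUTE_IN_SECONDS );

// One transient per client address. REMOTE_ADDR is only the real client when no
// reverse proxy or CDN sits in front of PHP; behind one, use the address it passes on.
function example_lt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lt_' . md5( $ip );
}

// Count every failed login (wrong password and unknown username alike).
// Re-arming the transient also extends the window while attempts keep coming.
function example_lt_record_failure( $username ) {
    $key      = example_lt_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, EXAMPLE_LT_WINDOW );
}
add_action( 'wp_login_failed', 'example_lt_record_failure' );

// Runs after core's own username/password checks (priority 20), so a locked-out
// client gets the same error whether or not it guessed correctly.
function example_lt_check( $user, $username, $password ) {
    if ( (int) get_transient( example_lt_key() ) >= EXAMPLE_LT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lt_check', 99, 3 );

// A successful login clears the counter for that address.
function example_lt_clear( $user_login, $user ) {
    delete_transient( example_lt_key() );
}
add_action( 'wp_login', 'example_lt_clear', 10, 2 );
```

The counter is stored in the options table (or the object cache, if one is configured), so the lockout survives across PHP processes but does not protect XML-RPC or REST endpoints that bypass the authenticate filter chain.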
There is another threat concerning password attacks that I must warn you about: public Wi-Fi. Never use free public hotspots for administrating your site. If you have no alternative and a free hotspot is the only way, make sure that your connection is encrypted. The best way to do that is to use a Virtual Private Network. Finding an ideal VPN for your purposes is not as easy as it seems, so it is better to carry out an “investigation” and read numerous reviews (you can find those on Cooltechzone).
SQL Injection
Nowadays, SQL injection is the second most popular technique for cracking a site's database (the winner is Cross Site Scripting (XSS)). Resulting from loopholes in the backend code, SQL injection allows a cybercriminal to use input fields to insert malicious input that executes SQL commands: deleting, updating or retrieving content, as well as creating new content with malicious links.
Hackers use these input fields as entry points for SQL-injections:
- contact forms;
- feedback fields;
- site searches;
- sign up forms etc.
As you may know, almost every website has at least one of those entry points. Moreover, such attacks require little technical sophistication to exploit.
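Here is what the hole looks like in plugin code, with the vulnerable form beside the hardened one. This is an added example written for this post, not code from WordPress or any plugin; it assumes a hypothetical shortcode that lists posts matching a visitor-supplied "q" parameter, i.e. the site-search entry point listed above.

```php
<?php
// VULNERABLE: the visitor's text is concatenated straight into the SQL string.
// A single quote in the input ends the string literal and the rest of the
// input is parsed as SQL, so the query's meaning is no longer under our control.
function example_search_posts_unsafe( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = 'publish' AND post_title LIKE '%" . $term . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED: $wpdb->prepare() binds the value as a parameter (%s / %d placeholders),
// and esc_like() escapes % and _ so the input cannot widen the LIKE pattern either.
function example_search_posts_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d",
        $like,
        20
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical [example_search] shortcode wiring the hardened query to the request.
function example_search_shortcode() {
    // Unslash and sanitize the raw GET value before it reaches the query layer.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term ) {
        return '';
    }
    $out = '<ul>';
    foreach ( example_search_posts_safe( $term ) as $row ) {
        // Output is escaped as well; that is the XSS side of the same input.
        $out .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
              . esc_html( $row->post_title ) . '</a></li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'example_search', 'example_search_shortcode' );
```

Sanitizing the input is not what stops the injection; the parameter binding in prepare() is, which is why every dynamic value goes through a placeholder rather than into the string.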
What to do?
In order to minimize the risk of getting hacked you need to follow some common practices. It is no secret that it is better to avert trouble than to repair the damage. Fortunately, there are a lot of tools that scan your WordPress site for injection and other vulnerabilities (WordPress Security Scan and WPScan are the top-rated ones). All you have to do is enter the URL of your site in the field, and the tool will discover whether your website has been attacked by intruders or not.
It is always advisable to hide your WordPress version. Knowing the version of your CMS, hackers can exploit its known vulnerabilities for their benefit.
Last but not least, keep everything updated, including WordPress themes, plugins and core. As WordPress stats show, only 34.7% of people use the latest 5.2 version of this CMS.
Cross Site Scripting (XSS)
In comparison with SQL injection, XSS attacks do not pose a threat to the server itself but to the users of the infected site. However, if an attacker gets the admin's cookies, he can access the control panel of the site and its contents.
What to do?
In order to prevent cross site scripting, you have to validate all the data provided by users. Here are some tips:
Never include raw request parameters such as $_GET, $_POST and $_COOKIE in the output HTML. Plain text should be processed with htmlspecialchars(), an image's alt attribute with addslashes(), and URLs with urlencode().
Do not allow arbitrary files to be uploaded to the server; otherwise a user will be able to place malicious scripts and HTML pages on it. Files uploaded by users should be stored in the database, not in the file system.
Do not open suspicious links or emails even if they seem solid and official.
The wider the functionality of the site, the more XSS vectors have to be considered in order to keep the site secure.
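The first tip in practice: an added example (not from the article or from WordPress) that renders a hypothetical profile card from form input, first the way that causes XSS and then with each value escaped for the context it lands in. It assumes WordPress's own escaping helpers esc_html(), esc_attr() and esc_url(); the plain-PHP function at the end uses the htmlspecialchars()/urlencode() calls mentioned above.

```php
<?php
// VULNERABLE: $_POST values are echoed straight into the page. A name containing a
// <script> tag, or an attribute value containing a closing quote, runs in every
// visitor's browser, and a javascript: URL runs on click.
function example_profile_card_unsafe() {
    return '<div class="card" title="' . $_POST['name'] . '">'
         . '<img src="/avatar.png" alt="' . $_POST['alt'] . '">'
         . '<a href="' . $_POST['url'] . '">' . $_POST['name'] . '</a></div>';
}

// HARDENED: every value is escaped for the exact context it is inserted into.
//   esc_html()  - text between tags
//   esc_attr()  - inside a quoted attribute (the alt/title case above)
//   esc_url()   - href/src; also rejects javascript: and other unsafe schemes
function example_profile_card_safe( array $input ) {
    $name = sanitize_text_field( wp_unslash( $input['name'] ?? '' ) );
    $alt  = sanitize_text_field( wp_unslash( $input['alt'] ?? '' ) );
    $url  = wp_unslash( $input['url'] ?? '' );

    return '<div class="card" title="' . esc_attr( $name ) . '">'
         . '<img src="' . esc_url( get_template_directory_uri() . '/img/avatar.png' ) . '"'
         . ' alt="' . esc_attr( $alt ) . '">'
         . '<a href="' . esc_url( $url ) . '">' . esc_html( $name ) . '</a></div>';
}

// Plain-PHP equivalent of the escaping step for code that runs outside WordPress.
// ENT_QUOTES matters: without it a single quote survives and breaks out of
// single-quoted attributes. urlencode() is for one value inside a query string,
// not for a whole href, which still needs a scheme check.
function example_escape_plain( $text, $query_value ) {
    return array(
        'text'  => htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' ),
        'query' => urlencode( $query_value ),
    );
}
```

Escaping belongs at the point of output, not at the point of input, because the same stored value may end up in HTML text, an attribute and a URL, each with different rules.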
There is no 100% reliable way to protect a WordPress website. An experienced hacker can always find a way to break into the system; the vulnerability can be in the core, a theme or a plugin. But by applying these recommendations you will be able to minimize the risk and protect your site and business.
Have you ever experienced a WordPress attack? How did you repel it? Tell us about it in the comments below; it would help other WordPress users.