Here at Electric Enjin, our CMS of choice is Craft because of its flexibility, security, and ease of use for both clients and developers. Many of our clients, however, use WordPress because it is an extremely popular CMS. Its numbers have dwindled since its prime, but it still powers 32% of all websites on the web. That popularity makes WordPress a common target for attackers. We have seen the largest number of attacks between 2007 and 2013, when WordPress was experiencing tremendous growth, and as the CMS giant ages, more and more vulnerabilities are bound to appear. One study of the 42,106 WordPress websites found among Alexa's top million sites reported that:
- 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
- 73.2% of the most popular WordPress installations have vulnerabilities that can be detected using free automated tools.
While it's important to stress that no software is unhackable or bug-free, there are steps a site owner can take to make a site considerably harder to compromise. Today we will go through some pointers on how to make your site less prone to attack if you choose to stay on WordPress.
The first point is to keep your site up to date. WordPress core applies minor and security releases automatically, but major releases need your permission. A very important update coming up is the PHP version your site runs on. As of December 2018, PHP 5.6 and PHP 7.0 no longer receive security updates, and the PHP version is not something WordPress can change for you, so it has to be upgraded by you or your host. Any vulnerability in those versions will simply not be patched. According to WordPress's official statistics, a whopping 57.1% of all WordPress sites may be at risk. Just as important, keeping plugins and themes updated reduces breaches. Some of the biggest WordPress hacks have come through a plugin whose third-party developer did not follow good security practices. Plugin and theme updates are typically not applied automatically, so you need to be diligent about checking for them. It is also important to entirely remove, not just deactivate, any plugins or themes you no longer use: a deactivated plugin's files are still on the server and still reachable from the web, which gives attackers more ways into your site.
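The three chores above can be automated from inside WordPress. The following must-use plugin is an added example written for this article, not code from Electric Enjin or from WordPress itself: it opts every plugin and theme into background updates, shows administrators a notice when the server's PHP version is below a threshold, and lists installed-but-inactive plugins that should be deleted. The threshold `EE_PHP_MIN_VERSION` and the `ee_` function names are assumptions made for this example; the filters and functions it calls are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Update hygiene (added example, not Electric Enjin code)
 * Description: Opt plugins and themes into background updates, warn on an
 *              end-of-life PHP version, and flag inactive plugins for removal.
 *
 * Save as wp-content/mu-plugins/ee-update-hygiene.php so it cannot be
 * deactivated from the dashboard. The version threshold below is an
 * assumption for this example, not a WordPress default.
 */

defined('ABSPATH') || exit;

const EE_PHP_MIN_VERSION = '7.1'; // 5.6 and 7.0 lost security support in December 2018

// 1. Let WordPress apply plugin and theme updates in the background.
//    These filters have existed since WordPress 3.7; __return_true opts in
//    every plugin and theme. Return false for a specific item to exclude it.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// 2. Warn administrators when the server runs an unsupported PHP version.
function ee_php_version_is_supported(string $version = PHP_VERSION): bool
{
    return version_compare($version, EE_PHP_MIN_VERSION, '>=');
}

add_action('admin_notices', function () {
    if (ee_php_version_is_supported() || !current_user_can('update_core')) {
        return;
    }
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html(sprintf(
            'This site runs PHP %s, which no longer receives security fixes. Ask your host to upgrade to %s or newer.',
            PHP_VERSION,
            EE_PHP_MIN_VERSION
        ))
    );
});

// 3. List installed plugins that are not active: each one is code an attacker
//    can still reach over the web even though nothing on the site uses it.
function ee_inactive_plugins(): array
{
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = [];
    foreach (get_plugins() as $file => $data) {
        if (!is_plugin_active($file)) {
            $inactive[$file] = $data['Name'];
        }
    }
    return $inactive;
}

add_action('admin_notices', function () {
    if (!current_user_can('delete_plugins')) {
        return;
    }
    $inactive = ee_inactive_plugins();
    if ($inactive === []) {
        return;
    }
    echo '<div class="notice notice-warning"><p>Inactive plugins that should be deleted, not just deactivated:</p><ul>';
    foreach ($inactive as $file => $name) {
        printf('<li>%s (%s)</li>', esc_html($name), esc_html($file));
    }
    echo '</ul></div>';
});
```

Because the file lives in mu-plugins it loads on every request and has no deactivate link, so a compromised or careless administrator cannot switch the policy off from the dashboard. The PHP version itself still has to be changed at the hosting level; the notice only makes the problem visible to the people who can ask for that change.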
Something that is easy to change, but people often neglect, is the login information. The number of stories my lead developer has told me about users leaving their login as the default "admin" is mind-boggling. At that point, you don't even have to be a hacker to gain access to your online domain. It's like locking your screen door with no screen: a break-in becomes a matter of when, not if. A long, unique password, the kind that scores at or near a perfect 100 on password-strength checkers, puts a high-quality bolt on your door, and turning on two-factor authentication adds a second one. If you want to be more diligent, create and delete a few accounts right after installation so that the real administrator is not user ID 1; attackers guess that ID when they probe for usernames, for example by requesting ?author=1, which WordPress redirects to the author's archive and thereby reveals the login name. There are also plugins that log what each user does once they have logged on to your site.
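Password guessing only works if the attacker can keep guessing and knows which usernames to guess. The plugin below is an added example written for this article, not Electric Enjin's or WordPress's own code: it locks an address out after repeated failed logins and closes the two usual username-discovery routes (the ?author=N redirect and the public REST users endpoint). The lockout limits and the `ee_` names are assumptions chosen for the example; the hooks it uses are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not Electric Enjin code)
 * Description: Lock out an address after repeated failed logins and stop
 *              the two common username-discovery tricks (?author=N and the
 *              REST users endpoint). The limits below are assumptions.
 */

defined('ABSPATH') || exit;

const EE_MAX_FAILURES    = 5;   // failed attempts allowed per window
const EE_LOCKOUT_SECONDS = 900; // 15 minute window and lockout

// The counter is keyed by client address. Behind a reverse proxy or CDN
// REMOTE_ADDR is the proxy, so populate it from the proxy's header first
// or every visitor will share one counter.
function ee_lockout_key(): string
{
    return 'ee_login_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// Count every failed attempt; the transient expires with the window.
add_action('wp_login_failed', function () {
    $key   = ee_lockout_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, EE_LOCKOUT_SECONDS);
});

// A successful login clears the counter so a typo does not punish a real user.
add_action('wp_login', function () {
    delete_transient(ee_lockout_key());
});

// Refuse authentication while the address is locked out. Returning a WP_Error
// from the authenticate filter is how WordPress expects a plugin to block a login.
// Priority 30 runs after the core username/password checks at priority 20.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(ee_lockout_key()) >= EE_MAX_FAILURES) {
        return new WP_Error(
            'ee_locked_out',
            'Too many failed logins from this address. Try again later.'
        );
    }
    return $user;
}, 30, 1);

// /?author=1 is redirected by redirect_canonical() to /author/<username>/,
// handing out the login name of user ID 1. Priority 1 runs before that
// redirect (priority 10) so anonymous visitors are sent home instead.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 1);

// /wp-json/wp/v2/users lists usernames to anyone. Remove the routes for
// anonymous requests; logged-in users (and the editor) still get them.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

Two caveats. The author redirect disables public author archives, so leave that hook out on a multi-author blog that relies on them, and remember that usernames still appear wherever the theme prints author links. The lockout keyed on IP address slows a single attacker down; a distributed guessing campaign is better stopped by the strong, unique password and the second factor discussed above, which this plugin does not replace.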
Another thing to be aware of is how WordPress files are laid out. The public folder of a website serves its static assets: images, stylesheets, and static pages that are meant to be shared with the world wide web. Sensitive material such as configuration files, credentials, and application logic would normally not live at this level. With WordPress, however, all of the files, wp-config.php included, sit inside the public directory, which makes it easy for attackers to expose your folder structure, configuration files, and other sensitive information when the web server is not configured carefully. You can test one kind of exposure yourself by adding /wp-content/uploads/ to the end of your site's address, like fakesite.com/wp-content/uploads/. If directory listing is enabled, you will see a browsable index of everything you have ever uploaded instead of a 403 Forbidden page. Along with wp-includes and wp-login.php, these exposures can be fixed with a few lines in your web server configuration, which on Apache means the .htaccess file (nginx ignores .htaccess, so the equivalent rules go in its server block). WordPress also lets you move wp-config.php one directory above the web root, where the web server cannot serve it at all. If you have FTP/SFTP access to your site you can make these adjustments yourself, or ask your developer to make them.
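An Apache 2.4 .htaccess for the WordPress root that closes the holes just described, added here as an example rather than taken from Electric Enjin's or WordPress's own configuration. The office address 203.0.113.10 is a placeholder from the documentation range; the wp-includes rewrite rules follow the pattern in the WordPress hardening guide. Check each rule on a staging copy first, because a typo in .htaccess takes the whole site down with a 500 error.

```apache
# Added example for Apache 2.4 (.htaccess in the WordPress root), not Electric
# Enjin's configuration. nginx ignores this file; put equivalent rules in the
# server block there.

# 1. Never list directory contents (/wp-content/uploads/ and friends return 403)
Options -Indexes

# 2. Keep configuration, log and version-revealing files off the web entirely
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt|error_log|debug\.log)$">
    Require all denied
</FilesMatch>

# 3. Block direct requests to PHP files inside wp-includes and wp-admin/includes;
#    the site loads them internally, so nothing legitimate requests them by URL
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# 4. Only allow the login page from a known address (203.0.113.10 is a placeholder).
#    Drop this block if administrators log in from changing locations.
<Files wp-login.php>
    Require ip 203.0.113.10
</Files>
```

One more file is worth adding: a separate .htaccess inside wp-content/uploads/ containing only `<FilesMatch "\.php$"> Require all denied </FilesMatch>`. Uploads are meant to be images and documents, never code, and a PHP file that an attacker manages to get into that folder is the classic way a plugin flaw turns into full control of the site. That rule must live in the uploads directory and not in the root file, where it would block every PHP file on the site.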
A more complicated subject is attacking a site through SQL injection and cross-site scripting (XSS). Wherever input is accepted, such as a form field or a URL parameter, an attacker may supply text that the application ends up treating as code: SQL injection turns the input into part of a database query, and XSS turns it into script that runs in other visitors' browsers. Such injected code can read or modify the database, steal session cookies and sensitive account information, deface the site, and much more. Browsers enforce the same-origin policy, which stops one site's scripts from reading another site's data, but it is no defence here: an injected script runs as part of your own site's origin, so the browser trusts it. The way to prevent these attacks is to have a developer validate the data coming into the application, pass values into database queries as bound parameters rather than by pasting them into the query text, and escape data on its way out to the page. For example, a telephone field should accept only digits, not arbitrary text, and whatever it contains should reach the database as a parameter and be escaped before it is displayed. As with anything, it is important to know these risks exist, and you should speak with your developer about implementing these fixes.
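To make the telephone-field example concrete, here is a small contact-lookup form for WordPress written the vulnerable way and then the safe way. It is an added example for this article, not code from Electric Enjin or from any plugin; the table name `{$wpdb->prefix}ee_contacts`, the shortcode name and the `ee_` function names are assumptions. The WordPress functions it relies on (`$wpdb->prepare`, `sanitize_text_field`, `esc_html`, `esc_attr`, the nonce helpers) are standard.

```php
<?php
/**
 * Added example, not Electric Enjin code: a phone-number lookup handler for
 * WordPress, first written the vulnerable way and then hardened. The table
 * {$wpdb->prefix}ee_contacts and the [ee_lookup] shortcode are assumptions.
 */

defined('ABSPATH') || exit;

// VULNERABLE: the phone value goes straight into SQL and straight back into HTML.
// Submitting   ' OR '1'='1   returns every row in the table, and submitting
// <script>...</script> runs in the browser of everyone who views this page.
function ee_lookup_vulnerable(string $phone): string
{
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT name FROM {$wpdb->prefix}ee_contacts WHERE phone = '$phone'"
    );
    $out = "<p>Results for $phone</p><ul>";
    foreach ($rows as $row) {
        $out .= "<li>{$row->name}</li>";
    }
    return $out . '</ul>';
}

// Validate the input: a phone number is digits with an optional leading +,
// nothing else. Separators people type (spaces, dashes, parentheses) are dropped.
function ee_normalize_phone(string $raw): ?string
{
    $phone = preg_replace('/[\s().-]/', '', sanitize_text_field($raw));
    return preg_match('/^\+?[0-9]{7,15}$/', $phone) ? $phone : null;
}

// HARDENED: reject anything that is not a phone number, bind the value with
// $wpdb->prepare so it can never alter the query, and escape on output.
function ee_lookup_safe(string $raw): string
{
    global $wpdb;
    $phone = ee_normalize_phone($raw);
    if ($phone === null) {
        return '<p>Please enter a valid phone number.</p>';
    }
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT name FROM {$wpdb->prefix}ee_contacts WHERE phone = %s",
            $phone
        )
    );
    $out = '<p>Results for ' . esc_html($phone) . '</p><ul>';
    foreach ($rows as $row) {
        $out .= '<li>' . esc_html($row->name) . '</li>';
    }
    return $out . '</ul>';
}

// [ee_lookup] renders the form and, on submit, calls the safe handler. The nonce
// ties the submission to a form this site issued, so another site cannot make a
// logged-in visitor's browser submit it on their behalf.
add_shortcode('ee_lookup', function (): string {
    $html = '<form method="post">'
        . wp_nonce_field('ee_lookup', 'ee_lookup_nonce', true, false)
        . '<input type="tel" name="phone" value="'
        . esc_attr(wp_unslash($_POST['phone'] ?? ''))
        . '"><button type="submit">Search</button></form>';

    if (isset($_POST['phone'])
        && wp_verify_nonce($_POST['ee_lookup_nonce'] ?? '', 'ee_lookup')) {
        $html .= ee_lookup_safe(wp_unslash($_POST['phone']));
    }
    return $html;
});
```

Notice that the hardened version does all three things from the paragraph above, and each one guards a different attack: the regular expression rejects malformed input, `$wpdb->prepare` makes the query immune to injection even if validation were loosened later, and `esc_html` on output means that even a name stored in the database by some other, buggier code cannot become script on this page.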
If managing these areas of your site is already giving you anxiety, have no fear! There are more streamlined solutions to your security needs in the form of managed WordPress hosting. Companies like WP Engine, Bluehost, and DreamHost specialize in WordPress sites and manage the platform for you: core updates, file backups, server maintenance and configuration, with expert support if you have questions. Most offer uptime guarantees, giving you peace of mind to focus on other areas of your business. Do check what each host does about plugins and themes, since that varies, and remember that your account passwords are always your responsibility. If you have high traffic or an online business that can't afford to go down, it may be worth shelling out a few extra bucks to put these safeguards in place.
If you are running a physical store and the lock on the back door is rusted out or a window is broken, you would fix it immediately. Most people understand the urgency of fixing real-world security issues; that same urgency is often missing when it comes to their online domain. You should take the steps to protect your online store and digital presence as seriously as protecting your physical home or store. The exposures caused by not following best practices can be very damaging, yet they are very preventable. You would never leave a file cabinet of business records by the front counter, so why not take the necessary steps to protect it online? There are basic security practices that people still don't follow, like choosing a strong password or keeping their firewall up to date. If you are still on WordPress, hopefully this gives you a better understanding of the basic steps to follow to keep your online domain secure.