WordPress has been one of the leading content management systems (CMS) for more than a decade. Many of the internet’s largest blogs, as well as plenty of small, individual sites, run on the WordPress framework for publishing text, image, and video content to the world wide web.
A WordPress website has both a front-end and back-end interface. The front-end provides the view that outside visitors will see when they load the webpage. The back-end can be accessed by site administrators and contributors who are responsible for drafting, designing, and publishing content.
Like every other internet-based system, WordPress is a target of hacking attempts and other forms of cybercrime. Which makes sense considering now more than 32% of the internet runs on WordPress. In this article, we’ll run through some of the most common WordPress attacks on the software and then offer suggestions for how to defend against them and keep your website secure.
Methods of Common WordPress Attacks
First let’s look at the common attack WordPress site owners might run into.
1. SQL Injection
The WordPress CMS platform relies on a database layer that stores metadata information as well as other administrative information. For example, a typical SQL-based WordPress database will contain user information, content information, and site configuration data.
When a hacker carries out a SQL injection attack, they use a request parameter, either through an input field or a URL, to run a customized database command. A “SELECT” query will allow the hacker to view extra information from the database, while an “UPDATE” query will allow them to actually change data.
In 2011, a network security company called Barracuda Networks fell victim to a SQL injection attack. The hackers ran a series of commands across the entire Barracuda website and eventually found a vulnerable page which could be used as a portal to the company’s primary database.
2. Cross-site Scripting
Even popular websites like eBay can be targets of XSS attacks. In the past, hackers have successfully added malicious code to product pages and convinced customers to log in to a spoofed webpage.
3. Command Injection
Platforms like WordPress operate on three primary layers: the web server, the application server, and the database server. But each of these servers is running on hardware with a specific operating system, such as Microsoft Windows or open-source Linux, and that represents a separate potential area of vulnerability.
With a command injection attack, a hacker will enter malicious information in a text field or URL, similar to a SQL injection. The difference is that the code will contain a command that only operating systems will recognize, such as the “ls” command. If executed, this will display a list of all files and directories on the host server.
Certain internet-connected cameras have found to be especially vulnerable to command injection attacks. Their firmware can improperly expose system configuration to outside users when a rogue command is issued.
4. File Inclusion
Common web coding languages like PHP and Java allow programmers to refer to external files and scripts from within their code. The “include” command is the generic name for this type of activity.
In certain situations, a hacker can manipulate a website’s URL to compromise the “include” section of the code and gain access to other parts of the application server. Certain plug-ins for the WordPress platform have been found to be vulnerable against file inclusion attacks. When such hacks occur, the infiltrator can gain access to all data on the primary application server.
Tips for Protection
Now that you know what to be on the lookout for, here are a few easy ways to harden your WordPress security. Obviously, there are many more ways to secure your site than are mentioned below, but these are relatively simple methods to start with that can yield impressive returns in hackers thwarted.
1. Use a Secure Host and Firewall
The WordPress platform can either be run from a local server or managed through a cloud hosting environment. For the purpose of maintaining a secure system, the hosted option is preferred. The top WordPress hosts on the market will offer SSL encryption and other forms of security protection.
When configuring a hosted WordPress environment, it’s critical to enable an internal firewall that will protect connections between your application server and other network layers. A firewall will check the validity of all requests between layers to ensure that only legitimate requests are allowed to be processed.
2. Keep Themes and Plugins Updated
The WordPress community is filled with third-party developers who are constantly working on new themes and plugins to leverage the power of the CMS platform. These add-ons can either be free or paid. Plugins and themes should always be downloaded directly from the WordPress.org website.
External plug-ins and themes can be risky, as they include code that will be run on your application server. Only trust add-ons that come from a reputable source and developer. In addition, you should update plugins and themes on a regular basis, as developers will release security improvements.
Within the WordPress admin console, the “Updates” tab can be found at the very top of the “Dashboard” menu list.
3. Install a Virus Scanner and VPN
If you are running WordPress in a local environment or have full server access through your hosting provider, then you need to be sure to have a robust virus-scanner running on your operating system. Free tools to scan your WordPress site like Virus Total will check all resources to look for vulnerabilities.
When connecting to your WordPress environment from a remote location, you should always use a virtual private network (VPN) client, which will ensure that all data communications between your local computer and the server are fully encrypted.
4. Lockdown Against Brute Force Attacks
One of the most popular and common WordPress attacks takes the form of so-called brute force attacks. This is nothing more than an automated program a hacker turns loose at the “front door.” It sits there and tried thousands of different password combinations and stumbles across the right one often enough to make it worthwhile.
The good news is that there is an easy way to foil brute force. The bad news is that too many site owners don’t apply the fix. Check out the All in One WP Security and Firewall. It’s free and allows you to set a hard limit on login attempts. For example, after three attempts the plugin locks the site down against further logins by that IP address for a preset length of time. You’ll also receive an email notification that the lockdown feature has been triggered.
5. Two-Factor Authentication
This nifty method of securing your site relies on the fact that hacker likely won’t be able to assume control of two of your devices simultaneously. For example, a computer AND cell phone. Two-Factor Authentication (2FA) turns logging into your Website website into a two-step process. As usual, you log in the regular way but then will find yourself prompted to enter an additional code sent to your phone.
Clever, huh? This one extra step increases the security of your site exponentially by separating the login into different steps. Check this list of free plugins that will help you set up 2FA. Those hackers that were thinking of trying to mess with your site are probably already changing their minds.
While there is no such thing as a 100% secure website, there are plenty of steps you can take to protect your website. Using a good firewall, keeping your themes and plugins up to date and periodically running a virus scan can make a huge difference.
It might help to think of website security as an eternal iterative process. There should never come a point when you step back and think it is “complete” because the game between hackers and website defenders will never stop, with even officially-sanctioned online players getting into the online surveillance business . Only by keeping yourself knowledgeable about the latest threats and how to repel them will you be able to maintain cybersecurity and online privacy.
It’s too bad the world has to be this way but accept it and move on. If you’ve never done it before, now would be a good time to locate a few respected cybersecurity news sites. Either subscribe to their newsletter or at least pay regular visits. Get started by running a Google (or the search engine of your choice) search for “cybersecurity news.”
Have a question, or more tips to add? Leave a comment and let us know.