WordPress powers more than a third of the internet, an impressive statistic when you consider that there are over 1.8 billion live sites as of today. Whilst impressive, it is also somewhat concerning: such a large share of the web makes WordPress sites a far more attractive target for exploitation.
According to a report on website hack trends published by the security company Sucuri, a staggering 90% of all CMS hacks happen to WordPress sites.
As shown in the image above (credit: Sucuri), WordPress consistently tops the rankings of the most hacked CMS. Why is this?
Why is WordPress so vulnerable?
According to the report, the leading cause of exploitation was "component vulnerabilities" such as themes, plugins and extensions that had not been updated; other factors, such as a lack of overall security maintenance, also played a large part.
If you're using eCommerce functionality you might want to check up on your site. The report found that eCommerce sites are notorious for not updating their plugins and themes because of the website downtime associated with these updates.
eCommerce sites are targeted the most because of the valuable data they collect and the larger number of extensions needed to support that functionality. The more plugins an eCommerce site has, the more opportunity there is for hackers.
39% of WordPress sites were running out of date core software at the time of an attack, so right away you can see a correlation between getting hacked and using an outdated core.
WordPress as a CMS is not vulnerable, it’s the decisions developers and site owners take that make it vulnerable. Overusing plugins that bloat a site making it difficult to manage, not updating to the latest core, and not updating themes and plugins when a threat is identified; these are a few examples of how a WordPress site is exposed to a possible attack.
The most common ways hackers attack
There are many different ways a hacker can gain access to your site. According to a survey conducted by leading security plugin Wordfence, the top four reasons for vulnerability were:
- Plugin - 55% of hacked sites were plugin related.
- Brute Force - 16% of hacked sites were due to a brute force attack (weak password).
- Core - 5% of hacked sites were due to an outdated core.
- Theme - 4% of hacked sites were theme related.
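The figures above put outdated plugins, core and themes among the leading ways in, and the page later recommends updating them promptly without blindly auto-updating. The following must-use plugin is an added example written for this article (it is not code from Wordfence, Sucuri or any product): it schedules a daily check through WP-Cron and e-mails the site administrator a list of core, plugin and theme updates that are available but not yet applied, so they can be tested on staging first. The plugin name, the `pur_` prefix and the cron hook name are assumptions; the WordPress functions it calls (`get_core_updates`, `get_plugin_updates`, `get_theme_updates`, `wp_schedule_event`, `wp_mail`) are standard.

```php
<?php
/**
 * Plugin Name: Pending Update Report (example)
 * Description: Daily e-mail listing core, plugin and theme updates that are
 *              available but not yet applied. Illustrative mu-plugin written
 *              for this article; save it as wp-content/mu-plugins/pending-update-report.php.
 */

// Hook name is an assumption for this example.
define( 'PUR_CRON_HOOK', 'pur_daily_update_report' );

// Register the daily cron event once, after WordPress has loaded.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( PUR_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', PUR_CRON_HOOK );
    }
} );

/**
 * Collect pending updates into a flat array of human-readable lines.
 *
 * @return string[] One line per outdated component; empty when everything is current.
 */
function pur_collect_pending_updates() {
    // These helpers live under wp-admin and are not loaded during cron requests.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/update.php';

    // Refresh update data from WordPress.org rather than trusting stale transients.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $lines = array();

    // Core: get_core_updates() returns offers; 'upgrade' means a newer release exists.
    foreach ( get_core_updates() as $core ) {
        if ( isset( $core->response ) && 'upgrade' === $core->response ) {
            $lines[] = sprintf( 'Core: %s -> %s', get_bloginfo( 'version' ), $core->current );
        }
    }

    // Plugins: keyed by plugin file, each carrying header data plus an ->update object.
    foreach ( get_plugin_updates() as $file => $plugin ) {
        $lines[] = sprintf( 'Plugin %s (%s): %s -> %s',
            $plugin->Name, $file, $plugin->Version, $plugin->update->new_version );
    }

    // Themes: WP_Theme objects with an ->update array attached.
    foreach ( get_theme_updates() as $slug => $theme ) {
        $lines[] = sprintf( 'Theme %s (%s): %s -> %s',
            $theme->get( 'Name' ), $slug, $theme->get( 'Version' ), $theme->update['new_version'] );
    }

    return $lines;
}

// Send the report only when something is actually outstanding.
add_action( PUR_CRON_HOOK, function () {
    $lines = pur_collect_pending_updates();
    if ( empty( $lines ) ) {
        return;
    }
    $body = "The following updates are available and still need to be tested on staging and applied:\n\n"
          . implode( "\n", $lines );
    wp_mail(
        get_option( 'admin_email' ),
        '[' . get_bloginfo( 'name' ) . '] Pending updates',
        $body
    );
} );
```

WP-Cron only fires when the site receives traffic, so on a low-traffic site the daily event may run late; calling `wp cron event run pending-update-report`'s hook from a real system cron job (or setting `DISABLE_WP_CRON` and triggering `wp-cron.php` externally) gives a predictable schedule.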
Those are how the hackers gain access, but what do they do when they have access? According to the guys and gals at Sucuri, this is how:
- SEO Spam. Hackers target highly ranked websites' SEO to monetise it via affiliate marketing; one of the most vulnerable plugins is the popular SEO plugin Yoast.
- Malware. One of the most popular forms of exploitation, malware is browser-side code that creates drive-by downloads on your site and was found in over 50% of vulnerable WordPress sites.
- Backdoor attacks. These attacks happen when files are used to reinfect a site so that the attacker retains access.
How to protect your WordPress site
While there is no way you can make your website 100% secure, there are a few things you can do to help mitigate against the chance of an attack.
- Use a super strong password and change it every so often. If you're running a high traffic site, an eCommerce site, or a site with a lot of functionality then we recommend you change it every month. Use a password of at least 16 characters containing at least one number, one uppercase letter, one lowercase letter and one special symbol.
- Install an SSL certificate on your site. An SSL certificate is used to encrypt all communication between visitors' browsers and your server. Encrypting this data makes it much harder to intercept and results in a more secure site; it also benefits your SEO!
- Only use plugins if you have to, and only from reputable developers that offer support. If you do need a plugin, choose one from a developer with good reviews and a solid record of updates and support.
- Keep plugins and themes up to date, but don't set them to auto-update. As outdated plugins are the most common cause of exploitation, you must be sure to keep them up to date as often as you can. Don't just set them to auto-update and think you're good to go: if a plugin update that hasn't been thoroughly tested is applied, it could end up breaking your site. We've fixed many sites that this has happened to!
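The first item above sets a password rule, and the brute-force figure earlier in the article (16% of hacked sites) is the reason it matters. The must-use plugin below is an added example written for this article, not code from any product named on the page: it rejects new or changed passwords that fail the 16-character, upper/lower/digit/symbol rule, and it locks a source address out of login for 15 minutes after 5 failed attempts using WordPress transients. The plugin name, the `lh_` prefix, the thresholds and the lockout wording are assumptions; the hooks it uses (`user_profile_update_errors`, `validate_password_reset`, `wp_login_failed`, `authenticate`, `wp_login`) are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Login Hardening (example)
 * Description: Enforces a 16+ character mixed password policy and throttles
 *              failed logins per source address. Illustrative mu-plugin written
 *              for this article; save it as wp-content/mu-plugins/login-hardening.php.
 */

// Thresholds are assumptions chosen for this example.
define( 'LH_MAX_ATTEMPTS', 5 );
define( 'LH_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );

/**
 * True when $password satisfies the policy from the article:
 * at least 16 characters with a lowercase letter, an uppercase letter,
 * a digit and a symbol.
 */
function lh_password_is_strong( $password ) {
    return strlen( $password ) >= 16
        && preg_match( '/[a-z]/', $password )
        && preg_match( '/[A-Z]/', $password )
        && preg_match( '/[0-9]/', $password )
        && preg_match( '/[^a-zA-Z0-9]/', $password );
}

/**
 * Attach an error when a submitted password fails the policy. Both the profile
 * editor and the password-reset form post the new password as 'pass1'; an
 * empty field means the password is not being changed.
 */
function lh_validate_password( $errors ) {
    $candidate = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    if ( '' !== $candidate && ! lh_password_is_strong( $candidate ) ) {
        $errors->add(
            'weak_password',
            'Passwords must be at least 16 characters and include upper and lower case letters, a digit and a symbol.'
        );
    }
}
add_action( 'user_profile_update_errors', 'lh_validate_password' );
add_action( 'validate_password_reset', 'lh_validate_password' );

/**
 * Transient key for the caller's address. Hashed so the key stays short and
 * the raw IP is not written into the options table.
 */
function lh_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lh_failed_' . md5( $ip );
}

// Count each failed login against the source address. Because the lockout
// error below also fires this action, every attempt during a lockout renews it.
add_action( 'wp_login_failed', function () {
    $key   = lh_attempt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LH_LOCKOUT_SECS );
} );

// Refuse the attempt once the address is over the limit. Priority 30 runs after
// WordPress's own credential checks (priority 20), so a correct password cannot
// override the lockout.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lh_attempt_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins from your address. Try again in 15 minutes.'
        );
    }
    return $user;
}, 30 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lh_attempt_key() );
} );
```

Two caveats when deploying something like this: behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address, so the web server must be configured to restore the real client address before this counter is meaningful; and the counter only protects `wp-login.php`, so XML-RPC should be disabled or throttled separately if it is not in use.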
Want to avoid 90% of all hacks & secure your site?
In this article we've covered a few reports from Sucuri and Wordfence, learning that the leading cause of CMS infections is plugin and theme vulnerabilities, followed by misconfiguration and poor security protocols.
If you're ready to take your WordPress website security seriously, it's time to find someone who can manage it 24/7 so you can focus on your business.
As a website owner you will constantly have to find out about new vulnerabilities, make sure everything is updated safely so the site doesn't conflict at the time of an update (believe me, it happens!), consistently monitor all activity, and learn about how to mitigate against attacks. It's tiring, you won't have the time for it and it will lead to vulnerabilities that leave you and your customers at risk.
At Folifi, we manage hundreds of WordPress websites every single day, preventing attacks and securing sites is our forte. Whether you have an eCommerce site or a small blog, your site can and will be attacked at one point or another. Using Folifi as your WordPress Support provider is the safer and more cost-effective choice.
Don’t leave the security of your WordPress site up to chance, sign up to Folifi today!