Before we address this lingering question, let’s get a clear understanding of what ‘safe’ means.
Besides the obvious political ‘intent’ of the attack, it goes on to show that even the most secure of websites can fall victim to experienced hackers. Needless to say, popular services and organizations top the target lists of such attack groups, and WordPress is no different.
In the majority of cases, website owners could have dodged the bullet by sticking to specific security protocols which we will discuss shortly.
The question, “Is a WordPress website safe?”, therefore has a two-fold answer.
Yes, it is safe if you take the time to properly maintain your website, otherwise, be prepared to join the privileged 90% club mentioned above.
Safety vs Vulnerability
Imagine spotting a sleeping dog while you’re out jogging one morning. You’re safe as long as you pass by without disturbing it. But if you step on its tail, the dog might chase you down.
In conclusion, you remain vulnerable irrespective of how you interact with the creature. The same concept applies to WordPress.
Most netizens just assume that WordPress is more likely to be hacked, which is far from the truth. Hackers are always searching for exploitable weaknesses to gain access to your site. Whether or not they succeed depends on how frequently you monitor your website and keep it updated.
How is WordPress Exploited?
Image Source: WPScan
On closer inspection, WordPress can be broken down into 3 distinct parts. Hackers usually look for a vulnerability in any one or all of them. Let’s take a closer look so that we have a better idea of how to reinforce them when necessary.
Core - What is it?
The ‘core’ contains WordPress’s source code, which is written, maintained and optimized by a team of experienced researchers and developers.
Their core security team consists of 50 members spread across the world, representing different companies such as GoDaddy, Bluehost, DreamHost, Sucuri, and others.
You might be wondering why WordPress developers represent different companies.
It’s to ensure variety, since each company encounters unique problems. By diversifying their portfolio, the security team aims to learn more about different sorts of bugs and secure WordPress against all kinds of attacks.
How does the issue get solved?
Dedicated developers around the globe report such exploits to WordPress security via HackerOne. Once a patch is created, the security team dispatches an update which you should install right away.
Once the team has decided the severity of the issue, the report submission marks the beginning of the patch creation process. The patch then undergoes several rounds of testing before the final version is released. You can get a more detailed rundown of the process from Aaron Campbell, Head of WordPress Core, in his 48-min presentation, where he walks through the entire process from the initial report to the bounty.
Oh yes, regarding the incentive we mentioned earlier. Once a developer reports a bug to WordPress via HackerOne, they are entitled to a bounty depending on the severity of the issue.
It’s an excellent way to encourage ethical hackers while also preventing the issue from getting released on the internet.
Themes - What is it?
Themes are what make your website stand out. Unique and beautiful visuals make for a great landing page and distinguish you from the rest of the internet, and considering the number of sites out there today, you need that extra boost in popularity.
However, that doesn’t mean you throw caution to the wind, and start downloading themes from unknown sources.
Thousands of new themes are created every day, and the problem arises when you are unaware of the security measures you need to consider while downloading a theme.
Cheap themes are often poorly designed, which hurts the user experience. As for free themes, the ones recommended by WordPress, such as Twenty Sixteen, are quite decent. But the majority of the free stuff you find all over the internet isn’t usually safe.
Free themes may look appealing, but they can cause more harm than good. They may even contain malicious code that can break your website or, even worse, infect your visitors. Here is a detailed guide explaining how malicious code ends up in themes and how you can detect it.
How to solve the issue?
You can design your website from the ground up if you have the technical skill. If not, then hire a developer to do the job for you. Make sure to check their portfolio before you hire them.
In case you cannot afford a developer, stick to verified and trusted WordPress theme repositories such as Evolve. It’s written by reputed authors, so malware is not a concern.
You also receive lifetime updates which improve the theme’s overall security. You can even try the free version to see how it works before buying it outright.
Fonts, bloatware, responsiveness and loading speed are a few of the many factors you need to consider while picking a theme. Just make sure that security is somewhere at the top of your list so that your perfect website stays perfect for years to come.
Plugins - What is it?
Ben is a wildlife photographer, and wishes to showcase his skills to the whole world. His editor advised him to create a portfolio in the form of a website, and share it on his social media.
Ben started searching for similar portfolios on the internet. He stumbled upon an image gallery at the bottom of a photography website. Once he clicked on an image, he was redirected straight to the photographer’s Instagram feed.
The ‘image gallery’ in the above example is a plugin. It is software that extends the functionality of your site. Like the gallery, Ben can add video feeds, contact forms, slideshows; the list goes on. And that will make his editor happy.
Like themes, there is a lot you can do with plugins to give your visitors a unique user experience. Nonetheless, like themes, poorly designed plugins:
- Increase page loading times.
- Make websites clunky and harder to navigate.
- Can even break the web page in some cases.
Image Source: WebARX
Plugins downloaded from untrustworthy sources may also contain malware and other exploits that can do all sorts of harm. While some plugins siphon user data to the hacker’s personal basement, others could potentially infect the netizens visiting your website, damaging your reputation in the long run! As you can see from the pie chart above, third-party plugins are the major source of vulnerabilities. Ouch!
How to solve the issue?
One of the best ways to judge a plugin is by its total number of downloads and active installations. Any plugin with over 10k active installations is a reasonably safe bet.
New bloggers are usually not aware of the security issues associated with plugins. They are also pretty easily impressed, which tends to happen when you’re trying something new.
Don’t misunderstand: there are some great free plugins available on the internet, for instance Google Analytics, Yoast and Elementor. Click here for more detailed information on some of the best plugins on the web.
Lastly, here is a list of some of the best WordPress security plugins; they are a must-have on all websites and keep them secure from incoming malware attacks and exploits.
List of Some Common Website Vulnerabilities
Image Source: WPScan
Let’s recap what we have covered so far.
- We know that other websites are just as vulnerable as WordPress. Hackers aren’t racists; they’ll attack irrespective of colour, origin, and nationality.
- How WordPress ends up being targeted by most cybercriminals.
- The most vulnerable aspects of your WordPress website.
So now you know,
- Why the hackers infiltrate your site,
- Their preferred point of entry to your site, namely themes, plugins, and core.
In the following sections, we will cover a bit about the various tools and techniques cybercriminals use to infiltrate your site and do nasty things to it.
Without further ado, let’s get started.
Brute Force Attack
Have you ever been chased down by a bull? No? Well, too bad, would have made a nice story.
Anyway, imagine being strapped to a pole while a 2,000 bull is charging straight towards you. A brute force attack runs on a somewhat similar idea.
Usually, the hackers feed a list of words that could potentially be the password into an automated tool, in the hope of guessing the correct one. The tool keeps hammering the login page with every combination on the list until one works.
Without proper protection in place, attackers can easily gain access to your website and wreak havoc.
SQL Injection
Unlike a brute force attack, SQL injection takes a more covert, ‘Mission Impossible’-like approach. To understand it in detail, you must first know how you interact with a website.
Suppose you’re in an online store searching for smartphones. You’re interested in the new iPhone, and click on ‘specifications’ to see what’s changed.
Every time you click something on a webpage, the browser requests a specific URL where the information is stored. The data is then retrieved from the server and displayed on your screen.
In SQL injection, the hacker tampers with the input that the website feeds into its database queries. As a result, the site displays information that was never meant for public viewing.
You can click here for a more detailed rundown of the process.
Image Source: OWASP
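The point above, that a request parameter which ends up inside a database query can change what the query returns, is easiest to see in code. The following is an added example, not code from the original post or from WordPress itself: a small product-specification lookup as it might appear in a plugin, first written in an injectable way and then hardened with `$wpdb->prepare()`. The table name `{$wpdb->prefix}phone_specs`, its columns and the function names are assumptions made for the example.

```php
<?php
/**
 * Added example (not from the original post): a product-specification
 * lookup as it might appear in a small WordPress plugin, first written
 * in an injectable way and then hardened. The table
 * `{$wpdb->prefix}phone_specs` and its columns are assumptions.
 */

// VULNERABLE: the `id` query-string value is pasted straight into SQL.
// A request such as  ?id=1 OR 1=1  changes the WHERE clause, so the
// `is_public = 1` restriction no longer decides which rows come back.
function specs_lookup_vulnerable( $raw_id ) {
    global $wpdb;
    $sql = "SELECT name, spec_sheet FROM {$wpdb->prefix}phone_specs "
         . "WHERE id = $raw_id AND is_public = 1";
    return $wpdb->get_results( $sql );
}

// HARDENED: enforce the expected type first, then let $wpdb->prepare()
// bind the value as a parameter. The value can no longer alter the
// query structure, whatever characters it contains.
function specs_lookup_safe( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );          // non-numeric input becomes 0
    if ( 0 === $id ) {
        return array();               // refuse rather than query with a bogus id
    }
    $sql = $wpdb->prepare(
        "SELECT name, spec_sheet FROM {$wpdb->prefix}phone_specs "
        . "WHERE id = %d AND is_public = 1",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Shortcode [phone_specs id="1"] renders the result. Output is escaped
// with esc_html() so database content cannot be interpreted as HTML.
function specs_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'phone_specs' );
    $rows = specs_lookup_safe( $atts['id'] );
    if ( empty( $rows ) ) {
        return '<p>No public specification found.</p>';
    }
    $out = '';
    foreach ( $rows as $row ) {
        $out .= '<h3>' . esc_html( $row->name ) . '</h3>';
        $out .= '<pre>' . esc_html( $row->spec_sheet ) . '</pre>';
    }
    return $out;
}
add_shortcode( 'phone_specs', 'specs_shortcode' );
```

The defence is in two layers: `absint()` rejects anything that is not a positive integer before the database is touched, and `%d` in `$wpdb->prepare()` guarantees that whatever survives is bound as a number rather than spliced into the SQL text. A plugin that builds queries from `$_GET`, `$_POST` or shortcode attributes without this treatment is exactly what a vulnerability scanner such as WPScan flags.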
Cross-Site Scripting (XSS)
As fellow netizens, we trust reputed websites such as Google, Facebook, and other big names thanks to their strong security.
Similarly, you must have websites or forums that you visit regularly. It could be your university forum or a local website that sells computers. They are not as popular, but you trust them nonetheless.
Such niche websites with a decent reputation often become targets for cross-site scripting. It is a form of client-side code injection attack in which cybercriminals insert malicious code into legitimate plugins and websites.
The end goal is to infect the web browsers of users visiting the website or downloading such infected plugins.
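Client-side code injection usually happens because something a user typed is written back into the page without escaping. Here is an added example, not code from the original post or from any WordPress theme: a tiny greeting widget that reflects a `name` query parameter, first unescaped and then escaped for each output context using WordPress’ own `esc_*` and `wp_kses_post()` functions. The widget, its function names and the `/profile` URL are assumptions made for the example.

```php
<?php
/**
 * Added example (not from the original post): a widget that greets a
 * visitor by the `name` query parameter. The first version reflects
 * the parameter into the page unescaped (the client-side injection the
 * section describes); the second escapes every output context.
 * Function names and the /profile URL are this example's own.
 */

// VULNERABLE: whatever is in ?name= becomes part of the page markup.
// Any HTML or script carried in the parameter is rendered by the browser
// of every visitor who follows such a link, under this site's origin.
function greet_visitor_vulnerable() {
    $name = isset( $_GET['name'] ) ? wp_unslash( $_GET['name'] ) : 'friend';
    echo '<p class="greet">Hello, ' . $name . '!</p>';
    echo '<a href="/profile?user=' . $name . '">Your profile</a>';
}

// HARDENED: sanitize on input, then escape for the exact output context
// (text node, URL, attribute). Each context has its own esc_* function.
function greet_visitor_safe() {
    $name = isset( $_GET['name'] )
        ? sanitize_text_field( wp_unslash( $_GET['name'] ) )
        : 'friend';

    // Text node: esc_html() turns < > & " ' into entities.
    echo '<p class="greet">Hello, ' . esc_html( $name ) . '!</p>';

    // URL built from user data: add_query_arg() encodes the value and
    // esc_url() rejects javascript: and other disallowed schemes.
    $profile = add_query_arg( 'user', $name, home_url( '/profile' ) );
    echo '<a href="' . esc_url( $profile ) . '">Your profile</a>';

    // Attribute value: esc_attr() is the matching escape for attributes.
    echo '<input type="text" name="name" value="' . esc_attr( $name ) . '">';
}

// Stored content (e.g. a bio saved by a plugin) that legitimately needs
// some HTML is filtered with wp_kses_post(), which keeps the tags post
// content allows and strips script, event handlers and the like.
function render_stored_bio( $bio_html ) {
    return wp_kses_post( $bio_html );
}

add_action( 'wp_footer', 'greet_visitor_safe' );
```

The rule the safe version follows is “sanitize early, escape late”: `sanitize_text_field()` cleans what arrives, but the escaping is done at the moment of output, with the function that matches where the value lands. Reviewing a theme or plugin for `echo` statements that print request or database values without an `esc_*` call is a quick first check for this class of bug.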
DDoS Attack
You must have watched, or at least heard of, the famous franchise ‘The Walking Dead’. It’s a famous TV series about zombies, and is a great watch if you ask me.
Now some of you must be wondering where I am going with this. In a DDoS attack, the hacker controls an army of zombies known as a ‘botnet’: infected computers that the hacker can point at your website.
The hacker then launches a sequence of simultaneous attacks, commanding each infected machine to send a huge volume of requests to your site, overwhelming the connection and disrupting legitimate traffic, i.e., your customers and visitors.
Here is a link if you want to read more about this little exploit.
How does WordPress fit into all this?
WordPress is not alone in this battle against cybercrime. Other websites are just as vulnerable if they fail to take proper measures to keep their security up to date.
Since WordPress powers 63.2% of all websites on the internet, it faces more problems than any other content management system (CMS) out there.
You must therefore undertake proper measures to proactively secure your website, either by yourself or by hiring a developer.
List of Things you can do to Protect your WordPress Website
All these are scary right? Hang on.
I have the solution.
What you learn next will help you fortify defenses in the upcoming battles against incessant cyber attacks. Consider paying attention as the future of your website depends on it.
WordPress’s robust security isn’t enough on its own to protect your site from incoming threats. The core team does a pretty good job of addressing and fixing the problems associated with WordPress. However, it is your responsibility as the website owner to keep an eye out for those patch notes and keep your site up to date.
Most website owners run older versions of the CMS to prevent their plugins from breaking the site. If you prioritize performance over security (which you shouldn’t), sticking to older versions might seem like a good idea. But do keep in mind that you are potentially jeopardizing your website and your visitors, exposing them to all sorts of cyber attacks.
Now that we have talked about the vulnerable areas, and their respective exploits, let’s take a look at the arsenal of weapons we have against such enemies.
The reports by WPScan reveal that most of the bugs associated with WordPress date back to the 3.x versions.
During WordCamp Europe 2017, Aaron Campbell explained the amount of effort that went into creating bug fixes for 10-15 different older versions of WordPress.
Needless to say, newer versions receive updates much faster, making them comparatively safer. Which would you prefer? Waiting for a bug fix in an older version, or upgrading to the newest version and instantly securing your website against such exploits?
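Staying current does not have to depend on remembering to read patch notes; WordPress can be told to apply updates on its own. The configuration below is an added example, not something from the original post: it uses the `WP_AUTO_UPDATE_CORE` constant and the `auto_update_plugin` / `auto_update_theme` filters that WordPress provides. The placement in a must-use plugin and the plugin slug `example-plugin/example-plugin.php` are assumptions; the slug is a placeholder for whatever plugin you need to exclude.

```php
<?php
// Added example (not from the original post): opting into automatic
// updates. The define() belongs in wp-config.php; the filters belong in
// a must-use plugin (wp-content/mu-plugins/auto-updates.php), which
// WordPress loads on every request and which cannot be switched off
// from the dashboard.

// wp-config.php: accept major as well as minor core releases automatically.
define( 'WP_AUTO_UPDATE_CORE', true );

// mu-plugin: let installed plugins and themes update themselves too.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// If one plugin is known to break the site on update, exclude just that
// plugin instead of holding the whole installation back. The slug below
// is a placeholder, not a real plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( 'example-plugin/example-plugin.php' === $item->plugin ) {
        return false;   // keep this one on manual updates
    }
    return $update;     // everything else follows the global setting
}, 10, 2 );
```

The exclusion filter is the answer to the “my plugins might break” worry from the previous paragraph: it narrows the exception to the one component that needs it, so the core and every other plugin still get their security fixes the day they are released.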
Themes and Plugins - Always Download from Trustworthy and Verified Sources
What’s the worst possible thing you can do to your website? There is a big list of detrimental things that can break your site. Badly designed themes and poorly coded plugins are always at the top of that list, and there is always the risk of malware infection if you download them from unreliable sources.
Like WordPress core, themes and plugins also receive periodic updates that make them more secure and more efficient. The developers of most free themes and plugins cannot afford to release regular updates, exposing your website to future malware attacks and performance issues.
The screenshot above was taken from the WordPress subreddit and shows the frustration of a security professional as he struggles to resolve an issue with a cheap theme.
The same goes for plugins. Premium plugins come with a support contract that guarantees future security updates. Don’t get me wrong: there are plenty of both open-source and affordable developers on the internet. However, unless you find them, premium themes and plugins are your best bet for a secure WordPress website.
CAPTCHA - A Standard Security Protocol for Every Website
The ‘I am not a robot’ checkbox is almost as old as the internet itself. It has been a long-lasting tool for most website owners in their fight against spam and bots. You can set it to check each and every sign-up or login attempt made on your website.
The new and improved reCAPTCHA uses a combination of machine learning and advanced risk analysis to ward off bots, and is regarded as a primary line of defense. Moreover, Google is constantly improving the technology, making it even safer with each passing year.
Login Attempts - Limit the Total Number of Login Attempts
Remember the ‘brute force attack’ we talked about earlier? By limiting the number of login attempts, you effectively rule out such attacks, an exploit very commonly used by cybercriminals.
A brute force attack tries every word in the dictionary to break into a website. Once login attempts are capped, the attacker cannot get past the set number of tries. You can even choose to put that account on a 24-hour cooldown or force a password change.
Speaking of passwords, the more complicated they are, the better. Chrome automatically suggests a strong password to the user, which offers the highest level of WordPress login security.
As a website owner, it is your responsibility to compel users who are signing up to choose a strong password combining words, numbers, and special characters.
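Both defences above, the cap on failed attempts with a 24-hour cooldown and a password policy at sign-up, can be implemented with hooks WordPress already provides (`wp_login_failed`, `authenticate`, `wp_login`, `user_profile_update_errors`, `validate_password_reset`) and its transient API. The must-use plugin below is an added example, not code from the original post or from any security plugin it recommends; the threshold of 5 attempts, the 12-character minimum, the `wp_ex_` prefix and keying the counter on `REMOTE_ADDR` are this example’s own choices.

```php
<?php
/**
 * Added example (not from the original post): a must-use plugin that
 * (1) caps failed login attempts per IP and username with a 24-hour
 * lockout, and (2) rejects weak passwords on profile updates and
 * password resets. Thresholds and the 'wp_ex_' prefix are assumptions.
 */

const WP_EX_MAX_ATTEMPTS = 5;
const WP_EX_LOCKOUT_SECS = DAY_IN_SECONDS;   // WordPress constant: 86400

// Key the counter on both the client address and the attempted username,
// so one noisy address cannot lock everyone out, while a single account
// being guessed from many addresses still accumulates failures.
function wp_ex_lock_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wp_ex_lock_' . md5( $ip . '|' . strtolower( $username ) );
}

// Count failures. Transients expire on their own, so a stray failure is
// forgotten once the lockout window has passed.
function wp_ex_record_failure( $username ) {
    $key   = wp_ex_lock_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WP_EX_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'wp_ex_record_failure' );

// Runs after WordPress' own password check (priority 20). Returning a
// WP_Error rejects the attempt, so once the cap is hit the caller learns
// nothing about whether the guess was right.
function wp_ex_check_lockout( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( wp_ex_lock_key( $username ) ) >= WP_EX_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Try again in 24 hours.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'wp_ex_check_lockout', 30, 3 );

// Forget the counter after a successful login.
add_action( 'wp_login', function ( $username ) {
    delete_transient( wp_ex_lock_key( $username ) );
} );

// Password policy: a length floor plus at least one letter, one digit and
// one symbol, the mix the text recommends.
function wp_ex_password_is_strong( $password ) {
    return strlen( $password ) >= 12
        && preg_match( '/[A-Za-z]/', $password )
        && preg_match( '/[0-9]/', $password )
        && preg_match( '/[^A-Za-z0-9]/', $password );
}

// Both the profile screen and the reset form submit the new password as
// 'pass1'; add an error to the WP_Error object to block the change.
function wp_ex_enforce_password( $errors, $update, $user ) {
    if ( ! isset( $_POST['pass1'] ) || '' === $_POST['pass1'] ) {
        return;                               // password not being changed
    }
    if ( ! wp_ex_password_is_strong( wp_unslash( $_POST['pass1'] ) ) ) {
        $errors->add(
            'weak_password',
            __( 'Password must be at least 12 characters and mix letters, numbers and symbols.' )
        );
    }
}
add_action( 'user_profile_update_errors', 'wp_ex_enforce_password', 10, 3 );
add_action( 'validate_password_reset', function ( $errors, $user ) {
    wp_ex_enforce_password( $errors, true, $user );
}, 10, 2 );
```

Two practical notes. If the site sits behind a CDN or reverse proxy, `REMOTE_ADDR` is the proxy’s address, so the counter must be keyed on the forwarded client address that the proxy is trusted to set; otherwise every visitor shares one counter. And because the `authenticate` filter fires for XML-RPC and REST logins as well as the login form, the cap covers the automated entry points a brute-force tool would normally prefer, not just `wp-login.php`.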
Server Selection - Better Hosting Provides Increased Security
Imagine you’re sharing a server with 6 other websites, and unlike you, the rest don’t put any effort into keeping their WordPress security up to date. If one of them gets infected, all the websites sharing the server risk getting infected as well.
Shared hosting is a great option if you’re on a tight budget. However, it can run into all sorts of trouble, such as slow loading speeds and other security issues. Some hosting companies even run ‘watchdog’ programs that monitor the shared environment, killing processes that abuse system resources. These programs can sometimes interfere with your loading speed as well.
In dedicated hosting, you get a whole server all to yourself. It’s faster, more efficient and generally more secure. You can customize your website without worrying about storage and performance issues. Nonetheless, renting a dedicated server will burn a hole in your wallet.
This list of the top hosting services available should help you choose the best one for your website.
Other Security Measures
Now that we have covered the basics, it’s time to dive into the more technical aspects of website security. You are better off hiring a developer if you want to add the following security services to your website.
- DDoS Protection
- System Firewall
- Web Application Firewall (WAF)
- Intrusion Detection System (IDS)
- TCP Wrappers
- WordPress Vulnerability Scanner
Hopefully this WordPress security blog was able to answer all your questions and address any looming concerns you had regarding WordPress’s security.
By now you should have a better understanding of the question, “Is WordPress secure?”.
Since you’re reading this, I assume you intend to start a website for business or personal reasons.
Now that you have the appropriate knowledge, it’s time to double down on your preparation and start working on your WordPress website.
Whether you’re creating an eCommerce store with WooCommerce or a personal blog, the security of your WordPress website is in your hands.