At the time of writing this, WordPress powers around 25%-30% of all websites. This is hugely impressive, but it also means that WordPress has an equally huge target on its back, and it’s constantly being hit with various common WordPress hacks left and right.
First off, why would you care and why would anyone want to attack your site in particular (even though it might be a relatively small site)?
To answer this, let’s look at what the Wordfence team found when researching what hackers do with compromised WordPress sites:
- It turns out that somewhere around 55% of the time, the attacker either uses the site to send spam, do SEO spam, or perform a malicious redirect.
What all these have in common is that those are the kinds of things that can be very effective when done on small, relatively unprotected sites, as opposed to mainstream online magazines.
For example, if a hacker manages to find a certain hole in WordPress and take over 10,000 small sites, this gives them a huge network for black-hat SEO.
What this means is that everyone is at risk. No matter the size of your WordPress site.
The most common WordPress hacks
Another piece of research, this time found on WPTemplate.com, indicates that the most common WordPress hacks and points of entry for hackers trying to break into WordPress sites are:
- hosting vulnerabilities – 41% of the cases,
- themes – 29%,
- plugins – 22%,
- weak passwords – 8%.
Here’s how to avoid them:
1. Hosting vulnerabilities
I’m going to keep this one quick and simple.
But I’m also going to be painfully honest.
If your web hosting platform has a track record of being unsafe and prone to common WordPress hacks, there’s nothing you can do other than leaving it for a safer alternative.
That’s just the way it is.
Start by looking through online reviews and picking a host that has a proven reputation with WordPress sites, and ideally was built to work with WordPress primarily.
Some of the popular choices:
2. Unsafe themes
The best way to protect yourself from any theme-related vulnerabilities is to simply not get free themes found via random Google searches.
Always get/buy your themes from reputable sources and theme stores. The developers that have been on the market for years and with a proven track record will always be able to provide you with higher quality themes.
Cough(!) … you don’t need to go far to find someone like that. Here at ThemeTrust we pride ourselves on the trustworthiness of our themes … hence the company name.
3. Plugin vulnerabilities
As mentioned above, faulty plugins are the third most common culprit when it comes to WordPress hacks.
But the issue is actually more complex, since there are more individual kinds of attacks that can be performed due to plugin vulnerabilities.
For instance, you can fall victim to things like: file inclusion attacks, SQL injection, cross-site scripting (XSS), backdoor attacks, and many more.
Unfortunately, there’s no one-size-fits-all kind of solution here, and that’s because everyone runs a lot of plugins at the same time, unlike with themes, where you just have one active.
The best way to avoid any trouble is to read blogs like Sucuri, even if just the headlines and not the actual posts. Sucuri is a company known in the WordPress security space, and they do an awesome job when it comes to discovering new vulnerabilities in plugins and common WordPress hacks.
In short, if one day they warn you about a problem with a plugin that you have running on your site, deactivate it and wait for a version update.
4. Password-related issues
Next, we have all sorts of password-related issues.
However, those are not just about your passwords being weak, but also about other vulnerabilities that are meant to break even a safe password.
Here’s what to do:
a) Weak passwords
This is a no-brainer. Whenever setting up a new user account, use only safe and complex passwords. Otherwise, that user account can be compromised in seconds by a password-guessing bot.
You can also use the Force Strong Passwords plugin to do exactly what the name suggests.
b) Login page attacks
The placement of the standard WordPress login page is fairly well known … usually YOURSITE.com/wp-login.php
Because of that, various bots go straight to that page and try breaking the password with brute force or other methods.
Here are the things you can do:
- Limit login attempts with the Login LockDown plugin.
- Enable two-factor authentication with the Duo Two-Factor Authentication plugin. (Input not only your login/pass, but also a code sent via text message to your mobile.)
- Enable brute force protection through Jetpack’s security features module. (Since version 3.4.1, Jetpack has had additional brute force protection included due to Jetpack’s acquisition of the excellent BruteProtect plugin.)
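As an added illustration (not code from the original post), here is a small Python detector that scans web-server access-log lines for the wp-login.php brute-force pattern described above, applying the same attempts-per-window limit that a login-lockdown plugin enforces. The log lines, IP addresses and threshold are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx); only the fields we need are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.9 posts to wp-login.php six times in under
# a minute (all 200: WordPress re-renders the form on a bad password), while
# 198.51.100.4 mistypes once and then logs in (302 redirect to wp-admin).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2016:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
203.0.113.9 - - [10/Mar/2016:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
203.0.113.9 - - [10/Mar/2016:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
203.0.113.9 - - [10/Mar/2016:12:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
203.0.113.9 - - [10/Mar/2016:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
203.0.113.9 - - [10/Mar/2016:12:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
198.51.100.4 - - [10/Mar/2016:12:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
198.51.100.4 - - [10/Mar/2016:12:02:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def failed_login_times(log_text):
    """Map client IP -> sorted timestamps of failed wp-login.php POSTs."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?")[0] != "/wp-login.php" or m.group("status") != "200":
            continue
        failures[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    return {ip: sorted(ts) for ip, ts in failures.items()}

def brute_force_ips(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_failures} for clients exceeding `threshold` failed
    logins inside any sliding `window` (the limit a lockdown plugin enforces)."""
    flagged = {}
    for ip, times in failed_login_times(log_text).items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `brute_force_ips(SAMPLE_LOG)` on the sample flags only the first client; the editor who mistyped once is left alone.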
5. Your own computer
To conclude this post, I want to mention something that might seem obvious at first, but is, in fact, crucial.
Quite simply, if the machine you use to access your site isn’t safe then all of the things described above won’t matter that much.
Basically, whenever you’re working in the wp-admin of your site, you’re exposing it to all the inputs that are coming from your computer, and if some of those inputs are sent by a virus of any kind then you’re in serious trouble.
Do yourself a favor and always use a good antivirus.
If you have any questions about common WordPress hacks then please don’t hesitate to speak up in the comments!