No piece of technology is perfect, whether it is hardware or software. Of course you know that WordPress is the platform of choice here at Nicely Done Sites, and while it is incredibly easy to use it comes with its share of vulnerabilities. As of mid-November there are 11,648 noted vulnerabilities. Since WordPress powers over one quarter of all websites on the Internet, it makes an easy target. The good news is that many vulnerabilities are discovered by security researchers and patched quickly (so make sure that you are keeping your site updated!). The bad news is that WordPress is still vulnerable to some common threats.
For WordPress users the best way to protect yourself is to make your security as tough as possible and to keep your WordPress site up-to-date. You can do this yourself or Nicely Done Sites can do it for you with a maintenance agreement. The choice is yours, but do something. Doing nothing only invites trouble.
Brute Force Attacks
In order to edit your WordPress site you need to log in. Getting to the login screen is easy but actually getting in is not, or at least it is not supposed to be. A Brute Force attack is simply guessing credentials over and over, whether by a person sitting at a keyboard or by a bot, until one of the guesses gets in.
There are ways to combat it, and if you ever wonder why we use random usernames and strong passwords at Nicely Done Sites, this is a reason why. Some of these passwords could not be guessed by a human over the course of a lifetime. That practice should be followed for any new usernames and passwords created later as well, since your website is only as secure as your weakest password.
Another method to stop Brute Force Attacks is to limit the number of login attempts. After a certain number of failed attempts, that person will no longer be able to try to log in for a while. This limits not only human attempts but bot attempts as well. The harder you make it to get in, the more likely an attacker will move on.
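Here is one way to put that limit in place, written as an added example rather than code from the post or from any plugin Nicely Done Sites uses. It assumes the web server reports the visitor's real address in REMOTE_ADDR and uses a made-up limit of 5 failures per 15 minutes.

```php
<?php
/*
 * Plugin Name: Limit Login Attempts (example)
 * Example code, not part of the original post. Place it in wp-content/mu-plugins/.
 * Assumes REMOTE_ADDR is the real client address (behind a proxy, use the
 * proxy's forwarded-address header instead, after validating it).
 */

// Tuning values chosen for this example.
const NDS_MAX_ATTEMPTS    = 5;   // failures allowed before lockout
const NDS_LOCKOUT_SECONDS = 900; // 15-minute lockout window

function nds_attempt_key() {
    // One failure counter per client address, stored as a WordPress transient.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'nds_login_fail_' . md5( $ip );
}

// Count every failed login; each failure restarts the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = nds_attempt_key();
    $failures = (int) get_transient( $key ); // false (missing) becomes 0
    set_transient( $key, $failures + 1, NDS_LOCKOUT_SECONDS );
} );

// Once the limit is reached, refuse the login without even checking the password.
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so this error overrides a correct password during the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // form just being displayed, not a real attempt
    }
    if ( (int) get_transient( nds_attempt_key() ) >= NDS_MAX_ATTEMPTS ) {
        return new WP_Error(
            'nds_too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', NDS_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter after a successful login so legitimate users are not penalized.
add_action( 'wp_login', function ( $login, $user ) {
    delete_transient( nds_attempt_key() );
}, 10, 2 );
```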
File Inclusion
There are certain files in your WordPress installation that need to be protected, and your configuration file is one of them. File Inclusion attacks trick the site into loading a file of the attacker's choosing, which can give them access to your configuration file. They abuse the file inclusion mechanism that PHP uses for scripting, for keeping applications maintainable and for providing download functionality. This vulnerability can be exploited by inserting code into a Contact form, by including malicious code in an uploaded image, or by working out the file information behind a downloadable part of the website like a brochure.
The best way to avoid this is to do the extra work on the backend so that only an ID is exposed, never the file path, when something is opened. Content should be stored in the database, and a whitelist of allowed file names established with instructions to ignore everything else.
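The following download handler, an added example and not code from the post, implements that advice: the page links to ?download=<id>, only IDs in a fixed whitelist are served, and the resolved path is checked against the download directory. The directory and file names are assumptions.

```php
<?php
// Example download handler (not from the original post). Visitors only ever see
// an ID such as ?download=brochure-2023; the file path stays on the server.

// Whitelist: public ID => file name inside the downloads directory.
// Anything not listed here is ignored, whatever the request contains.
const NDS_DOWNLOADS = array(
    'brochure-2023' => 'brochure-2023.pdf',
    'price-list'    => 'price-list.pdf',
);

// Directory holding the downloadable files (assumed location, outside the web root).
const NDS_DOWNLOAD_DIR = '/var/www/example.com/private/downloads';

function nds_resolve_download( $id ) {
    // 1. Look the ID up instead of building a path from anything the client sent.
    if ( ! is_string( $id ) || ! array_key_exists( $id, NDS_DOWNLOADS ) ) {
        return null;
    }
    // 2. basename() drops any directory component, even one in the whitelist itself.
    $name = basename( NDS_DOWNLOADS[ $id ] );
    $path = realpath( NDS_DOWNLOAD_DIR . '/' . $name );
    $base = realpath( NDS_DOWNLOAD_DIR );
    // 3. The resolved path must still sit inside the download directory.
    if ( $path === false || $base === false
        || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $path;
}

function nds_serve_download() {
    $path = nds_resolve_download( isset( $_GET['download'] ) ? $_GET['download'] : '' );
    if ( $path === null ) {
        status_header( 404 ); // WordPress helper; use http_response_code(404) outside WordPress
        exit( 'Not found' );
    }
    // Serve as an attachment with a fixed content type so the browser never runs it.
    header( 'Content-Type: application/pdf' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Hook into WordPress: ?download=<id> on any page triggers the handler.
add_action( 'init', function () {
    if ( isset( $_GET['download'] ) ) {
        nds_serve_download();
    }
} );
```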
Cross-Site Scripting
Cross-Site Scripting (XSS) is the most common vulnerability with WordPress. These attacks occur when an attacker gets you to load a malicious website while you are, the attacker hopes, logged into your WordPress site with administrator access, which allows the malicious code to be loaded. Nearly half of all attacks on WordPress are XSS attacks, since they are extremely easy to write in PHP. If included in a plugin, one can spread extremely quickly.
These attacks are some of the oldest on the Internet and have been addressed since 2002. Changing passwords is one way to stop them, and changing the password of a breached user logs out the attacker. Functions can be included to validate and sanitize data in PHP. The main protection comes from patching the holes in vulnerable code and installing the proper updates, as well as making sure that you are not visiting malicious sites.
SQL Injection
WordPress sites use a MySQL database, and a SQL Injection occurs when an attacker is able to gain access to your site's database through a form field. They are then able to insert whatever they want into your database, which could include links to malicious or spam websites, or potentially take control of your website. These attacks are not new and are still very effective. Code can be inserted through numerous pages, but the most common are comments, a Contact Us page or search bars.
The best way to avoid these kinds of attacks is to make sure that your WordPress site is properly updated and to trust no user input. User input can be sanitized to filter out potentially malicious characters, or a field can be instructed to allow only proper characters (a phone number field could be set to accept only numbers). Also, only use trusted WordPress plugins to begin with.
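The search handler below is an added example, not code from the post, that applies the advice from both the XSS and the SQL Injection sections: input is sanitized, the query is a prepared statement so user text never becomes part of the SQL, and every value is escaped again when it is printed. The shortcode name, the q= parameter and the digit-only phone check are assumptions.

```php
<?php
// Example (not from the original post): input validation, a prepared query and
// output escaping for a small search feature. Shortcode and field names are assumed.

// Validate a phone-number field: keep only digits and reject anything else outright.
function nds_validate_phone( $raw ) {
    $digits = preg_replace( '/\D+/', '', (string) $raw );
    // 10 to 15 digits is an assumption for this example; adjust to your market.
    return preg_match( '/^\d{10,15}$/', $digits ) ? $digits : null;
}

// Run the search with a prepared statement so the term is never spliced into the SQL text.
function nds_search_posts( $term ) {
    global $wpdb;
    $term = sanitize_text_field( $term ); // strips tags, control characters and stray whitespace
    if ( $term === '' ) {
        return array();
    }
    // UNSAFE pattern to avoid: "... WHERE post_title LIKE '%" . $term . "%'"
    $like = '%' . $wpdb->esc_like( $term ) . '%'; // also neutralizes LIKE wildcards in the term
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_type = 'post' AND post_title LIKE %s
         LIMIT 20",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Render results, escaping every value at the point of output so any stored
// HTML is displayed as text instead of being executed by the browser.
function nds_render_results( $term, $rows ) {
    $html = '<p>Results for <strong>' . esc_html( $term ) . '</strong></p><ul>';
    foreach ( $rows as $row ) {
        $html .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
               . esc_html( $row->post_title ) . '</a></li>';
    }
    return $html . '</ul>';
}

// [nds_search] shortcode: reads ?q= from the URL, searches, and prints the escaped list.
add_shortcode( 'nds_search', function () {
    $term = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    return nds_render_results( $term, nds_search_posts( $term ) );
} );
```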
Malware
Malware is essentially malicious software that is used to gain access to a website. It can give an attacker control, or it can be used to harvest data. Every WordPress site is potentially vulnerable to it, and if a site becomes infected it can also affect other sites on the same hosting server. The good news for many is that attackers tend to target only the more lucrative businesses or websites this way, but it is very easy for your own computer to become infected, which can open the door to someone else taking control of your website.
The best way to avoid these kinds of attacks is to watch the sites that you visit and to run regular virus scans. Keep your computer and your WordPress site up-to-date as well. Changing the password regularly is also a good idea, and don't forget to back up your site, since you may have to take it down to clean up an infection. Backing up your site is a key component of a maintenance agreement with Nicely Done Sites, and your site will be back up and running much faster if regular backups are performed.