Why Do WordPress Sites Get Hacked?
One of the worst things that can happen to your website is getting hacked. Along with the feeling of being violated comes the accompanying fallout: site downtime, loss of web traffic and, of course, loss of trust with your audience. As a top web development company, we understand all too well the frustration and issues related to this problem, which is why today we want to discuss why WordPress sites get hacked as part of our series on website security.
Why are we being hacked?
Hacking has existed as long as computers have. The term itself comes from the “hacks”, or shortcuts, that programmers created to modify how a computer behaved, including its operating system and various applications. From there things slowly evolved, often driven by skilled programmers who were looking for a challenge in gaining access to systems.
Typically hackers are younger and have less understanding of the amount of damage they might cause to others when they hack someone, much like people who spray graffiti on a building. Boredom or activism can also be the motive for attacking some sites. There are also those who use hacking to generate income by stealing data to sell on the dark market.
Sometimes a hacker uploads malicious code (malware) to a site, which is then spread to the site’s users. There are also blackhat SEO spam campaigns in which users are redirected to pages that generate affiliate revenue. Finally, some hackers simply look to steal resources such as bandwidth or physical server capacity.
So why do WordPress sites get hacked so often?
The simple answer is that the platform is so popular that once you understand a few of the basic security vulnerabilities, you have a lot of sites to go after. There are hundreds of millions of WordPress sites out there. While the core is fairly secure, the sheer number of themes and plugins people can add to their sites (some with code that may not be very secure) means the odds of finding one flaw that gives access to thousands of sites are much better than for smaller platforms.
How attackers gain access to WordPress sites
There are a lot of ways a hacker can gain access to a WordPress site, but by far the most common is to attack a plugin. The next most common is a brute force attack. Attacks on the core, themes, the host and file permissions occur as well, but plugin and brute force attacks together make up over 70% of all risks.
There are over 47,000 plugins available in the WordPress plugin directory, and that number does not include the thousands of unofficial plugins floating around the internet. Much like apps, plugins are written by thousands of different people with different coding styles, each with the potential for different exploitable errors. Plugins that are out of date, abandoned, or not from reputable sources are often very vulnerable to attack.
There are also brute force attacks, where hackers go after usernames and passwords. Once a username has been guessed or obtained, the attacker then tries to guess the password associated with it. This type of attack still succeeds despite all the security measures we can put in place because people are fallible and tend to take the easy route, choosing easily memorable usernames and passwords such as a first initial and last name combined with a birth date.
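A brute force attack like the one described above leaves a recognisable trace in the web server log: bursts of POST requests to wp-login.php from one address that all come back as failed logins. The following is an added example (not from the original article) that flags such sources in constructed Apache access log lines; it assumes that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

# Fields used: client ip, identd, user, [timestamp], "METHOD path protocol", status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def failed_logins(log_text):
    """Yield (ip, timestamp) for each POST to wp-login.php that returned HTTP 200.
    Assumption: a failed WordPress login re-renders the form with 200, while a
    successful one redirects with 302, so a 200 on a POST counts as a failure."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak failures} for IPs with >= threshold failed logins in any window."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

The single failed attempt followed by a redirect from 198.51.100.2 is what a legitimate user who mistyped a password once looks like, which is why the check counts failures inside a time window rather than any failure at all.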
What can you do?
There are a few steps any website owner can take to help protect themselves, which include:
- Never use Admin – The user called “Admin” is one of the most abused accounts out there. If the primary username is already known, hackers have one piece of data to work with before they even start. Instead choose a more random username for the Administrator, but not something egocentric like God or King. Avoid obvious names, along with usernames based on the name of anyone listed on your site.
- Check Plugins – Prior to installing any new plugin, research it carefully for known issues including things that haven’t been fixed yet. Then you can make a choice about security versus the usefulness of the plugin.
- Hire a professional service – There are many service providers out there, like ourselves, that provide security and assurance services on a monthly basis. This means you have a team at your back to protect your site, watch for security issues with plugins and updates, and back up your site regularly so you can get back up quickly if something does go awry.
- Reputable sites – Never use plugins from non-reputable sites. For the most part we recommend using only plugins from the official WordPress directory. If you do go elsewhere, make sure you research the source as you would any store before making a purchase.
- Use Wordfence – The free version of Wordfence includes login security features which can help protect against brute force attacks.
The bottom line is that hackers and internet attacks are part of the world we live in. There are simply people out there who do things that are harmful, illegal and annoying for their own gain. We have covered the basics of why WordPress sites get hacked this week, but if you want more information on how you can be protected, feel free to contact us to discuss our Security and Assurance program.
Be sure to check back every Monday, Wednesday and Friday for great new top web development company blog articles.