WordPress is the most popular blogging and Content Management System (CMS) platform in the world, and over a quarter of all websites run on it.
Since WordPress is open source, the code that runs it is visible to everyone. Because it powers so many websites, it has become a target for hackers who want to infect or control websites.
A hacker's goal is to infect as many websites as possible, so they might look for a security hole in the individual software that runs on each website, or they might look for a security hole in the most popular software used by websites and infect them all at once. Once a hacker finds a security hole in WordPress itself or in a plugin used by WordPress, they can very quickly infect a huge number of websites using automated attacks.
Why attack my website?
A hacker wants to attack your WordPress website to gain control at an administrative level. This means they can not only read all files on your website and all data in its database, they can also modify files, make changes to the database, and change the way your website behaves and the content it serves.
There are several reasons why hackers want to attack your website:
1) To steal your website data: To access the data on your website, including the email addresses and names of your customers and members. Stealing thousands of email addresses of your website members provides hackers with new targets for spam and malicious email.
2) To send spam: To be able to send spam email from your website.
3) To host malicious content and avoid filters: Hackers may use your site to host content like pornography, illegal drug sales or other spam content.
4) Spamvertise: In this instance, hackers use your website to redirect traffic to another malicious or spam website, instead of including their own website address in spam. Because the spam emails contain your website address rather than theirs, the emails avoid spam filters. Then, when someone who receives the spam clicks on the link to your site, they are redirected to the malicious website. This is called ‘spamvertising’.
How can I protect myself?
The best way to protect your website from attacks on WordPress is to keep your website up-to-date and to read up on all the newest WordPress-related vulnerabilities. You will then be able to update your site as soon as possible when a new vulnerability emerges.
You should also consider the following recommendations:
- Choose a reputable hosting provider where websites on shared servers are isolated from each other.
- Always run the latest version of WordPress core, as well as ensuring that your plugins are all up-to-date.
- Use strong passwords for all user accounts.
- Force both logins and admin access to use HTTPS.
- Remove all old and unmaintained web applications, including old backups of the site, from your website.
- Ensure there are no sensitive temporary files lying around on your website.
- Put a Web Application Firewall in front of your website.
- Create regular backups.
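As an added example (not part of the original article), the following POSIX shell script checks three of the recommendations above: it scans a WordPress web root for leftover backup and temporary files, and it verifies that wp-config.php sets the FORCE_SSL_ADMIN constant, which is how WordPress forces logins and admin access over HTTPS. The web-root path, the demo files, and the list of file-name patterns are assumptions chosen for illustration.

```shell
#!/bin/sh
# Audit helper for a WordPress web root (added example, not from the article).
# Paths, file names and patterns below are constructed for demonstration.

# find_leftover_files WEBROOT: print files matching common backup/temp patterns.
find_leftover_files() {
  find "$1" -type f \( \
    -name '*.bak' -o -name '*.old' -o -name '*.orig' -o -name '*~' \
    -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' -o -name '*.tar.gz' \
    -o -name 'wp-config.php.*' -o -name '*.swp' -o -name '.DS_Store' \
  \) 2>/dev/null | sort
}

# count_leftover_files WEBROOT: number of such files (stripped of whitespace).
count_leftover_files() {
  find_leftover_files "$1" | wc -l | tr -d ' '
}

# ssl_admin_forced WEBROOT: succeed if wp-config.php defines FORCE_SSL_ADMIN as true.
ssl_admin_forced() {
  grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
    "$1/wp-config.php" 2>/dev/null
}

# audit_webroot WEBROOT: print a human-readable report; always returns 0.
audit_webroot() {
  root="$1"
  find_leftover_files "$root" | while IFS= read -r f; do
    echo "leftover file: $f"
  done
  echo "leftover files found: $(count_leftover_files "$root")"
  if ssl_admin_forced "$root"; then
    echo "FORCE_SSL_ADMIN is enabled in wp-config.php"
  else
    echo "FORCE_SSL_ADMIN is NOT set to true in wp-config.php"
  fi
  return 0
}

# Constructed demo web root: one stale config copy, one old backup, one normal upload.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/wp-content/uploads"
printf "<?php\ndefine('FORCE_SSL_ADMIN', true);\n" > "$demo_root/wp-config.php"
: > "$demo_root/wp-config.php.bak"
: > "$demo_root/wp-content/uploads/site-backup-2019.zip"
: > "$demo_root/wp-content/uploads/image.jpg"
audit_webroot "$demo_root"
```

Run it against your real document root (for example `audit_webroot /var/www/html`) and review every reported file before deleting it.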
Whilst these recommendations give you a practical list of things you should follow to improve the security of your website, they still won’t protect you 100%, but they will certainly make your website harder for hackers to attack.