WordPress is the world’s most popular content management system (CMS), currently powering 26.6% of all websites. It’s powerful, robust and easy to use, which makes it popular with everyone, from bloggers to businesses of any size.
Unfortunately, that popularity also makes it one of the biggest targets for hackers.
Is WordPress Safe?
Let’s be clear – WordPress does not inherently have security problems. It’s as safe and secure as any other content management system. So why do tens of thousands of WordPress websites get hacked every year?
If you’ve ever had your website get hacked, it would be natural to think to yourself “Why Me?” After all, what would a hacker gain by hacking your website? It’s not like your site stores sensitive client data, it doesn’t get a lot of traffic, nor is it even particularly controversial.
But that’s not what hackers look for. When a WordPress website is hacked, it’s nothing personal – it’s simply a matter of opportunity. Most websites get hacked because it was possible; because we unknowingly left a door open for attack.
The vast majority of hacking attacks are completely automated. In the same way the search engines use spiders to explore the internet looking for new content to index, hackers have their own spiders that sniff out known vulnerabilities. This automation allows hackers to gather large lists of potential targets in a relatively short amount of time.
So, if you thought there was someone sitting in front of their computer and typing your website into their browser, you’d be wrong. In many cases, the person responsible for the hack never even looks at your site.
Why Do WordPress Websites Get Hacked?
The question remains though – what’s in it for them? What’s the point of hacking a bunch of fairly minor websites?
Well, of course, if your website did contain sensitive client information, like contact details or credit card numbers, that would be a win for the hackers. But other reasons for hacking a WordPress website include:
- Redirections – by adding a redirection to your website, hackers can hijack your traffic and send visitors to your site anywhere they like.
- Malware – instead of redirecting people away from your site, hackers can use malware to discreetly attack your visitors’ browsers in an attempt to install viruses, key loggers, ransomware, or other malicious software.
- System Resources – the hack may be used as a doorway to your hosting server, which the hacker may then use for distributed denial of service (DDoS) attacks or brute force attacks.
As you can see, it doesn’t really matter how big or popular your site is, there is always going to be a reason for a hacker to try and get access.
How Do WordPress Websites Get Hacked?
According to this 2013 infographic by WP Template, the breakdown of entry points into WordPress websites is as follows:
- 41% via a vulnerability in the web hosting
- 29% via a vulnerability in a theme
- 22% via a vulnerability in a plugin
- 8% because of a weak password
Now, those numbers will definitely have changed since 2013, because the WordPress community are extremely active in seeking and plugging the various security holes as they become known. But it serves to show us that there is no one weak point in a WordPress website.
As you can see, the biggest point of entry is actually your web host, particularly when your website is shared with others. What often happens is that a single website is compromised, and all other websites on that shared hosting environment then become vulnerable. That’s why it is very important to host your website with a quality web host. You might be doing all the right things security-wise, but if other people on the same host are not, your website can become vulnerable.
Next on the list is a vulnerability in your theme, but if you combine that with vulnerabilities in plugins, that accounts for more than 50% of all WordPress hacks. This shows why it’s vitally important to keep your website up to date.
Finally, 8% of WordPress hacks occur because of weak passwords. Check out this list of the 10,000 most common passwords. According to its creator, “91% of all user passwords sampled all appear on the list of just the top 1,000 passwords.”
How To Keep Your Website Safe
This is a topic we will be going into in great detail over the coming months, but to begin with, make sure you’ve ticked the following boxes:
- Use a unique, secure password
- Keep everything up to date
- Don’t have a user named “admin”
This might not seem like a lot, but you’d be surprised at how many websites score 0 out of 3 on this check list.
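The three boxes above can be checked automatically. The script below is an added example, not code from the original post: it assumes WP-CLI (`wp`) is installed and run from the site root, reads its JSON output, and reports which boxes are still unticked. Because WordPress stores only password hashes, the password check is written to be run against a candidate password at the moment it is set.

```python
import json
import subprocess


def wp_json(*args):
    """Run one WP-CLI command with --format=json and parse its output.

    Assumption: `wp` is on PATH and the working directory is the site root.
    When core is already current, `wp core check-update` prints a Success
    line rather than JSON, so any non-array output is treated as "nothing to do".
    """
    out = subprocess.run(["wp", *args, "--format=json"], check=True,
                         capture_output=True, text=True).stdout.strip()
    return json.loads(out) if out.startswith("[") else []


def password_is_common(candidate, common_passwords):
    """Box 1: True if a proposed password appears in a common-password list
    (such as the top-10,000 list mentioned above), compared case-insensitively."""
    return candidate.lower() in {p.lower() for p in common_passwords}


def audit(users, plugins, themes, core_updates):
    """Boxes 2 and 3: return a list of findings (empty means both are ticked).

    users:        wp user list --format=json         (has user_login)
    plugins:      wp plugin list --format=json       (has name, update)
    themes:       wp theme list --format=json        (same shape as plugins)
    core_updates: wp core check-update --format=json ([] when current)
    """
    findings = []
    # Box 3: no account with the default login "admin", whatever its case.
    if any(u["user_login"].lower() == "admin" for u in users):
        findings.append("rename the 'admin' user")
    # Box 2: every plugin and theme with a pending update, then core itself.
    stale = sorted(c["name"] for c in plugins + themes if c.get("update") == "available")
    if stale:
        findings.append("update: " + ", ".join(stale))
    if core_updates:
        findings.append("update WordPress core to " + core_updates[0]["version"])
    return findings


if __name__ == "__main__":
    report = audit(wp_json("user", "list"),
                   wp_json("plugin", "list"),
                   wp_json("theme", "list"),
                   wp_json("core", "check-update"))
    print("\n".join(report) or "Boxes 2 and 3 ticked")
```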
Other than that, ensure you’re using a credible web host, and back up your website regularly.
WordPress security is all about being proactive. Taking a few minutes now to secure your website could save you hours of grief later.