13 WordPress Worst Security PracticesWordPress hacks happen all the time. Keeping your WordPress site safe from cybercriminals requires that you avoid plummeting into the froth of WordPress worst security practices. When a WordPress site broadcasts worst security practices, you can rest assured — the bad guys will always line up to listen. WordPress worst security practices include:
- Minimal or no WordPress maintenance (not updating core, plugins, and themes).
- Not backing up the database and files.
- Lack of malware checks, security scans, security plugins (or services) and security monitoring.
- Failure to limit login attempts.
- Failure to use sitewide SSL.
- The use of weak passwords.
- Using the default user admin account instead of using a custom name.
- Adding too many admins (use caution when giving user privileges).
- Not using two-factor authentication (2FA).
- Using plugins and themes from untrustworthy sources.
- Failure to use the latest PHP version.
- Failure to use a firewall.
- Using "cheap" low quality or shared hosting.
Automated ToolsMany small businesses have limited budgets alongside insufficient security knowledge. In other words, this combination often overlooks website security as an essential priority. Perhaps your small businesses or startup uses WordPress. You may not even know what platform your website runs on. If you haven't a clue as to what powers your company website, you can ask your web designer, query BuiltWith or use a browser extension like Whatruns.
The relative ease of attacking a smaller business has become such that it’s now perceived as being worth a hacker’s time and effort in more cases – particularly when smaller businesses don’t patch out known vulnerabilities that hackers can use automated tools to quickly scan for and exploit. – Scott Ikeda, CPO MagazineWith the ease and use of automated vulnerability tools, it's easy for businesses (of any size) to be targeted by hackers. Remember this: for cybercriminals, WordPress hacks are an easy slam-dunk when worst security practices enter the arena.
WordPress Is a Hot CMSIn late May of 2003, I experienced the birth of WordPress 0.70. No plugins. Zero widgets. No spellcheck. Sixteen years later, this particular CMS has undeniably become the love of my writing life! Its evolution over time has been nothing short of Olympian. WordPress is currently one of the fastest growing content management systems. As of this writing, WordPress is used by 34% of all websites and has a CMS market share of 60.7% (see figure 1). BuiltWith lists at least 24,808,989 live websites that use WordPress. What's more, there are over 800 new sites built daily and more than 55,000 plugins.
Checks and Balances RuleTransitioning from worst security practices to security best practices is equivalent to acknowledging an elephant has been coexisting with you in the room. This magnanimous twelve-ton entity you previously were unaware of has materialized and come to life. In the meantime, you must plan to remove this behemoth creature from the room. What's more, it is absolutely critical to begin keeping tabs on all your digital assets. This includes your company website. In other words, company involvement in website security is crucial. To clarify, If you hired a consultant or outside agency to handle your site, you should also have an internal employee crewing the ship. Above all, remember this: the ability to act on knowledge is power. Undeniably, to put it another way, checks and balances should always rule.
WordPress HacksThere are several ways attackers can hack your site. With WordPress powering 34 percent (see figure 2) of the Internet, the bad guys are always looking for ways to exploit WordPress vulnerabilities. Whether it is via common weak spots like comments, contact forms, old insecure WordPress versions, plugins, themes or weak passwords, hackers embrace any opportunity that hinges on a set-up-and-forget mentality.
Build a Security MindsetBy now, you are probably wondering how to remove the elephant from the room. To begin with, elephants obviously can't fit through the door. You will have to tear down the wall, lead the elephant out and then rebuild the wall. This is the same way you need to approach the use of WordPress worst security practices. At the present time, If you have a WordPress site powered by a set-up-and-forget mentality, it's time to clean up the dung. Firstly, to minimize the possibility of WordPress hacks, you should employ WordPress best security practices (by reversing the 13 worst security practices listed above): WordPress security best practices include:
- WordPress maintenance (always update the WordPress core, plugins, and themes).
- Always backup the database and files.
- Implement malware checks, security scans, security plugins (or services), and security monitoring.
- Limit login attempts.
- Use sitewide SSL.
- Enable strong passwords.
- Remove the default admin username and replace with a custom name.
- Limit admins (use caution when giving user privileges).
- Use two-factor (2FA) authentication.
- Only download plugins and themes from reputable sites.
- Use the latest PHP version.
- Use a firewall.
Don't Forget to Monitor WordPress PluginsWith so many vulnerabilities continually being discovered in WordPress plugins, a set-up-and-forget mentality coupled with worst security practices can prove disastrous.
Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as popular plugins that are found on many websites. An unpatched vulnerability in either the CMS or associated plugins provides an entry point for attackers to compromise the website by injecting malicious code and impacting the unsuspecting users visiting these sites. — Prakhar Shrotriya, ZscalerRecent examples include WP Live Chat Support malicious redirects and Convert Plus that allowed unauthenticated attackers to create accounts with administrator privileges. What's more, last month researchers warned that the wildly popular WP Database Backup plugin could let attackers take over a victim’s entire operating system! Though this flaw has since been patched (as of version 5.2), the sheer possibility of a plugin firing off an OS command injection should send hackles up your back.
In unpatched versions of WP Database Backup, an attacker is able to inject operating system (OS) commands arbitrarily, which are then executed when the plugin performs a database backup. Injected commands would persist until manually removed, executing each time a backup is run. — Mikey Veenstra, WordfenceThe above example illustrates why it is imperative for you to update plugins post haste. Also, you should always delete unused plugins and avoid abandoned plugins altogether.
It's Wrap-Up TimeAs I have noted above, all small business websites (including startups) need to reject this set-up-and-forget mentality. Most important, you should remove the elephant from the room by building and maintaining a healthy, cybersecurity mindset. By the same token, you should always apply security best practices. In truth, we are all connected...by keeping your website healthy and happy, you will be giving back to the Internet as a whole.