WordPress is the most widely used content management system on the Internet, but for years it has been successfully targeted by hackers. In February, hackers defaced over 1.5 million WordPress pages, and other vulnerabilities to the company’s content management system (CMS) are frequently identified.
Indeed, just days ago, Sucuri researchers discovered another flaw. They describe it as a “severe” SQL injection vulnerability, and it can be found in the popular plugin WordPress Statistics.
WordPress’s reputation led to IBM X-Force publishing research in May that questioned the CMS’s ability to reduce its susceptibility to an attack.
According to IBM X-Force’s researchers, “the sheer quantity of WordPress-based sites makes them natural targets for spammers and cybercriminals who compromise legitimate websites to freely host their own malicious content. And since so many sites are based on the same code, finding just one vulnerability can mean compromising the lot of them, a practice that black-hat hackers apply to any type of platform”.
However, IBM X-Force’s researchers note that the problem also stems from the number of WordPress users who fail to patch plugins. These patches are often applied automatically, but many users don’t upgrade, leaving them susceptible to an attack.
Javvid Malik, a security advocate at AlienVault, also picked up on the fact that WordPress users contribute to the site’s security flaws. Speaking to SC Media, he said that WordPress’s security model means that users don’t know which security aspects are their responsibility when it comes to maintaining WordPress. To resolve this, he recommends that the site raises awareness of users’ security obligations, and that users are given the right tools to audit their sites themselves.
Tips to keep your WordPress account secure
In May, Business 2 Community published seven tips to keep your WordPress account secure:
- Update regularly: Updates fix vulnerabilities, so applying them is crucial.
- Download only from well-known sources: You should only download from WordPress.org or other respected developers.
- Delete all unused plugins: Having fewer themes and plugins means that you’ll have fewer potential vulnerabilities for a hacker to exploit.
- Change your admin username: ‘Admin’ is the default WordPress username, so it’s important to change it to something harder to guess.
- Improve your password strength: Create a password that’s at least 12 characters, including letters, numbers and symbols.
- Change files and directory permissions: File and directory permissions determine which users can read, write, modify and access those files.
- Back up: If you do get hacked, a backup will allow you to restore your site to the way it was before the attack. The site recommends either daily or real-time backups.
Identify your vulnerabilities
WordPress is obviously not the only way in which you could be targeted by an attack, and it’s certainly not the most critical attack vector. Regardless, you are almost certainly going to be targeted by random, indiscriminate attacks sooner or later, so you need to make sure your organisation is secure. This means conducting regular penetration tests.
IT Governance’s Web Application Penetration Test helps you identify potential vulnerabilities in your websites and web applications to ensure all areas of your web applications are tested.