If you’re using WordPress to host your website or your blog, I hope you’re aware of the growing security risks and what you need to do to avoid them. Not only is WordPress one of the most popular website platforms for businesses, it’s also one of the most popular amongst hackers. But for very different reasons.
There’s little doubt that WordPress has become one of the most popular website and blogging platforms of all time, with more than 60 million WordPress sites around the globe. But being the best comes with a price and, in the case of WordPress, that means sustaining attacks by hackers. WordPress has become such a big target for hackers that earlier this year a security firm decided to log the number of hack attacks over a period of a few months. The results were eye-opening.
Between January and March of 2013 there were between 30,000 and 40,000 attacks every single day against WordPress sites, jumping to around 77,000 a day in April. Hackers are using automated tools to identify WordPress sites, then executing brute force attacks that try thousands of commonly used usernames and passwords. If your WordPress username or password is on their lists, and there’s a good chance it is, hackers can have a field day.
So why target WordPress? There are at least 3 good reasons:
- WordPress is the most popular and widely-used blogging platform on the planet, and there’s no other platform that comes even close. Being the most popular also makes you a target.
- With all those websites and traffic, WordPress is one of the best ways for hackers to reach the largest number of users and spread the most malware. And compromised WordPress sites can then be added to giant botnets and used to attack even more sites.
- Until recently, WordPress security was based simply on passwords, in spite of the fact that passwords are usually the easiest security control to bypass because of user mistakes.
And there’s another angle to worry about. Even if you’re not using WordPress, you could still be a target. Hackers will typically attack WordPress sites from other websites they’ve gained access to by exploiting unpatched security holes.
The risks are overwhelming and certainly worrisome, but not unavoidable.
Here are some simple steps you can take to minimize your WordPress exposure:
- Scan your website regularly, even if you’re not using WordPress. If hackers are exploiting security weaknesses in WordPress, or security weaknesses in other sites to attack WordPress, one of the best defenses is to constantly scan your website for vulnerabilities.
- Manage your passwords. Hackers love password exploits, yet it’s one of the easiest security gaps to close. Make your passwords as long and as complex as you can, change them regularly, and protect them well. And that goes for everyone else who has access to your website.
- Change the admin username to something other than “admin” or your name. The default admin username is “admin”, and most users never change it, which makes it very easy for hackers to guess at least half of your login. Change your username to something random and meaningless, something that’s not likely to be guessed or found in a dictionary.
- Limit the number of login attempts. Brute force attacks require hackers to try as many login and password attempts as quickly as possible until they hit the jackpot. If you lock users out after three failed attempts, you drastically diminish the potency of brute force attacks.
- Uninstall any plugins you’re not using. Third-party plugins are highly favored by hackers because they often have weaknesses in their design that have not been fixed. Make sure all your plugins are patched regularly and disable any plugins you don’t use or need.
- Choose your hosting company carefully. A good hosting company will be aware of the risks to WordPress, as well as to any other websites it hosts, and will have taken precautions to address and fix any known vulnerabilities.
- Activate two-factor authentication. To combat the growing threats, WordPress has introduced some additional security features that include two-factor authentication or verification. This requires you to go through some additional steps to verify who you are, or uses a different type of password generation to limit the options for hackers.
SiteLock is dedicated to providing affordable, comprehensive website security to the WordPress community. Our automated cloud-based solutions seamlessly slide into any hosting environment to find and fix threats, prevent future attacks, accelerate website performance, improve trust, and protect reputation. To learn more call us at 855-378-6200.