In part 1 of this series, we talked and learned about 7 WordPress vulnerabilities and how you can improve your site security with WordPress security best practices. Now that revisions and promotions are done, let’s move to part 2 of this series.
Let’s discuss some more common security vulnerabilities, WordPress security concerns, and how you can prevent them and safeguard your website!
So, the citizens of WordPress, here is the security threats bulletin (continued), wanted over the globe for disrupting, slowing down, data theft, etc. of wonderful and good-looking websites:
Wanted: Dead or Alive
- XSS (Cross-Site Scripting) Attack
- Denial-of-Service Attacks
- Supply Chain Attacks
- CSRF (Cross-site Request Forgery) Attacks
- Weak Hosting Infrastructure
XSS Cross-Site Scripting
Cross-Site Scripting (XSS) takes place when an attacker places a harmful code into the backend of a website. XSS attacks are similar to SQL injections, but the major difference is that XSS is primarily targeted toward web page functionality. And once the attacker has access to your front end, they can place false links, steal user information through fake forms, break the design, etc.
Do you know who the culprits are? It’s the same old theme and plugins. Attackers are on the lookout for old themes still used and poorly managed plugins which are open to exploitation. What it gives them is an opportunity to access your site’s backend and take control of the front end. In short, my deepest sympathies ❤️🩹 and R.I.P O’ Dear website!
What Should I Do?
Say this till you forget your name, so all you remember at the end of the day is one word – UPDATE! Hey, relax, it’s not that big of a task, just glancing through your website, its themes, and plugins now and then is all I ask. Also, I’d recommend going against third-party software unless you have complete confidence in it being on your website.
You can also use a Web Application Firewall (WAF) to check and prevent unapproved visitors from entering your site from outside networks. WAFs are easy to set up and luckily they are easy to maintain too! I’d suggest using good and reputed WAF plugins to protect your WordPress website from SQL injections, XSS, and other attacks.
Denial-of-Service (DOS) Attacks
A Denial-of-Service (DoS) attack is directed to stop visitors and admins from accessing a website. The attacker does this by sending large amounts of traffic to the targeted server, making it crash, and taking down all the websites hosted on the server. Yes, the server and the websites is retrievable, but the hit to the website’s reputation and load-bearing ability can be massive.
These attacks are mostly done with a botnet (multiple machines running simultaneously), hiding the original source and volume of traffic. This is also called a distributed DDoS (Distributed Denial of Service) attack, and trust me, it’s much more dangerous and harmful than a DOS attack. Beware!
These kinds of attacks are often targeted toward hosting servers with less to limited security.
What Should I Do?
Hey, this is something that plugins can’t help you with as no matter how strong or good your website is, Don’t just rely on plugins for this one. The best defense against DOS? The DDoS attack is to have reputed and secure WordPress hosting.
This is not something that needs to be done before or during your website creation journey, you can still switch to a better and safer WordPress hosting provider. Just make sure the hosting provider supports your business’s needs and takes security seriously.
Well, this is an interesting one, because it actually is like fishing 😆, and that’s where the name comes from. Phishing involves an attacker sending out loads of spam links, hoping to get one bite, just one click, and 💥. You know we all have heard about this and have probably been exposed to this through legit-looking emails, texts from unknown numbers, WhatsApp messages, etc.
WordPress websites may also face phishing attacks, which can be from visitor form submissions, lack of security, etc. Do you know who is to blame again? Old, unreliable, and outdated plugins, themes, core software, security of form submission, comment forms, etc. Have you started the golden chant of UPDATE yet?
Once the attacker gains access to your website, they can post spam links to compromise the personal information of your visitors. Phishing leverages the trust of the users who visit your website and its content. The attacker can leave comments, post spam links, etc. to either provide additional resources or some other links. But beware, they are spam links, aimed to take your personal information.
Here’s an example of a spammy comment that entices readers to click a link.
This is how these comments with Phishy links look like. Just don’t click…
On a side note, there are good comments and legit links too. All you have to do is be aware of what you click because honestly, something fishy looks fishy, and something legit sure looks like it too! 😎
What Should I Do?
Protecting your website against phishing involves regular updates, checking site activity, and of course, a password that is secure, super-long, with loads of special characters, etc. You can also go with additional security measures like ReCAPTCHA. It uses ML to break down browsing patterns to understand and distinguish between humans and bots. Cool, right?
Supply Chain Attacks
Supply chain attack uses the most important and loved features of WordPress – Plugins and Themes. This attack takes place in two ways;
- When an owner installs malware on customer sites.
- An attacker buys a popular plugin and injects spam code into it, disguised as an update.
Hackers get access to the backend and then they can cause extensive damage by adding SEO spam, phishing, etc. Also, the site visitor’s personal information is at risk if this attack is successful.
WordPress sites are vulnerable to these types of attacks because they’re based on something that you’re supposed to do, and what we recommend doing to combat most of the issues on this list: Regular Updates.
What Should I Do?
Thankfully, WordPress is one of the most popular, community-driven, open-source CMS and website builders. This means a highly active community and a team of developers actively identifying fake plugins and themes, along with fixing major to minor security issues in the core software.
A few plugins and themes can bypass the radar, fret not amigo, you can easily fix this by running regular security checks on your site and identifying these vulnerabilities. Also, it’s worth taking regular backups of your WordPress site data, in case it’s compromised, you can get back up and running in no time. Ps. plugins come in handy for this. 😉
This is one of the worst things that can happen to your website, especially if you’re a content creator. Hotlinking means others can use your work without your permission. Commonly, how it takes place is another website will embed content like images, videos, infographics, etc. from your website, hosted on your server.
They can use the content but after downloading it, because if they don’t, after embedding it’ll be called from your server, resulting in higher monthly bills from your hosting service provider.
It’s not a spam kinda attack, as the people doing it aren’t hackers, it’s just a poor internet ethic and practice. Also, if the content on your website is licensed and restricted for your use, then hotlinking is outright illegal.
As a site owner, you want to share your high-quality content with site visitors. Unfortunately, WordPress sites are vulnerable to hotlinking because people take advantage of this.
They simply copy and paste a link to an image or digital file from another site onto their site without giving credit. Many WordPress site owners might not have the time to take preventative measures against hotlinking — or even think to do so.
What Should I Do?
There are many ways to protect your WordPress website from hotlinking. One of the easiest and most user-friendly ways is to add a watermark to the images. Although, it does not guarantee hotlink protection but acts as a barrier to many visitors who are after the content on your website. You can add a watermark to your content via plugins or any other tool of your liking.
Well, this topic here deserves an article of its own, which I’ll be covering soon. Till then, fret not, and use these tips to safeguard your WordPress website.
Cross-site Request Forgery (CSRF)
Cross-site request forgery (CSRF) allows attackers to make users take actions they don’t want to take. For example, using CSRF, an attacker can convince users to change their passwords, email addresses, transfer funds, etc. This allows the attacker to gain control of their accounts, information, and data. If the user turns out to be an admin, they can take control of their whole website.
WordPress websites are at risk of CSRF attacks owing to many popular plugins, yes, you heard it right! Popular WordPress Plugins that use the function check_url(), etc. make your site vulnerable to CSRF attacks. I’ll be creating a detailed article on this soon!
What Should I Do?
To prevent your site from CSRF vulnerability, I’d suggest you keep a close eye on the plugins you use or plan to use. Not everything that glitters is gold, my friend. 🌟
Install a robust, trustworthy, and secure WordPress plugin(s). Many great plugins provide your site safety from all kinds of threats, including CSRF attacks.
Also, you can prevent such attacks by using stronger passwords with 2fa (Two-factor authorization) as we discussed in part 1 of this article. You can also take other actions like disabling the file editor, PHP execution in untrusted folders, etc.
Weak WordPress Hosting
WordPress is one of the most popular and widely used CMS and Website Builders. What that means is a lot of competition between hosting service providers. You can either pick between Self vs. Managed WordPress hosting. It’s no wonder that hosting companies are fighting to gain as many clients as possible.
If you pick managed WordPress hosting, you’ve got loads of companies competing with prices but compromising on quality. It’s the price along with a managed WordPress website that attracts maximum users. But honestly, not a great choice to pick, read on to know more…
Paying extra for premium managed hosting comes with extra security, 24×7 support, regular security scans, frequent auto-updates, regular backups, and more. Also, the security part of your website is covered too!
Of course, quality comes with a price tag, but that’s the price you got to pay!
What Should I do?
Honestly speaking, I know we all want the best of both worlds. In the case of WordPress hosting providers, you would want the best and safest option with the lowest cost. I’d suggest going with self WordPress hosting.
The only thing involved with this is a learning curve and a detailed knowledge of WordPress, what it is, how it works, etc. Don’t worry about that, you can check out our Beginner’s Guide to WordPress. Taking you across everything you need to know and learn about WordPress to start your website creation journey.
Well, after this part 2, we’ve covered the most common yet important threats to WordPress security. It might seem overwhelming at first, but as you start conducting regular audits, and take proper measures, it’ll become a routine and part of your website maintenance process real soon.
We often overlook cybersecurity, but as time moves ahead and the world becomes digital each passing day, these threats are real and vulnerable to theft and exploitation. So, again I’ll tell you to get a bit more cautious, and a bit more aware of your website. You worked hard on it, still are, making it content-rich, and designing it to perfection, so, security should also take precedence.
WordPress as a CMS and website builder is a great platform that provides you freedom and flexibility to create the website you want. Because of its popularity, it’s quite safe owing to frequent updates, immersive and responsible community, and overall architecture. But, that does not make it safe from attacks and malicious trials, so prevention is better than cure!
I’d also suggest staying ahead of cybersecurity trends. With respect to WordPress security and issues, WPWhiteBoard is here with curated content and resources. Subscribe to get the latest updates and resources on All-Thing-Everything WordPress.
Protect your website, secure your data, and To the moon people 🌕 🍾
Until next time!