WordPress attacks are growing faster than ever. Hackers are getting more creative, and they find new vulnerabilities in WordPress as we speak. That’s why we decided to make this quick list of the most common WordPress attacks. Even though WordPress security is one of our services, we decided to let you guys know how to protect yourself against the most common attacks.
The most common attacks are the following:
- Brute Force Attacks
- Plugin Vulnerabilities
- Theme Vulnerabilities
- Hosting Vulnerabilities
- Core Vulnerabilities
Let’s take these WordPress attacks one by one to understand them better and to see how we can protect our websites against them.
Brute Force Attacks
These attacks are probably the biggest problem in WordPress, since the core is vulnerable by default. But before talking more about them, let’s see what the internet tells us.
In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search. (Source: Wikipedia)
That being said, let’s simplify the idea a little bit. A Brute Force Attack is a technique where a person keeps trying passwords until they guess the right one. It is the ‘big brother’ of WordPress attacks, as we previously said, since it’s at the core of WordPress. The good thing is that there are a lot of ways to protect against it. We at Tadamus prefer to use these two methods:
- Changing the URL address and forbidding access to wp-login.php
- Enabling two-factor authentication
Changing the URL address and forbidding access to wp-login.php
Do not change the URL without also forbidding access to wp-login.php, because it won’t do any good, at least against experienced hackers: some of the WordPress attacks can target your wp-login.php directly.
If you would like to learn more about this method, check our eBook called “WordPress Security Made Easy”. There you have a detailed guide on how to get this solution done.
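One way to check that wp-login.php really is forbidden after the URL change is to audit the web server access log. The script below is an added example, not taken from the eBook or from Tadamus. It assumes the common "combined" log format, treats 403 and 404 as "blocked", and uses a constructed sample log and an arbitrary threshold of 3 POSTs per IP.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "curl/8.4"
198.51.100.4 - - [12/Mar/2024:10:05:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 403 153 "-" "curl/8.4"
192.0.2.10 - - [12/Mar/2024:10:06:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

BLOCKED = {"403", "404"}  # assumption: the forbid rule answers with one of these


def audit_wp_login(log_text, threshold=3):
    """Return (reachable, noisy).

    reachable: (ip, method, status) for every wp-login.php hit that was NOT blocked
    noisy:     {ip: count} for IPs with at least `threshold` POSTs to wp-login.php
    """
    reachable, posts = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.lower().endswith("/wp-login.php"):
            continue
        if m["status"] not in BLOCKED:
            reachable.append((m["ip"], m["method"], m["status"]))
        if m["method"] == "POST":
            posts[m["ip"]] += 1
    noisy = {ip: n for ip, n in posts.items() if n >= threshold}
    return reachable, noisy


if __name__ == "__main__":
    reachable, noisy = audit_wp_login(SAMPLE_LOG)
    print("wp-login.php still reachable:", reachable)
    print("IPs with repeated login POSTs:", noisy)
```

Any entry in the first list means the old login URL still answers, so the URL change alone is not protecting the site.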
Enabling two-factor authentication
This solution is probably what everyone would recommend, since it’s pretty hard to work around for anyone attempting pretty much any of the WordPress attacks.
If you would like to learn more about this method, check our article called “5 tips on WordPress security”. There you have a list of plugins that can help you against this attack and many others.
Plugin Vulnerabilities
Here we don’t have much to explain. This is an important member of our WordPress attacks list, but first let’s see what the internet tells us about plugins.
WordPress’ plugin architecture allows users to extend the features and functionality of a website or blog. As of March 2017, WordPress has over 55,286 plugins available, each of which offers custom functions and features enabling users to tailor their sites to their specific needs. (Source: Wikipedia)
By default, plugins might bring a lot of vulnerabilities, since the market is so big and more and more people build plugins. The best way to deal with this is to hire a qualified programmer to check your plugins. If you would like us to check your site for vulnerabilities and to protect it against WordPress attacks, you can talk to one of our experts.
Theme Vulnerabilities
As with plugin vulnerabilities, we don’t have much to explain since it’s code related. But first, let’s see what the internet tells us about it.
WordPress users may install and switch among different themes. Themes allow users to change the look and functionality of a WordPress website without altering the core code or site content. (Source: Wikipedia)
Since these themes need to be coded and the community keeps getting bigger, there are a lot of rookie developers who start developing themes and plugins. They do not have enough experience with security in PHP or WordPress, and as a result they make your site vulnerable to WordPress attacks or to attacks not even related to WordPress.
Core Vulnerabilities
This is a sensitive subject, since WordPress is such a wonderful piece of software and everybody loves and defends it. But everybody has to admit that nothing is perfect, and hackers are targeting WordPress more and more since it’s used by a lot of people and companies.
Before talking about it, let’s see what the internet tells us about WordPress.
WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. Features include a plugin architecture and a template system. It is most associated with blogging, but supports other types of web content including more traditional mailing lists and forums, media galleries, and online stores. (Source: Wikipedia)
That being said, again, we have to admit that WordPress isn’t perfect. It is vulnerable, and with every update it either becomes more secure or more vulnerable. It’s better to be prepared for the worst. To be prepared, you need to test new versions before updating to them. If you can’t do it yourself, be sure to get a professional programmer or tester to check them for you. Our experts do those tests with every update. If you would like to learn more, check our WordPress security services.
WordPress attacks… case closed!
These were our 2 cents about WordPress attacks. Hopefully, it will help you with your website and your clients’ websites. If you would like to learn more about WordPress, please check our other blog articles or our Tadacademy blog.