If you’re a blogger or affiliate marketer, you’re probably operating from a WordPress-based website. And while WordPress (WP) is a useful and free platform on which to blog or market, its popularity and its huge ecosystem of third-party plugins and themes make it a constant target for attackers.
In September 2014, Sucuri, a website security company, reported that the popular Slider Revolution Premium plugin contained a vulnerability that let attackers download arbitrary files directly from the server. While the plugin was a premium item, and therefore had to be purchased, it was frequently bundled into various WP themes. As a result, many website owners had this plugin and weren’t even aware of it; a bundled copy also does not show up in the dashboard’s update notices, so it stayed unpatched long after the fix was released.
By December, the RevSlider vulnerability had led to over 100,000 WP sites being compromised in the SoakSoak malware campaign; at least 11,000 of the affected sites were then blacklisted by Google.
Earlier in the same year, the popular MailPoet Newsletters plugin was reported to contain an arbitrary file upload vulnerability that let attackers upload files to the server and then take control of the website. Eventually, over 50,000 websites were reported to have been hacked through this plugin.
At the time of writing, a Cross-site Scripting (XSS) vulnerability, caused by plugin developers misusing a WordPress core function, has left several popular plugins open to attack.
Why is WordPress a target?
The fact that WP is a popular content management system (CMS) used the world over makes it a very tempting target: one working exploit for a common plugin can be replayed against tens of thousands of sites. WP is also simple to install, use and customize, which means many sites are run by people with no time or training for security work, and those sites tend to stay unpatched.
The open source nature of WordPress and its plugin API lets almost anyone write additional software for the platform; this is why there are currently thousands of plugins and themes. Some of these are premium (paid), but most are free.
While most developers are simply hoping to earn extra money by eventually selling a premium version of their software, there are also those who see a plugin as an opportunity to hijack vulnerable websites or steal personal information. Even developers with no nefarious intentions can still cause issues through sloppy coding.
In essence, there is no way to stop cyber criminals from attacking a widely deployed platform. However, there are steps you can take to reduce the chance that an attack on your website succeeds.
How to protect your website from cyber attacks
Update your plugins and themes.
It’s easy to forget or just ignore those update notices at the top of your WP dashboard. Don’t. Developers often release plugin and theme updates precisely because they contain a security fix, and attackers begin scanning for the patched bug within hours of it being disclosed. Many malware and other attacks succeed simply because website owners didn’t make the time to update their plugins, themes or CMS. Remember that a plugin bundled inside a theme (as Slider Revolution was) may not show an update notice at all; you have to get the fix from the theme vendor. Also delete plugins and themes you are not using rather than merely deactivating them: an inactive plugin’s files are still on the server and still reachable by attackers.
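The update check described above can be automated with WP-CLI, the command-line tool for WordPress, which is useful when you manage more than one site or want a cron job to report pending updates. The following script is an added example and not code from the original post; it assumes WP-CLI is installed as `wp` and is run from the site root as the web user. The CSV at the top is a constructed sample of what `wp plugin list --format=csv` prints, included so the parser can be exercised without a live site.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress install with
# WP-CLI and apply pending updates. Assumes WP-CLI is installed as "wp" and
# the script runs from the site root as the web user.
set -eu

# Columns we ask WP-CLI for; the parser below relies on this order.
FIELDS=name,status,update,version,update_version

# audit_plugins: read WP-CLI plugin CSV on stdin and print one line per
# plugin with an update available, plus one per plugin that is installed
# but inactive (its PHP files are still reachable over the web, so it
# should be deleted, not just deactivated).
audit_plugins() {
  awk -F, 'NR > 1 {
    if ($3 == "available") print "UPDATE", $1, $4 "->" $5
    if ($2 == "inactive") print "INACTIVE", $1
  }'
}

# Constructed sample of "wp plugin list --fields=$FIELDS --format=csv"
# output (not captured from a real site), used for the offline demo.
SAMPLE_CSV='name,status,update,version,update_version
akismet,active,none,3.1.1,
revslider,inactive,available,4.1.4,4.6.0'

# demo_audit: run the parser over the constructed sample.
demo_audit() {
  printf '%s\n' "$SAMPLE_CSV" | audit_plugins
}

# live_audit: same report from the real install, then update everything
# (plugins, themes and core) in one go.
live_audit() {
  wp plugin list --fields="$FIELDS" --format=csv | audit_plugins
  wp plugin update --all
  wp theme update --all
  wp core update
}

if [ "${1:-}" = "--live" ]; then
  live_audit
else
  demo_audit
fi
```

Run it with `--live` from cron (for example weekly, shortly after WordPress’s usual release days) and mail yourself the output; any `INACTIVE` line is a plugin to remove, and any `UPDATE` line that keeps reappearing means the automatic update failed and needs a manual look.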
Create weekly site backups.
Having a site backup not only lets you recover from a deleted file or a coding error, it also gives you a known-good copy to compare against, so you can find files that an attacker has added or changed. Even if you can’t locate the injected code, you can at least restore the old website from the backup. Back up the database as well as the files, keep copies off the server (a compromised server means compromised backups), and keep several generations, because a backup taken after the break-in only preserves the attacker’s changes.
Use two factor authentication (2FA).
Most WP logins take a username and password, with the password being the single factor of authentication. With 2FA, you need one more factor to access your website. Often this is a unique numeric code from an authenticator app on your phone or a text message; some setups use a physical token you carry that generates a new code every 30 to 60 seconds.
2FA for WordPress is added through a plugin; turn it on before you have a breach, not after, because it also blunts the automated password-guessing attempts that every public WP site receives. Codes sent by text message can be intercepted or redirected, so an authenticator app or hardware token is the stronger choice.
Purchase anti-virus software and keep it updated.
Anti-virus on your own computer does not protect the website directly, but it protects the machine that holds your WP, FTP and hosting passwords. A keylogger or a stolen browser session gives an attacker the same access you have, no matter how well the site is patched. It’s easy to forget that anti-virus software is quietly working away, and even easier to neglect updating it or renewing it each year, until you get hacked. A compromise can take place in the space of a few days or even hours, so don’t skimp on a good, up-to-date anti-virus program.
Install a firewall.
A web application firewall (WAF) sits between visitors and your website and inspects each request before it reaches WordPress. Normal requests go through; requests matching known attack patterns (such as attempts to download server files or to upload PHP files, the techniques used against Slider Revolution and MailPoet) are blocked and dropped. Note that the personal firewall bundled with desktop anti-virus suites such as McAfee protects your PC, not your website; for the site itself you need either a cloud-based WAF that proxies your traffic or a server-side WAF, which can be added directly to the server as a plugin.
Perform regular site scans.
There are many free online tools that scan your website for malware, spam injections and blacklisting. Sucuri SiteCheck is one such scanner; Quttera, Barracuda and Qualys also provide free scans. Bear in mind that a remote scanner only sees what a visitor sees: a backdoor that stays dormant until the attacker calls it is invisible to it, so scan the files on the server as well.
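A server-side scan complements the remote scanners named above. The script below is an added example, not code from the original post or from any of the scanners it mentions: it checks a WordPress directory for the two most common leftovers of a plugin compromise, PHP files under `wp-content/uploads` (WordPress never writes PHP there itself) and PHP files that feed decoded or decompressed data straight into `eval`, the pattern used by most droppers and web shells. It assumes GNU `find` and `grep`; the sample files in the test are constructed, not real malware.

```shell
#!/bin/sh
# Added example (not from the original post): scan a WordPress tree for the
# usual signs of an injected backdoor. Assumes GNU find and grep.
set -eu

# scan_tree DIR: print "REASON path" for each suspicious file.
#   PHP_IN_UPLOADS  executable PHP inside the media uploads directory, which
#                   is exactly what an arbitrary-file-upload bug produces
#   OBFUSCATED_EVAL eval() fed by base64_decode/gzinflate/str_rot13/
#                   gzuncompress, the standard dropper and web-shell idiom
scan_tree() {
  dir=$1
  find "$dir/wp-content/uploads" -type f \
       \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) 2>/dev/null \
    | sed 's/^/PHP_IN_UPLOADS /'
  grep -rlE --include='*.php' \
       'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13|gzuncompress)' \
       "$dir" 2>/dev/null \
    | sed 's/^/OBFUSCATED_EVAL /'
}

# count_findings DIR: number of suspicious files, handy as a cron exit code.
count_findings() {
  scan_tree "$1" | wc -l | tr -d ' '
}

if [ $# -gt 0 ]; then
  scan_tree "$1"
  # If WP-CLI is present, also compare every core file against the official
  # checksums published for that WordPress version.
  if command -v wp >/dev/null 2>&1; then
    wp core verify-checksums --path="$1"
  fi
fi
```

Treat each line as a lead, not a verdict: a few legitimate plugins do decode embedded data before evaluating it, so check a flagged plugin file against a fresh copy from the vendor before deleting it. A PHP file under uploads, on the other hand, has no innocent explanation and should be removed and the upload path that allowed it investigated.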
Sucuri warned WP users about Slider Revolution’s vulnerability three months before the SoakSoak malware campaign began, so sites that acted on the warning were never at risk. Many security companies regularly scan popular themes, plugins and CMSs and publish their findings for free. By subscribing to a few of their newsletters, you’ll hear about the latest malware and other attacker activity early, and be better able to protect your website.