Did you know that more than 74,652,825 websites around the world use WordPress as their content management system (CMS)?
To put that number into perspective, that’s almost one quarter of the world’s websites that use WordPress!
WordPress is used so often because it’s an open source platform (it’s free), easy to use, and has the most third-party plugin support. WordPress has a lot of strengths and is a great website platform. However, its popularity is also one of its biggest drawbacks, making it the most popular CMS for hackers to target.
For any readers who don’t know what a hacker is: hackers are malicious individuals who use computers and programs to gain unauthorized access to your data (website). Typically, this results in the addition of malware (viruses), modified files and/or redirection of your website’s visitors. In any case, hackers are not good for your business website.
At Adaptive Marketing we clean and fix hacked websites. We find that most WordPress hacking attempts are in fact preventable, but also that proper maintenance often hasn’t been performed correctly.
How Do Hackers Hack A WordPress Site?
Traffic on the World Wide Web is 60% bot traffic (not real) and 40% human traffic. Most of the time these bots are search bots and other programs scouring the web for relevant data, but some of them are malicious programs looking for website vulnerabilities. The vulnerabilities they look for normally have to do with plugins and/or outdated programs and scripts.
We find that most of the time what has led to a website being hacked is outdated themes, outdated plugins and/or outdated WordPress files. These are the main ways hackers gain access to a website (besides brute force attacks on your login). Even deactivated themes and plugins can leave your system vulnerable. Why? Because the files are still in a readable / writeable folder, just not active.
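One way to find such leftovers, as an added example rather than code from Adaptive Marketing or WordPress: the Python script below lists plugins that are still on disk but not in the active list, and flags any of their PHP files that are group- or world-writable. It assumes the standard `wp-content/plugins` layout and an active list in the form WordPress keeps in its `active_plugins` option (entries such as `folder/file.php`); the function names and the sample site are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def active_slugs(active_plugins):
    # "contact-form/contact-form.php" -> "contact-form"; single-file "hello.php" stays as is
    return {entry.split("/", 1)[0] for entry in active_plugins}


def audit_inactive_plugins(wp_root, active_plugins):
    """Report plugins present on disk but absent from the active list."""
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    active = active_slugs(active_plugins)
    report = {}
    for entry in sorted(plugins_dir.iterdir()):
        if entry.name == "index.php" or entry.name in active:
            continue  # index.php is the placeholder file WordPress ships in this folder
        if entry.is_dir():
            php_files = sorted(entry.rglob("*.php"))
        elif entry.suffix == ".php":
            php_files = [entry]  # single-file plugin
        else:
            continue
        writable = [p.relative_to(plugins_dir).as_posix() for p in php_files
                    if p.stat().st_mode & 0o022]  # group- or world-writable bit set
        report[entry.name] = {"php_files": len(php_files), "writable": writable}
    return report


def build_sample_site(root):
    """Constructed sample tree: one active plugin, two inactive leftovers."""
    plugins = Path(root) / "wp-content" / "plugins"
    layout = {
        "index.php": 0o644,
        "contact-form/contact-form.php": 0o644,  # active
        "old-slider/old-slider.php": 0o644,      # inactive
        "old-slider/inc/export.php": 0o666,      # inactive and world-writable
        "hello.php": 0o644,                      # inactive single-file plugin
    }
    for rel, mode in layout.items():
        path = plugins / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        for slug, info in audit_inactive_plugins(site, ["contact-form/contact-form.php"]).items():
            print(slug, info)
```

Anything the report lists is a candidate for deletion rather than deactivation, since removing the files is what takes them out of reach.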
Is WordPress Secure?
WordPress Core files are secure, but WordPress is a modular platform: it can be modified by a wide variety of themes and plugins. Because anyone and everyone can write tools for WordPress, it is not possible to hold all of that code to the same code review standards as the WordPress core. It is also very possible for popular plugins (applications) to have serious security flaws that can impact thousands of WordPress sites all at once. This isn’t anyone’s fault, but without proper updating, it can devastate your business. WordPress now even comes with an auto-update feature, so when there are any security patches, it patches itself.
When Plugins Are Vulnerable
In late 2014 a very popular plugin, Slider Revolution, had a critical vulnerability that was being exploited. Revolution Slider is one of the most downloaded slider plugins from Envato’s Marketplace – Code Canyon. It is also commonly bundled in theme packages.
The vulnerability allowed a remote attacker to download any file from the server. Yes, any file! This hacking method, known as a Local File Inclusion (LFI) attack, is typically used to steal the database credentials, which then allow the attacker to compromise the website via the database.
Can Hacking Be Prevented?
Your business website is an investment that helps to generate revenue and business leads, and like any business asset it should undergo proper monthly maintenance. Regular monitoring and monthly maintenance are a great first step to reduce the risk of hacking attempts. You can further reduce the risk by installing malware and file scanning software, which can identify potential holes and/or unknown vulnerabilities.
Looking to see if your website is secure? Contact us to find out more.