16 WordPress security issues (vulnerabilities)
Reading time: 22 min
WordPress security vulnerabilities: this article covers 16 common security issues, what they are, and how to fix them. WordPress lets anyone quickly create a website, but there is a lot of noise on the Internet about how many security problems it has.
- Does WordPress have security issues? Yes
- Are they insurmountable? No
- Should this prevent you from building your website with WordPress? Most likely no
The most conservative estimate puts the number of websites at around 2 billion, and almost 45% of them are powered by WordPress. Because WordPress is so widespread, it is the target of many attacks. As a direct consequence, WordPress has evolved into a very secure system. In fact, many of the security issues that WordPress has solved over the years still exist in other CMS.
In this article, I will explain which WordPress security issues you should be aware of, and more importantly, how you can protect your site from them.
The content of the article:
- Does WordPress have vulnerabilities and security issues?
- 16 Common WordPress Security Vulnerability Issues That Could Affect Your Site
- Best practices for preventing WordPress security issues
- The main reasons for hacking on sites using a WordPress vulnerability
- Conclusion
Does WordPress have vulnerabilities and security issues?
Yes, there are security issues in WordPress, but they are not difficult to deal with. You don't need to have development experience or experience with WordPress code to counter threats. Follow the simple fixes outlined in this article and you will have a reliable and secure WordPress website.
16 Common WordPress Security Vulnerability Issues That Could Affect Your Site
WordPress does have a lot of security issues and quite a few vulnerabilities. But the good thing is that all of them can be easily solved. Nobody wants to spend time managing the security of their website instead of developing it or increasing their income.
Apart from WordPress security vulnerabilities and compromised passwords, malware and attacks are also security concerns. While malware and WordPress attacks are sometimes used interchangeably, they are different. Malware is the malicious code that hackers inject into your site whereas attacks are the mechanisms they use to inject malware. In the list below, I have covered all 4 types of WordPress security issues.
Here is a list of common WordPress security vulnerability issues that you need to be aware of:
- Outdated plugins and themes;
- Weak passwords;
- Malware on your WordPress site;
- SEO spam malware;
- Phishing scams;
- Malicious redirects;
- Reusable passwords;
- Nulled software;
- Backdoors on your WordPress site;
- Malware wp-vcd.php;
- Brute force attacks;
- SQL injection;
- Cross-site scripting attacks;
- The site works over HTTP, not HTTPS;
- Spam emails sent from WordPress;
- Inactive user accounts.
1. Outdated plugins and themes
WordPress plugins and themes are built with code, and as I explained earlier, developers sometimes make mistakes in the code. Bugs can cause security holes called vulnerabilities.
Security researchers are looking for WordPress security vulnerabilities in popular software to make the Internet a safer place. When they discover vulnerabilities, they report them to developers for fixing. The responsible developers then release a security patch in the form of an update that fixes the vulnerability. After sufficient time, the security researchers will announce their findings.
Ideally, plugins and themes should be updated by this time. However, very often this is not the case. And hackers know and rely on this tendency to attack websites and exploit vulnerabilities.
Updates can sometimes break a site if not done carefully. Use BlogVault to manage updates: it backs up your site before each update and lets you confirm that everything works on a test copy before applying the update to the production site.
Correction: Manage updates on your website quickly.
2. Weak passwords
Hackers use programs called bots to attack login pages by trying many combinations of usernames and passwords in order to break into a website. Bots can often try hundreds of combinations per minute, drawing on dictionary words and commonly used passwords. Once they succeed, the hacker has open access to your site.
On the other hand, complex passwords are hard to remember, so administrators choose easy ones to remember, such as pet names, birthdays, or even variations on the word "password".
However, this leaves the site's security vulnerable to attack. This information is legally available online through social media and other sites, and illegally through data breaches or the dark web. It is best to have a strong unique password to keep your account and therefore the website secure.
Note: You need to set strong passwords for all of your website's accounts, including your user account and hosting account. Administrators rarely change SFTP and database credentials, but if you do, make sure those passwords are strong as well.
In addition, you can limit the number of WordPress login attempts. If a user has too many bad logins, they are temporarily banned or need to complete a CAPTCHA to prove they are not a bot. This measure protects against bots and makes allowance for the human factor.
Correction: Use strong passwords and limit the number of login attempts to block bots.
3. Malware on your WordPress site
Malware is a generic term used to describe any code that allows unauthorized activity on your website. In the following paragraphs, I will also look at specific cases such as backdoors and phishing attacks.
When we talk about solving WordPress security issues, the goal is to keep malware out. However, as I said earlier, no system is 100% bulletproof. You can do everything right, and a clever hacker will still find a new way to break the protection. It's rare, but it happens. So how do you deal with malware if it's already on your site?
First of all, you need to confirm that the malware is indeed on your site. Malicious software can hide in files, folders, and in a database. We have seen malicious files disguised as WordPress core files, image files, and even displayed as plugins. The only way to be sure if your website is infected or not is to deep scan it daily. To do this, you need to install MalCare or Wordfence Security. Let's take a look at MalCare:
MalCare uses a sophisticated algorithm to detect malware on your site. Other scanners use partially effective methods such as file comparison and signature matching to flag malware. MalCare uses over 150 signals to check code behavior and then flags it as malware if the intent is malicious. This has two huge benefits:
- firstly, there are no false positives, where legitimate custom code is flagged as malware;
- secondly, even the newest variants of malware are detected correctly.
MalCare provides more than 95% malware scan accuracy and is completely free. If the scan results show that your site has been hacked, only then do you need to upgrade to clean it up. With MalCare, the automatic cleaning feature will surgically remove malware from your WordPress site, leaving your site pristine again.
Correction: Scan and clean up your site with MalCare.
4. SEO Spam Malware
SEO spam is a particularly egregious malware that is used by hackers to redirect your website traffic from your website to their dubious and spam sites. They do this by hijacking your Google search results, injecting code into your existing pages, or redirecting traffic to their own websites. Sometimes they do all these things. Either way, it's always bad news.
There are several common variants of SEO spam malware, such as the Japanese keyword hack and the pharma hack. Both have gained notoriety in their own right because their symptoms are distinctive: Japanese characters or pharmaceutical keywords appearing in your search results.
All types of SEO spam malware are incredibly difficult to manually remove because they can create hundreds of thousands of new spam pages that cannot be easily removed. In addition, they inject malware into important WordPress core files and folders such as the .htaccess file, which can break the site if not properly cleaned.
Sites with these strains of malware are invariably flagged in Google Search Console, blacklisted by Google, and cause the web host to suspend your hosting account. So the key to fighting this hack is to leave it to the experts, which in this case are WordPress security plugins. Not only will they get rid of malware, but they will also protect your site with an advanced firewall.
Correction: Remove SEO spam malware with WordPress security plugins.
5. Phishing scam
Phishing malware is a two-part scam that tricks users into revealing their sensitive data while masquerading as trusted brands.
The first part is to send the unsuspecting user an official-looking email, usually with a dire warning that something terrible will happen if they don't update their password or similar immediately. For example, a phishing email that spoofs a web hosting provider might say the site is in danger of being taken down.
The second half of the scam happens on the website. A phishing email usually contains a link that takes the user to a supposedly official website and requires them to enter their credentials. The website is, of course, fake, and this is how many people give away their accounts.
There are two types of phishing on WordPress websites, depending on which part of the scam is happening. In the first case, the WordPress administrator receives phishing emails that their website needs a database update and they are tricked into entering their login details.
On the other hand, hackers can use your site to host the fake pages. Website administrators have often found bank or e-commerce logos on their own sites with no reason for them to be there; these are phishing pages used to deceive visitors.
Google and Yandex are very quick to crack down on phishing, especially on the websites that host these pages. Your website will be blacklisted and you will be notified that a phishing page has been found, which is terrible for visitor trust and branding. Even though you are innocent, your website has become a scam site. It is imperative that you get rid of this malware as soon as possible and take steps to limit the damage.
Correction: Remove phishing malware from your website with MalCare or Wordfence Security security plugin, and advise your users not to click on links in emails.
6. Malicious website redirects
One of the worst WordPress hacks is the malicious redirect hack. It is incredibly frustrating to visit your website only to end up on another spammy or scam website selling questionable products and services. Often, a WordPress administrator cannot even log into their websites due to a hacked redirect malware. There are many variations of this malware and it completely infects the files and database of the website.
The only way to get rid of malicious redirect malware is to use a security plugin. In fact, you'll probably need help installing the plugin at all, because you won't be able to log in to your site.
Correction: Get rid of redirect hack malware with MalCare or Wordfence Security.
7. Reusable passwords
Reusable passwords can be strong passwords, as I discussed in the previous section, but they are not necessarily unique.
For example, your social media account and website account have the same string of letters, symbols, and numbers for the password. You're used to typing it and think it's impossible to guess, so it's a good password.
Well, you are half right. This is a good password, but only for one account. The rule of thumb is to never reuse passwords for different accounts. And the reason is the potential threat of data leakage.
GoDaddy had a leak in September 2021 that they only discovered in November 2021. By that time, a database of 1.2 million users and SFTP credentials had been compromised. If any of these users had used those passwords elsewhere, such as for a bank account, that information was now in the hands of a hacker. It has become much easier to hack other accounts.
We trust various services and websites to protect our data, but no system is completely bulletproof. Everything can and will break at some point. The goal is to contain the damage as much as possible, and that is what unique, strong passwords for each account do for you.
Correction: Set unique passwords and use a password manager to remember them.
8. Nulled software
Nulled plugins and themes are premium versions with cracked licenses that are available for free online. Beyond the morality of stealing from developers, nulled software poses a huge security risk to WordPress.
Most nulled themes and plugins are infested with malware. Hackers count on people wanting a premium product at a bargain price and wait for them to install it. The website receives a dose of hand-delivered malware, and now the site has been hacked. This is the only reason anyone cracks premium software at all. Robin Hood is not part of the WordPress ecosystem.
Even if the nulled themes and plugins do not contain malware, which is very rare, you will not be able to update them. Since they are not official versions, they obviously do not receive support from the developers. So if a vulnerability is discovered and the developers release a security patch, the nulled software stays unpatched and vulnerable, on top of the malware already installed in it.
Correction: Avoid nulled plugins and themes like the plague.
9. Backdoors on your WordPress site
Backdoors, as the name suggests, are alternative, unauthorized ways to access your website's code. Along with malware, hackers inject backdoor code into your website, so that if the malware is found and removed, they can regain access through the backdoor.
Backdoors are one of the main reasons I don't recommend manually removing malware from your website. You can find malicious scripts and remove them, but backdoors can be very cleverly hidden and made almost invisible. The only way to remove backdoors from your site is to use a WordPress security plugin.
Correction: use a security plugin to remove backdoors.
10. Malicious wp-vcd.php
The wp-vcd.php malware causes spam pop-ups on your WordPress website that direct users to other websites. It has the same purpose as SEO spam hacks and malicious redirects, but works differently. It has several variants, such as wp-tmp.php and wp-feed.php.
The wp-vcd.php malware infects websites with code that is executed every time the site is loaded. This is one of the nastiest hacks that infect WordPress sites, because as soon as you remove it, it seems to come back, in some cases instantly. If ever there was malware that could be compared to a recurring virus that just can't be eradicated, wp-vcd.php is it.
The wp-vcd.php malware infects websites primarily through nulled plugins and themes. Wordfence goes so far as to call it "malware you installed on your own site".
Correction: Instantly get rid of wp-vcd.php malware from your website with a security plugin.
11. Brute force attack
Hackers use bots to bombard your login page with username and password combinations to gain access. This method is known as a brute force attack and can be successful if the passwords are either weak or the same as in the data breach.
Brute force attacks are not only terrible for security, but they also consume your site's server resources. Every time the login page loads, it requires some resources. Normally this is negligible and has no noticeable impact on performance. But brute force bots hit the login page several hundred, if not thousands, of times per minute. If your site is on shared hosting, there will be noticeable repercussions.
The way to counter brute force attacks is to protect your site from bots, as well as limit invalid login attempts.
You can also enable CAPTCHA on the login page. You may see advice to hide the login page by changing the default URL, but don't. It's incredibly difficult to recover if that URL is lost, and you lock yourself out of your website along with the hackers.
Correction: Limit the number of login attempts and get bot protection for your site.
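A minimal login-attempt limiter for the measure described in sections 2 and 11, written here as an added example; it is not code from the article or from any plugin it names. It stores a per-IP failure counter in a WordPress transient and refuses logins once the limit is reached; the limit, lockout period and the assumption that REMOTE_ADDR is the real client address (no reverse proxy) are choices made for this example.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (illustrative example)
 * Drop into wp-content/plugins/ as a single-file plugin and activate it.
 */

// Arbitrary values chosen for this example.
define( 'LAL_MAX_ATTEMPTS', 5 );
define( 'LAL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// One counter per client address. Assumes no reverse proxy: behind one, you
// would read the forwarded-address header that your own proxy sets instead.
function lal_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_fail_' . md5( $ip );
}

// Every failed login increments the counter and restarts the expiry window,
// so a bot that keeps hammering the page keeps itself locked out.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lal_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LAL_LOCKOUT_SECONDS );
    if ( $count === LAL_MAX_ATTEMPTS ) {
        // Leave a trace in the server log for the activity review the article recommends.
        error_log( sprintf(
            'Login lockout for %s after %d failures (last username tried: %s)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $count,
            $username
        ) );
    }
} );

// 'authenticate' runs for every login. Priority 30 places this check after the
// core username/password check (priority 20), which would otherwise overwrite an
// earlier error, so a locked-out client is refused even with correct credentials.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_client_key() ) >= LAL_MAX_ATTEMPTS ) {
        // The message deliberately does not reveal whether the username exists.
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.',
                LAL_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login resets the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lal_client_key() );
} );
```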
12. SQL Injection
All WordPress websites have databases that store important information about the website. Things like users, their hashed passwords, posts, pages, comments are stored in tables and are regularly edited and retrieved by the website files. The database is rarely accessed directly and is controlled by the website's files for security reasons.
SQL injections are particularly dangerous attacks because hackers can interact with the database directly. They use forms on your website to insert SQL queries, allowing them to manipulate or read the database. SQL is the query language used to make changes to a database, such as adding, deleting, modifying, or retrieving data. This is why SQL injection attacks are so dangerous.
The solution is to keep your plugins and themes up to date, because WordPress security vulnerabilities such as unsanitized input are what make SQL injection attacks succeed. In addition, a good firewall will protect your site from intruders.
Correction: Keep everything up to date and install a firewall.
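To make the "unsanitized input" point concrete, here is one database lookup written the vulnerable way and the prepared way, as an added example that is not from the article. It assumes a hypothetical plugin table named {$wpdb->prefix}subscribers with id and email columns, searched from a form field called "q".

```php
<?php
/**
 * Added example: the same lookup with and without parameter binding.
 * Table {$wpdb->prefix}subscribers (id, email) and field "q" are hypothetical.
 */

// VULNERABLE: the visitor's text is spliced into the SQL itself. A single quote
// in the input ends the string literal early, and everything after it is parsed
// as SQL; this is the "insert SQL queries through forms" the article describes.
function subscribers_by_email_unsafe( $raw_query ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    return $wpdb->get_results( "SELECT id, email FROM {$table} WHERE email = '{$raw_query}'" );
}

// HARDENED: $wpdb->prepare() binds the value as a quoted, escaped literal, so the
// input is only ever compared as data and never parsed as SQL.
function subscribers_by_email_safe( $raw_query ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email = %s", $raw_query )
    );
}

// LIKE searches need one more step: % and _ are wildcards inside LIKE, so escape
// them with esc_like() before binding, otherwise a visitor can widen the match
// to every row with a single character.
function subscribers_search_safe( $raw_query ) {
    global $wpdb;
    $table = $wpdb->prefix . 'subscribers';
    $like  = '%' . $wpdb->esc_like( $raw_query ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email LIKE %s", $like )
    );
}

// Call site: request values reach the database only through the safe functions,
// and every field is escaped with esc_html() when it is rendered.
add_action( 'init', function () {
    if ( isset( $_GET['q'] ) ) {
        $rows = subscribers_search_safe( sanitize_text_field( wp_unslash( $_GET['q'] ) ) );
        foreach ( $rows as $row ) {
            echo '<li>' . esc_html( $row->email ) . '</li>';
        }
    }
} );
```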
13. Cross-Site Scripting Attacks
Cross-site scripting, or XSS, attacks on websites are similar to SQL injections in that a hacker injects code into a website. The difference is that the code is targeting your site's next visitor, not your site's database.
An XSS attack adds a malicious script to your site. When a visitor arrives, their browser treats the script as part of your website and runs it, and so the visitor is attacked. Typically, cross-site scripting attacks are used to steal data from unsuspecting visitors.
To protect your site visitors, you need to make sure that your site does not have XSS vulnerabilities. The easiest way to do this is to make sure your site is completely up to date. You can take your security to the next level by installing a WordPress firewall plugin.
Correction: Install a WordPress firewall and keep everything up to date on the website.
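The root cause on the plugin side is visitor-supplied text echoed into a page without escaping. The following added example, not from the article, shows a small greeting widget done wrong and then done right with WordPress's context-specific escaping functions; the widget, its inputs and the user-meta key are hypothetical.

```php
<?php
/**
 * Added example: the same output rendered without and with escaping.
 * The greeting widget and the 'display_name_custom' meta key are hypothetical.
 */

// VULNERABLE: visitor-controlled text goes into HTML text and an attribute
// unchanged, so a value containing markup or a <script> tag is parsed by the
// next visitor's browser as part of the page.
function render_greeting_unsafe( $display_name, $profile_url ) {
    return '<a href="' . $profile_url . '">Welcome back, ' . $display_name . '</a>';
}

// HARDENED: escape at the point of output, choosing the function by context:
//  - esc_html() for text between tags,
//  - esc_attr() for attribute values,
//  - esc_url()  for href/src, which returns '' for disallowed schemes such as javascript:.
function render_greeting_safe( $display_name, $profile_url ) {
    return sprintf(
        '<a href="%s" title="%s">Welcome back, %s</a>',
        esc_url( $profile_url ),
        esc_attr( $display_name ),
        esc_html( $display_name )
    );
}

// When some HTML must be allowed (a bio with <b> and <a>, say), filter it to an
// allow-list instead of trusting it: wp_kses_post() keeps the tags permitted in
// post content and strips <script>, on* event attributes and unsafe URLs.
function render_bio_safe( $bio_html ) {
    return '<div class="bio">' . wp_kses_post( $bio_html ) . '</div>';
}

// Defence in depth: also sanitize on the way in, so the stored value is plain text.
function save_display_name( $user_id, $raw ) {
    update_user_meta( $user_id, 'display_name_custom', sanitize_text_field( wp_unslash( $raw ) ) );
}

// Where the widget is rendered; the stored value is still escaped on output,
// because sanitizing on input does not cover values written by other code.
function greeting_shortcode() {
    $user = wp_get_current_user();
    if ( ! $user->exists() ) {
        return '';
    }
    $name = get_user_meta( $user->ID, 'display_name_custom', true ) ?: $user->display_name;
    return render_greeting_safe( $name, get_author_posts_url( $user->ID ) );
}
add_shortcode( 'greeting', 'greeting_shortcode' );
```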
14. Website uses HTTP, not HTTPS
You may have noticed that many websites now show a padlock in the address bar. This is a trust badge that tells the visitor the website is using SSL. SSL is a security protocol that encrypts the traffic to and from a website.
A good analogy for this is a phone call. Data exchanged between two people on a line is meant to remain between them as a private conversation. However, if a third party could tap into this line, they would understand everything said and it would no longer be private. But if the two original people used a code that only they could decipher, no matter how much the third person overhears, the true meaning of the information stays hidden from them.
This is how SSL works for websites. It encrypts the data sent to and from the website so that sensitive information cannot be read by a third party and used in an illegal manner.
In the last decade, the Internet as a whole has been moving towards data security and privacy, and SSL has become one of the main ways to achieve this goal. Even Google strongly advocates SSL-enabled websites, to the point of penalizing non-SSL websites in search results.
Correction: Install an SSL certificate on your site.
15. Spam emails sent from WordPress
Emails are the cornerstone of digital marketing and the way you interact with website visitors. People are also becoming more sensible about the emails they want to receive, so there is an underlying trust.
Given the sensitive nature of that trust, it's terrible to think that a hacker could inject malware into your website and spam your visitors by email. And yet, that's exactly what some malware does. It hijacks the core WordPress function wp_mail() to send spam.
Malware in general gets your site blacklisted by Google, banned by Yandex and suspended by your web host, but with spam malware your web host will additionally block your site's outgoing email, and you will see many other errors. And if the spammer also adds email addresses to your website, you run the risk of being blacklisted yourself.
Spam emails land in spam traps and ruin the sending reputation of your WordPress website.
Correction: Clean up spam from your website and use an email marketing tool instead.
16. Inactive User Accounts
Users on the site are constantly changing. For example, if you run a blog with multiple authors and editors, chances are that new authors are often added to the website and old authors leave.
The bottom line here is that old user accounts that are not deleted quickly become a WordPress security issue over time. Because accounts exist but passwords are not updated regularly, they are vulnerable to attack. Inactive user accounts are subject to the same risks as compromised passwords, so deleting any accounts that are not actively used is a necessary business task.
It's also important to know who is doing what on your site. Unusual or unexpected user actions are an early signal that accounts have been hacked.
Correction: Remove inactive user accounts and use Activity Log.
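WordPress does not record when a user last logged in, so here is an added example, not from the article or any plugin it names, that stamps each login and lists accounts that have been idle for longer than a threshold for the periodic audit. The meta key and the 90-day cutoff are choices made for this example; an account with no recorded login is treated as stale.

```php
<?php
/**
 * Added example: last-login tracking plus a stale-account report.
 * 'last_login_ts' and the 90-day threshold are arbitrary choices made here.
 */

define( 'STALE_AFTER_DAYS', 90 );

// Stamp the user record on every successful login.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'last_login_ts', time() );
}, 10, 2 );

// WP_User objects whose last login is older than the threshold, plus those with
// no recorded login at all (unknown is treated as stale, not as safe).
function find_stale_users( $days = STALE_AFTER_DAYS ) {
    $cutoff = time() - $days * DAY_IN_SECONDS;
    return get_users( array(
        'meta_query' => array(
            'relation' => 'OR',
            array(
                'key'     => 'last_login_ts',
                'value'   => $cutoff,
                'compare' => '<',
                'type'    => 'NUMERIC',
            ),
            array(
                'key'     => 'last_login_ts',
                'compare' => 'NOT EXISTS',
            ),
        ),
    ) );
}

// Report rather than delete automatically: an administrator should decide, and
// content owned by the account has to be reassigned before wp_delete_user().
// Roles are included because an idle administrator is the worst case.
function stale_user_report( $days = STALE_AFTER_DAYS ) {
    $lines = array();
    foreach ( find_stale_users( $days ) as $u ) {
        $ts   = get_user_meta( $u->ID, 'last_login_ts', true );
        $when = $ts ? gmdate( 'Y-m-d', (int) $ts ) : 'never recorded';
        $lines[] = sprintf( '%s <%s> roles=%s last login: %s',
            $u->user_login, $u->user_email, implode( ',', $u->roles ), $when );
    }
    return $lines;
}

// Example: expose the report to WP-CLI as `wp user stale` when WP-CLI is present.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'user stale', function () {
        foreach ( stale_user_report() as $line ) {
            WP_CLI::line( $line );
        }
    } );
}
```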
Best practices for preventing WordPress security issues
WordPress security issues are constantly evolving and it's hard to keep up to date with them in addition to all the other work involved in running a website. So here are some good security tips that will help you protect your site from malware and hackers without any extra effort on your part.
- Install the security plugin: The best protection for your WordPress against hackers is a good security plugin. A WordPress security plugin must have a malware scanner and cleaner. Ideally, it should also come with a firewall, brute force protection, bot protection, and an activity log. Such a plugin will help you overcome WordPress security vulnerabilities.
- Use a firewall: A web application firewall protects your site from all sorts of intruders. Hackers probe your website for vulnerabilities and other WordPress weaknesses; the firewall prevents this by letting only legitimate visitors through. This is a must for your website, and it's even better if it comes bundled with your security plugin.
- Keep everything up to date: Make sure WordPress core, plugins and themes are always up to date. Updates often contain security fixes for vulnerabilities, so it's important to apply them as soon as possible. To minimize risk, update your website safely with BlogVault: your site is backed up just before the update and you can check how the update behaves on a test copy before updating your live website.
- Use two-factor authentication: Passwords can be cracked, especially if they are not very strong or have been reused. Two-factor authentication adds a one-time login code on top of the password, which is much harder to defeat. You can enable two-factor authentication with a plugin like WP 2FA or another one from this list.
- Enforce strong password policies: I can't stress enough the importance of strong and unique passwords. I recommend using a password manager. To protect your website from security issues such as brute-force attacks, your security plugin should also restrict login attempts.
- Make regular site backups: Backups are your last resort after a hack, and your website should always have a backup that is kept away from your website's server.
- Use SSL: Install an SSL certificate on your website to encrypt communication with it. SSL has become the de facto standard, and Google is actively promoting its use for safer browsing.
- Conduct a security audit every few months: Check users and their activities on the website with the activity log. Unusual activity can be an early warning of malware. We also recommend that you implement a least privilege policy for administrator and user accounts. Finally, remove any unused plugins or themes from your website. Deactivated themes and plugins are often skipped during updates, so their WordPress security vulnerabilities go unpatched, and that is how websites get hacked.
- Choose reputable plugins and themes: This is a bit subjective as a security measure, but it's worth using the best plugins and themes on your site. For example, check whether the developer regularly updates their product; alongside online reviews and other users' support experiences, this is an important metric. Also, premium software is generally better. But most importantly, never use nulled software. It often contains malware, because that is the very reason it was cracked. It's just not worth the risk.
The main reasons for hacking on sites using a WordPress vulnerability
There are two weak links in the security of your WordPress site: WordPress vulnerabilities and passwords. More than 90% of malware is introduced through vulnerabilities, more than 5% through compromised or weak passwords, and less than 1% through other causes such as poor web hosting services.
Vulnerabilities
While WordPress itself is secure, websites are built with more than just WordPress core. We use plugins and themes to enhance the functionality of our websites, add features, beautiful design and interaction with website visitors. All this is achieved through plugins and themes.
Plugins and themes, like WordPress itself, are built with code. When developers write code, they can make mistakes that leave loopholes. Hackers can use loopholes in the code to perform actions the developer never intended.
For example, if your website allows users to upload images for, say, a profile picture, the upload should only ever be an image file. However, if the developer has not enforced this limit, the hacker may instead upload a PHP file full of malware. Once it is on the website, the hacker can run the file and the malware will spread to the rest of the site. These loopholes are vulnerabilities. Of course, there are other types, but these are the main ones that WordPress sites suffer from.
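The profile-picture scenario above, as an added example that is not from the article: the handler first as the mistake described (trusting the uploaded name), then with the checks that reject a PHP file dressed up as an image. The form field name "avatar" and the avatars folder are hypothetical.

```php
<?php
/**
 * Added example: profile-picture upload, vulnerable and hardened.
 * The "avatar" form field and the avatars/ folder are hypothetical.
 */
require_once ABSPATH . 'wp-admin/includes/file.php'; // wp_handle_upload() outside wp-admin

// VULNERABLE: trusts the browser-supplied file name and writes the file into a
// web-reachable directory. A file named picture.php (or picture.jpg.php) is stored
// as-is and can then be requested and executed by the web server.
function save_avatar_unsafe( array $file ) {
    $dest = wp_upload_dir()['basedir'] . '/avatars/' . $file['name'];
    move_uploaded_file( $file['tmp_name'], $dest );
    return $dest;
}

// HARDENED: returns the stored path, or a WP_Error describing why it was refused.
function save_avatar_safe( array $file ) {
    // 1. Only these types may ever be accepted for an avatar (no allow-list, no upload).
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // 2. Extension check against the allow-list. picture.jpg.php has no allowed
    //    extension and fails here. For a real image of a different type the call
    //    also reports the corrected extension; a file that is not an image at all
    //    is not rejected by this call alone, hence step 3.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_avatar', 'Only JPEG, PNG or GIF images are accepted.' );
    }

    // 3. Decode the bytes: a PHP script renamed to .jpg has no image header and fails.
    //    (A file that starts with a genuine image header would still pass, which is
    //    why step 5's note about disabling PHP in uploads is the backstop.)
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_avatar', 'The file is not a valid image.' );
    }

    // 4. Never keep the user's file name: generate one with the verified extension.
    $file['name'] = wp_generate_uuid4() . '.' . $check['ext'];

    // 5. Let WordPress move it into the uploads directory, where PHP execution
    //    should be disabled at the web-server level (the article's .htaccess).
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file'];
}

// Call site: only logged-in users, with a nonce, and only through the safe function.
add_action( 'admin_post_save_avatar', function () {
    check_admin_referer( 'save_avatar' );
    if ( ! is_user_logged_in() || empty( $_FILES['avatar'] ) ) {
        wp_die( 'Not allowed.' );
    }
    $stored = save_avatar_safe( $_FILES['avatar'] );
    if ( is_wp_error( $stored ) ) {
        wp_die( esc_html( $stored->get_error_message() ) );
    }
    update_user_meta( get_current_user_id(), 'avatar_path', $stored );
    wp_safe_redirect( wp_get_referer() );
    exit;
} );
```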
Compromised passwords
If a hacker has your account credentials, they don't need to hack into your site. This is why strong passwords are so important.
There are two main ways that passwords become the weakest link in the WordPress security chain. One is to use easy-to-remember passwords that are therefore easy for hackers and their bots to guess. And the second way is when users reuse passwords across different sites and services.
Data breaches are all too common. For example, a user has the same password for two different accounts: an e-commerce website and their Twitter account. If the e-commerce website has a data breach in which user data is stolen, their Twitter account is now compromised too. A hacker can enter the account and cause all sorts of destruction.
Both vulnerabilities and compromised passwords are WordPress security threats that can be dealt with easily with the right tools and the right tips.
Conclusion
WordPress security vulnerability issues can be intimidating for an inexperienced administrator, but that doesn't mean there isn't a solution for them. Security problems can be easily solved by listening to the advice of experts. I hope this article has helped allay the concerns. If there is something I haven't covered, please let me know.
Thanks for reading: SEO HELPER | NICOLA.TOP