WordPress is the most popular CMS (Content Management System) in the world. It currently powers about 20 million websites, which together make up 31% of the entire web. The original idea behind WordPress was to give ordinary people a platform to blog about the things they care about.
However, it has grown rapidly over the years to cover almost every other use, from photo album websites to full-blown eCommerce stores. There are currently over a dozen distinct uses for the platform, thanks in part to very large libraries of third-party themes and plugins and to the work of a huge community of web developers, experts and enthusiasts around the world.
A platform this big will inevitably be targeted by attackers. For this reason, WordPress takes extensive steps to keep its users safe and secure: updates to the core are released rapidly to fix bugs as quickly as possible, sometimes before they can do any harm.
However, the problem usually lies not in the WordPress core but in third-party extensions (themes and plugins). As open-source software, WordPress lets developers build out their websites through themes, plugins and sometimes direct edits to the WordPress files themselves, and this is the main source of exploitable weaknesses. Insecure hosting packages and misconfigured or outdated server software are another major contributing factor, since they do not follow the recommended industry practices for safeguarding users’ websites.
With that said, let’s dive into some common WordPress attacks and how to stop them in their tracks:
1. Brute Force
Most database-driven CMS platforms, including WordPress, require users to create accounts with a username and password so that only authorised users gain access. Being human, we often choose usernames and passwords that are easy to remember so we don’t have to keep resetting them.
Because of this tendency to choose easy-to-remember passwords, an attacker can write a program or “bot” that tries likely username and password combinations repeatedly until one works. Once the attacker gains access to your administrator account, they can do practically anything to your website, from taking it down completely to stealing private information.
What You Can Do:
WordPress warns about weak passwords and can require users to combine different character types to create a stronger one. There are also plugins and techniques that limit the number of guesses a client can make before it is locked out for a period, or blocked or blacklisted permanently. Two-factor authentication can also be used to protect account logins.
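A minimal login-attempt limiter of the kind the plugins above implement, added here as an example (not code from the original article or from WordPress itself). It assumes it runs as a small plugin; the `bfl_` prefix and the attempt and lockout values are illustrative choices.

```php
<?php
// Added example: count failed logins per client address in a transient and
// refuse further attempts once a threshold is reached.
// Assumption: BFL_MAX_ATTEMPTS and BFL_LOCKOUT_SECONDS are illustrative values.

const BFL_MAX_ATTEMPTS    = 5;
const BFL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS; // WordPress core constant

function bfl_client_key() {
    // Key the counter on REMOTE_ADDR. Behind a proxy, map the proxy header to
    // REMOTE_ADDR at the server level rather than trusting X-Forwarded-For
    // here, because that header is attacker-controlled.
    return 'bfl_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Increment the counter on every failed login; the transient expires on its own.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = bfl_client_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, BFL_LOCKOUT_SECONDS );
} );

// Clear the counter after a successful login.
add_action( 'wp_login', function () {
    delete_transient( bfl_client_key() );
}, 10, 0 );

// Block authentication while locked out. Priority 30 runs after core's
// username/password check (20); returning a WP_Error makes the login fail.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( bfl_client_key() ) >= BFL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );
```

Because the counter lives in a transient, it is shared across all login paths (wp-login.php, XML-RPC and the REST API) that go through wp_authenticate().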
2. Cross-Site Scripting (XSS)
Sometimes attackers do not seek direct access to your administrator account. Instead, they target the parts of your website that collect data, such as contact forms and other input forms. JavaScript snippets are injected into the pages that contain these forms to “harvest” users’ data directly from their browsers. On the surface nothing appears to be happening, but, unknown to the unsuspecting users, a third party has intercepted what they submit.
What You Can Do:
WordPress documents escaping functions such as esc_url() and wp_kses() in the Developer section of its website; applying them to every piece of user-supplied output checks and neutralises XSS payloads. Alternatively, developers can strip untrusted markup from user-supplied data before it is output in their forms.
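The same template fragment written unsafely and then with the escaping functions just mentioned, added here as an example (not code from the original article or from WordPress). It assumes a hypothetical contact form that stores a free-text bio and a website URL.

```php
<?php
// Added example: reflecting user-supplied data into HTML without and with
// WordPress escaping. Assumption: $submitted_bio and $website come from a
// hypothetical contact form.

// UNSAFE: input is echoed verbatim, so a bio containing a <script> tag or a
// website of javascript:... would run in every visitor's browser.
function unsafe_render_bio( $submitted_bio, $website ) {
    return '<div class="bio">' . $submitted_bio . '</div>'
         . '<a href="' . $website . '">Website</a>';
}

// SAFE: wp_kses() keeps only the listed tags and attributes (and only safe
// URL protocols); esc_url() rejects dangerous schemes and escapes the rest.
function safe_render_bio( $submitted_bio, $website ) {
    $allowed = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'em'     => array(),
        'strong' => array(),
        'p'      => array(),
    );
    return '<div class="bio">' . wp_kses( $submitted_bio, $allowed ) . '</div>'
         . '<a href="' . esc_url( $website ) . '">Website</a>';
}

// For fields that should never contain markup, esc_attr() inside attribute
// values and esc_html() inside element content are the right tools.
function safe_render_name_field( $name ) {
    return '<input type="text" name="name" value="' . esc_attr( $name ) . '">'
         . '<p>Hello, ' . esc_html( $name ) . '</p>';
}
```

Escape at output time, choosing the function for the context (URL, attribute, text or limited HTML); sanitising on input alone is not enough once data has been stored and reused elsewhere.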
3. SQL Injection
Plugins and themes have almost as much power over your website as the WordPress core, because they interact with every part of the site, especially the database, to do their work. An attacker, through a vulnerable plugin or direct access to your website files, can inject malicious SQL into the queries your site runs against its WordPress database to perform whatever actions they want.
Although similar to XSS, this can be far more damaging, because the database (the target) holds all of the data stored on your website, and unauthorised access to any part of it can harm the whole site and your brand’s reputation.
What You Can Do:
WordPress ships with a standard API that provides functions such as add_post_meta(), which offer a safe way to add data to your database.
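A custom-field lookup written with string concatenation and then with the core database layer, plus add_post_meta() for the write, added here as an example (not code from the original article or from WordPress). The meta key `city` is a hypothetical custom field.

```php
<?php
// Added example: querying posts by a user-supplied custom field value.
// Assumption: 'city' is a hypothetical post meta key saved by a plugin.

// UNSAFE: $city is concatenated into the SQL, so a crafted value changes the
// structure of the query instead of being treated as data.
function unsafe_posts_in_city( $city ) {
    global $wpdb;
    $sql = "SELECT post_id FROM {$wpdb->postmeta}
            WHERE meta_key = 'city' AND meta_value = '" . $city . "'";
    return $wpdb->get_col( $sql );
}

// SAFE: $wpdb->prepare() binds %s / %d placeholders, quoting and escaping each
// value so that it can only ever be data, never SQL.
function safe_posts_in_city( $city ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
        'city',
        $city
    );
    return $wpdb->get_col( $sql );
}

// Writes should go through the core API rather than hand-built INSERT
// statements: add_post_meta() handles escaping and serialisation itself.
function save_city_for_post( $post_id, $city ) {
    $clean = sanitize_text_field( $city );
    return add_post_meta( (int) $post_id, 'city', $clean, true ); // true = unique
}
```

Table names should also come from $wpdb properties (as above) rather than from request data, since prepare() only protects values, not identifiers.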
4. CSRF Attack
CSRF stands for Cross-Site Request Forgery. It occurs when an attacker tricks an unsuspecting user into performing actions the attacker wants, without the user’s consent. The size of the action does not matter; it can be anything from clicking a link to searching for a term on the site. The real problem is that it all happens in the user’s name without their knowledge or permission.
What You Can Do:
The best defence against CSRF is to use single-use tokens so that links and form data cannot be forged as they are sent and received. Such a token is called a nonce, and wp_nonce_field() is the WordPress function that adds one to a form specifically to prevent CSRF.
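A settings form protected with wp_nonce_field() and the handler that verifies the nonce before acting, added here as an example (not code from the original article or from WordPress). The action name `myplugin_save_settings`, the nonce field name `myplugin_nonce` and the option key `myplugin_greeting` are hypothetical.

```php
<?php
// Added example: nonce-protected form submission in a WordPress plugin.
// Assumption: all 'myplugin_*' names are hypothetical.

// 1. Render the form. wp_nonce_field() emits a hidden input tied to the
//    action name and the current user's session, valid for a limited time.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save">
        <input type="text" name="greeting"
               value="<?php echo esc_attr( get_option( 'myplugin_greeting', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. Handle the submission. A request forged from another site cannot carry a
//    valid nonce for this user and action, so wp_verify_nonce() fails and the
//    option is left untouched. The capability check is still required: a
//    nonce proves intent, not authorisation.
function myplugin_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_POST['myplugin_nonce'] ) ? $_POST['myplugin_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'myplugin_save_settings' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    $greeting = sanitize_text_field( wp_unslash( $_POST['greeting'] ?? '' ) );
    update_option( 'myplugin_greeting', $greeting );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );
```

For links rather than forms, wp_nonce_url() appends the same token as a query parameter and the handler verifies it the same way.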
5. DDoS Attack
DDoS stands for Distributed Denial of Service. It is not a WordPress-specific attack but one that can hit any site on the web. An attacker directs excessive amounts of bogus traffic from many compromised systems at a website or its server, driving resource consumption up to the point where the server (and the website) goes down.
What You Can Do:
This is more an external attack than an internal one. It is important to choose a trusted hosting company with built-in mechanisms to detect and mitigate such traffic once it reaches a threshold, and to pick a hosting package suited to your website’s purpose. It is also recommended to use trusted extensions that do not put excessive load on your WordPress site, since heavy extensions make it easier to overwhelm.
Conclusion
Cyber-attacks have been part of the web almost since its inception, and because so many people use WordPress it has become a frequent target. It is essential to put the security measures WordPress recommends in place to protect your website against threats and attacks. Data protection and safety should also be paramount if you collect user data. Lastly, use trusted and frequently updated themes and plugins, and make sure a trusted host is in place.