WordPress websites have always been a sweet target for hackers and script kiddies looking to have some fun at the cost of damaging and defacing websites. In July 2014 the popular plugin “MailPoet Newsletters” was exploited to cause damage to over 50,000 websites across the internet. For a hacker, it is also worth investing time and money in identifying vulnerabilities, since millions of sites across the world use WordPress, and a way of compromising one of them can usually be replicated against every other site with the same vulnerability.
The website WPvulndb.com lists all the known exploits and vulnerabilities and categorizes them under WordPress Core, Themes and Plugins. This article explains how you can test whether your WordPress site is vulnerable and what precautions to take before you fall prey to an attack.
In August 2014, a flaw in the Custom Contact Forms plugin allowed the site database to be altered and modified. This affected thousands of websites that had downloaded and used that plugin. The security company Sucuri tried to contact the developers but to no avail. They finally posted this message on their blog:
“Due to the unresponsive nature of the development team, we’d encourage you to pursue other sources for your WordPress form needs. There are various options with developers that are very responsive and are actively concerned with your security needs.”
Many free plugins for WordPress may be outdated, vulnerable, badly coded, or no longer supported by an active development team. Using such a plugin may be detrimental to your website’s security and may make you a hacking victim because of the flaws in that plugin. Always install plugins that have good reviews and good ratings, are compatible with your current version of WordPress, and are regularly updated by an active developer team. You can see the plugin details and inspect them before integrating a plugin with your website.
The same applies to WordPress themes. Always read the theme reviews and check the rating before you choose a theme. Also, just because you pay for a theme does not mean that it is more secure or free of vulnerabilities; the only advantage is that you will be able to contact the developers to patch or update your theme. Bad coding in a theme may make your site slow or open it up for hackers to exploit.
Always keep your WordPress major version and all your themes and plugins up to date. You can do this manually, or, if your web host provides an auto installer, you can let it update WordPress, the themes and the plugins through a scheduled cron command. Keeping your site in sync with the latest versions prevents hackers from exploiting old vulnerabilities for which a fix is already available. Although this is a very simple and easy counter-measure, keeping software updated goes a long way towards ensuring security.
Always back up your site regularly and maintain a remote backup location in case of a disaster or damage to your site. A remote backup location is ideal, so that you “do not keep all your eggs in one basket”. Make sure that your backup is easy to restore in the event of an emergency. While you can back up parts of your website separately (e.g. database, files, images), you can also keep a compressed zip backup of your entire website in a single file. Auto installer software lets you schedule nightly backups so that they happen automatically.
Don’t forget to test your website for any known exploits or vulnerabilities before the hackers do. Free online tools like the Sucuri Website Scanner will scan your website and suggest security measures. They will also alert you to any major flaws in the system and indicate an outdated WordPress version.
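Checking for outdated software starts with knowing exactly which versions you run. The script below is an added example, not code from the original article or from any scanner it mentions: it reads the core version from wp-includes/version.php and the "Version:" header of each plugin's main file and each theme's style.css (the header format WordPress itself uses, read here with a simplified parser), producing an inventory you can compare against the WPvulndb listings. The sample site tree it builds is constructed for the demonstration; point `inventory()` at a real installation root instead.

```python
import glob, os, re, tempfile

# Header fields WordPress reads from a plugin's main .php file or a theme's style.css
# (simplified: like WordPress's own parser, only the first 8 KiB of the file is read).
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Theme Name|Version)\s*:\s*(.+?)\s*$", re.M)

def header(path):
    """Return the recognised header fields of one file as a dict."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return dict(HEADER_RE.findall(fh.read(8192)))

def inventory(wp_root):
    """Collect core, plugin and theme versions from an installed WordPress tree."""
    result = {"core": None, "plugins": {}, "themes": {}}
    core = os.path.join(wp_root, "wp-includes", "version.php")
    if os.path.isfile(core):
        with open(core, encoding="utf-8", errors="replace") as fh:
            match = re.search(r"\$wp_version\s*=\s*'([^']+)'", fh.read())
        result["core"] = match.group(1) if match else None
    # A plugin's main file is the first .php in its folder that carries a "Plugin Name" header.
    for php in sorted(glob.glob(os.path.join(wp_root, "wp-content", "plugins", "*", "*.php"))):
        hdr = header(php)
        if "Plugin Name" in hdr:
            slug = os.path.basename(os.path.dirname(php))
            result["plugins"].setdefault(slug, hdr.get("Version", "unknown"))
    for css in sorted(glob.glob(os.path.join(wp_root, "wp-content", "themes", "*", "style.css"))):
        slug = os.path.basename(os.path.dirname(css))
        result["themes"][slug] = header(css).get("Version", "unknown")
    return result

def is_outdated(installed, latest):
    """True when installed is numerically older than latest, e.g. '4.9.8' vs '5.0'."""
    to_tuple = lambda v: tuple(int(p) for p in re.findall(r"\d+", v))
    return to_tuple(installed) < to_tuple(latest)

def build_sample_site():
    """Constructed sample tree (not a real site) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '4.9.8';\n",
        "wp-content/plugins/example-form/example-form.php": "<?php\n/*\nPlugin Name: Example Form\nVersion: 1.2.0\n*/\n",
        "wp-content/themes/example-theme/style.css": "/*\nTheme Name: Example Theme\nVersion: 2.0.1\n*/\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run it from cron on the same schedule as your backups and compare each reported version with the fixed versions listed on WPvulndb and in the plugin changelogs.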