Launched in 2003, WordPress now becomes the biggest content management system in the world. Over 30% of all site owners trust it when building their personal blogs or business websites, including Sony Music, Best Buy, or Time Inc. With a user-friendly interface and simply-customized functionalities, WordPress proves its leading position in the huge CMS niche.
But is WordPress secure? If you own a WordPress website or you’re considering using it as your CMS, this question should be the first thing coming to mind. We can’t deny that WordPress is well-known for its various advantages.
However, any benefits have their trade-offs. Its popularity also comes with a cost. You might not notice but WordPress has been the attractive target of hackers around the world. 30,000 new websites are hacked every day. 74% out of 8,000 infected websites are WordPress. These numbers are living proof of WordPress security threats.
Stay curious about WordPress security? In this case study, we’ll highlight the most important statistics about WordPress vulnerabilities for 2021. We also dig deeper into the most common types of WordPress vulnerabilities along with tips to protect your site from malware.
But first, let us walk you through the damages of a hacked WordPress site.
- How Can Hacking Hurt Your Business?
- What are Types of WordPress Vulnerabilities?
- Most Significant Statistics about WordPress Vulnerability
- How to Ensure WordPress Security
How Can Hacking Hurt Your Business?
Your WordPress site is the most important business asset. As a business owner, having your website injected can pose huge issues. It can seriously damage your revenue and reputation. Even worse, your customers become the victims of identity theft.
Steal Important Data
Once hackers successfully hack your site, both your information and customer data will become its priority sitting targets. They can steal your data and hold it for ransom. You have to pay a lot of money to restore your access to it.
In some cases, they use this information to contact your clients, market their services, and turn your customers into theirs. After owning credential info like name, email address, phone numbers, they can easily get in touch with them.
Another reason hackers take your data comes to stealing infrastructure. Due to the high cost of servers and storage arrays, they want to break into your systems to sneakily host their applications or store data.
Destroy Site SEO Performance
The down site equivalents to search ranking drop. Google reported that 70,000 websites are blacklisted every week due to security. When your WordPress site gets hacked, its ranking will drop like a stone. How can search engines still trust your site and place it at the top if it affects user experience?
An injected website can result in 95% of traffic lost. Once attacking your site, malware will slow down your site loading time. Users will leave immediately if it takes them more than 3 seconds to load a page.
Imagine you spend a lot of time and effort building up content, improving SEO, boosting rankings, then malware destroys them all. As a consequence, you need to put the same amount of attempts, or even more, into improving and revamping your site SEO performance.
Affect Business Reputation
What if visitors search for your site and land on a broken page? They are likely to have a poor impression and hardly come back to your website again. Your company’s reputation can take a big hit now. You completely lose all the marketing effort put into your site from the beginning.
More importantly, customers, clients, and even partners care about data breaches and how your company manages them. Unless you control them effectively, they’re likely to lose trust, dissociate from the business, communicate to their network, and seek more secure competitors.
Types of WordPress Vulnerabilities
Despite being aware of the painful attacked websites, the worse thing is many WordPress site owners have no idea that their site gets hacked by malware or spam. It’s because there are so many types of vulnerabilities. While some are common to recognize, others make it difficult to notice until your site completely shut down.
The most popular security issues include Brute Force Attack, SQL Injection, Malware, Cross-site Scripting, DDoS Attack, and Old WordPress and PHP versions. Besides, we also have some other vulnerabilities such as Upload Exploitation, Database Injection, Authentication Bypass, Denial of Service, and so on.
#1 WordPress Brute Force Attack
Brute force attack refers to a trial-and-error process to guess the login info of WordPress websites. 5% of confirmed security breaches on all websites are due to brute force attacks. Hackers can attempt to access your admin dashboard or member areas. They will go through all possible combinations of login details until successfully breaking into your site.
Once gaining access to your site, attackers will start to execute malicious activities such as storing their data in your site’s resources, stealing your customer information, or even injecting spam links.
There are multiple types of WordPress brute force attacks. Below are the most popular ways for suspicious users to predict your login info:
- Simple brute force attack – Guess usernames and passwords randomly without relying on any outside logic.
- Hybrid brute force attacks – Have an external logic to define the most possible passwords. It can be your date of birth, your beloved name, etc.
- Dictionary attacks – Use a dictionary of possible strings or phrases. Common passwords will be broken easily, like “123456” or “abc123”.
- Reverse brute force attack – Repeatedly try one username with all workable passwords. Those who already obtained your username data will prefer this method.
- Credential stuffing – Enter the right password and username on many websites. Those who are using the same login details on multiple platforms should take this into account.
#2 WordPress SQL Injection
SQL is the shortened form of Structured Query Language that works as a special language allowing you to interact with the database.
SQL injection attack comes from web applications where hackers insert malicious SQL statements. Then, they can base on that to get access to your sensitive data in the database, steal or destroy it.
The first SQL injection attack was found out by Jeff Forristal in 1998 and has been becoming the top security priority until now. Barclaycard reported in their case study in 2012 that SQL injection counted for 97% of data breaches.
There are 3 different types of SQL injection: in-band, inferential (or blind), and out-of-band. The former enables attackers to use only one channel to both embed the malicious SQL statement into the application and get the results.
In case they can’t proceed with the injection even though they’ve already generated an error in the SQL query, the inferential injection would come into their mind. Attackers will send several queries to the database to understand how the website or application looks over these responses.
What if they can’t proceed with the above methods, the out-of-band SQL injection technique will become the alternative solution.
#3 Cross-site Scripting in WordPress
At the time hackers put your site under cross-site scripting status, they will steal data or control how the site looks and behaves. They can perform many actions, from shifting user’s sessions to their site, launching fake attacks, or even displacing unauthorized pop-ups and redirects, and installing keyloggers copying every of your keystroke.
Depending on the targets, we have 2 types of XSS:
- Stored (Persistent) XSS Attack: target your site visitors
- Reflective (Non-Persistent) XSS Attack: target your site directly
#4 WordPress Privilege Escalation
WordPress, by default, enables admins, authors, and editors to create and edit posts or pages. However, when your site is hacked by privilege escalation, anyone without authentication is permitted to make changes on your pages and posts.
Since you need help from plugins to create forms and other custom post types, hackers base on that to generate and misuse the features of your custom post types. And Contact Form 7 has become the biggest target for WordPress privilege escalation vulnerability.
#5 WordPress Plugins and Themes
WordPress provides an amazing open-source directory for you to freely download useful plugins and themes. As a result, you can add new features and customize your site more effectively.
There is still one flaw in this open-source environment. Hackers can inject malware into plugins and themes, especially common and outdated plugins and themes in particular. 17% of WordPress vulnerabilities are made up of plugins and 3% from themes.
Big and famous plugins are always equivalent to the most vulnerable ones. Here are the top 10 plugins with the most vulnerabilities: Nextgen Gallery, Ninja Forms, WooCommerce, Ultimate Member, W3 Total Cache, Photo Gallery, All-in-one WordPress, WP Statistics, WP Symposium, and Better WP Security.
Besides plugins, we also have the 10 most vulnerable themes: Echelon, Traveler, Awake, Extra, Avada, Divi, Careerify, Modula, Method, and Myriad.
Plugin providers release new versions of their tools not only to add new features but also to fix bugs. If you don’t update them, there are chances for hackers to inject malware into these security holes and damage your site.
#6 WordPress Core Files
WPScan Vulnerability Database estimated that 80% of the known vulnerabilities are in the WordPress core software. Similar to themes and plugins, WordPress core files are also a juicy target of attackers.
Apart from those easy-to-know vulnerabilities, there are other types of WordPress security you should notice. They include upload exploitation, authentication bypass, full path disclosure, denial of service, and multiple attack vectors at once.
Stunning Statistics About WordPress Security
Website hacking is spreading like fire in a forest. The analysis above shows you the sources of security risks on your WordPress site. Now, we’ll provide you with the latest WordPress vulnerability statistics 2021, which gives you a clear picture of how serious this issue is.
General WordPress Security Statistics
- Google blacklists 70,000 websites due to security issues every week.
- There are 22,113 core software vulnerabilities in total, tracked by the WPScan database.
- Hosting platforms are responsible for 41% of all WordPress attacks.
- 84% of all security vulnerabilities on the internet are the result of cross-site scripting or XSS attacks.
- 61% of infected WordPress websites were out of date, resulting in 44% of hacking was caused by outdated WordPress sites
WordPress Plugin and Theme Vulnerabilities
- 52% of WordPress vulnerabilities relate to WordPress plugins while themes account for 11%.
- Weak passwords contribute to 8% of WordPress website hackings.
- 3% of over 55k plugins on the WordPress directory have never been updated. This is one of the main causes of vulnerabilities.
How to Ensure WordPress Security
The maxim of “precaution is better than cure” must be proactively applied now. You shouldn’t wait until hackers leave malware on your site to start taking action. It’s your choice to either prevent malicious users from attacking your site at the doorstep or take time fixing things when errors occur.
#1 Strengthen Your WordPress Passwords
Creating strong passwords is always a smart idea to take your site security up a notch. It reduces the chance of suspicious users trying all possible usernames and passwords.
The longer your password is, the more difficult it is for bots to guess it. It should be at least 8 characters long. You can start with an uppercase letter and include letters, numbers, and special characters.
On top of that, your passwords should be unique and have never been used elsewhere. If a hacker guesses your password correctly, they will store it in their database and are able to use it on other platforms. Consequently, you lose your social accounts, e-learning accounts, and even banking credentials.
#2 Set-up Two Factor Authentication (2FA)
By adding an additional authentication layer, you’re allowed to bring your site security to a higher level. After entering the right login details, you also have to enter a code sent to their phone number or email. Sometimes, you need to scan a QR code too.
As a result, even if hackers already guess your passwords, they find no way to get into your site. This is a 100% protection method since there is a very low chance that hackers own both your passwords and your phone.
#3 Update WordPress Versions Regularly
As mentioned, the older versions of WordPress core files, themes, and plugins create a favorable environment for cyber-attackers input malware.
When updating versions of WordPress, themes, and plugins regularly, you’re getting their new features and at the same time block vulnerability holes. It’s recommended to avoid nulled plugins and themes too. Premium plugins and themes not only offer advanced features but also come with excellent customer supports for any urgent security issues spotted.
#4 Use Security Plugins
Security plugins on websites are like the lock to open the door to your house. They play a key role in setting up a successful business online. Along with an SEO or a custom post types plugin, a security plugin must be the priority plugin you need to install for your site.
These plugins allow you to put your site behind a firewall to prevent malware and malicious bots. They will scan through your site to detect malware. Then, it will begin to clean and take security measures to make sure that no one is breaking into your website.
You have a lot of security plugins to choose from, from free to premium, depending on specific demands. The top 5 plugins include Sucuri, iThemes Security Pro, Jetpack Security, WPScan, and Wordfence. Each comes with a set of benefits that are worth your consideration.
#5 Limit Login Attempts
Last but not least, it’s highly recommended to reduce the opportunities for suspicious users to log into your site. You can either set a specific logging time, restrict their IP addresses, or customize the login URL.
Instead of allowing users to enter usernames and passwords repeatedly, you can block them after 5 to 10 unsuccessful login attempts. You should block their IP addresses in a period as well. It seems like they’re brute force attackers, not real users.
Additionally, the method of changing the default login link deserves a thumbs up. The URL of www.yourdomain.com/wp-admin makes it easy for crimes to find out your site and break it.
Don’t Put Your WordPress Site Security off Any Longer
It’s time to put the finishing touches to this process. WordPress, along with its popularity, has been an attractive target for shady visitors. The shocking statistics stated previously have said it all.
Bear in mind that WordPress security is not about risk elimination but risk reduction. There is no 100% protection solution to secure your site. It’s your responsibility to actively safeguard your site against any possible future attacks.
It’s necessary to apply multiple methods at a time to beef up security. You can strengthen your passwords, apply additional authentication factors, and get the newest version of WordPress core files at once.
Now, go and check if your site gets attacked!