Common Vulnerabilities in WordPress
Your website and how you handle the data it receives are key components to your company’s reputation. But malware and other intrusions change so fast, it’s hard to keep up.
To keep your website and your data safe, you need to know what to look out for and what steps you should be taking to prevent a security breach.
Here are some of the most common WordPress vulnerabilities and what you can do to fix them…
Unprotected Login Credentials
Brute force is one of the most common ways that sites get hacked. It is quite simply an attacker trying to take over your login credentials, such as the username and password to your account, by guessing them over and over. And there are really only two ways to prevent brute force attacks:
- Create a strong, unique password and username.
- Use two-factor authentication, which you can add with a plugin.
Never reuse important passwords, like the one for your website account. And remember that making your username difficult to guess can be almost as effective at preventing brute force attempts as making your password difficult to guess.
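Beyond a strong password and two-factor authentication, the practical defence against brute force is to stop answering guesses after a few failures. The following is an added example, not code from the article: a minimal must-use plugin (dropped into wp-content/mu-plugins) that locks a client IP out of the login form for fifteen minutes after five failed attempts. The `authenticate` filter, the `wp_login_failed` and `wp_login` actions, the transient functions and `WP_Error` are standard WordPress APIs; the `example_` names, the limits and the transient key format are choices made for this illustration.

```php
<?php
/**
 * Added example (not from the article): lock a client out of wp-login.php
 * after repeated failed logins. Save as wp-content/mu-plugins/example-lockout.php.
 */

const EXAMPLE_MAX_ATTEMPTS = 5;        // failures allowed before lockout
const EXAMPLE_LOCKOUT_SECS = 15 * 60;  // how long the lockout (and the counter) lasts

// One transient per client address. REMOTE_ADDR is only trustworthy when the
// web server sets it; do not substitute an unvalidated X-Forwarded-For header.
function example_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Runs at priority 30, i.e. after WordPress's own username/password check
// (priority 20), so a locked-out client is refused even with the right password.
function example_block_locked_out( $user, $username, $password ) {
    $fails = (int) get_transient( example_attempt_key() );
    if ( $fails >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user; // WP_User on success, WP_Error on failure, passed through unchanged
}
add_filter( 'authenticate', 'example_block_locked_out', 30, 3 );

// Every failed login (including attempts refused above) bumps the counter and
// restarts the expiry, so hammering the form only extends the lockout.
function example_count_failure( $username ) {
    $key   = example_attempt_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, EXAMPLE_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'example_count_failure' );

// A successful login clears the counter for that client.
function example_clear_failures( $user_login, $user ) {
    delete_transient( example_attempt_key() );
}
add_action( 'wp_login', 'example_clear_failures', 10, 2 );
```

Transients live in the options table (or the object cache when one is configured), so the counter survives across requests without extra infrastructure. The lockout complements rather than replaces two-factor authentication: it slows an attacker down, while the second factor makes a correctly guessed password insufficient on its own.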
SQL Injection
Injection flaws are design flaws in an application that let attackers pass their own code through it. For example, someone trying to breach security on your website can inject SQL queries (bits of database code) into web forms on your site. If they are successful, they can reach your MySQL database and alter your data or read data they are not authorized to see.
Getting a WordPress security audit can help you to determine if your site has been tampered with by SQL injection.
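The flaw the section describes comes from building a query by gluing form input into the SQL string. Below is an added example, not code from the article: a hypothetical plugin lookup written first the vulnerable way and then with WordPress's own placeholder binding. `$wpdb`, `$wpdb->prepare()`, `$wpdb->esc_like()`, `absint()` and `sanitize_text_field()` are standard WordPress APIs; the `example_` functions and the form values they receive are assumptions made for this illustration.

```php
<?php
/**
 * Added example (not from the article): the same post lookup, vulnerable and
 * fixed. Assumes it runs inside WordPress where the global $wpdb exists.
 */

// VULNERABLE: the form value is pasted straight into the SQL string.
function example_posts_by_author_vulnerable( $author_id ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = " . $author_id;
    // A value such as "1 OR 1=1" rewrites the query's logic and returns every
    // post; crafted input can read or change any table the database user reaches.
    return $wpdb->get_results( $sql );
}

// FIXED: the value is bound to a typed placeholder, so it can only be a number.
function example_posts_by_author_safe( $author_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d",
        absint( $author_id )
    );
    return $wpdb->get_results( $sql );
}

// FIXED for free text: %s is quoted and escaped by prepare(); the LIKE
// wildcards are escaped separately so input cannot smuggle in % or _.
function example_posts_by_title_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_title LIKE %s AND post_status = 'publish'",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Usage inside a request handler (values come from a hypothetical search form):
$author = isset( $_GET['author'] ) ? $_GET['author'] : 0;
$rows   = example_posts_by_author_safe( $author );
```

The rule to take away is that user input never becomes part of the SQL text; it is always passed as a separate argument to `prepare()`. An audit of a site for this class of bug is largely a search for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose first argument is built with string concatenation or interpolation of request data.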
Old WordPress Versions
WordPress regularly updates its core software to include new security patches. These security updates guard the software, and your website, against the majority of common threats. However, individuals who intend to break through website security are constantly looking for new ways to do so.
What that means for you is that the older your version of the core software, the more known holes it has that later releases have already closed. Older software is more likely to be vulnerable to malicious code and other intrusions for which preventive measures already exist.
This malicious code is called malware. Malware can change your site's behavior or be used to extract data from your site. There's absolutely no reason to run software that increases your site's vulnerability.
Tampered-with Themes and Plugins
Malicious individuals can also tamper with the code of themes or plugins that you use on your WordPress site, and that malware can likewise change your site’s behavior or extract your data or your visitors’ data.
So in addition to keeping the core software updated, you also need to regularly update the themes and plugins that you use when new versions become available. Updates for add-ons often contain security improvements that prevent known malware from breaching your site.
It’s also a good idea to check the patch notes when downloading new themes and plugins. These notes show what bugs have been fixed. If the developer is not actively maintaining the software, you should not use it on your site, because unmaintained code is extremely vulnerable to malware attacks.
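Keeping add-ons updated closes known holes, but it does not tell you whether the files already on disk have been altered. One way to catch that is to record a hash of every plugin file right after a clean install and compare against it later. This is an added example, not code from the article or from any plugin: plain PHP with no WordPress dependency, run from the shell rather than through the web server. The script name, the `example_` functions and the paths in the usage comment are assumptions.

```php
<?php
/**
 * Added example (not from the article): snapshot a plugin directory's file
 * hashes and later report modified, added or deleted files.
 */

// Walk a directory and return [relative path => sha256] for every regular file.
function example_hash_tree( $dir ) {
    $dir    = rtrim( realpath( $dir ), '/' );
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel            = substr( $file->getPathname(), strlen( $dir ) + 1 );
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

// Compare the stored manifest with the current tree.
function example_diff_manifest( array $manifest, array $current ) {
    $report = array( 'modified' => array(), 'added' => array(), 'deleted' => array() );
    foreach ( $manifest as $path => $hash ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['deleted'][] = $path;
        } elseif ( ! hash_equals( $hash, $current[ $path ] ) ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_diff_key( $current, $manifest ) as $path => $hash ) {
        $report['added'][] = $path;   // a file the clean install never had
    }
    return $report;
}

// Usage (hypothetical paths):
//   php example-check.php snapshot wp-content/plugins/some-plugin manifest.json
//   php example-check.php verify   wp-content/plugins/some-plugin manifest.json
if ( PHP_SAPI === 'cli' && isset( $argv[3] ) ) {
    list( , $mode, $plugin_dir, $manifest_file ) = $argv;
    if ( $mode === 'snapshot' ) {
        $manifest = example_hash_tree( $plugin_dir );
        file_put_contents( $manifest_file, json_encode( $manifest, JSON_PRETTY_PRINT ) );
        echo "Manifest written for " . count( $manifest ) . " files.\n";
    } else {
        $manifest = json_decode( file_get_contents( $manifest_file ), true );
        $report   = example_diff_manifest( $manifest, example_hash_tree( $plugin_dir ) );
        foreach ( $report as $kind => $paths ) {
            foreach ( $paths as $p ) {
                echo strtoupper( $kind ) . "  $p\n";
            }
        }
        // Non-zero exit lets a cron job or deploy step alert on any change.
        exit( array_sum( array_map( 'count', $report ) ) ? 1 : 0 );
    }
}
```

Store the manifest outside the web root so a tampered site cannot quietly rewrite it, and refresh it only when you deliberately update the plugin. For code installed from the official directory, WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` perform the same comparison against the checksums WordPress.org publishes, which removes the need to keep your own manifest for those packages.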