Dan Moen carried out a survey in 2016 of people who have WordPress websites that have been attacked, seeking to understand why and how the attacks were being made. 1,032 people responded to the survey.
The most telling statistic is that 61% of respondents didn’t know how the attacker compromised their website.
This is concerning: if you don’t know how the attack was carried out, it is difficult to be sure you have blocked a repeat.
For the site owners who did work out how the attackers got in, there are two main findings:
- Plugins Are A Big Risk
Plugins play a big part in making WordPress very popular and very useful and there are tens of thousands of plugins available for WordPress. But you obviously need to be careful with them, as plugin vulnerabilities represented 56% of the known entry points reported by respondents.
- Brute Force Attacks Are A Big Problem
A brute force attack is a password guessing attack. The attacker needs to both identify a valid username on your website and then guess the password for that username. This type of attack is a huge problem, representing 16% of known entry points.
How to Protect Your WordPress Site
- Don’t Use Obvious Usernames
Every WordPress site has an administrator login, and it should be renamed: “administrator” and “admin” are too easy to guess and are the usernames tried most often in brute force attacks.
Make the login something impossible to guess and not used elsewhere on the site.
- Add Security Plugins
e.g. Wordfence, Jetpack, etc., which typically provide features such as:
- Enforce strong passwords
- Lock users out after a defined number of login failures
- Lock out users after a number of forgot password attempts
- Lock out invalid usernames
- Keep Plugins updated
Reputable plugin creators fix vulnerabilities quickly once they are discovered. By keeping plugins up to date you ensure that you benefit from those fixes before attackers can exploit the flaws. Check for updates at least weekly if your WordPress website does not do this automatically.
- Only download plugins from reputable sites
If you are going to download plugins somewhere other than the official WordPress repository, you need to make sure the website is reputable. One of the easiest ways for attackers to compromise your website is to trick you into loading malware yourself. An attacker will do this by setting up a website that looks legitimate and getting you to download a compromised plugin.
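As an added illustration of the lockout features listed under security plugins above (my own example, not code from Wordfence, Jetpack or WordPress itself), here is a minimal must-use plugin that counts failed logins per client address and refuses further attempts once a threshold is reached. The threshold, window, function names and transient key prefix are assumptions.

```php
<?php
/*
Plugin Name: Login Lockout (added example)
Description: Per-client lockout after repeated failed logins; drop into wp-content/mu-plugins/.
*/

// Assumed policy: 5 failures within 15 minutes locks that client out for 15 minutes.
const LL_MAX_FAILURES = 5;
const LL_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Transient key per client address. REMOTE_ADDR is used on purpose: X-Forwarded-For
// is attacker-controlled unless a trusted reverse proxy rewrites it.
function ll_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'll_fail_' . md5($ip);
}

// Count every failed login (bad password or unknown username) for the client.
// Attempts made while locked out still count, so each one extends the lockout.
add_action('wp_login_failed', function (string $username): void {
    $key      = ll_client_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, LL_WINDOW);

    // Unknown usernames are logged separately: a run of them is a tell-tale sign
    // of an attacker guessing logins rather than a real user mistyping a password.
    if (!username_exists($username) && !email_exists($username)) {
        error_log(sprintf('wp-login: unknown username "%s" from %s',
            $username, $_SERVER['REMOTE_ADDR'] ?? '?'));
    }
}, 10, 1);

// Reject the login outright once the client is locked out. Priority 30 runs after
// WordPress's own username/password checks (priority 20), so they cannot replace
// this error with a WP_User; the same generic message is returned whether or not
// the password was right, so the lockout leaks nothing about the credentials.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ($username === '') {
        return $user; // cookie and other auth paths carry no username; leave them alone
    }
    if ((int) get_transient(ll_client_key()) >= LL_MAX_FAILURES) {
        return new WP_Error('ll_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);
```

A security plugin does the same thing with a settings screen and per-username counters on top; the point is that the counter lives outside the login form, so an attacker cannot reset it by reloading the page.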
Keep your WordPress website safe.
If your website has been attacked – let me know the details and the outcome by email.