WordPress Security and Vulnerabilities

Protecting Your Website Against Vulnerabilities

Tips For Securing a WordPress Website

Updated: January 12, 2024
By: RSH Web Editorial Staff


WordPress Vulnerabilities

WordPress has become the world's most popular website builder. It is easy to use, extremely versatile, and one of the best website and blogging platforms ever created. The biggest drawback of WordPress's popularity is that it is a prime target for hackers.

WordPress Security should always be a top priority for website owners. It is estimated 60,000 attacks on WordPress Websites happen every hour.

Keep WordPress Updated

Make sure you are always running the latest stable build. WordPress updates and improves its build often. Make sure that your version is the most up to date to stay ahead of old vulnerabilities and exploits. RSH Web Services WordPress accounts update automatically. If yours doesn't, keep an eye on your Admin panel or inbox to be notified when new updates are available. Hackers look for outdated sites, and only about 25% of sites are running the latest version. And since WordPress runs almost 30% of all websites, that's a lot of outdated websites.

Not Updating Plugins or Themes

Running outdated versions of WordPress plugins and themes can also leave you vulnerable. Updates frequently include patches for security issues. It is important to run the latest versions. Make a practice of regularly running backups and updates for your WordPress site. This is a critical WordPress security "Best" practice.

Install only trusted plugins and house clean regularly

Poorly written, insecure, or outdated plugins are one of the most common ways attackers exploit your site. Plugins and themes are the most likely sources of security vulnerabilities. Only download and install WordPress Plugins and WordPress Themes from reputable sources. Avoid bootleg or torrent "Free" versions of premium themes and plugins, as the files may have been altered to contain malware.

Old Plugins

Get rid of them

There seems to be a temptation to install as many plugins as you can. But too many plugins can cause excess bloat and slow your whole website down. And just one unreliable or outdated plug-in can cause a major security risk. Regularly delete unused themes and plugins. Even a deactivated plug-in can be a security risk if a vulnerability is found and exploited, because its files are still present on the server. Review your plugins periodically to make sure you still have the best one for the job. There could be a new plug-in that combines the features of a few that you already have and might be better supported, more secure and easier to maintain.

Add Extra Security to User Accounts

Lock down user permissions to prevent unauthorized access to admin areas. Much of your exposure comes from the user accounts you have deliberately granted access to your site.

Pay particular attention to administrator and editor roles. If a hacker gains access to just one of these accounts, you are in trouble. Always make sure accounts only have the access they need. It's also good practice to remind users to use secure passwords (over eight characters, with upper case, lower case, numbers etc.), and to change them every so often. Remind them never to write their passwords down, and to log out when they are finished with their session to avoid unauthorized access to their accounts.

Change the "Defaults"

Changing the name of your admin account will make a hacker's job harder. New WordPress installs make you choose a custom username for your admin account. But if you installed your site a while ago, your admin account may have the default name of "admin". This makes it easier for hackers to guess your login credentials, as half the work is already done for them. Change the default admin username to something else to improve your security. You should also change the default database table prefix to something other than "wp_" to add another layer of security to the setup. The easiest way to do this on an existing installation is via a plug-in. But back up your database first.

Hide

Hide your WordPress version number and change the name of your login page. Hackers have less leverage if they don't know where to start: without the version number they cannot simply look up which known vulnerabilities apply to your install. Move your login page from /wp-login to something that's not the default. This is a real stumbling block for brute force and denial-of-service bots that look for the standard login form to target. It also has an aesthetic value, in that you can change the URL to something more memorable for your users.

.htaccess file

The .htaccess file is a distributed configuration file, and is how Apache web servers handle configuration changes on a per-directory basis.

WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories. Most notably, WP modifies this file to be able to handle permalinks.

You can use this file to increase your WordPress site's security.

Deny external access to wp-config.php and .htaccess by adding the following to your .htaccess file. Here is an example of such a file:

   # Refuse every HTTP request for wp-config.php and for .htaccess itself
   # (Apache 2.2-style syntax; on 2.4 this needs mod_access_compat)
   <Files wp-config.php>
     order allow,deny
     deny from all
   </Files>
   <Files .htaccess>
     order allow,deny
     deny from all
   </Files>

You can also disable file editing from the Admin panel if your themes are only going to be edited via FTP or cPanel. This prevents anyone with access to the Admin panel, whether accidentally or as a hacker with malicious intent, from directly editing files.
Insert the following into your wp-config.php file:

    // Removes the Theme and Plugin editors from the WordPress Admin panel
    define('DISALLOW_FILE_EDIT', true);

Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look through your site's directory and file structure to find a vulnerable file.
To disable directory browsing on your website, add the following line to your .htaccess file:

     # Do not list the contents of directories that have no index file
     Options -Indexes

Ban Suspicious IP Addresses

You can block requests by blocking the IP address in your .htaccess file:

   # Replace xxx.xxx.xx.x with the address to ban. With "order allow,deny",
   # the deny line wins over "allow from all", so only that address is refused.
   # Note that <Limit GET POST> covers only those two methods.
   <Limit GET POST>
     order allow,deny
     deny from xxx.xxx.xx.x
     allow from all
   </Limit>
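The same three protections written in the Apache 2.4 `Require` syntax (mod_authz_core), as an added example that is not from the original article; the 203.0.113.0/24 range is an assumed placeholder for the address you want to ban, and this version blocks it for every HTTP method rather than only GET and POST.

```apacheconf
# Added example in Apache 2.4 syntax, not from the original article.
# Do not mix these with the older "order/deny" directives in the same scope.

# Nobody may fetch wp-config.php or .htaccess over HTTP
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Do not list directory contents where no index file exists
Options -Indexes

# Block a suspicious source for every HTTP method (no <Limit> block, which
# would leave methods other than GET and POST unrestricted).
# 203.0.113.0/24 is a placeholder documentation range.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
</RequireAll>
```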

Brute Force Attacks

WordPress, by default, doesn't limit login attempts, so bots can attack your WordPress login page using the brute force method.

Even if a brute force attack or DDoS (Distributed Denial of Service) attack is unsuccessful, it can still wreak havoc on your server, as the flood of login attempts can overload your system. While you're under a brute force attack, some web hosts may suspend your account because of the system overload, especially if you are on a discounted hosting plan.
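Because WordPress itself does not count failed logins, the web server access log is the easiest place to spot a brute force run. The following detector is an added example (not from the original article) that reads Apache combined-format log lines and flags source IPs that fail the login form repeatedly inside a sliding window; it assumes default WordPress behaviour, where a failed login re-renders the form with HTTP 200 and a successful one redirects with 302, and the log lines are constructed for the demo.

```python
"""Flag source IPs brute-forcing the WordPress login form (added example,
not from the original article). Assumes default WordPress behaviour: a failed
login re-renders the form with HTTP 200, a successful one redirects (302)."""
import re
from collections import defaultdict, deque
from datetime import datetime
# Apache combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
THRESHOLD = 5  # failed POSTs to /wp-login.php ...
WINDOW = 60    # ... within this many seconds

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def is_failed_login(method, path, status):
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200

def find_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Map offending IP -> peak number of failures seen inside one window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(*rec[2:]):
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: 203.0.113.7 fails six times in 25 s; 198.51.100.4 fails
# once, then logs in successfully (302), and is not flagged.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Jan/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"'
    for s in (0, 5, 10, 15, 20, 25)
] + [
    '198.51.100.4 - - [12/Jan/2024:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Jan/2024:10:00:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Calling `find_brute_force(SAMPLE_LOG)` returns `{"203.0.113.7": 6}`; feed it real lines from your access log, or the output of a WP fail2ban syslog filter, to see which addresses deserve a ban.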

File Inclusion Exploits

After brute force attacks, file inclusion exploits, which abuse vulnerabilities in your WordPress website's PHP code, are the next most common security issue that attackers exploit. (PHP is the code that runs your WordPress website, along with your plugins and themes.) File inclusion exploits occur when vulnerable code is used to load remote files, allowing attackers to gain access to your website. File inclusion exploits are one of the most common ways an attacker can gain access to your WordPress website's wp-config.php file, one of the most important files in your WordPress installation.

SQL Injections

Your WordPress website uses a MySQL database to operate. SQL injections occur when untrusted input is passed into a database query without being sanitized, giving an attacker access to your WordPress database and to all of your website data. With an SQL injection, an attacker may be able to create a new admin-level user account, which can then be used to log in and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites.

Security and Anti-spam Plugins

A good set of security plugins will keep your site safer. Many security features can be added with comprehensive security plugins. Some security plugins come with a suite of tools to lock down vulnerabilities on your site, such as those already mentioned here. These types of plugins can be invaluable in making your WordPress site more secure. Some security plugins also come with backup options, for an all-inclusive service.

Malware

Malware, short for malicious software, is code that is used to gain unauthorized access to a website or to gather sensitive data. A hacked WordPress site usually means malware has been injected into your website files. If you suspect malware on your site, take a look at any recently changed files. There are thousands of types of malware infections on the web, but WordPress is not vulnerable to all of them.

The four most common WordPress malware infections are:

>> Backdoors
>> Drive-by downloads
>> Pharma hacks
>> Malicious redirects

Each of these types of malware can be identified and cleaned up either by manually removing the malicious file, by installing a fresh copy of WordPress, or by restoring your WordPress site from a previous, non-infected backup.

WordPress Malware and Security Plugins

All in One WP Security - A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.

iThemes Security - Formerly Better WP Security.

Wordfence - Firewall, malware scan, blocking, live traffic, login security & more.

WP fail2ban - Write a myriad of WordPress events to syslog for integration with fail2ban.

WPScan WordPress Security - Scans your system for security vulnerabilities listed in the WPScan Vulnerability database.

Security Ninja - Tests security issues, malware & warns of dangerous plugins.

Sucuri Plugin - Security tool-set for security integrity monitoring, malware detection and security hardening.

Jetpack - Backup, anti spam, malware scan, CDN, AMP, integrations with Woo, Facebook, Instagram, Google.

VaultPress - A subscription service offering real-time backup, automated security scanning, and support from WordPress experts.

SecuPress Free - Protect your WordPress with SecuPress, analyze and ensure the safety of your website daily.

Google Authenticator plugin - Google Authenticator, Two Factor Authentication, OTP verification, SMS, and Email.

BulletProof Security - Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam and much more.

Website Hosting

Using Poor-Quality Hosting

Since the server where your WordPress website resides is a target for attackers, using poor quality hosting can make your site more vulnerable to being compromised. While all hosts take precautions to secure their servers, not all are as vigilant or implement the latest security measures to protect websites at the server level.

Cross-Site Scripting (XSS)

84% of all security vulnerabilities on the entire Internet are Cross-Site Scripting (XSS) attacks. Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins.

The basic mechanism of Cross-Site Scripting works like this: an attacker finds a way to get a victim to load web pages containing insecure JavaScript. These scripts run without the knowledge of the visitor and are then used to steal data from their browser. An example of a Cross-Site Scripting attack would be a hijacked form that appears to reside on your website. If a user inputs data into that form, that data would be stolen.

Weak Passwords

Using a weak password is one of the biggest security vulnerabilities, and one you can easily avoid. Your WordPress admin password should be strong and include multiple types of characters, such as symbols and numbers. In addition, your password should be specific to your WordPress site and not used anywhere else. If you're currently using a password that contains fewer than 6 characters, change it now. If you're currently using the same password on more than one login, change it now. If you've had the same password for more than six months, change it now. Start practicing good WordPress password security, especially if you're an admin user.
See our Blog on Creating A Strong Password

Never use a "Random Password Generator"

Most of these programs are made by hackers.
And you guessed it: you just gave them your new password.
One of the easiest ways to generate a strong password is right in your hosting account with cPanel.
Log into your cPanel, then go to: Preferences > Password & Security > Password Generator.
