Top 5 WordPress Security Threats

WordPress is the world’s most popular content management system (CMS). Today, WordPress powers over 35% of all websites online. With such a great number of website installations, WordPress is the most targeted CMS by hackers.

Article Quick Links:

That does not mean that WordPress is an insecure CMS at all. Security has been a major concern among the WordPress community. WordPress receives regular updates and security patches to make sure it is mostly shielded from website attacks.

However, website security is not always straightforward. Core vulnerabilities only make up a small percentage of attack vectors. There are many other factors involved in making sure a WordPress website is secure.

Before we talk about how to make your WP site more secure, let’s take a look at the top 5 WordPress security threats in 2020.  

Sucuri has put together the 2019 Website Threat Research Report that gives valuable insights on the website threat environment. In this post, we will rely on this data to see the most common WordPress trending threats.

1. WordPress SEO spam

SEO spam remains the most popular attack method, especially because of financial motivations. Hackers inject hand-picked content, keywords, and links into hacked websites in order to benefit from their SEO rankings. It means that more people will be exposed to what malicious attackers have crafted instead of seeing the real content of the website in search engines. In these hack campaigns, visitors can be redirected to other scam pages.

According to the report, 2019 saw 62% of all websites that we cleaned up with an SEO spam infection. This means an increase of over 10% compared to 2018. Unwanted content targeting the website’s database was the most popular type of SEO spam infection. There are usually more than one type of SEO infection per compromised website. Each site Sucuri cleaned had an average of 12 types of SEO infection, which shows that hackers take a lot of time to craft campaigns that take the most advantage of each vulnerable site they choose to exploit.

The consequences of having SEO spam are dramatic. The most prominent one is a website getting on a blacklist. When a website is blacklisted, it loses more than 98% of its organic traffic in a small amount of time. The website’s visitors see a bright red page with a message explaining that the website they are about to enter is dangerous. All of this leads to brand reputation damage. In 2020, we expect the number of SEO spam attacks to keep raising, so beware of your WordPress site security and check out our previous post on preventing WordPress comment spam.

2. WordPress Backdoors

The second most common type of malware in 2019 was backdoors. You might be wondering what that means. Website backdoors are a type of malware that is very hard to find and even harder to remove. When a website has a backdoor it means that a hacker has left a piece of malicious code in a website in order to regain access to the website. The main objective of a WordPress backdoor is to regain control of a website and reinfect it over and over again. 

According to the Sucuri report, in 2019 over 47% of all websites cleaned had some type of backdoor. If your website keeps being reinfected, it likely has a backdoor. Looking for professional help to clean up a website is highly advisable in this case.

3. WP-VCD Malware in WordPress

WordPress has been suffering from reinfections, most importantly because of the WP-VCD malware. On average, 40% of all sites affected by this malware were reinfected. The Sucuri team cleaned up over 5,000 WordPress sites that had the WP-VCD malware in 2019.

4. Vulnerable core WordPress files

Keeping your core file updated is one of the key security measures to avoid website attacks. According to the Sucuri report, 56% of all WordPress installations were out of date when the websites were infected. WordPress offers automatic updates options since version 3.7, which  can help you keep up with the latest core updates.

5. Vulnerable WordPress plugins and themes

Keeping plugins and themes updated are as important as keeping the WordPress core updated. Outdated plugins and themes is one of the most common attack vectors. Leaving vulnerable software on a website is like leaving the door open to hackers. The great majority of today’s attacks are completely automatic, so hackers search the web for WordPress sites with vulnerable plugins to exploit them. That is why updating everything on a website is one of the most effective security best practices you can take. 

How to protect your WordPress site from hacks and attack

You can take these simple steps to protect your WordPress website:

  1. Implement proper password management

    Start by changing all of your passwords and make sure the new passwords are unique, complex, lengthy, and unpredictable. But, how are you going to remember all of your passwords? Well, actually you don’t have to. Use a password manager like LastPass to store and generate random passwords for you.

  2. Use multi-factor authentication

    Make sure all of your WordPress users have two-factor authentication (2FA) enabled. 2FA adds an extra layer of password protection.

  3. Implement WordPress user account management processes

    Not everybody needs to be an admin user. Scale back on the level of roles your contributors have. Use the principle of least privilege when choosing WordPress roles: Administrators, Authors, Editors, Contributors, and Subscribers.

  4. Update everything, always.

    We cannot say it enough: update, update, and update. Make sure all of your plugins and themes are updated. Enable WP core updates.

  5. Use a WordPress Firewall

    It is important to prevent attacks and hacks proactively. A Web Application Firewall such as the Sucuri WAF will filter all the website traffic leaving only legitimate traffic go through. It prevents distributed denial of service attacks (DDoS) and illegitimate traffic.

Juliana is a content marketing manager at Sucuri, passionate about website security and making the internet safer to everyone!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.