10 WordPress Security Issues You Need to Know About Today

WordPress powers 37% of the world’s websites, making it the world’s most popular Content Management System (CMS). We can certainly see why; WordPress is easy to use, powerful, and flexible – an ideal choice for organisations of all kinds.

But it’s not all sunshine and roses online; cybercrime is rife. Almost half of UK businesses (46%) reported some kind of cyber incident or breach during 2019.

Many businesses know they need to protect their IT using antivirus software, firewalls, and the like. But how are you protecting your website from cyber attacks? A website often serves as a company’s online “centre of operations” – if it were to become compromised, that could result in a loss of trust, traffic, income, and much more.

In this article, we’ll investigate some of the more common security risks that websites face and how to secure your organisation’s corner of the web.

By the way, we’ll be discussing issues that affect all sites, so it’s a worthwhile read even if you don’t have a WordPress website.

Wait – Is WordPress Not Secure!?

In our opinion, WordPress is one of the better Content Management Systems (CMSs) in terms of “out of the box” security. However, there’s much more to website security than your choice of CMS – cheap hosting, human error, negligent data practices, and poor coding can all present very real security implications.

Also, don’t let these concerns dissuade you from having a website if you don’t have one already. Having a website is like having a computer – it’ll help you no end in your business, but it’s how well you keep it safe from online threats that matters.

Website Security: What’s at Stake?

If your website were to suffer a hack, there’s far more at stake than just the cost of “putting things right”. A hacked website could spread misinformation about your brand, steal user data, disseminate malware, and more. An attack on your website can paint an unprofessional picture of your organisation, eroding trust in your brand.

It gets more worrying if personally identifying information is breached, stolen, or tampered with. Post-breach scrutiny under standards like GDPR or PCI DSS can incur punitive fees, operational downtime, and damaged business relationships.

Also, a disclaimer of sorts: Regardless of your current cybersecurity situation, there’s no such thing as being 100% protected from all threats lurking online. The cyber landscape changes so rapidly that no single tool, solution, or piece of advice is ever going to provide complete, flawless protection. You need to maintain a constant awareness of your individual risk factors and mitigate them to the best of your ability.

10 Website Vulnerabilities All WordPress Users Need to Know About

1. Brute Force Attacks

Brute force attacks happen when hackers access sensitive login pages on your site and use automated tools to “spray” the page with usernames and passwords until they gain access; the /wp-admin/ WordPress login page is a particularly vulnerable example. Criminals may use LinkedIn or phishing to find team members’ names and use them to inform their username guessing game.

These kinds of attacks are easy to keep at bay with good password etiquette. Always use strong or randomised passwords where possible, and never use the same password twice. Multi-Factor Authentication (MFA) tools add an extra layer of security on top of “username and password” logins, requiring an extra piece of authenticating information before access is granted. Therefore, MFA can protect you even if a password does become compromised.
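Beyond passwords and MFA, it helps to be able to spot a brute-force or password-spraying run in your login logs. The script below is an added example written for this article, not code from WordPress or from any plugin: it parses a constructed, hypothetical "one line per login attempt" log format, keeps a sliding window of failed attempts per source IP, and flags any IP that exceeds a threshold within the window, along with the usernames it tried (a long list of different usernames from one IP is the "spray" pattern described above). The log format, IP addresses and usernames are all made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "one line per login attempt" format.
# This is not real WordPress or web-server output; IPs are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=jane result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=john result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=editor result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=olco result=fail
2024-05-01T10:00:06Z ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:30Z ip=198.51.100.2 user=jane result=fail
2024-05-01T10:00:45Z ip=198.51.100.2 user=jane result=success
2024-05-01T10:30:00Z ip=192.0.2.9 user=john result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def find_brute_force(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "users": [...]}} for every source IP that
    produced more than max_failures failed logins inside any sliding window.

    Lines must be in chronological order, as they would be in a log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    tried = defaultdict(set)      # ip -> distinct usernames that IP attempted
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "fail":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        tried[ev["ip"]].add(ev["user"])
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_failures:
            flagged[ev["ip"]] = {
                "failures": len(q),
                "users": sorted(tried[ev["ip"]]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        kind = "password spray" if len(info["users"]) >= 3 else "brute force"
        print(f"{ip}: {info['failures']} failures, {kind} across {info['users']}")
```

With the sample data only 203.0.113.7 is flagged: six failures in five seconds across five different usernames, the spray pattern, while the genuine user who mistyped once from 198.51.100.2 is left alone. The threshold and window are the knobs you would tune for your own traffic before turning a flag into an automatic block.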

2. Denial of Service (DoS) Attacks

Sometimes cybercriminals will flood a website with continuous, automated requests which can slow your site to a crawl or render it totally inaccessible. This is called a DoS (Denial of Service) attack, and hackers use them for a number of reasons. The hacker may simply want to interrupt the business’s normal operations; they may use it as a way to hold a site to ransom and extort money; or it may be an attempt to overload a site’s security defences in order to gain access.

DoS attacks are hard to tackle as they aren’t reliant on internal factors – it’s external traffic that’s causing the problem. However, good hosting with decent bandwidth and responsive support can go a long way. Investing in a WAF (web application firewall) can also be a good call as they often terminate automated traffic. You should really consider a WAF if you deal with particularly sensitive information too, as we’ll discuss shortly.

3. Outdated or Insufficient Security

Out-of-date security plugins or poorly secured hosting can leave the back door open to opportunistic hackers. Thankfully, these issues are easily addressed: carefully choose your web hosting with security in mind, and always keep your WordPress installation, PHP version, theme, and all plugins up to date – not just ones that relate to security or access. Only ever use plugins that are sourced from WordPress’s own plugin database.

While you’re at it, it’s also a good idea to remove older, unused plugins. Even if they’re deactivated, they can still present security loopholes in some cases.

4. Not Installing an SSL Certificate

By its very nature, SSL certification presents significant security benefits. It encrypts all inbound and outbound traffic to/from your website, protecting that information from would-be eavesdroppers while in transit.

Even if you don’t collect sensitive data like email addresses, passwords, or card details, SSL certification is becoming increasingly important. In recent years, Google has begun to rank sites with SSL certificates better than those without, so it’s a must for your online visibility if nothing else!

Essential Reading: 5 Practical Reasons Why ALL Websites Need an SSL Certificate

5. Poor Security Training

No matter how sophisticated your security solutions are, a surprising number of attacks happen through sheer human error. All of your team members should be instructed to log out of their WordPress dashboard whenever they’ve finished what they’re doing, and should never leave their devices unattended when logged into your site (or indeed any sensitive resources like email or cloud storage).

Training should also be provided around the dangers of phishing and how to potentially spot fraudulent emails. Attacks like these are often used to obtain all manner of login credentials under false pretences, so good phishing awareness training can help you protect much more than just your website.

6. Poorly Defined User Roles

All WordPress logins have “roles”, each of which has set, predefined capabilities. WordPress comes with 6 roles as standard – Super Admin, Administrator, Editor, Author, Contributor, and Subscriber. When doling out logins, it’s easy to give users more capabilities than they realistically need, so we encourage you to regularly head to Users > All Users within your WordPress dashboard and review each user’s role.

The trick here is to assign everyone as restricted a role as possible, e.g., if someone only needs Author or Contributor access, there’s no point in them being an Administrator. You never know where someone’s untrained tinkering fingers may reach!

7. Theft of Sensitive User Data

Any site that collects personal data can be a real temptation to hackers, and e-commerce sites are a particularly lucrative target. But regardless of the kinds of data you collect, we recommend that you keep WordPress up to date, along with any plugins and themes – especially those associated with collecting, storing, or acting on sensitive user data.

However, if your site collects or processes sensitive data (and especially if it features an e-commerce element), you should really consider installing a WAF (web application firewall). In short, WAFs scan and filter all traffic flowing in and out of your site, blocking anything that may pose a threat.

8. Malware-Related Hacks

Once a hacker has access to a website, they can reconfigure it to do all sorts of things, including spreading malware. How this will look to the end user depends on how subtle the hacker wants to be – they can make relatively small tweaks that silently disseminate malware to a site’s visitors, completely change the appearance of the site to encourage disguised malware downloads, or simply forward all of a site’s visitors to a source of malware.

This is another factor that can be solved by keeping WordPress updated, along with its themes and plugins; investing in good hosting; keeping regular backups; and steering clear of plugins that haven’t come from WordPress’s own site.

9. SQL Injection Attacks

Even the simplest WordPress sites rely on interconnected databases in order to run properly. It sounds complicated, but it’s the secret to WordPress’s versatility and flexibility. Yet many online databases are potentially vulnerable to SQL injection attacks – all a hacker needs is an unsecured text box and a bit of coding know-how.

Without getting too technical, if a website includes a text box that isn’t properly secured, a criminal could enter a piece of code that talks to the website’s database. Depending on how your site’s databases are connected, they may be able to amend database records, steal data, or even wipe out whole datasets.

Keeping regular, off-server backups of your whole website will help you get back up and running should a hacker tamper with your website. Keeping your WordPress installation, theme, and plugins up to date will also minimise the chance that your text boxes will respond to this kind of code.
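To make the “unsecured text box” concrete, here is an added example, written for this article rather than taken from WordPress or any plugin, that shows the same search feature implemented two ways against a small constructed SQLite table. The vulnerable version pastes the search term straight into the SQL text, so a crafted term changes the meaning of the query and returns rows the page was never meant to show; the safe version hands the term to the database driver as a parameter, so it is only ever treated as data. The table, rows and function names are all invented for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a site's posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts (title, status) VALUES (?, ?)",
        [
            ("Welcome", "publish"),
            ("Draft pricing", "private"),
            ("Unpublished memo", "draft"),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """DELIBERATELY UNSAFE: the user's text is concatenated into the query.

    A term containing a quote closes the string literal and lets the rest of
    the input become part of the SQL, here bypassing the status filter.
    """
    sql = (
        "SELECT title FROM posts WHERE status = 'publish' "
        "AND title LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query: the term is bound as a value, never parsed as SQL."""
    sql = "SELECT title FROM posts WHERE status = 'publish' AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    print("normal search:", search_safe(db, "Welcome"))
    # A term built to break out of the LIKE literal; it makes the WHERE clause
    # always true in the vulnerable version.
    probe = "' OR '%'='"
    print("vulnerable:", search_vulnerable(db, probe))   # leaks private and draft posts
    print("safe:      ", search_safe(db, probe))         # nothing matches, as it should
```

In WordPress plugin and theme code the equivalent of the safe version is `$wpdb->prepare()`, which takes the query with placeholders and the values separately. Keeping plugins updated, as the article recommends, matters precisely because the fixes shipped in updates are very often a maintainer replacing the first pattern with the second.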

10. Cross-Site Scripting (XSS)

Cross-site scripting (XSS) can be particularly dangerous, and you can’t have a list of website vulnerabilities – on WordPress or otherwise – without mentioning it.

The scenario starts much like an SQL injection attack, with a hacker entering a piece of code into an underprotected text box on your website. However, instead of using SQL commands (which are only used to manipulate databases), XSS attacks use JavaScript code. JavaScript can do all sorts of things online, so XSS attacks can be incredibly damaging. Hackers can use XSS to quietly steal login details, leak data, run their own commands on a site, change a page’s content, set malicious cookies – it even facilitated the world’s first self-retweeting tweet!

Though we know we sound like a bit of a broken record here, always keep your WordPress installation, plugins, and theme updated to give yourself the best chance at protection.
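The defence against XSS on the code side is escaping: anything a visitor typed must be encoded for the context it is printed into before it reaches the page. The snippet below is an added example written for this article, not WordPress code; it renders a constructed blog comment without escaping (the vulnerable pattern) and with escaping, and also shows why a link supplied by a visitor needs a scheme check on top of escaping, since escaping alone will not stop a `javascript:` URL from running when clicked. The comment text, author names and function names are invented for the example.

```python
import html
from urllib.parse import urlsplit


def render_comment_unsafe(author, body):
    """DELIBERATELY UNSAFE: visitor-supplied text is dropped into the HTML as-is,
    so any tags or scripts in it become part of the page."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author, body):
    """HTML-escape both fields; '<', '>', '&' and quotes become entities and the
    browser displays them as text instead of parsing them as markup."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def safe_href(url):
    """Only allow http/https links; anything else (javascript:, data:, ...)
    is replaced with a harmless '#'. The surviving URL is attribute-escaped."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_author_link(name, url):
    """Visitor-supplied website link: scheme-checked URL in the attribute,
    escaped name in the element body (two different contexts, two checks)."""
    return f'<a href="{safe_href(url)}">{html.escape(name)}</a>'


if __name__ == "__main__":
    # Constructed comment containing a script tag, as a visitor might submit.
    body = "Nice post <script>alert(document.cookie)</script>"
    print(render_comment_unsafe("visitor", body))   # script tag reaches the page
    print(render_comment_safe("visitor", body))     # shown as literal text
    print(render_author_link("visitor", "javascript:alert(1)"))   # href becomes "#"
    print(render_author_link("visitor", "https://example.com/?a=1&b=2"))
```

WordPress exposes the same ideas as `esc_html()`, `esc_attr()` and `esc_url()`, and the self-retweeting tweet mentioned above is what happens when a field like the comment body above is rendered the unsafe way.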

All of these practices will minimise your odds of an attack being successful. It’s all about putting roadblocks in the criminals’ path – in many cases you only need to be one step ahead.

Want a brand new WordPress website, crafted with design, security, and ease of use in mind? Or maybe you’re looking for reliable, flexible, high spec web hosting from a UK-based provider? Perhaps both! In any case, OLCO Design’s in-house designers, marketers, and technical experts are on hand to help your brand be seen online. Want a no-obligation chat about your options? Book a free consultation with us today!
