Two or three decades ago, robbery meant breaking in to steal someone’s cash or valuables. The would-be mischief makers and robbers of today take the form of hackers: anyone who finds and exploits software vulnerabilities for personal gain or political reasons.
Before I start, you should know that this article does not go into the nitty-gritty of WP security but rather discusses the causes of WordPress vulnerabilities. If that isn’t what you are looking for, I’d suggest you read “Beefing Up WordPress Security – A Complete Guide To Securing WordPress Sites”. That said, understanding the nature of past WP vulnerabilities provides great insight into how you can shore up your website’s security.
Why do people break into websites and data centers? Breaking into websites that hold client information, email IDs, credit card numbers, etc., is more profitable than robbing a bank. If you run a reasonably successful website, I’m sure hundreds, if not thousands, of attempts to access your website’s information have already been made.
Most recently, AshleyMadison.com was hacked and the details of 37 million users were stolen. The hackers have demanded that the website be shut down, failing which they will release the stolen users’ information, including their sexual fantasies. This gives you a taste of the kind of destruction a hacker can cause merely by gaining access to information.
Web security is a very important topic, and it grows ever more relevant given the number of websites popping up to collect personal information from their users.
As much as 65% of the web runs on WordPress as its Content Management System, so today I’ll be discussing WordPress security and how WP sites have been targeted or hacked in the past.
Why Invest In Good Security Practices?
- You owe it to the customers and clients who trust you with sensitive personal information to keep it safe.
- Your site gets hacked – You lose money.
- Your site gets hacked – Your search engine rankings take a nearly one-way trip to hell.
WordPress websites are hacked by the thousands, if not the hundreds of thousands. Not every site owner reports having been hacked; as you might guess, it isn’t a great endorsement for their brand.
I’d like to shed some light on why this article on WordPress security is necessary.
According to a study shared by Sandro Gauci (founder of Enable Security):
- 73.2% of the most popular WordPress installations have vulnerabilities that can be detected using free automated tools.
- Only 7,814 websites (18.55%) had upgraded to WordPress 3.6.1, which was the latest version of WP when the test was conducted.
- 13,034 websites (30.95%) were still running a vulnerable version of WordPress, version 3.6. WordPress 3.6 had 5 known vulnerabilities at that time.
And if you were wondering whether this is just some unfair, generalized characterization of small, unknown websites somewhere on the dark web, you would be mistaken. The statistics were produced from a study of about 42,000 WordPress websites on Alexa’s Top One Million websites. That is a huge number of vulnerable websites for supposedly the most visited websites on the web, and these websites collect vast amounts of information on their visitors and subscribers.
The statistics were true as of September 2013. I do not think they would have deviated much since then, and even if they have, the stats here show the scale of the security problems that plague WordPress.
If you’d like more evidence that WordPress can be compromised, I refer you to a study by Netcraft:
- In February 2014, there were 12,000 WordPress blogs that were serving as platforms for phishing sites.
- More than 8% of all malware URLs blocked by Netcraft for distributing web hosted malware were WordPress blogs.
I should point out that not one of those blogs was hosted on Automattic’s wordpress.com. This should quite clearly illustrate that even WordPress can be vulnerable if not used with caution and some knowledge of WP security. One reason for the difference may be that all blogs hosted on wordpress.com are updated almost as soon as WordPress updates are released. It should also be noted that automatic WordPress updates were introduced in WP version 3.7 to protect websites against zero-day exploits.
And even after that, there have been a host of security issues that have plagued WordPress. Check out this list of WordPress vulnerabilities in different versions of the platform.
Now, there is nothing you can do to prevent this from happening; new vulnerabilities will almost always be discovered. The core WP team have taken security very seriously and have made WordPress a lot safer.
But as with every other popular piece of software, exploiting its vulnerabilities becomes more profitable as more people start using it.
Don’t trust me? If you believe that somehow WordPress will suddenly become free of all vulnerabilities, check out this graph!
While the number of vulnerabilities has decreased over time from its highs in 2007 and 2014, the incentive to discover and exploit new vulnerabilities is forever on the rise, given the increasing profitability that comes with the increasing popularity of WordPress.
WordPress may be secure out of the box, but after adding a pile of plugins, themes and custom code, vulnerabilities multiply quickly.
That being said, we can make small changes to your WordPress to make it a lot more secure. First we need a thorough understanding of WordPress security, which is very helpful in figuring out where security fails.
You might be surprised to learn that the WP core platform is rarely at fault in a security breach. It is more likely that something you’ve added to your WP installation creates a vulnerability that hackers can exploit.
How Are WordPress Sites Compromised?
The difficulty with ensuring complete security is that there is no such thing.
Assuming your WordPress is fully secure, you still have Apache, your FTP client, MySQL and any other software that runs on your server to worry about. Your website is only as safe as its weakest link, and that includes the quality of your host’s software and of the themes and plugins your website runs on.
I wish I had more recent stats I could point you to. Still, this study, presented as an infographic on WpWhiteSecurity’s blog, provides great insight into how WordPress websites are hacked and what makes them vulnerable.
The study was based on information about 170,000 websites that were hacked in 2012. There was an 18% increase in the number of hacks over the previous year (2012), yet the number of vulnerabilities did not increase by the same percentage. Even a small increase in vulnerabilities affects far more websites, though, because of the increased use of WordPress and WordPress-based products.
- 41% of hacked WordPress sites were hacked through a security vulnerability on their hosting platform.
- 29% were hacked via a security issue in the WordPress Theme they were using.
- 22% were hacked via a security issue in the WordPress Plugins they were using.
- 8% were hacked because they had a weak password.
- From the above, we can conclude that more than 51% of hacked WordPress sites were hacked via a vulnerability in the WordPress themes or plugins they were using.
An overwhelming majority of the hacks came about due to installing software in the form of plugins, themes and because web hosting service providers failed to adequately beef up the security at the server end.
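A defender-side check that follows from these figures, added here as an example and not code from the original post: it inventories a WordPress tree’s core, plugin and theme versions from their file headers and flags anything below a stated minimum. The sample file contents and the plugin/theme minimums are constructed; the 3.6.1 core baseline is the one cited earlier in the article.

```python
"""Flag WordPress core, plugin and theme versions below a stated minimum."""
import re, tempfile
from pathlib import Path

# Constructed sample files standing in for a real WordPress install.
SAMPLE_TREE = {
    "wp-includes/version.php": "<?php\n$wp_version = '3.6';\n",
    "wp-content/plugins/example-form/example-form.php":
        "<?php\n/**\n * Plugin Name: Example Form\n * Version: 1.2\n */\n",
    "wp-content/themes/example-theme/style.css":
        "/*\nTheme Name: Example Theme\nVersion: 1.0.4\n*/\n",
}
# Minimum acceptable versions: 3.6.1 is the core baseline the article cites;
# the plugin and theme minimums are constructed for this example.
MINIMUMS = {("core", "WordPress"): "3.6.1",
            ("plugin", "Example Form"): "1.3",
            ("theme", "Example Theme"): "1.0"}

def write_sample_tree():
    # Materialise SAMPLE_TREE under a temp dir and return its root.
    root = Path(tempfile.mkdtemp())
    for rel, text in SAMPLE_TREE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root

def parse_version(s):
    """'3.6' -> (3, 6); tuples compare element-wise, so (3, 6) < (3, 6, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

def header(text, key):
    """Read one 'Key: value' line from a plugin/theme header comment block."""
    m = re.search(rf"^\s*\*?\s*{re.escape(key)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def inventory(root):
    """Return (kind, name, version) for core and every plugin/theme found."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", (root / "wp-includes/version.php").read_text())
    found = [("core", "WordPress", m.group(1) if m else None)]
    for kind, pattern, key in (("plugin", "wp-content/plugins/*/*.php", "Plugin Name"),
                               ("theme", "wp-content/themes/*/style.css", "Theme Name")):
        for path in sorted(root.glob(pattern)):
            text = path.read_text()
            if header(text, key):
                found.append((kind, header(text, key), header(text, "Version")))
    return found

def outdated(root, minimums):
    # Return [(kind, name, found, required)] for each item below its minimum.
    flagged = []
    for kind, name, ver in inventory(root):
        required = minimums.get((kind, name))
        # A missing Version header is treated as outdated, not silently skipped.
        if required and (ver is None or parse_version(ver) < parse_version(required)):
            flagged.append((kind, name, ver, required))
    return flagged
```

Running `outdated(write_sample_tree(), MINIMUMS)` flags the 3.6 core and the 1.2 plugin while the 1.0.4 theme passes; on a real install, point it at the site root and fill MINIMUMS from the current release notes.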
There isn’t much point in discussing measures to protect your website before addressing the good options you have for hosting, themes and plugins. So I’ll discuss how you can find good third-party software and safe hosting for your website before I start recommending specific security measures to strengthen WP security.
WordPress websites are rarely vulnerable due to errors in the core code of the content management system. But a website does not operate solely on the content management system: it requires a web host to serve the CMS on the web, themes to make it fancy and plugins to add the necessary functions. Adding multiple layers of third-party software to your WordPress installation makes your security a bit porous if it isn’t done right.
Your WordPress core, the plugins & themes, and web host need to communicate to keep your WordPress site running. This interaction sometimes has flaws, and it makes websites vulnerable.
Sure, 8% of websites may be compromised due to weak passwords. Still, an overwhelming amount of evidence suggests that badly written plugins and themes, or a web host running outdated software, are the primary cause for a great percentage of all WordPress websites hacked or shut down.
Now that we’ve established some clarity regarding the causes of WordPress vulnerabilities, as part of the next post in the WP Security series, I’ll discuss the steps you need to take to beef up your WordPress security.
Please share the details if you’ve ever had your WordPress site compromised by a hack or fallen victim to a DDoS attack. Either Aigars or I will try to remedy the problem if it is within our powers. Cheers 🙂