WordPress Hacking Vulnerabilities & What You Can Do

WordPress is an awesome platform, with 30% of the internet agreeing enough to host their own website on WordPress. Its open-source technology makes it extremely easy for third parties to create new functionality, which can be bolted onto your site in just a few clicks. However, one of the main drawbacks (which often surprises people) is that hackers target WordPress sites, and there is a growing number of WordPress hacking vulnerabilities that can be readily exploited.

WordPress is in fact the most hacked CMS out there, and last year saw the percentage of hacked websites on the web increase, meaning it’s an area we still haven’t got under control. In this post, we’ll examine how hackers get into WordPress sites and what you can do to protect yourself.

Why WordPress Sites Are Easy To Hack

A large part of it comes down to the open-source nature of the WordPress themes & plugins library. When you download a new plugin to your website, you are installing a third party’s application – one which comes with its own security flaws & tribulations. Most of the popular plugins are rigorously tested; however, you can never say for certain whether a hacker can find a loophole into your site through your existing theme or plugins.

WordPress websites are also particularly vulnerable at a hosting level, and it’s one of the main areas where hackers target WordPress websites. If you are using a basic Apache or NGINX hosting provider, you really need to make sure you have:

  • Server level firewall & encryption
  • Secure SSL certificates
  • Anti-malware & Anti-virus software

Without these in place, it becomes much easier for hackers to get into WordPress websites. A lot of hackers will begin the process of infiltrating your website by trying to get into your hosting account first; from there they can access your site in its entirety. It’s crucial to go with a good web host who offers strong security features; however, it’s also vital to make sure any PHP code on your website is error-free. Sloppy PHP code is another reason why WordPress sites are easy to hack. Hackers spend a lot of time scouring the web, looking for sites that have been coded incorrectly & provide a backdoor straight into the website or hosting platform. They even have automated tools that do the searching for them!

How You Can Keep Your WordPress Site Safe

Learning about the various WordPress hacking vulnerabilities is the first step to understanding the risks in place and keeping your site safe. Below we have also listed several tips that you can implement straight away, which will significantly reduce the chance of unauthorised access to your domain:

Use Strong Passwords – each password you use should be unique and contain a completely random assortment of numbers, letters & special characters. You absolutely shouldn’t use items like your name, birthday or the same password you use for platforms such as Facebook & Google. Hackers target WordPress sites in many ways and have built up various tactics for extracting password details from you when you are using the web.


Keep WordPress, Its Plugins & Your Theme Updated – WordPress and your plugins are constantly evolving and releasing new versions for you to upgrade to. Aside from adding new features, these upgrades are also used to address any security concerns. Each time a new release is rolled out, a list of the changes the new update addresses will also be published. The way you need to look at this is that if any security risks have been discovered & fixed, those release notes are a massive signpost to hackers, which say exactly what the vulnerabilities are in any of the dated versions people may still be running.

Use Two Factor Authentication – this is a growing trend across the web, and it’s worth investing in it. If you’re wondering how hackers get into WordPress sites then it’s often because they have figured out your login password & username. Two Factor Authentication adds an extra step into this process, as your website also sends a code to your mobile phone to be used as an extra piece of login information. When hackers see that this is enabled they often move onto their next target, as they know it will be too difficult for them to be able to acquire the necessary information.

Securing Your wp-config.php File – your config file is arguably the most important WordPress file, as it contains your entire WordPress database. It’s also one of the primary WordPress hacking vulnerabilities, as this database also holds your password information. This is a file that you don’t want hackers getting anywhere near, so it’s best to add an extra layer of security to this file by adding the below code to your .htaccess file:

# Block web requests for wp-config.php (Apache 2.2 syntax; on Apache 2.4
# without mod_access_compat use "Require all denied" in place of the two lines)
<files wp-config.php>
order allow,deny
deny from all
</files>

Modifying Your WordPress Table Prefix – usually hackers target WordPress websites either by compromising login information or by guessing the naming structure of certain files & database components. As WordPress is hosted on the web, if a hacker can accurately guess what a website’s database tables are called then in theory it’s possible to access them. WordPress by default makes all database tables start with ‘wp_’ – if your database tables are then also called something obvious such as ‘wp_locations’ or ‘wp_catalogue’ then it is possible to work them out. We recommend changing all your default table prefixes to something more random that can’t be worked out. This is such an easy job to fix, but it’s these kinds of naming oversights that are why WordPress sites are easy to hack.
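The two points above (keeping wp-config.php out of reach, and not running on the default ‘wp_’ prefix) are both easy to check rather than take on trust. The following is an added example, not code from the original post or from WordPress: a small audit that reads a WordPress install directory, flags a wp-config.php that other users on the host can read, flags a `$table_prefix` still set to the default, and checks that the sibling .htaccess carries the deny block shown earlier. The install it writes in `write_demo_install` is constructed for the demonstration, with placeholder credentials; the `.htaccess` check only applies to Apache hosting, which the comment in the code notes.

```python
"""Added example: audit a WordPress install for the wp-config.php and
table-prefix points above. Not from the original post; the demo install
written below is constructed, with placeholder credentials."""
import os
import re
import stat
import tempfile

DEFAULT_PREFIX = "wp_"   # WordPress's stock prefix, which attackers guess first
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
# The <files wp-config.php> block from the post, accepting either the
# Apache 2.2 "deny from all" or the Apache 2.4 "Require all denied" spelling.
HTACCESS_RE = re.compile(
    r"<files\s+wp-config\.php\s*>.*?(deny\s+from\s+all|Require\s+all\s+denied).*?</files\s*>",
    re.I | re.S)


def parse_table_prefix(config_text):
    """Return the $table_prefix value from wp-config.php text, or None."""
    m = PREFIX_RE.search(config_text)
    return m.group(1) if m else None


def audit_install(wp_root):
    """Return a list of findings for the install at wp_root (empty = clean)."""
    findings = []
    config = os.path.join(wp_root, "wp-config.php")

    # The file holds database credentials and salts, so other accounts on a
    # shared host must not be able to read it.
    mode = stat.S_IMODE(os.stat(config).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("wp-config.php is readable by group/others (mode %04o)" % mode)

    with open(config, encoding="utf-8") as fh:
        prefix = parse_table_prefix(fh.read())
    if prefix is None:
        findings.append("no $table_prefix found in wp-config.php")
    elif prefix == DEFAULT_PREFIX:
        findings.append("table prefix is the default 'wp_'")

    # Apache only: NGINX has no .htaccess and needs a location rule instead.
    try:
        with open(os.path.join(wp_root, ".htaccess"), encoding="utf-8") as fh:
            protected = bool(HTACCESS_RE.search(fh.read()))
    except FileNotFoundError:
        protected = False
    if not protected:
        findings.append(".htaccess does not deny web access to wp-config.php")
    return findings


def write_demo_install(root, prefix, mode, with_htaccess):
    """Constructed install for the demo; credentials are placeholders."""
    config = os.path.join(root, "wp-config.php")
    with open(config, "w", encoding="utf-8") as fh:
        fh.write("<?php\n"
                 "define( 'DB_NAME', 'PLACEHOLDER_DB' );\n"
                 "define( 'DB_PASSWORD', 'PLACEHOLDER_PASSWORD' );\n"
                 "$table_prefix = '%s';\n" % prefix)
    os.chmod(config, mode)
    if with_htaccess:
        with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write("<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n")


def demo():
    """Audit a weak install and a hardened one; returns both finding lists."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        write_demo_install(root, "wp_", 0o644, with_htaccess=False)
        results["weak"] = audit_install(root)
    with tempfile.TemporaryDirectory() as root:
        write_demo_install(root, "k7q2x_", 0o600, with_htaccess=True)
        results["hardened"] = audit_install(root)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name + ":", findings or ["no findings"])
```

Run it against a real install with `audit_install("/path/to/wordpress")`; the weak demo install produces three findings and the hardened one none. A prefix change on a live site also has to rename the existing tables and the prefix-named options and user-meta keys, so take a database backup before doing it.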

We hope you found this blog on how hackers get into WordPress sites useful and if you believe you are at risk from any of the WordPress hacking vulnerabilities mentioned then it’s best to act now. Likewise, if you have been hacked in the past then it’s worth completing a comprehensive review of your website’s security – even if you have already changed your login details or removed any malicious code.