WordPress Security Vulnerabilities: What You Need to Know

Conscious Commerce • December 11, 2021

As a business owner, you have a lot on your plate already. The last thing you want to worry about are the potential security vulnerabilities your website is leaving you exposed to.


But one aspect you can’t afford to skip is digital security. Think this doesn’t impact you? That’s exactly what more than 1.2 million GoDaddy WordPress customers thought when they learned they were linked to the latest WordPress data breach.


In a digital world of constantly changing cyberthreats, what should WordPress users be wary about? Does the platform offer enough protection that we can entrust it with our important web hosting needs?


Read on to learn more about some of WordPress’s biggest security issues, and why it may be time to make the switch to a more secure platform.

General Security Vulnerabilities of WordPress

To the chagrin of many WordPress users, the baseline configuration for the platform actually leaves you quite vulnerable if you don’t add an additional layer of security by implementing proper security practices and installing security plugins.


WordPress has also seen a number of security breaches over the past few years. Let’s go over some general problems related to WordPress vulnerabilities and then cover some specific incidents to be aware of.

Login Interception

The backend login page for a WordPress site can be reached by appending “/wp-admin” to the site’s URL. Attackers can then attempt a brute-force attack, using a bot to try many combinations of login credentials. Eventually, the correct administrator username and password might be guessed.


This issue arises when the owner of the WordPress site does not change the default login page for the backend, or chooses a username or password that can easily be guessed. Strong passwords are complex and sufficiently long, and avoid common words, names, or phrases.

Secure passwords usually contain at least one number (1–9) and one uppercase letter ('A' through 'Z'), and the password length should ideally be between 8 and 16 characters.

A few other actions you can take in this regard are:

  • Install two-factor authentication so that a separate device is necessary for the account owner to verify login access to the backend. This can prevent hackers from gaining unauthorized access to WordPress.
  • Use a password manager to make storing long and complex passwords easy so that you don’t end up forgetting them yourself.
  • Avoid using the same password for multiple sites: In case one of your accounts is compromised, you won’t end up exposing all your other accounts.
  • Be careful with admin privileges: don’t grant them to any account that doesn’t need them. This reduces your attack surface.
  • Adopt WordPress plugins that use captchas to deter bots and enforce a maximum number of failed login attempts.


Regarding this last point, keep in mind that some WordPress plugins have security issues of their own to look out for. We’ll return to plugins later.
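As an added example (not code from the original article, nor from any of the plugins it refers to), here is a minimal must-use plugin that implements the last point of the list above directly in WordPress: it counts failed logins per connecting address and refuses further attempts for a while once a threshold is reached. The plugin name, the `example_` prefix, the file name and the thresholds are assumptions made for this example; the hooks `wp_login_failed`, `authenticate` and `wp_login`, the transients API and `WP_Error` are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Added example, not from the article: lock a client out after repeated failed logins.
 * Drop this file into wp-content/mu-plugins/ (hypothetical file name: example-login-throttle.php).
 */

// Thresholds chosen for this example; tune them for your own site.
const EXAMPLE_MAX_FAILED_LOGINS = 5;
const EXAMPLE_LOCKOUT_SECONDS   = 15 * MINUTE_IN_SECONDS;

// One transient key per connecting address. REMOTE_ADDR is the TCP peer: behind a reverse
// proxy or CDN you must first derive the real client address from a header you trust, or
// every visitor will share one counter.
function example_login_throttle_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count every failed attempt. Each failure renews the window, so a client that keeps
// hammering the form stays locked out; a quiet client is forgiven once the transient expires.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_login_throttle_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );

    if ( EXAMPLE_MAX_FAILED_LOGINS === $count ) {
        // Repeated failures are the signal worth alerting on; leave a line in the PHP error log.
        error_log( sprintf(
            'example-login-throttle: locking out %s after %d failed logins (last username tried: %s)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $count,
            $username
        ) );
    }
} );

// Refuse authentication while locked out, even when the credentials are correct. Priority 30
// runs after core's username/password check (priority 20), so this filter has the last word.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( example_login_throttle_key() );
    if ( $count >= EXAMPLE_MAX_FAILED_LOGINS ) {
        return new WP_Error(
            'example_too_many_attempts',
            __( 'Too many failed login attempts from your address. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_login_throttle_key() );
} );
```

Two caveats a practitioner should weigh before using something like this: keying on the client address means everyone behind one shared NAT or office gateway is locked out together when one of them fails five times, and a site running behind a CDN or load balancer must derive the client address from a trusted header first. The error_log line is there so the lockouts show up in your logging, which is where a brute-force campaign is usually first noticed.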


Unfortunately, not all WordPress security vulnerabilities are this straightforward to address, and not all of them can be fully protected against.


Outdated First-Party Software

WordPress updates its core software every few months and uses the opportunity to patch the latest security vulnerabilities. However, installing these updates is up to each individual user, and website owners who forget or are unwilling to do so run the risk of exposure to new security threats.


In 2017, a Sucuri Security report indicated that 4 out of 10 hacking incidents were partly the result of out-of-date core WordPress software. That is hardly surprising, given that, according to WordPress’s own statistics, a large share of WordPress sites don’t even have the latest version installed.


Take advantage of critical security updates by checking your dashboard for new versions from WordPress. Staying on top of these changes makes a significant difference, but remember that you aren’t fully protected against vulnerabilities from other sources, such as third-party themes and plugins.


Outdated Third-Party Software

WordPress sells itself on modularity. Users have access to thousands of plugins created by a community of developers to expand site functionality, but these extensions also open another hole in the WordPress security landscape.


Every individual plugin and theme, even outside the authority of WordPress itself, can potentially present a security vulnerability. You’re ultimately leaving your safety up to the developers of these plugins, and not all third parties keep their code properly maintained.


Keep in mind that outdated plugins and themes can even introduce malware infections “behind the scenes” in ways you can’t foresee. Harmful code is a fairly common vector, much to the chagrin of WordPress site owners.
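The two previous sections both come down to updates that were available but never installed. As an added example (not from the article), here are the settings that take the “remember to update” step out of the owner’s hands, for core as well as for the third-party plugins and themes just discussed. `AUTOMATIC_UPDATER_DISABLED`, `WP_AUTO_UPDATE_CORE`, `auto_update_plugin` and `auto_update_theme` are WordPress’s own constant and filter names; the must-use plugin file name is an assumption.

```php
<?php
// Added example, not from the article. Two places decide whether updates happen without you.

// 1) wp-config.php. The weak setting is the one that switches the background updater off
//    entirely; a site carrying it stays on whatever version was installed last.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );   // weak: nothing updates by itself

//    Corrected: let WordPress install core releases on its own.
//    true = all releases, 'minor' = security and maintenance releases only, false = none.
define( 'WP_AUTO_UPDATE_CORE', true );

// 2) A must-use plugin (hypothetical path: wp-content/mu-plugins/example-auto-updates.php).
//    Core updating itself does nothing for plugins and themes; these two filters opt every
//    installed plugin and theme into background updates as well, so a fix published by a
//    plugin author reaches the site without anyone logging in to approve it.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Background updates only apply to plugins and themes installed from a source WordPress can check, and an update can still fail or break a site; after enabling them, the dashboard’s Updates screen and the site itself should be checked regularly rather than assumed to be fine.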


Cross-Site Scripting

Cross-site scripting, also known as XSS, is an attack in which malicious code is planted in the code of a website. Once the infection is in place, the attackers might disguise a fake link on the front end of your website and redirect visitors into a trap that steals their information.


For WordPress, XSS incidents usually result from outdated third-party plugins or themes, which are a prime target for such injections. Your main defense is to apply plugin updates routinely and keep themes up to date to the best of your ability, while hoping that your plugin providers are staying on top of their own security. A web application firewall is another option; it works by blocking unauthorized traffic from entering or leaving your site.
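The underlying coding mistake is the same whether it sits in a theme or a plugin: a value a visitor controls is written into the page without escaping. As an added example (not from the article or from any named plugin), the snippet below shows a vulnerable theme fragment beside its hardened form. The function names and the sample search term are constructed for this example; `esc_html()`, `esc_attr()` and `esc_url()` are WordPress’s own escaping functions, and the stand-in definitions at the top exist only so the file can be run on its own from the command line.

```php
<?php
// Added example, not from the article. When this file is run outside WordPress (php this-file.php),
// stand-ins for esc_html()/esc_attr() are defined so the output can be seen; inside WordPress the
// real functions are already loaded and these definitions are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable theme pattern: a visitor-controlled value (here, a search term taken from ?s=) is
// concatenated straight into the page, so any markup in it is rendered by the browser.
function example_search_heading_unsafe( $term ) {
    return '<h2>Results for: ' . $term . '</h2>'
         . '<input type="text" name="s" value="' . $term . '">';
}

// Hardened: escape for the context the value lands in. Text between tags goes through esc_html(),
// attribute values through esc_attr(); the browser then displays the markup as literal text.
// (URLs placed in href or src attributes need esc_url() instead.)
function example_search_heading( $term ) {
    return '<h2>Results for: ' . esc_html( $term ) . '</h2>'
         . '<input type="text" name="s" value="' . esc_attr( $term ) . '">';
}

// Constructed input resembling the "fake link" described above: a visitor follows a URL whose
// search term carries markup, and the page echoes it back to them.
$term = '"><a href="https://phishing.example/login">Your session expired, log in again</a>';

echo "Unsafe:\n", example_search_heading_unsafe( $term ), "\n\n";
echo "Escaped:\n", example_search_heading( $term ), "\n";
```

Run from the command line, the first block of output contains a live link and a broken input element; the second contains the same characters as `&quot;&gt;&lt;a ...`, which a browser shows as text. This is also a useful check when reviewing a plugin or theme before installing it: an `echo` of `$_GET`, `$_POST` or a database value with no `esc_` call around it is the pattern to look for.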

SQL Injections

Structured Query Language (SQL) is a core element of WordPress database management. SQL injection, which works in a manner similar to XSS, occurs when attackers gain access to your database and can freely edit, delete, or leak the content within it.


An SQL injection attempt can arrive through something as ordinary as a contact or payment form on your site, with the malicious input ending up loaded into your site. The best defense you have against it is proper awareness: be careful about every place your site accepts user input.
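In code, “being careful with user input” has a precise meaning for WordPress: never splice a submitted value into SQL text, and bind it as a parameter instead. As an added example (not from the article), the snippet below shows a lookup behind a hypothetical contact form in its vulnerable and hardened forms. It assumes it runs inside WordPress; the function names, the table name and the sample input are constructed for this example, while `$wpdb->prepare()`, `$wpdb->get_results()` and `sanitize_email()` are WordPress’s own.

```php
<?php
// Added example, not from the article. Assumes it runs inside WordPress, where $wpdb is available.

// Constructed form input: a value that closes the intended string and appends its own condition.
$submitted_email = "x' OR '1'='1";

// Vulnerable: the submitted value is spliced into the SQL text, so a quote inside it changes the
// query. With the input above the WHERE clause becomes  email = 'x' OR '1'='1'  and matches every row.
function example_find_subscriber_unsafe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_subscribers';   // hypothetical table
    $sql   = "SELECT id, email FROM {$table} WHERE email = '{$email}'";
    return $wpdb->get_results( $sql );
}

// Hardened: $wpdb->prepare() binds the value for the %s placeholder, so whatever the visitor typed
// is treated as one string literal and can never alter the structure of the query. Do not put your
// own quotes around %s; prepare() adds them.
function example_find_subscriber( $email ) {
    global $wpdb;
    $email = sanitize_email( $email );                // normalise first; an invalid address becomes ''
    if ( '' === $email ) {
        return array();                               // nothing to look up, so do not touch the database
    }
    $table = $wpdb->prefix . 'example_subscribers';   // hypothetical table
    $sql   = $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email = %s", $email );
    return $wpdb->get_results( $sql );
}

// The unsafe lookup returns every subscriber for the constructed input; the hardened one returns
// an empty array, because the value is rejected as an address before any query is built.
$leaked = example_find_subscriber_unsafe( $submitted_email );
$safe   = example_find_subscriber( $submitted_email );
```

Two details matter in practice: input validation (`sanitize_email()` here) and parameter binding (`prepare()`) are separate defenses, and the second one is the one that actually prevents injection; and the same rule applies to every `$wpdb->query()`, `get_var()` or `get_row()` call in a plugin or theme, which is why an unparameterised query in a plugin you are about to install is a reason to look for another plugin.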


Denial-of-Service (DoS)

A DoS attack works by sending so much traffic to a server that it becomes inaccessible to visitors and administrators alike. A distributed denial-of-service (DDoS) attack uses multiple machines in a botnet to achieve the same goal. Site owners typically get everything back up and running eventually, but the experience is still frustrating for everyone involved.


WordPress sites are definitely not immune to such incidents, so it’s in your best interest as an owner to find a proper hosting provider with protections against these attacks. Simple plugins won’t be enough in this case.


Specific WordPress Cybersecurity Incidents

So have these particular issues manifested in real life? WordPress has had its share of security breaches that negatively impacted its site hosts and its visitors. Don’t fall into the same trap as these companies did.

The WordPress 4.7.2 Update

In February of 2017, WordPress officially released a new security update for its platform that fixed several major security issues, among them an SQL injection and a cross-site scripting vulnerability.


While site owners lucky enough to catch the update in time were relatively safe, the hundreds of thousands without automatic updates enabled suffered the consequences. Daniel Cid—who was the founder of Sucuri, the company WordPress worked with on the update—notes that “the core of the issue is people not updating to the latest versions. Even with auto and simple updates, people still do not update their sites.”


The “File Manager” Plugin Exploit

A zero-day exploit affecting the popular “File Manager” WordPress plugin left over 700,000 sites exposed to malicious code in September of 2020. While the developers of the plugin released a security patch shortly after, many site owners simply did not update in time.


Protecting yourself against plugin exploits comes down to staying on top of automatic updates and using a web application firewall wherever one is available. But no matter what, WordPress users should stay vigilant and be prepared for any new incident; zero-day exploits naturally take time to fix.


The GoDaddy Breach

Here’s a frighteningly recent one. In November of 2021, GoDaddy announced a data breach that exposed 1.2 million email addresses belonging to WordPress users. Other reports have noted that the perpetrators were able to gain access for up to 2 months before getting caught.


Even a company as large as GoDaddy, with a significant investment in cybersecurity, occasionally suffers such attacks, and the impact on users may be severe despite the fast corrections made by the company.


Businesses Should Be Wary: Make the Switch to MAP Today

The truth is that, despite being a powerful and popular content management system, WordPress is a rather unreliable choice for businesses concerned about their cybersecurity posture.


If you’re in the market for a content management system, consider moving away from WordPress and choosing a more security-focused option like MAP instead.


Interested in seeing what MAP can do for your business and its website? Book a meeting with one of our PALs today to get started.
