WordPress Security Hacks And Fixes
Since the mid 90′s the internet has sparked a revolution in communications and modern culture. It’s made many people and corporations rich, exponentially increased the rate of information delivery and made the world smaller. However, every good idea is vulnerable and the internet is no exception.
Web pages represent a gateway to the internet and WordPress CMS (content management system) represents 17% of all websites online. WordPress has gained popularity as a tool for non-developers to build and administer quality web pages. As use of WordPress increases so has “blow-back”. In 2009 estimates claim over 81,000 WordPress sites were hacked. In 2012 over 170,000 sites were hacked: a 109% increase in attacks.
Industry analyst have identified the most common methods hackers use to compromise WordPress sites; 41% through 3rd party hosting companies, 29% through malicious or unsecured themes, 22% from malicious or unsecured plugins and 8% from weak passwords.
Let’s fragment the data and explore vulnerabilities that exist in WordPress and poor network securityOS environments that affect WordPress.
Analysis of WordPress CMS reveal cavities exist in; security themes, updates, wp-config files, wp-admin files, plug-ins, default administrative account names, weak logging security, enabled file-editing, absent firewall plugins, non encrypted backups and using standard WordPress table prefixes.
Listen to the Latest Episodes Right Now.
System and network vulnerabilities that bridge to WordPress security loopholes include; web server hosting vulnerabilities, viruses, weak network security, weak local password security and absent SFTP (Secure File Transfer Protocol ).
A number of things can be done to secure WordPress. They include: using the latest WordPress release, not displaying the WordPress version, backup data using Dropbox, hide wp-config.php, change default “admin” name, use reputable hosting services, don’t install free themes, use strong passwords, protect wp-admin directory, deny access to plug-ins and use trusted plug-ins.
Since WordPress can be hacked without revealing intrusion it is important to routinely inspect the environment. The first recommendation is to download the entire WordPress site and execute a security scan on the entire folder. Inspect PermaLinks to ensure nomenclature is not compromised. Inspect .htacess nomenclature to ensure 301 redirection is not occurring. Pay attention to imitation redirects from the homepage. Investigate banner ads that mysteriously appear. Confirm Pharma hacks don’t redirect URL searches that should point to the WordPress site. Confirm spam sites don’t exist that use keywords like Viagra to redirect users to the site. Make sure unexpected admin level users aren’t covertly added to the access list. Confirm unauthorized database tables don’t exist.
Popularity of WordPress is increasing the amount of risk with 505 identified vulnerabilities. It’s a daunting problem to tackle with 67 million WordPress sites and 372 million people viewing 4 billion WordPress pages per month. Those statistics don’t include the 47 million new posts and 67 million comments that are posted to WordPress sites monthly.
Hackers are becoming more sophisticated compromising millions of WordPress sites to initiate denial of service attacks. In April 2013 security analyst discovered a botnet attack with 90,000 compromised servers targeting WordPress sites launching brute force methods.
The best way to secure a WordPress site is to execute counter measures to vulnerabilities mentioned in this article. Also stay up to date with the latest WordPress releases.
Discovered security threats should be reported to WordPress (firstname.lastname@example.org). WordPress does an excellent job of consistently releasing bug resolutions.