WordPress is one of the most popular CMS platforms in the world, in large part due to how inherently secure it is.
But since it's the most popular CMS in the world that also means it's the most targeted.
A study done by Sucuri in 2021, shows us that 94% of websites that were infected with malware in 2019 were WordPress websites.
According to the study, most of the hacks were due to vulnerabilities with plugins and themes, configuration problems, and a lack of maintenance and updates.
Here is the list of 16 common WordPress security issues you need to know:
Another report done in 2021, showed that out of a testing pool of 2,837 vulnerabilities were caused by plugins 75% of the time, WordPress core 14% of the time, and themes 11% of the time.
Remember that WordPress is open source which means that anyone, anywhere, can contribute code to the files that make up WordPress and to the plugins and themes that help make WordPress work.
There are a lot of review processes and guidelines and rules that go into this code before it's published. And when it's discovered that any WordPress-related software is vulnerable or unsafe, there are people all over the world who jump to report it and, or fix it. whether it be WordPress core software, plugins or themes can help you prevent the grand majority of vulnerabilities.
The internet is close to real life there are bad people and good people who facilitate growth.
WordPress plugins and themes are all built with code blocks and, we occasionally make mistakes in code. The mistakes can cause lapses in security, which are called vulnerabilities.
Security researchers look for WordPress security vulnerabilities in popular software, in order to make the Internet a safer place. When they discover vulnerabilities, they disclose them to our developers to fix. Then we release a security patch in the form of an update, which resolves the vulnerability. Once sufficient time has passed, security researchers will then announce their findings.
Theoretically, by this time, the plugins and themes should have been updated. However, that is very often not the case. And hackers know and rely upon this tendency to attack websites, and exploit their vulnerability.
Updates can sometimes break the site unless you do them carefully.
Hackers use programs called bots to attack login pages, trying out many combinations of usernames and passwords to break into a website. Often bots can try as many as hundreds of combinations per minute, using dictionary words and commonly used passwords to break through. Once they succeed, the hacker has open-door access to your website.
On the flip side, strong passwords are difficult to remember, so admin chooses easy-to-remember ones, like pets’ names, birthdays, or even permutations of the word ‘password’.
However, this makes the site security vulnerable to attacks. This information is legitimately available online via social media and other sites, and illegitimately via data breaches or the dark web. The best thing to do is to have a strong, unique password to keep your account, and therefore website, safe.
Note: You need to set strong passwords across your site accounts, which include your user account and hosting account. Admin doesn’t often change the SFTP and database credentials, but if you have done, make sure you set strong passwords for these too.
Additionally, you can limit login attempts on WordPress. If a user has too many incorrect logins, they are temporarily locked out, or they need to fill in a CAPTCHA to prove they aren’t a bot. This measure keeps bots out and makes allowances for human error.
Malware is a catch-all term used to describe any code that allows unauthorized activity on your website. In subsequent points, we will look at specific cases too, like backdoors and phishing scams.
When we talk about addressing WordPress security issues, the goal is to keep out malware. However, as we have said, no system is 100% bulletproof. You can do everything right, and a clever hacker will find a new way to penetrate the defenses. It is rare, but it happens. So how do you deal with malware, if it is already on your website?
First of all, you need to confirm that the malware is indeed on your website. Malware can hide in files, folders, and in database. We have seen malware files masquerade as WordPress core files, as image files, and even show up as plugins. The only way to be sure if your website is infected or not is to deep-scan it on a daily basis
SEO spam is a particularly egregious malware that is used by hackers to divert your website traffic away from your website to their shady and spam websites. They do this by hijacking your search results on Google, inserting code into your existing pages, or by redirecting traffic to their own websites. Sometimes they do all of these things. In any event, it is always bad news.
There are a few common variants of the SEO spam malware, like the Japanese keyword hack and the pharma hack. Both of these variants have gained notoriety in their own right because their symptoms are specifically Japanese characters or pharmaceutical keywords in the search results.
All types of SEO spam malware are incredibly difficult to remove manually because they can create hundreds of thousands of new spam pages, which are impossible to remove easily. Plus, they insert malware into critical WordPress core files and folders, like the .htaccess file, which can break the site if it is not cleaned properly.
Invariably sites with these strains of malware get flagged on Google Search Console, land on the Google blacklist, and lead the web host to suspend your hosting account. Therefore, the key to dealing with this hack is to leave it to the experts, which in this case is a WordPress security plugins with a Website Firewall (WAF) called MalCare, Sucuri, Wordfence, Astra Wp hardening. These Security Plugins will not only get rid of the malware, but make sure your site is protected with an advanced firewall.
Phishing malware is a two-part scam that tricks users into giving up their confidential details by masquerading as trusted brands.
The first part is to send an official-looking email to an unsuspecting user, usually with a dire warning that something terrible will happen if they don’t update their passwords or something immediately. For instance, when a phishing email spoofs a web host customer, they might say that the site is in danger of being taken down.
The second half of the scam takes place on a website. The phishing email usually has a link that takes the user to a seemingly official website and has them enter their credentials. The website is obviously fake, and this is how many people compromise their accounts.
On WordPress websites, phishing comes in two flavors, depending on which part of the scam is happening. In the first case, WordPress admins get phishing emails about how a database update is required for their website, and they are tricked into putting in their login details.
On the other hand, hackers can use your website for fake pages. Often website administrators have come across banking or e-commerce logos on their website, even though they have no reason to be there. These are used to trick people.
Google is very quick to crack down on phishing scams, especially on websites that host these pages. Your website will get blacklisted and slapped with the phishing website detected notice, and that is terrible for visitor trust and branding. Even though you are innocent, your website has become a host for a scam. It is imperative that you get rid of this malware as soon as possible, and take steps toward damage control.
6. Malicious redirects
One of the worst WordPress hacks is the malicious redirect hack. It is incredibly frustrating to visit your website, only to be whisked away to another spammy or scammy website, selling questionable products and services. Often, WordPress admins can’t even log into their websites because of the hacked redirect malware.
There are many variants of this malware, and it infects the files and database of the website completely. We have seen instances of the hacked redirect malware in every post of a site with over 500 posts. It was a nightmare, and the admin was understandably frustrated.
The only way to get rid of the malicious redirect malware is to use a security plugin. In fact, you will probably need help to install the plugin all, because you can’t log into your website. That’s where our support team can help out. we will guide you through the installation process, and if necessary clean the site for you.
7. Reused passwords
Reused passwords can be strong passwords like we spoke about in the previous section, but they are not necessarily unique.
For instance, your social media account and website account have the same string of letters, characters, and numbers for a password. You’ve gotten used to typing it in, and you figure it can’t be guessed so it is a good password.
Well, you’re half right. It is a good password, but only for one account. The rule of thumb is to never reuse passwords across accounts. And the reason is the potential threat of data breaches.
GoDaddy had a breach in September 2021, which they discovered only in November 2021. By then, 1.2 million users’ database and SFTP credentials had been compromised. If any of those users had used those passwords elsewhere, like a bank account, that information was now squarely in the hands of the hacker. It becomes that much easier to break into other accounts.
We trust different services and websites to secure our data, but no system is completely bulletproof. Things can and will break on occasion. The goal is to contain the damage as much as possible. Creating unique and strong passwords for every account helps you do that.
8. Nulled software
Nulled plugins and themes are premium versions with cracked licenses available for free online. Quite apart from the moral dimension of stealing from developers, nulled software is a huge WordPress security risk.
Most nulled themes and plugins come riddled with malware. Hackers rely on people to want a good deal on a premium product and wait for them to install it. The website gets a dose of malware hand-delivered to it, and the site is now hacked. This is the only reason why anyone bothers to crack premium software in the first place. Robin Hood isn’t involved in the WordPress ecosystem.
Even if the nulled themes and plugins didn’t have malware on them—which is very rare—you cannot update them. Because they are not official versions, they obviously don’t receive support from the developers. So if a vulnerability is discovered and the developers release a security patch, the nulled software is also out-of-date with a vulnerability, in addition to having malware installed on it.
9. Backdoors on your WordPress site
Backdoors, like the name implies, are alternative and illicit ways to access the code of your website. Along with malware, hackers inject backdoor code into your website, so if the malware is discovered and removed, they can regain access using the backdoor.
Backdoors are one of the primary reasons we don’t recommend ever cleaning malware manually from your website. You may be able to find malware scripts and remove them, but backdoors can be very cleverly concealed and become almost invisible.
The only way to remove backdoors from your website is to use a WordPress security plugin, like MalCare. MalCare gets rid of backdoors as well as malware quickly and easily with the auto-clean feature.
10. wp-vcd.php malware
The wp-vcd.php malware causes spam popups on your WordPress website that direct users to other websites. It has the same purpose as the SEO spam hack and malicious redirects but works differently. It has a few variants like wp-tmp.php and wp-feed.php.
The wp-vcd.php malware infects websites with code that executes each time the site loads. It is one of the most frustrating hacks that infect WordPress sites because as soon as you remove it, it seems to come right back; in some cases, instantly. If ever there was malware that could be likened to a recurrent virus that just can’t be kicked, wp-vcd.php is the one.
The wp-vcd.php malware infects websites chiefly through nulled plugins and themes. Wordfence goes as far as to call it: “the malware you installed on your own site”; which we think is a bit harsh, but it does underscore the danger of nulled software.
11. Brute force attacks
Hackers use bots to bombard your login page with username and password combinations, in order to gain access. This method is known as a brute force attack and can be successful if the passwords are either weak or are the same as ones found in a data breach.
Brute force attacks are not just terrible for security, but also consume your site’s server resources. Every time the login page loads, it requires some resources. Ordinarily, the disk usage is negligible, so it doesn’t affect the performance noticeably. But brute force bots hammer the login page at the rate of several hundred—if not a thousand—times per minute. If your site is on shared hosting, there will be noticeable consequences.
The way to counteract brute force attacks is to have bot protection for your website, as well as limit incorrect login attempts. MalCare comes with bot protection built into the security plugin.
You can also enable CAPTCHA on your login page. You may see advice to hide your login page by changing the default URL, but don’t do this. It is incredibly difficult to retrieve if that URL is lost, and you will be locked out of your website along with the hackers.
12. SQL injection
All WordPress websites have databases that store important information about the website. Things like users, their hashed passwords, posts, pages, and comments are stored in tables and are edited and retrieved regularly by the website files. The database is rarely accessible directly and is controlled by the website files for security.
SQL injections are particularly dangerous attacks because hackers can interact directly with the database. They use forms on your website to insert SQL queries, which allow them to manipulate or read from the database. SQL is the programming language used to make changes to the database, like adding, deleting, modifying, or retrieving data. This is why SQL injection attacks are so dangerous.
The solution is to keep your plugins and themes updated because WordPress security vulnerabilities like insanities input lead to successful SQL injection attacks. Additionally, a good firewall will keep away bad actors from your website.
Cross-site scripting, or XSS, attacks on websites are similar to SQL injections, in that the hacker inserts code into the website. The difference is that the code targets the next visitor on your website, instead of your website database.
In an XSS attack, the malware is added to your website. A visitor comes along, and their browser thinks that the malware is part of your website, and thus the visitor is attacked. Generally, cross-site scripting attacks are used to steal data from unsuspecting visitors.
The way to protect your site visitors is to make sure that XSS vulnerabilities don’t exist on your website. The simplest way to do this is to make sure that your website is fully updated. You can take the security to the next level by installing a WordPress firewall plugin as well.
You may have noticed that many websites now have a green lock near the URL bar. This is a trust badge for the visitor to say that the website is using SSL. SSL is a security protocol that encrypts traffic back and forth from a website.
A good analogy for this is to think of a telephone call. The data passing between two people on the line is intended to stay between them as a private conversation. However, if a third person was able to tap into that line, they would understand the data, and therefore it is no longer private. However, if two original people were to use a code that only they are able to decipher, regardless of how much the third person overhears, the information’s true meaning is hidden from them.
This is how SSL works for websites. It encrypts the data being sent to and from the website, so that sensitive information cannot be read by a third party and used illegitimately.
The Internet as a whole has been moving towards data security and privacy in the recent decade, and SSL has emerged as one of the fundamental ways to achieve that purpose. Even Google strongly advocates for SSL-enabled websites, going as far as to penalize non-SSL websites on their search results.
15. Spam emails being sent from WordPress
Emails are a cornerstone of digital marketing, and it is a way to engage and interact with website visitors. People are also becoming increasingly judicious about the emails they want to receive, so there is an underlying trust that exists.
Given the delicate nature of trust, it is awful to think that a hacker can insert malware into your website and email spam to your visitors. And yet, that is exactly what some malware does. It hijacks the WordPress core function wp_mail() to send out spam emails.
Malware ordinarily causes Google blacklists and web host suspensions, but in the case of spam emails your web host will also blacklist your email service and you will see a bunch of other errors. In fact, if the spammer adds email addresses to your website as well, then you are in danger of having your email blacklisted altogether.
16. Dormant user accounts
Users on a website change constantly. If you run a blog with multiple authors and editors, for instance, chances are that new writers are added to the website often, while older writers leave.
The crux over here are the old user accounts that aren’t removed promptly become a WordPress security issue over time. Because the accounts exist but passwords aren’t updated regularly, they are vulnerable to attack. Dormant user accounts suffer from the same dangers of compromised passwords, so removing any accounts not in active use is necessary housekeeping.
Additionally, it is important to know who is doing what on your website. Unusual or unexpected user actions are an early signal of hacked accounts.