How to secure your site

WordPress is by far the most popular content management system and powers millions of websites. It is open source software, which means its source code is publicly available and can be modified by anyone with sufficient know-how.

Although WordPress plugins and themes can be purchased, tens of thousands of them are available for free. As one might expect, this comes with drawbacks: anyone can publish a plugin, and not every author keeps it maintained. So how vulnerable are WordPress sites? What about their themes and plugins? And how can you protect your sites?

How vulnerable is WordPress?

In February 2022, Jetpack reported that popular themes and plugins from the provider AccessPress Themes (also known as Access Keys) had been compromised. Researchers spotted the backdoor by accident, after finding suspicious code on a compromised website. On closer investigation, they found the same code in most AccessPress plugins and in every one of its themes.

It later emerged that AccessPress Themes had been the victim of a cyberattack in September 2021, in which the attackers injected a backdoor into the provider’s plugins and themes.

AccessPress eventually updated and cleaned up its products, but in the meantime thousands of sites presumably ran the backdoored code for months. Note the supply-chain angle: the code was tampered with at the vendor, so a freshly downloaded, fully up-to-date copy was still malicious.


Do WordPress plugins and themes have vulnerabilities?


Jetpack’s findings underscore just how vulnerable WordPress can be. But this was not an isolated case.

In March 2021, for example, Wordfence disclosed serious vulnerabilities in two WordPress plugins, Elementor and WP Super Cache, which if successfully exploited would have allowed an attacker to take control of a website. Elementor is a website builder used on over seven million websites, while WP Super Cache is a popular caching plugin.

In February 2022, as reported by Search Engine Journal, the United States government’s National Vulnerability Database and WordPress security researchers warned of serious vulnerabilities in dozens of WordPress plugins.

Nine of those plugins are installed on more than 1.3 million websites between them: Header Footer Code Manager, Ad Inserter—Ad Manager & AdSense Ads, Popup Builder, Anti-Malware Security and Brute-Force Firewall, WP Content Copy Protection & No Right Click, Database Backup for WordPress, GiveWP, Download Manager and Advanced Database Cleaner.

How to secure your WordPress site

One would assume that a vulnerability is always patched, or the affected plugin removed, once it is discovered, but that is not the case.

Patchstack research found that the number of reported WordPress vulnerabilities rose 150% in 2021 compared with 2020, and that 29% of those vulnerabilities never received a patch. Patchstack also found that only 0.58% of the reported flaws were in WordPress core, meaning almost all of them were in plugins and themes.

It is essential to keep every plugin and theme you use up to date, as well as WordPress core itself, and to remove plugins you no longer use: a plugin whose flaw has no fix available is only safe once it is gone.

Before installing any plugin, spend a few minutes on due diligence: check its active install count, read reviews, see when it was last updated, and check whether it has been tested with the current WordPress core. It takes only a few minutes, but it can save you a lot of trouble later.
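The checklist above can be automated. The script below is an added example, not code from the article or from WordPress.org; it assumes plugin metadata in the shape returned by the WordPress.org plugin-information API (fields `active_installs`, `last_updated`, `tested`, `rating`, `num_ratings`), and the thresholds and the two sample records are constructed for the example.

```python
"""Vet a WordPress plugin's public metadata before installing it.

Added example, not code from the article. Assumption: a record has the shape
returned by the WordPress.org plugin-information API
(https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG),
in particular active_installs, last_updated (e.g. "2024-03-18 9:05am GMT"),
tested, rating (0-100) and num_ratings. Thresholds and sample records below
are constructed for this example.
"""
import json
import urllib.request
from datetime import datetime, timezone

MIN_ACTIVE_INSTALLS = 10_000   # below this, few eyes are on the code
MAX_DAYS_SINCE_UPDATE = 365    # older than a year is likely unmaintained
MIN_RATINGS = 20               # a perfect score from three people means little
MIN_RATING_PERCENT = 80


def minor_version(version):
    """'6.5.2' -> (6, 5): plugins declare 'tested up to' at major.minor granularity."""
    parts = (version.split(".") + ["0"])[:2]
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def parse_last_updated(value):
    """Parse the API's last_updated string into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def vet_plugin(info, core_version, now):
    """Apply the checklist; return (ok, reasons) where reasons lists every failed check."""
    reasons = []

    installs = info.get("active_installs", 0)
    if installs < MIN_ACTIVE_INSTALLS:
        reasons.append(f"only {installs} active installs (min {MIN_ACTIVE_INSTALLS})")

    age_days = (now - parse_last_updated(info["last_updated"])).days
    if age_days > MAX_DAYS_SINCE_UPDATE:
        reasons.append(f"last updated {age_days} days ago")

    tested = info.get("tested", "0")
    if minor_version(tested) < minor_version(core_version):
        reasons.append(f"tested up to WordPress {tested}, current core is {core_version}")

    num_ratings = info.get("num_ratings", 0)
    if num_ratings < MIN_RATINGS:
        reasons.append(f"only {num_ratings} ratings (min {MIN_RATINGS})")
    elif info.get("rating", 0) < MIN_RATING_PERCENT:
        reasons.append(f"rating {info.get('rating')}% is below {MIN_RATING_PERCENT}%")

    return (not reasons, reasons)


def fetch_plugin_info(slug):
    """Fetch a live record from WordPress.org (needs network; not used by the samples)."""
    url = ("https://api.wordpress.org/plugins/info/1.2/"
           f"?action=plugin_information&request[slug]={slug}")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample records, shaped like the API response (slugs are hypothetical).
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)
CORE_VERSION = "6.5.2"
GOOD_PLUGIN = {"slug": "example-maintained-plugin", "active_installs": 2_000_000,
               "last_updated": "2024-03-18 9:05am GMT", "tested": "6.5",
               "rating": 96, "num_ratings": 1200}
STALE_PLUGIN = {"slug": "example-abandoned-plugin", "active_installs": 300,
                "last_updated": "2021-02-01 4:30pm GMT", "tested": "5.6",
                "rating": 100, "num_ratings": 3}

if __name__ == "__main__":
    for plugin in (GOOD_PLUGIN, STALE_PLUGIN):
        ok, reasons = vet_plugin(plugin, CORE_VERSION, NOW)
        print(plugin["slug"], "OK" if ok else "REJECT: " + "; ".join(reasons))
```

Run it as-is to see the constructed records scored, or call `fetch_plugin_info("<slug>")` and pass the result to `vet_plugin` with today's date and your core version. The rating check deliberately looks at the number of ratings before the score: a 100% rating from three reviewers tells you nothing.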


WPScan complements this manual research. It is a simple and effective WordPress vulnerability scanner that checks a site’s core version, plugins and themes against a database of known vulnerabilities, and it can also look up a single plugin by name. The free API tier allows up to 25 requests per day.

Some plugins are designed specifically to protect your WordPress site from intruders. Login LockDown, Wordfence and BulletProof Security are among the best WordPress security plugins available today. Login LockDown is completely free, while the other two offer a free basic tier alongside paid versions. Bear in mind that security plugins are plugins too: the list above of vulnerable plugins includes Anti-Malware Security and Brute-Force Firewall, so vet and update them like any other.

WordPress Security Tips

As vulnerable as WordPress can be, taking basic security precautions goes a long way in preventing and fending off cyberattacks.

Unique login credentials and two-factor authentication for every account, keeping core, plugins and themes up to date, and keeping theme names and login details out of public view should be the foundation of your WordPress security hygiene.
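A quick way to see what your site already gives away is to inspect the HTML of its front page. The check below is an added example, not code from the article; it reports the WordPress version from the generator meta tag and every theme and plugin slug visible in `/wp-content/` asset URLs. The two HTML documents are constructed for the example, and the plugin slug `example-slider` is hypothetical.

```python
"""Report WordPress fingerprinting leaks in a page's HTML.

Added example, not code from the article. Input is HTML you already have
(e.g. the body of your own home page); output is the version string from the
generator meta tag plus the theme and plugin slugs exposed in asset URLs.
The sample documents are constructed; "example-slider" is a hypothetical slug.
"""
import re

GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([0-9][0-9.]*)"', re.IGNORECASE)
THEME_RE = re.compile(r"/wp-content/themes/([A-Za-z0-9_-]+)/")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_-]+)/")


def find_fingerprint_leaks(html):
    """Return {'version': str or None, 'themes': [...], 'plugins': [...]}."""
    match = GENERATOR_RE.search(html)
    return {
        "version": match.group(1) if match else None,
        "themes": sorted(set(THEME_RE.findall(html))),
        "plugins": sorted(set(PLUGIN_RE.findall(html))),
    }


# Constructed: a default WordPress head that leaks version, theme and a plugin.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwentyfour/style.css?ver=1.0" />
<script src="https://example.com/wp-content/plugins/example-slider/js/slider.min.js?ver=2.3.1"></script>
</head><body><p>Hello</p></body></html>"""

# Constructed: generator tag removed, but the theme path still names the theme.
PARTLY_HARDENED_HTML = """<html><head>
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwentyfour/style.css" />
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for label, html in (("leaky", LEAKY_HTML), ("partly hardened", PARTLY_HARDENED_HTML)):
        print(label, find_fingerprint_leaks(html))
```

The second sample makes the point that removing the version tag alone is not enough: as long as assets are served from the default `/wp-content/themes/<name>/` path, the theme name is still visible to anyone who views the source, and with it the set of known vulnerabilities to try.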
