WordPress makes it very easy to have and run a website.
According to W3 Techs, WordPress is the content management system used by 26% of all websites live on the internet. That includes this website you’re reading right now.
In our work with clients, we use WordPress when the client in question wants a website that’s easy to manage, easy to update, and easy to add content to. As long as their website scope does not include much customizable handling and/or processing of data, WordPress is the option we recommend.
And, as that 26% figure attests, WordPress works very well for what it does.
But WordPress also has a dark side – when you have such a huge install base, and when so many different plugins are available that add extra functionality to WordPress, that means WordPress is a huge and easy target for hackers.
Just over the weekend, there was a widely noted hack in which attackers exploited a WordPress vulnerability to replace a Linux distribution's installer download with a malicious version. In the post announcing this compromise, one of the commenters asked point-blank:
I’ll ask this question, without knowing the intrinsic details, or any specific details other than what has been posted above; did the breach have anything to do with the fact that you’re running WordPress?
Best wishes and thanks for the heads up.
And the admins of the hacked Linux distribution responded:
Yes, the breach was made via wordpress. From there they got a www-data shell.
A quick read of the Reddit thread where this issue was discussed turns up comments lamenting yet another WordPress exploit that spread potential havoc across many sites:
Now, there are ways you can protect yourself from attack. But the reality is, few WordPress site owners take many steps to protect themselves.
Here are five steps you should definitely follow to protect your site if you’re running WordPress:
- Make your Admin Name and Password Hard to Guess – Never stick with the default “admin” as your admin username. And use the most complex password you can handle for your site’s admin logon(s).
- Stay On Top of Your Updates – WordPress releases periodic updates to its core code. Make sure you run those as soon as they’re released. (Software updates are often released due to vulnerabilities that were discovered and then patched. Companies often sidestep this fact and make it sound like the update adds fun new functionality. Whether or not that’s true, run the updates ASAP whenever they’re released just in case.) The same goes for any plugins you’re using – the older your plugin versions, the more likely hackers have figured out ways to exploit vulnerabilities in those older versions.
- Keep Your Site Regularly Backed Up – In the potentially disastrous event of your site being hacked, having a complete backup of your site’s files and database will be a godsend. You can manually back up your site’s files via a quick FTP dump. And you can easily log into phpMyAdmin and export your complete WordPress database. Some web hosts take care of backups for you. And there are plugins that can help you here as well.
- Isolate Your WordPress Sites On Your Web Host – If you have other types of sites or services, it’s best to keep those quarantined from WordPress. That way, if something does happen to your WordPress installation where it is hacked, the rest of your web properties won’t also go down with the ship.
- Use As Few Plugins As You Can Get Away With – The most likely way I’ve seen hackers break into a WordPress installation is through an old version of a plugin. The more plugins you run, the more potential vulnerabilities you’re dealing with. So, whenever you don’t need a plugin, deactivate and delete it from your WordPress site. There’s no sense in leaving potential attack vectors lying around, so get rid of any plugin you’re not actively using on your site.
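Two of the steps above, backing up files plus database and keeping an eye on plugin versions, can be scripted from a shell on the web host so they actually happen on a schedule. The script below is an added example written for this post, not code from WordPress or from any plugin; it assumes the standard layout (`wp-config.php` at the site root holding the `DB_NAME`, `DB_USER`, `DB_PASSWORD` and `DB_HOST` defines, plugins under `wp-content/plugins/`) and that `mysqldump` is on the PATH for the database export. Function names, the archive naming scheme and the sample paths are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress site's
# files and database, and inventory plugin versions, from a POSIX shell.

# Read the value of define('KEY', 'value') from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME).
# Accepts single or double quotes around both the key and the value.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the site's files: wp-config.php plus wp-content (themes, plugins,
# uploads). $1 = site root, $2 = destination directory. Prints the archive path.
wp_backup_files() {
    site="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/wp-files-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$archive" -C "$site" wp-config.php wp-content
    echo "$archive"
}

# Export the database with mysqldump using the credentials in wp-config.php.
# $1 = site root, $2 = destination directory. Prints the dump path; returns 2
# if mysqldump is missing and 1 if the dump itself fails.
wp_backup_db() {
    site="$1"; dest="$2"
    cfg="$site/wp-config.php"
    name=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not found" >&2; return 2; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dump="$dest/wp-db-$stamp.sql"
    mkdir -p "$dest"
    # MYSQL_PWD keeps the password out of the process list, where a
    # --password=... argument would be visible to other users on the host.
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "$host" -u "$user" "$name" > "$dump" \
        || { rm -f "$dump"; return 1; }
    gzip "$dump"
    echo "$dump.gz"
}

# Inventory installed plugins with the Version: declared in each plugin's
# header comment, so old or forgotten plugins are easy to spot.
# $1 = site root. Output: one "directory<TAB>version" line per plugin.
wp_list_plugins() {
    for dir in "$1"/wp-content/plugins/*/; do
        [ -d "$dir" ] || continue
        ver=$(grep -h -m 1 '^[[:space:]*]*Version:' "$dir"*.php 2>/dev/null \
              | sed 's/^[^:]*:[[:space:]]*//' | head -n 1)
        printf '%s\t%s\n' "$(basename "$dir")" "${ver:-unknown}"
    done
}

# Typical cron usage (paths are placeholders):
#   wp_backup_files /var/www/example /var/backups/example
#   wp_backup_db    /var/www/example /var/backups/example
#   wp_list_plugins /var/www/example
```

Run the backup functions from cron under an account that can read the site but is not the web server's own user, and copy the resulting archives off the host; a backup that sits next to the site is lost in the same compromise that hacked it. The plugin inventory is the list to compare against each plugin's current release and against what is actually activated, so anything stale or unused can be updated or deleted.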
WordPress offers many wonderful things to a would-be website owner.
What it doesn’t do well is keep you safe and protected. It’s up to you to handle that part.
If you’re using WordPress and you haven’t been adhering to the above five steps, be afraid. Be very afraid.