5 Mistakes WordPress Users Make That Permit Cyber Attacks
During one of the biggest WordPress attacks, 1.5 million web pages were hacked. This happened in 2017 when a content-injection vulnerability was discovered and exploited by malicious cyber attackers. Although the vulnerability was patched as soon as Sucuri, a US-based security firm, warned WordPress, according to midgard.co.uk, 40,000 unique websites were attacked successfully, which allowed criminals to modify the content on those 1.5 million pages. The responsibility of this incident, of course, fell onto the shoulders of WordPress, who failed to uncover the vulnerability themselves, as well as to warn WP website developers and administrators in time. Unfortunately, there are some mistakes that these developers and administrators do themselves that permit successful cyber attacks. In some cases, that happens due to outdated software, and in others – due to weak WordPress passwords. Whatever the case might be, there's always something that can be done to strengthen protection.
1. What's the deal with your hosting environment?
WordPress websites can be hacked if they are hosted on servers that are not protected reliably. The problem here is that you cannot really control the security of the server. This is why the most important thing you can do is choose a reliable hosting service before you set up a new WordPress site. The services vary in cost and level of support and security, and so if you are looking to create a business or support a business using your WordPress website, you should consider investing in services you can trust. If you choose to save your dollar now, you are likely to be spending money on security and damage control in the future after you experience a cyber attack. If you think you are ready to handle this on your own, you might be favoring self-hosting, but if the thought of dealing with malware and fixing corrupted content gives you a headache, you will want to choose the right hosting service. Some of the web hosts recommended by WordPress include Bluehost, DreamHost, and SiteGround.
2. When was the last time you installed updates?
Yes, yes. We all hate updates because they always seem to come in at the worst possible time. But if you think about it, spending several moments out of your day to update WordPress really is not that big of a deal. On the other hand, if you do not install updates and existing vulnerabilities are exploited by cyber attackers, the security issues you might face could amount to a HUGE deal. If your website's management system is outdated, security backdoors might exist, and so we suggest that you install the latest version immediately. Have you made your website mobile-friendly? If you have, you must not forget about mobile updates as well. The same goes for all installed plugins and themes. If you are not installing appropriate updates, vulnerabilities and security loopholes could be exploited as well.
3. You don't research your plugins? Well, you should
There's only so far you can go without plugins when it comes to WordPress. They add functions to your website and can help go to the next level, so to speak. If you are looking to create a professional-looking site, you will not be able to evade plugins. Unfortunately, malicious plugins do exist. For example, a plugin called Display Widgets caused serious problems in 2017 when it silently installed backdoors on 200,000 websites. Using the backdoor, the attacker behind it could publish anything on the affected website. An interesting detail about this plugin is that it was harmless until it was sold. That means that you need to be cautious not only about new plugins you install but also the old ones you have trusted in the past. Then there are plugins that are created with good intentions but are simply too weak against malware attacks. Of course, you don't need to be afraid of all plugins. You certainly should make use of reliable security plugins that can scan for malware and add firewall to your WordPress website.
4. If your WordPress password is weak, you are asking for trouble
Do you know what a brute force attack is? It is a cyber attack during which cyber attackers gain access to an account using illegal practices. The job is much easier if your WordPress password is weak and easy to crack. We should not be telling you how to choose a strong WordPress password, but if you need a refresher, it MUST be long and it must be complex. The consensus is that the WordPress password should be at least 14 characters long, should contain symbols, numbers, lower and upper-case letters, and should not include whole words. Luckily, WordPress does not allow adding "password" as your… well, password, but that is not the only passcode that can be guessed. But how are you supposed to remember a complicated WordPress password? That is not a problem if you use a password manager. You can even use it to help you generate a strong passcode that goes beyond 6 characters that are required by WordPress. When it comes to usernames, for the love of everything that you cherish – do NOT use admin, administrator, or the name of your website.
5. Is it time to backup your WordPress website?
What if a cyber attack cannot be prevented? As we know from experience, even if all security measures are taken to protect the website, bad things happen, and even WordPress messes up from time to time. This is why you want to have a backup to your website. That way, you can easily restore the site and get it up and running in no time. Note that if you are using a reliable hosting service, backups might be created automatically, but you do not want to rely on anyone when it comes to backups, and it is strongly suggested that you find your own way to back up your website as well.
A quick reminder
- Choose the right web host that can provide security and support in the event of a cyber attack.
- Install ALL WordPress-related updates as soon as they come in.
- Choose your plugins and themes wisely. Beware of malware hidden within plugins, but do not miss out on the opportunity to strengthen your security by implementing reliable security plugins.
- Create a strong and complicated WordPress password that cannot be guessed. If you do not know how to choose strong WordPress passwords, employ a password manager with an integrated password generator.
- Use a reliable password manager to keep your login information safe.
- Make sure your username is not generic to prevent unauthorized access to the website.
- Back up your website to ensure that it is up and running even if a cyber attack occurs.