The average person can’t even imagine why hackers gain access to their site, let alone HOW.
A recent survey by Wordfence, asking how their sites had been compromised, compiled responses from over 1,000 people.
Nearly 60% said it was plugins. Brute force accounted for roughly 15%. WordPress core, their theme, hosting, file permissions, password theft, phishing, their workstation, etc. accounted for less than 10%.
Plugins are the riskiest
Plugins are what add individuality to WordPress sites. As WordPress has grown, so has the popularity of plugins.
With over 40,000 plugins to choose from, you can imagine the options for making your site unique. But it also means there is a lot of opportunity for vulnerability. That is exactly what this survey shows.
Keep plugins updated
When you notice that there is an update for a plugin, take care of it right away. Most commonly, updates are released because a vulnerability has been discovered, not for cosmetic reasons.
Don’t use plugins that are not maintained
If you are relying on the plugin author to keep the plugin safe and they’ve abandoned the project for whatever reason, your site is vulnerable.
Before installing a plugin, check to see how long it’s been since there was an update. If it’s been longer than six months, don’t use it. Check your plugins periodically to see if they are still being maintained.
Only download plugins from reputable sites
If you download a free plugin, use the WordPress repository, wordpress.org/plugins. Check when it was last updated, the rating, and the number of downloads, and I also like to check the support forum to see whether issues are being resolved.
If you buy a premium plugin, you will want to do some research. Unlike a free plugin that you can simply uninstall if it doesn’t meet your needs, you want to make sure a premium plugin is really what you need.
In addition, you will want to do some research on the company and find some reviews that reveal vulnerabilities, bad experiences, etc.
Brute force attacks by hackers are still an issue
A brute force attack is when a person or machine tries to guess your password. Clearly, it could take a lifetime for an individual to guess your password. But hackers use machines that can make an enormous number of guesses in a matter of seconds.
Don’t use obvious usernames
The obvious usernames to avoid are “admin” and “administrator.” Using your business name or the name of anyone who is blogging should also be avoided as they are easy for hackers to guess.
Use login lockout software
After a set number of failed login attempts, such as attempts made with an invalid username, the software blocks that source from making further attempts.
This approach requires that the user know their password AND have access to their cell phone. While inconvenient, it is very effective at keeping hackers out.
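As an added example of the login lockout described above (this is not code from the post or from any named plugin), here is a minimal WordPress must-use plugin that counts failed logins per client address in a transient and rejects further attempts once the limit is reached. The limit of 5 attempts and the 15-minute window are assumed values, and the function names prefixed sll_ are hypothetical; it keys on REMOTE_ADDR, which is only correct when the site is not behind a reverse proxy.

```php
<?php
/*
 * Plugin Name: Simple Login Lockout (added example, not from the post)
 * Place this file in wp-content/mu-plugins/ and it loads automatically.
 */

// Assumed policy: 5 failed attempts within 15 minutes locks the source out.
define( 'SLL_MAX_ATTEMPTS', 5 );
define( 'SLL_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

// Counter key per client address. Behind a reverse proxy or CDN, REMOTE_ADDR is
// the proxy's address, so derive the key from the proxy's trusted forwarding header.
function sll_counter_key() {
    return 'sll_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Every failed login, including one with an invalid username, bumps the counter.
// The transient expires after the window, so counts reset on their own.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = sll_counter_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, SLL_WINDOW_SECONDS );
} );

// Refuse the attempt while the source is locked out. Priority 30 runs after the
// core username/password handlers (priority 20), so a correct guess from a
// locked-out source is still rejected instead of overriding this error.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // cookie re-authentication, not a login form attempt
    }
    if ( (int) get_transient( sll_counter_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that source.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( sll_counter_key() );
}, 10, 2 );
```

Each attempt rejected during the lockout fires wp_login_failed again, so the window restarts for as long as the guessing continues.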
Other security steps to take
We have talked in previous posts about keeping everything up to date, having a good virus scanner on your computer, using strong passwords, and backing up your site on a regular basis.
It’s critical to keep your site as secure as possible to avoid inconvenience, expense, and in some cases, identity theft.
Do you want to learn more about how to secure your site?
Get your FREE copy of WordPress Security Checklist below.
If this checklist overwhelms you, I can help you secure your site. Sign up at www.solowebsolutions.com/pom