WordPress powers over one-third of the Internet (34%) and its market share grows daily, according to Hosting Tribunal and WordPress.org. They also state that WordPress accounts for almost 60% of the current Content Management System (CMS) market, CMS being the tools used to create and manage digital content. Needless to say, it is one of the most widespread technologies on the Internet today, and almost everyone using a browser interacts with it directly, whether they realize it or not.
WordPress officially came into existence around 2003 and was initially intended as a self-publishing tool. It has since grown into an extensive modular platform with tens of thousands of supported themes and plugins that allow nearly unlimited design and customization. WordPress is not just a blogging tool; it is used to provide a wide range of web-based capabilities, from simple websites, to blogs, to complex business sites including eCommerce and web applications. aJuxt Media Group specializes in WordPress websites; in fact, our site and this post were built with it.
Why & How
With any web-based platform there will always be security considerations. This leads to the first question you may be asking: Is WordPress secure? The answer is yes, it generally is, if implemented and maintained correctly. However, WordPress-based websites do get compromised. Why do WordPress sites get hacked? Here are the top factors that contribute to this problem:
- Proliferation – most used platform
- Weak or no security
- Vulnerable themes, plugins, extensions
As I stated earlier, WordPress is by far the most popular CMS platform, as well as one of the largest technologies in use on the web today. This is the same issue as the Mac vs. Microsoft security debate. The truth of the matter is that macOS is not necessarily more secure than Windows, but since the Windows market share is so much larger than that of macOS (79% vs. 14%), hackers focus on the larger target, where the likelihood of a successful hack is higher. Now, this proliferation is not all bad. In fact, when usage is highest, so is the support community. Not only does this typically mean more features and capabilities, it also generally results in more troubleshooting resources, as well as faster identification and fixes when security issues arise.
The second contributor to WordPress hacks is weak or absent security practices. It should come as no surprise that if you do nothing to protect your site, it is at risk of being compromised. And yet basic user account and password management is very commonly overlooked or ignored. WordPress is free and open source software (FOSS), so anyone can obtain it along with all of its source code, meaning that hackers can easily study and attack known WordPress settings, configurations and code.
Lastly, vulnerabilities in software can compromise WordPress sites. Due to the modular nature of WordPress, the majority of these problems come from old or corrupt plugins/add-ons and themes, and they are not zero-day issues. Zero-day security vulnerabilities are those that are brand new and have not yet been seen, diagnosed or mitigated. The number one factor that allows these attack avenues to remain open is old and out-of-date software. Updating WordPress core, plugins, and themes on your website is tedious and does come with a risk of temporary disruptions. However, if you ignore an update that addresses a known security issue, you are leaving your site vulnerable. One of the biggest issues I see at all levels is the fear that updates will “break” a website. In my opinion, it comes down to choosing between a temporary loss of functionality until you can fix it, or having your site vulnerable to attack.
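Knowing whether anything on a site is out of date is the first step, so here is an added example (not code from the original post or from aJuxt) of a small audit script built on WP-CLI (https://wp-cli.org). It assumes the `wp` command is installed and is run from the site root (or given `--path=`); the `SAMPLE_PLUGIN_CSV` text is constructed to mirror the CSV that `wp plugin list` produces, so the reporting functions can be exercised without a live WordPress install.

```shell
#!/bin/sh
# Added example: audit a WordPress site for outdated core, plugins and themes.
# Assumes WP-CLI (`wp`) is on PATH and that we run from the site root.

# Constructed sample of what
#   wp plugin list --update=available --format=csv --fields=name,version,update_version
# returns. Used only so the script can be tested without a WordPress install.
SAMPLE_PLUGIN_CSV='name,version,update_version
contact-form-7,5.1.0,5.1.9
woocommerce,3.9.0,4.0.1'

# Header-only CSV: what you get when nothing needs updating.
SAMPLE_EMPTY_CSV='name,version,update_version'

# count_outdated CSV_TEXT
# Counts data rows (header skipped) whose update_version column is non-empty.
# Assumes names contain no commas, which holds for WordPress plugin/theme slugs.
count_outdated() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 != "" { n++ } END { print n + 0 }'
}

# list_outdated CSV_TEXT
# Prints one "slug current -> available" line per outdated item.
list_outdated() {
    printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 != "" { printf "%s %s -> %s\n", $1, $2, $3 }'
}

# audit_site [WP_PATH]
# Queries WP-CLI for core, plugin and theme update status and prints a summary.
# Returns 0 when everything is current, 1 when something is outdated,
# 2 when WP-CLI is not available.
audit_site() {
    path_arg=""
    [ -n "$1" ] && path_arg="--path=$1"

    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; install it from https://wp-cli.org" >&2
        return 2
    fi

    # `wp core check-update` prints a "Success: WordPress is at the latest version."
    # message when current; otherwise a CSV table of available versions.
    core=$(wp core check-update --format=csv $path_arg 2>/dev/null)
    plugins=$(wp plugin list --update=available --format=csv \
                 --fields=name,version,update_version $path_arg 2>/dev/null)
    themes=$(wp theme list --update=available --format=csv \
                 --fields=name,version,update_version $path_arg 2>/dev/null)

    outdated=0
    case "$core" in
        *version,update_type*) echo "Core update available:"; echo "$core"; outdated=1 ;;
    esac

    n=$(count_outdated "$plugins")
    if [ "$n" -gt 0 ]; then
        echo "$n plugin(s) with updates available:"
        list_outdated "$plugins"
        outdated=1
    fi

    n=$(count_outdated "$themes")
    if [ "$n" -gt 0 ]; then
        echo "$n theme(s) with updates available:"
        list_outdated "$themes"
        outdated=1
    fi

    [ "$outdated" -eq 0 ] && echo "All components are current."
    return "$outdated"
}

# Run the audit when executed directly (e.g. from cron); functions remain
# available when the file is sourced.
[ "${AUDIT_RUN:-1}" = "1" ] && [ -z "$SOURCED_ONLY" ] && [ "$0" != "sh" ] && audit_site "$1"
```

The non-zero exit status makes the script usable as a scheduled check: run it from cron or a CI job and alert when it returns 1, so that the decision to apply an update is made consciously rather than discovered after a compromise.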
This leads into another question: Why would anyone want to hack your WordPress website? There are a number of reasons a hacker may come after your website. You can read more about this in my blog post “Small Business & Cybersecurity: Why You Should Care.” The main reasons include:
- Practice (low risk) – Hackers know that most personal websites, blogs and small business sites do not put much effort into security, and that their chance of getting caught, or of a hack being traced back to them, is low. This allows them to practice their skills and trade with minimal risk of consequences.
- Defacement / alteration / hacktivism – This implies a motivation for the attack. Site defacement or alteration can range from someone just trying to be funny, to obscene or agenda-driven (i.e. political or religious) modifications.
- Using the website for other purposes, such as bots or hop-off points – There are many reasons hackers may want to compromise your website beyond practice or a direct attack. Once they have compromised a website, they can use it to spread, store, and distribute malware, email spam, Distributed Denial of Service (DDoS) traffic, etc. Your site may still appear to be working correctly while also being used as an agent of attack without you even knowing about it.
It is impossible to get rid of all risk, but what you can do is significantly reduce it. The truth is that bad things can happen if security is overlooked or ignored. The good news is that there is a lot that can be done to reduce your exposure and your chance of being hacked. Keep in mind that you should never spend more money on security than the value of what you are protecting. It’s up to you (with the help of security professionals like myself) to determine how much you are willing to risk and to what extent protections and mitigations need to be put in place.
Stay tuned for part two of this blog series in which I will discuss some of the specific actions you can take to help protect your WordPress website.
Written by Seth Hellbusch — Site Security Specialist