5 WordPress Cyberattacks and How to Prevent Them
If you’ve read through our articles on how WordPress works and why you should use it, you’ll have noticed that we highlighted one (and perhaps the only) major downside of using WordPress: the fact that it is often the target of cyberattacks.
There is a good reason for that, of course. WordPress is the most popular CMS because it is the easiest to use. Furthermore, starting your own WordPress website can be one of the most profitable online business models if executed properly.
However, because so many people use it, WordPress has become a target for hackers. It has become, in other words, a victim of its own success.
This is not to say that WordPress is less secure than other website builders. If used correctly, the built-in tools that WordPress provides can easily defeat most types of cyberattack. As we pointed out in our WordPress tutorial, though, too few of us take the time to put in place basic security measures.
In this article, we’ll explain the most common types of cyberattacks that are attempted against WordPress, and how to protect yourself against them.
1. Brute Force Attacks
In a brute force attack, a hacker will try to guess your password. That makes this kind of attack seem simple, and doomed to fail, until you realize what tools are available to the average hacker (or the average kid with a desire to cause mischief, for that matter).
Believe it or not, there are free tools that can be downloaded and used against WordPress sites, and these tools can try hundreds (if not thousands) of passwords a second. A further level of threat is provided by botnets, in which a hacker will enslave unsuspecting machines and use them to guess even more passwords.
The best protection against this type of attack is pretty simple: use a password manager that can create strong and unique passwords for your WordPress site, and then rotate those passwords to keep cybercriminals on their toes. Despite every beginner's guide to using WordPress telling users to do this, a remarkable percentage of people still don't.
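Strong passwords raise the cost of guessing; limiting how many guesses a source gets raises it further. The following is an added example, not code from the original article or from WordPress itself: a small login throttle that locks a (source IP, username) pair after a burst of failures. The policy numbers and the credential store are constructed for the demonstration.

```python
"""Login throttling against password guessing (illustrative Python, not WordPress code)."""
from collections import defaultdict, deque

# Assumed policy (constructed for this example): lock a (source IP, username) pair
# for LOCKOUT_SECONDS after MAX_FAILURES failed attempts within WINDOW_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Tracks failed logins per (ip, username) and enforces a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout expires

    @staticmethod
    def _key(ip, username):
        return (ip, username.lower())

    def _prune(self, key, now):
        # Forget failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, username, now):
        key = self._key(ip, username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            return False
        return True

    def record_failure(self, ip, username, now):
        """Register a failed attempt; returns True if this attempt triggered a lockout."""
        key = self._key(ip, username)
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key].clear()
            return True
        return False

    def record_success(self, ip, username):
        key = self._key(ip, username)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle, ip, username, password, now, check_password):
    """Gate a credential check behind the throttle. Returns 'locked', 'ok' or 'failed'."""
    if throttle.is_locked(ip, username, now):
        return "locked"
    if check_password(username, password):
        throttle.record_success(ip, username)
        return "ok"
    throttle.record_failure(ip, username, now)
    return "failed"


def demo():
    """Simulate a burst of wrong guesses followed by the correct password (constructed data)."""
    # Constructed credential store for the demo; a real check compares against a password hash.
    users = {"editor": "correct horse battery staple"}

    def check(username, password):
        return users.get(username) == password

    throttle = LoginThrottle()
    src = "203.0.113.7"
    results = []
    for i in range(6):
        results.append(attempt_login(throttle, src, "editor", f"guess{i}", now=i, check_password=check))
    # Even the right password is refused while the lockout is active...
    results.append(attempt_login(throttle, src, "editor", users["editor"], now=10, check_password=check))
    # ...and accepted once it has expired.
    results.append(attempt_login(throttle, src, "editor", users["editor"], now=10 + LOCKOUT_SECONDS, check_password=check))
    return results


if __name__ == "__main__":
    print(demo())
```

The throttle is keyed on the source address as well as the account, so a botnet that spreads its guesses across many machines, as the article describes, will see far fewer failures per key; that is why the lockout complements strong, unique passwords rather than replacing them.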
2. XSS (Cross-Site Scripting) Attacks
In an XSS attack, a malicious script is injected directly into the code that your site runs on, and can be used to steal your login credentials or to send ransomware to your WordPress site.
If you run an affiliate site, XSS attacks are among the most common threats you will face, because they can be used to steal user cookies and claim the income that you are generating.
Protecting against XSS attacks requires vigilance. You should keep a careful watch on all the places in your site where users can leave comments, or enter any kind of information. You should quickly delete any comments that look suspicious. There are also a number of tools available, such as Akismet, that can automate this process for you.
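Moderation catches what a human notices; output encoding stops what nobody noticed. The block below is an added example in Python, not code from the article or from WordPress: it renders a comment the vulnerable way (raw concatenation) and the hardened way (HTML-escaped), and includes a simple heuristic for queueing suspicious comments for review. The comments and the pattern list are constructed for the demonstration.

```python
"""Rendering user comments with and without output encoding (illustrative Python, not WordPress code)."""
import html
import re

# Constructed comments: one ordinary, two carrying markup a browser would execute
# if the site echoed them back verbatim.
COMMENTS = [
    "Great article, thanks!",
    "Nice post <script>alert('xss')</script>",
    '<img src=x onerror="alert(1)">',
]


def render_comment_unsafe(text):
    """The vulnerable pattern: user input concatenated straight into HTML."""
    return f'<p class="comment">{text}</p>'


def render_comment_safe(text):
    """Hardened form: encode <, >, &, and quotes so the browser treats the text as text."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


# Heuristic for a moderation queue (assumed pattern list, not an exhaustive filter):
# a tag, an inline event handler or a javascript: URL in a plain-text comment is a red flag.
_SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\son[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def looks_suspicious(text):
    return bool(_SUSPICIOUS.search(text))


def contains_raw_tag(rendered):
    """True if the rendered HTML still contains an unencoded script or img tag."""
    return bool(re.search(r"<\s*(script|img)", rendered, re.IGNORECASE))


def triage(comments=COMMENTS):
    """Return (per-comment suspicion flags, unsafe render still executable?, safe render executable?)."""
    flags = [looks_suspicious(c) for c in comments]
    unsafe_leaks = any(contains_raw_tag(render_comment_unsafe(c)) for c in comments)
    safe_leaks = any(contains_raw_tag(render_comment_safe(c)) for c in comments)
    return flags, unsafe_leaks, safe_leaks


if __name__ == "__main__":
    for c in COMMENTS:
        print(looks_suspicious(c), render_comment_safe(c))
    print(triage())
```

The heuristic belongs in front of a human, not in place of encoding: the escaped output is what actually prevents a script from running, and the cookie theft the article mentions is further limited by serving the session cookie with the HttpOnly flag so page scripts cannot read it.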
3. PHP Vulnerabilities
PHP is another of the coding languages that the WordPress platform is built on, and like all coding languages it comes with some vulnerabilities. PHP is the language that your WordPress site uses to keep track of all your pages, and the login credentials of all your users.
The most important of this data is stored in a file named "wp-config.php". This is the most important file in your entire WordPress setup, the most commonly attacked file on WordPress sites, and the most important to protect. It is generally attacked through a hacker uploading a malicious file to your site that will allow them to see the contents of the config file.
Protecting this file might seem like a technical process, but it’s not really. You can consider, for instance, moving the file out of your root directory, which will mean that the file path to it is not the standard one. This will not defeat the most determined hackers, but it is often enough to deter amateurs who are cruising around the web looking for small-scale “exploits” to take advantage of.
A further level of protection against PHP vulnerabilities can be provided by a process we’ve already mentioned: keeping your plugins up to date.
Many WordPress plugins — and many of the most popular — use PHP, and many will require access to your config file. But even though plugins can help to improve the functionality of your site, it’s recommended to only use them if necessary. This is because too many plugins can actually slow down your site’s speed, and if not properly maintained some can even allow dangerous malware to infect your site as well.
4. SQL Injection
SQL injection attacks are another "classic" form of cyberattack, but one that shows no sign of going away. SQL is a computer language that is used to run many aspects of your WordPress site, and most importantly the users you have set up for it are defined in SQL.
Unfortunately, hackers can exploit this fact by using an SQL injection. The basic principle is that a hacker will use a data field on your site — say the place where they can enter a new username to sign up for an account — to send SQL code to your servers. This malicious code can allow them to take control of your site, or even add a new administrative user so they can do whatever they like.
Most high-quality WordPress plugins and themes are built with this kind of attack in mind, and will offer you a good level of protection. For this reason, you should avoid using plugins or themes that do not have a large user base, aren’t well-reviewed, or are old and no longer maintained. You should check the plugins you are using regularly, in order to ensure that they are not out of date.
5. DDoS Attacks
Distributed Denial of Service (DDoS) attacks are some of the oldest attacks around: they were seen almost as soon as the internet was invented. In this type of attack, an attacker will flood your site with Gigabytes (and perhaps even Terabytes) of data. The sheer number of requests received by your server will force your server to crash.
Once your server crashes, you have two problems. One is that, as the server reboots, it can be vulnerable to further attacks that can compromise your login credentials. Even if this doesn’t happen, though, while your server is offline you are losing money and customers.
Because most WordPress users don’t directly manage the server that their site is hosted on, preventing DDoS attacks largely means relying on your web host to keep you safe. The best WordPress hosts will provide you with DDoS protection as standard, automatically protecting your site if traffic levels increase dramatically.
Fortunately, you can take a few extra steps yourself that will help to prevent this kind of attack.
These include keeping a close eye on the traffic to your website and blocking any IPs that seem suspicious, utilizing a content delivery network to store your website’s content across multiple servers and not just one, and using a firewall on your home and office internet connection to prevent DDoS attacks from bleeding over into your other systems.
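"Keeping a close eye on the traffic" is easier with a script than by eye. The block below is an added example in Python, not code from the article or from any host's tooling: it reads web-server access-log lines in the common combined format and reports sources whose request count in any 60-second window exceeds a threshold. The log lines, the window and the threshold are constructed for the demonstration.

```python
"""Flagging request floods per source IP from web-server access logs (illustrative Python)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields needed here are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed log lines: a few normal visitors plus one source hammering the front page
# 300 times inside twenty seconds.
SAMPLE_LOG = (
    '198.51.100.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123\n'
    '198.51.100.11 - - [10/Oct/2023:13:55:40 +0000] "GET /about/ HTTP/1.1" 200 4211\n'
    + "".join(
        f'203.0.113.5 - - [10/Oct/2023:13:55:{36 + i % 20:02d} +0000] "GET / HTTP/1.1" 200 5123\n'
        for i in range(300)
    )
    + '198.51.100.12 - - [10/Oct/2023:13:56:02 +0000] "GET /contact/ HTTP/1.1" 200 3980\n'
)


def parse_line(line):
    """Return (ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def flag_floods(log_text, window_seconds=60, threshold=100):
    """Return {ip: peak requests within any window} for sources above the threshold."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            per_ip[ip].append(ts)

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        # Sliding window: advance `start` until the span fits inside the window.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(flag_floods(SAMPLE_LOG))
```

A report like this is useful for spotting a single noisy source to block or rate-limit; a genuinely distributed flood spreads across thousands of addresses and arrives at volumes a single server cannot absorb, which is why the article points you to your host and a CDN for that case.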
The Bottom Line
It’s worth remembering that cybersecurity is hard. It is a multi-million dollar industry, after all, and many analysts make a good living out of spotting new vulnerabilities in WordPress and other systems.
As a result of this, no cybersecurity measures you put in place will ever afford you 100% protection. You should therefore recognize that at some point, you are likely to be the victim of a hack.
That said, the simple steps above can dramatically improve the level of protection on your WordPress site. Make sure you use strong, unique passwords, choose a quality web hosting service, and keep all of your WordPress plugins up to date, and you will be able to defeat the most common types of attack against your site.
Just remember that cybersecurity is not an event, but a process. You will need to repeat some of the steps above regularly, and keep constantly vigilant, in order to ensure that your WordPress site is not just secure now, but long into the future.
To find out how safe your websites are, Namecheap offers a brief quiz on WordPress security that will help you assess your WordPress websites and give you steps you can take to beef up security.
And if you’re in the market for a place to host your next WordPress website, be sure to check out managed WordPress hosting from Namecheap.