Be Prepared – WordPress Vulnerabilities

WordPress sites need constant updates to themes, plugins, and WordPress core. Make sure your site setup includes security features and, at minimum, a quarterly update maintenance plan. I have opted over the years to go with iThemes Security Pro to help block malicious hack attempts.

In addition, consider opting for WordPress managed hosting. The Ultimate plan, for example, includes: 1-2 websites, unlimited storage, website backup protection with 1-click restore, automatic daily malware scans, an SEO optimizer, a 1-click staging site, and, an incredible value, unlimited malware removal and hack repair. My favorite new addition with this plan is the free SSL certificates: free for the life of the hosting plan, with the hassle-free certificates automatically installed, validated and renewed (annual plan purchase required). The strong 2048-bit encryption will ensure all transactions are secure. It’s everything you need to keep your site up and running. The BEST way to be prepared!


The top three reasons websites get hacked –

#1 – Weak passwords

I have trusted iThemes Security Pro over the years to enforce strong passwords and enable two-factor authentication. Two-factor authentication (or WordPress 2-step verification) adds an important extra layer of protection to your WordPress site’s login and admin area by requiring 1) a password and 2) a secondary, time-sensitive code to log in. The plugin also limits the number of failed login attempts allowed per user: if someone is trying to guess your password, they’ll get locked out after a few tries. Enforcing strong, highly rated passwords is a must for your site admins and editors.
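As an added illustration, not iThemes Security Pro's own code, here is a small Python model of the two mechanisms just described: a time-sensitive one-time code computed per RFC 6238 and a per-user lockout after a set number of failed attempts. The user table, salt and TOTP secret are constructed sample values; the verifier accepts the previous and next 30-second step as well as the current one to tolerate small clock drift.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HMAC-SHA1 over the current 30-second counter."""
    secret_b32 = secret_b32.upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen database does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class LoginGuard:
    """Password + TOTP check with a per-user lockout after repeated failures."""

    def __init__(self, users: dict, max_failures: int = 3, lockout_seconds: int = 900):
        self.users = users        # username -> (salt, password_hash, totp_secret)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}        # username -> (count, locked_until)

    def login(self, username: str, password: str, code: str, now: int) -> str:
        count, locked_until = self.failures.get(username, (0, 0))
        if now < locked_until:
            return "locked"       # refuse before touching the password at all
        salt, pw_hash, secret = self.users.get(username, (b"", b"", ""))
        pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
        # Accept the previous, current and next step to tolerate small clock drift.
        code_ok = bool(secret) and any(
            hmac.compare_digest(code, totp(secret, now + d)) for d in (-30, 0, 30))
        if pw_ok and code_ok:
            self.failures.pop(username, None)
            return "ok"
        count += 1
        locked_until = now + self.lockout_seconds if count >= self.max_failures else 0
        self.failures[username] = (count, locked_until)
        return "locked" if locked_until else "denied"

if __name__ == "__main__":
    # RFC 6238 test vector: secret "12345678901234567890" at T=59 gives 287082.
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
```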


#2 – Lack of updates

From time to time, themes, plugins and WordPress itself will require updating. Updates typically happen when developers release security patches or add extra functionality. It’s good practice to keep your themes, plugins and WordPress version updated to the latest releases. In an effort to promote better security and to streamline the update experience, WordPress now automatically updates itself, if it’s able to, whenever a minor version is released. These minor releases are usually for maintenance and security purposes or translation file updates. Only core WordPress files are auto-updated; your themes and plugins won’t be. Before updating your site, it’s always wise to perform a backup first, in case something goes wrong during or after the installation, which unfortunately happens a lot. After your site has been updated, whether automatically, manually or just themes and plugins, give your site a quick test to make sure it’s functioning as expected. This ensures that the new themes, plugins or even WordPress itself haven’t introduced changes that adversely affect your site or alter how it operates.


#3 – Plugin vulnerabilities

One of the best things about WordPress is the sheer number of plugins available. Whether you want to create a business or a portfolio website, sell membership plans or physical products, or even manage projects, there is probably a plugin for that. But hold up: as great as plugins are, they can also be one of the main reasons why a site gets hacked. According to a survey from Wordfence, 55.9% of sites get hacked due to a plugin vulnerability. Some of the most popular plugins can also negatively impact your site’s performance and stability. Any time you want to add a new plugin, it’s crucial to research it first.


  • Research Whether a Plugin Is a Security Threat
    Use a site like the WPScan Vulnerability Database to search for the plugin name and see whether any results indicate the plugin is vulnerable. This service lists plugins and their known vulnerabilities; you can search the database by plugin name or filter through all the vulnerabilities. A plugin like Wordfence Security can also notify you immediately when a vulnerability has been found, and you can run a daily scan of your site with it. The daily scan checks plugin files for known vulnerabilities and for changes in your site’s files and folders, and sends you an email alert about potential security issues.


  • Compare All Options Carefully
    When you’re looking for plugins, the first place you should check is the official repository. They vet each plugin before releasing it to the public, so there is less chance of a plugin with a known vulnerability being available for download. Third-party marketplaces like CodeCanyon have similar vetting procedures in place to ensure code quality. Check how often the plugin is updated and whether the author provides active support for it. A quality plugin should be updated on a regular basis; if you notice that a plugin hasn’t been updated in over a year, you should continue your search. The plugin should also be compatible with the latest WordPress version. Check the star ratings and user reviews in the official repository.


  • Keep Checking Over Time
    Another feature I love about my membership with iThemes is the Vulnerability Roundup emails I receive. These provide an email alert when new vulnerabilities are discovered. They cover WordPress core, plugin and theme vulnerabilities, in addition to breaches from around the web, because it is essential to be aware of vulnerabilities outside the WordPress ecosystem as well. Exploits of server software can expose sensitive data. Database breaches can expose the credentials of the users on your site, opening the door for attackers to access it.
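As an added example covering both the "Research Whether a Plugin Is a Security Threat" and "Keep Checking Over Time" points (not code from the original post, iThemes or WPScan), the Python below reads the Version from a plugin's header comment, fetches that plugin's entries from the WPScan API v3 plugin endpoint and reports every entry whose fixed_in version is newer than what is installed, or that has no fix at all. The plugin header and vulnerability list are constructed samples so the check runs offline; the network helper assumes you hold a WPScan API token.

```python
import json, re
from urllib.request import Request, urlopen

# Header fields WordPress reads from a plugin's main PHP file.
HEADER_FIELD = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_plugin_header(php_source: str) -> dict:
    """Return the Plugin Name and Version declared in the header comment."""
    return dict(HEADER_FIELD.findall(php_source))

def version_key(version: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); non-numeric parts such as 'beta' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))

def unfixed_vulnerabilities(installed: str, vulns: list) -> list:
    """Titles that still affect `installed`: fix is newer than it, or no fix exists."""
    hits = []
    for v in vulns:
        fixed_in = v.get("fixed_in")
        if fixed_in is None or version_key(installed) < version_key(fixed_in):
            hits.append(v["title"])
    return hits

def fetch_wpscan_vulns(slug: str, api_token: str) -> list:
    """Query WPScan API v3 for one plugin slug (needs a real token; not run offline)."""
    req = Request(f"https://wpscan.com/api/v3/plugins/{slug}",
                  headers={"Authorization": f"Token token={api_token}"})
    with urlopen(req, timeout=15) as resp:
        return json.load(resp).get(slug, {}).get("vulnerabilities", [])

# Constructed sample: an installed plugin's header and a WPScan-style result for it.
SAMPLE_PLUGIN_PHP = """<?php
/**
 * Plugin Name: Example Gallery
 * Version: 1.3.0
 */
"""
SAMPLE_VULNS = [
    {"title": "Example Gallery < 1.4.2 - Stored XSS", "fixed_in": "1.4.2"},
    {"title": "Example Gallery < 1.0.0 - SQL Injection", "fixed_in": "1.0.0"},
    {"title": "Example Gallery - Arbitrary File Upload", "fixed_in": None},
]

def check_sample() -> list:
    installed = parse_plugin_header(SAMPLE_PLUGIN_PHP)["Version"]
    return unfixed_vulnerabilities(installed, SAMPLE_VULNS)

if __name__ == "__main__":
    print("unpatched:", check_sample())
```

Run the same check on a schedule against your real plugin directory and you get the "keep checking over time" alert without waiting for a roundup email.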