With WordPress being one of the most ubiquitous content management systems on the web today, it's no surprise that it is heavily targeted by attackers.
The ease of setup and management, together with the extensible plugin architecture of WordPress, make it a great tool for quickly building a new website.
This, however, is also one of the key reasons it is the most targeted platform on the web. Many of the people who set up and manage these websites are not experienced at keeping the WordPress core and its plugins up to date. Over time, vulnerabilities are discovered in different versions of the application and its plugins, and the developers usually patch them once they become aware of them. If a site owner fails to apply those updates regularly, attackers can exploit the now publicly known vulnerabilities with very little effort.
The consequences of an exploited vulnerability include: uploading a file to the website (typically a PHP script) that is then used to gain further access to the server; sending spam email; corrupting or replacing website files; launching attacks on other sites and servers; and changing page content, or injecting additional content into pages, to spread malware and viruses to visitors.
Please don't take this to mean we are against WordPress in any way. It's a fantastic free CMS that we use ourselves on a few of our own personal sites. The key is to keep your WordPress website (or any CMS, for that matter) updated with the latest versions of the core and of every plugin and theme you have installed.
Our tips for managing your WordPress site are:
- When you set up your site, use a strong, unique password for the database user and for your WordPress admin user.
- Have a look at https://codex.wordpress.org/Hardening_WordPress and implement as many of the suggestions as possible.
- Log in regularly to your WordPress admin area to check for updates, and/or
- Install an update notification plugin like https://wordpress.org/plugins/wp-updates-notifier/ so you know when updates are available.
- Regularly review your website's access and error logs for unusual behaviour, such as requests for filenames you don't recognise. Pay particular attention to .php files, since that is what an attacker's uploaded script will almost always be, and especially to ones whose names are a series of random letters or that sit in directories that should only hold media, such as wp-content/uploads.
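The log review in the last tip is easy to automate. The following script is an added example, not part of the original post or any tool we ship: it parses Apache/nginx "combined" format access-log lines and flags three things described above, namely PHP files in the site root that WordPress itself does not ship, PHP files under wp-content/uploads (which should only ever hold media), and PHP filenames made of a run of random letters, plus a count of repeated POSTs to wp-login.php that suggests password guessing. The log lines in SAMPLE_LOG are constructed for the example (documentation IP ranges, invented paths); the "random letters" heuristic and the threshold of five login POSTs are our own assumptions and worth tuning for your traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# PHP files WordPress ships in the site root; any other .php at the root is suspect.
ROOT_PHP = {
    "index.php", "wp-login.php", "wp-cron.php", "xmlrpc.php", "wp-comments-post.php",
    "wp-load.php", "wp-blog-header.php", "wp-settings.php", "wp-links-opml.php",
    "wp-mail.php", "wp-activate.php", "wp-signup.php", "wp-trackback.php",
}

VOWELS = set("aeiouy")

# Constructed sample log (not real traffic): normal browsing, a burst of login POSTs,
# a PHP file dropped into the uploads directory, and an unknown PHP file at the root.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:09:12:03 +0000] "GET /wp-content/themes/twentytwentyfour/style.css HTTP/1.1" 200 20111 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:13:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:13:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:13:46 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:13:47 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:13:48 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:09:20:10 +0000] "POST /wp-content/uploads/2024/03/xkqzvprt.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:09:21:00 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:09:25:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:09:25:30 +0000] "GET /qpwoeiruty.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return ip/method/path/status of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("target")).path  # drop any query string
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def looks_random(stem):
    """Heuristic (our assumption) for 'a series of random letters': an all-letter name of
    8+ characters with no vowels at all, or with a run of 5+ consonants."""
    stem = stem.lower()
    if len(stem) < 8 or not stem.isalpha():
        return False
    if not VOWELS & set(stem):
        return True
    longest = run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5


def php_findings(req):
    """Reasons a single request for a .php file deserves a look (empty list if none)."""
    path = req["path"]
    if not path.endswith(".php"):
        return []
    parts = path.strip("/").split("/")
    name = parts[-1]
    reasons = []
    if len(parts) == 1 and name not in ROOT_PHP:
        reasons.append("PHP file at site root that WordPress does not ship")
    if len(parts) > 2 and parts[:2] == ["wp-content", "uploads"]:
        reasons.append("PHP file under wp-content/uploads (should hold media only)")
    if looks_random(name[:-4]):
        reasons.append("random-looking PHP filename")
    return reasons


def review_log(text, login_threshold=5):
    """Scan access-log text and return a list of human-readable findings."""
    findings = []
    login_posts = Counter()
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        if req["method"] == "POST" and req["path"] == "/wp-login.php":
            login_posts[req["ip"]] += 1
        for reason in php_findings(req):
            findings.append(f'{req["ip"]} {req["method"]} {req["path"]} -> {req["status"]}: {reason}')
    for ip, n in login_posts.most_common():
        if n >= login_threshold:
            findings.append(f"{ip}: {n} POSTs to /wp-login.php (possible password guessing)")
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Point review_log at the contents of your real access log (for example the file Apache writes as access.log) and read the output alongside the list of plugins and themes you actually installed; the root-file allowlist above is only the core's own files, so a PHP file dropped into a plugin directory is only caught by the random-name heuristic, and a hit on a known plugin file is not by itself a problem.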
For those of you who are so inclined, you can search the Exploit Database at https://www.exploit-db.com/search/ for WordPress and browse some of the nearly 1000 entries listed for WordPress core and its plugins.
If you want to add an extra layer of protection to your WordPress website, we can run the WPScan vulnerability scanner against it, which may be able to detect known vulnerabilities in your WordPress version, plugins and themes. Please contact us at firstname.lastname@example.org for more information.