Security Issues - Common Causes


WordPress powers 25% of all websites.

There are many security issues you should be aware of. Thankfully WA protects sites hosted here very well, but you have to do your part as well.

Vulnerabilities extend beyond WordPress core, though. According to a recent report by wpscan.org, of the 3,972 known WordPress security vulnerabilities:

  • 52% are from WordPress plugins
  • 37% are from core WordPress
  • 11% are from WordPress themes

It's important for you to keep all themes and plugins up to date.

The following is from a list put out by iThemes Security.

The 5 most common security issues

1. Brute Force Attacks

This is a trial and error method of entering multiple username and password combinations over and over until a successful combination is discovered. The brute force attack method exploits the simplest way to get access to your website: your WordPress login screen.

This is why it is advisable not to leave admin as your user name.

2. File Inclusion Exploits

Vulnerabilities in your WordPress website’s PHP code are the next most common security issue that can be exploited by attackers. (PHP is the code that runs your WordPress website, along with your plugins and themes.)

File inclusion exploits occur when vulnerable code is used to load remote files that allow attackers to gain access to your website. File inclusion exploits are one of the most common ways an attacker can gain access to your WordPress website’s wp-config.php file, one of the most important files in your WordPress installation.
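As an added example (not code from this post, from WordPress or from iThemes, and written in Python standing in for a plugin's PHP), here is a template loader that maps a request value such as ?page=about to a file under an assumed plugin directory and refuses anything that names a URL, a path or an unknown template; the directory and template names are assumptions.

```python
import os
import re
from urllib.parse import urlsplit

# Added example, not WordPress, iThemes or plugin code. Python stands in for the
# PHP a plugin would use: the request value is mapped to a file under an assumed
# template directory, and anything that names a URL (remote file inclusion), a
# path (local file inclusion) or an unknown template is refused before loading.

TEMPLATE_DIR = "/var/www/html/wp-content/plugins/example/templates"  # assumed
ALLOWED_TEMPLATES = {"about", "contact", "pricing"}  # allowlist of bare names
NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


class IncludeRejected(ValueError):
    """Raised when the requested template must not be loaded."""


def resolve_template(requested, template_dir=TEMPLATE_DIR):
    """Map an untrusted request value to a file path inside template_dir."""
    if not isinstance(requested, str) or "\x00" in requested:
        raise IncludeRejected("invalid characters")
    # A scheme means a remote include; a separator means the caller is trying
    # to pick an arbitrary local file such as wp-config.php.
    if urlsplit(requested).scheme or "/" in requested or "\\" in requested:
        raise IncludeRejected("remote or path-like include: %r" % requested)
    if not NAME_RE.match(requested) or requested not in ALLOWED_TEMPLATES:
        raise IncludeRejected("unknown template: %r" % requested)
    path = os.path.normpath(os.path.join(template_dir, requested + ".php"))
    # Defence in depth: the resolved file must still sit under template_dir.
    if os.path.commonpath([path, template_dir]) != os.path.normpath(template_dir):
        raise IncludeRejected("escaped template directory")
    return path


def is_safe_include(requested):
    """True if the value would be accepted, False if it would be refused."""
    try:
        resolve_template(requested)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    for value in ("about", "../../wp-config.php", "http://example.com/x.txt"):
        print("%-26s -> %s" % (value, "load" if is_safe_include(value) else "refuse"))
```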

3. SQL Injections

WordPress websites use a MySQL database to operate. SQL injections occur when an attacker gains access to your WordPress database and to all of your website data.

With an SQL injection, an attacker may be able to create a new admin-level user account, which can then be used to log in and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites.

4. Cross-Site Scripting (XSS)

84% of all security vulnerabilities on the entire internet are Cross-Site Scripting (XSS) attacks. Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins.

The basic mechanism of Cross-Site Scripting works like this: an attacker finds a way to get a victim to load web pages containing insecure JavaScript. These scripts load without the knowledge of the visitor and are then used to steal data from their browser. An example of a Cross-Site Scripting attack would be a hijacked form that appears to reside on your website. If a user inputs data into that form, that data would be stolen.

5. Malware

Malware, short for malicious software, is code that is used to gain unauthorized access to a website to gather sensitive data. A hacked WordPress site usually means malware has been injected into your website’s files, so if you suspect malware on your site, take a look at recently changed files.

Although there are thousands of types of malware infections on the web, WordPress is not vulnerable to all of them. The four most common WordPress malware infections are:

  • Backdoors
  • Drive-by downloads
  • Pharma hacks
  • Malicious redirects

Each of these types of malware can be easily identified and cleaned up, either by manually removing the malicious file, by installing a fresh version of WordPress, or by restoring your WordPress site from a previous, non-infected backup.
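The "take a look at recently changed files" advice, as an added example that is not part of the original post or of any plugin: a baseline of file hashes is taken and later compared, on a small constructed tree, so added and modified files are listed rather than eyeballed.

```python
import hashlib
import os
import tempfile

# Added example, not iThemes Security or WordPress code: baseline the hashes
# of a WordPress tree and report what changed, i.e. the "look at recently
# changed files" step made repeatable. The tree below is constructed.

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Classify files as added, modified or removed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def write(root, rel, text):
    """Demo helper: create rel under root (and any parent dirs) with text."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Baseline a tiny constructed tree, then alter it the way an infection would."""
    root = tempfile.mkdtemp(prefix="wp-integrity-")
    write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
    write(root, "wp-content/themes/demo/functions.php", "<?php // theme code\n")
    baseline = snapshot(root)
    # Between snapshots: the theme file gains extra code and a PHP file
    # appears in uploads, both of which a malware review should surface.
    write(root, "wp-content/themes/demo/functions.php", "<?php // theme code\n// extra\n")
    write(root, "wp-content/uploads/cache.php", "<?php // not an image\n")
    return diff_snapshots(baseline, snapshot(root))
```

Keep the baseline file somewhere outside the web root; a snapshot stored inside the site can be edited by whatever edited the site.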

What Makes Your WP Site Vulnerable to WordPress Security Issues?

1. Weak Passwords

Using a weak password is one of the biggest security vulnerabilities you can easily avoid. Your WordPress admin password should be strong and include multiple types of characters, symbols or numbers. In addition, your password should be specific to your WordPress site and not used anywhere else.

I use a password saver/generator called LastPass. It will generate passwords for you and you just create a main password. For your main password you can use a long sentence or phrase that is easy to remember.

For example: IwenttoScotlandin2016

2. Not Updating WordPress, Plugins or Themes

Running outdated versions of WordPress, plugins and themes can leave you open for attacks. Version updates often include patches for security issues in the code, so it’s important to always run the latest version of all software installed on your WordPress website.

Updates will appear in your WordPress dashboard as soon as they’re available. Make a practice of running a backup and then running all available updates every time you log in to your WordPress site. While the task of running updates may seem inconvenient or tiresome, it’s an important WordPress security best practice.

If you manage more than one WordPress website, a tool like iThemes Sync can help by giving you one dashboard to manage multiple WordPress sites.

3. Using Plugins and Themes from Untrustworthy Sources

Poorly-written, insecure, or outdated code is one of the most common ways attackers can exploit your WordPress website. Since plugins and themes are potential sources of security vulnerabilities, as a security best practice, only download and install WordPress plugins and themes from reputable sources, such as from the WordPress.org repository, or from premium companies that have been in business for a while. Also, avoid bootleg or torrented “free” versions of premium themes and plugins, as the files may have been altered to contain malware.

Whenever you have an issue on your site, the first place to look is plugins. Deactivate the most recently installed or updated plugin and see if that resolves your issue.

4. Using Poor-Quality or Shared Hosting

Since the server where your WordPress website resides is a target for attackers, using poor-quality or shared hosting can make your site more vulnerable to being compromised. While all hosts take precautions to secure their servers, not all are as vigilant or implement the latest security measures to protect websites on the server-level.

Shared hosting can also be a concern because multiple websites are stored on a single server. If one website is hacked, attackers may also gain access to other websites and their data. While using a VPS, or virtual private server, is more expensive, it assures your website is stored on its own server.

8 Actions You Can Take Today to Protect Your WordPress Site

1. Use a strong password.

If you’re currently using a password that contains fewer than 6 characters, change it now. If you’re currently using a password on more than one login, change it now. If you’ve had the same password for more than six months, change it now. Start practicing good WordPress password security, especially if you’re an admin user.

Also consider using a password saver/generator like LastPass, which I mentioned earlier.

2. Install a WordPress security plugin.

Using a WordPress security plugin like iThemes Security is a great way to take care of additional security measures on your WordPress website. iThemes Security offers a one-click WordPress security check that activates the most important and recommended WordPress security settings.

I use iThemes and couldn't be happier.

3. Enable WordPress two-factor authentication.

Two-factor authentication adds an extra layer of protection to your WordPress login. In addition to your password, a time-sensitive code from another device, such as your smartphone, is required in order to log in. Two-factor authentication is one of the best ways to lock down your WordPress login and almost eliminates the potential for successful brute force attacks.

4. Keep your WordPress site updated.

Keeping your WordPress site updated is one of the best ways you can avoid potential WordPress security issues. Log in to your WordPress site now and run any available updates for WordPress core, your themes or plugins. If you’re using premium WordPress plugins or themes, make sure you have a current license to ensure you’re getting updates and not running outdated versions.

5. Set up proper permissions on your server.

Ensure proper permissions are set on all directories on your server. Proper permissions dictate who may read files and who may create and edit them.

This can be done within iThemes Security settings.
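An added example, not iThemes Security code, of checking those permissions yourself: it walks a WordPress directory and reports the entries that fail an assumed baseline (no world-writable entries, wp-config.php not readable by others, no PHP files under wp-content/uploads), demonstrated on a constructed throwaway tree.

```python
import os
import stat
import tempfile

# Added example, not iThemes Security or WordPress code: audit a WordPress tree
# for the permission mistakes the text warns about. Assumed baseline (from
# WordPress's hardening guidance): nothing world-writable, wp-config.php not
# readable by "others", and no PHP files inside wp-content/uploads.
UPLOADS = os.path.join("wp-content", "uploads")

def audit_permissions(root):
    """Return sorted (relative_path, problem) pairs for risky entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits mean nothing
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, "readable by others"))
            if name.lower().endswith(".php") and rel.startswith(UPLOADS + os.sep):
                findings.append((rel, "PHP file in uploads"))
    return sorted(findings)

def build_demo_tree():
    """Create a throwaway tree (constructed) with deliberate permission mistakes."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    for d in ("wp-content", UPLOADS):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for rel, mode in (("index.php", 0o644),             # correct
                      ("wp-config.php", 0o644),         # secrets readable by others
                      (UPLOADS + "/photo.jpg", 0o666),  # world-writable
                      (UPLOADS + "/stray.php", 0o644)): # executable code in uploads
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, problem in audit_permissions(build_demo_tree()):
        print("%-32s %s" % (rel, problem))
```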

6. Run scheduled malware scans.

Keep tabs on potential malware infections with scheduled malware scans. Most services, like the malware scan offered in the iThemes Security Pro plugin, give you a report on your website’s malware status along with several other blacklisting statuses.

WA does this for you if hosted here.

7. Have a reliable WordPress backup plan.

Having a WordPress backup plan is an important component of your WordPress security strategy. Set up scheduled backups to run and make sure you’re sending your backups safely off-site in a secure, remote WordPress backup location. Also, make sure your backup strategy has a restore component in case you need to restore a backup.

I actually use Updraft Plus for backups. The plugin gives you step by step instructions.

8. Activate WordPress Brute Force Protection.

Protecting yourself from brute force attacks is another way to reduce any potential vulnerabilities or server overloads. Use a service that includes both local and network brute force protection to ban users who have tried to break into other sites from also breaking into yours.

Again, included in iThemes settings.

Be diligent in keeping your websites updated to prevent security issues.


Recent Comments


We do get careless sometimes.
Thanks for the reminder.
Sami

Thanks Angela - really good security advice here and for the most part easy to implement.
Terry

You can't change your admin username!

I have uploaded this plugin; there are a lot of settings. What about Away mode, SSL and System Tweaks, do you have them on, Angela?

Hi Lou, yes I do have them on. No you can't change the admin user name, but you do have the option of choosing your own user name instead of admin when you first create your website and install WP.
It's been so long since I hosted on WA I honestly don't remember if you can here. BUT you can create a new user admin with a different name and you can make sure the admin user has a secure password. :)
Hosting at WA is very secure. iThemes is what I use but all my sites are hosted elsewhere.

Yes thanks for that,

When you first start your WP site I wasn't told to change the admin username because of hacking and all that.

I can't understand why anybody wants to host elsewhere and pay more when hosting is free and secure at WA!

So what you are saying is I could use another user admin and use another name and use that, or not?

Correct. I have other hosting because when I first started at WA it took some time before I was making a full-time income. So I had to leave and come back a couple of times lol.
Now with the amount of sites I have, it is easier to just leave them where I have them hosted.
Not to say I won't ever use WA hosting but haven't started any new websites since I came back this last time and paid for yearly. :)

Thanks for sharing these useful tips Angela. Any action that prevents a cyber attack is worth doing.

Erica

Hi Angela, important hints and tips like this are always welcome! Many thanks, Sue :)

Good cybersecurity awareness briefing Angela!

Thanks Michael :)

