WordPress is by far the world’s most popular content management system (CMS).
According to data from Website Setup, WordPress is the number one CMS in the world and powers more websites than all the other CMSs in the top 10 combined.
In other words, it’s very likely that your small business website is (or will be) powered by it.
That said, while many small businesses rush to use WordPress due to its simplicity and other features, very few are aware of the security implications.
Data from Sucuri shows that WordPress is the most hacked CMS and is the victim of 90 percent of all hack attempts targeted at content management systems.
So how do you protect yourself as a small business owner? Start by understanding the top WordPress security threats you should watch out for:
Malware Attacks
Malware attacks aren’t aimed only at WordPress websites. They are aimed at desktop applications, web applications, and websites of every kind.
The popularity of the WordPress CMS, however, makes it a sweet target.
Often, hackers target WordPress websites by looking for outdated versions of WordPress, plugins, or themes with vulnerabilities that they can exploit.
Once malware has been installed, attackers gain control of your website.
Pharma Hack
If you’ve used the Internet extensively for more than a couple of months, you’ve probably come across apparently legitimate websites promoting Cialis, Viagra, or some other drug that people can get “without prescription.”
In a lot of cases, the website involved has fallen victim to what we refer to as the pharma hack.
The pharma hack is reported to be the most common type of SEO spam. According to data from Sucuri, 62 percent of all infected websites are victims of the pharma hack.
SQL Injection Attacks
As a small business, it’s natural to have contact forms, opt-in forms, a search bar, and other forms that allow users to interact with your website.
While these forms are essential to the functioning of most websites, by their very nature they send data to and receive data from your website’s database, and they can easily be exploited if there is an SQL injection vulnerability.
Upon discovering such a vulnerability, a hacker crafts malicious input and submits it through the form; the database executes that input as part of a query, giving the attacker access they shouldn’t have.
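To make the mechanism concrete, here is an added example (not code from the original article) of the kind of lookup a contact or opt-in form might trigger, written once with string concatenation and once with a prepared statement. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table, rows and hostile input are constructed for the demonstration. In WordPress plugin code the safe version corresponds to `$wpdb->prepare()`.

```php
<?php
// Added example: "find a subscriber by email" done two ways.
// Uses PDO + in-memory SQLite so it runs without a web server or WordPress.

function build_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, plan TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO subscribers (email, plan) VALUES
        ('alice@example.com', 'free'),
        ('bob@example.com',   'premium'),
        ('carol@example.com', 'premium')");
    return $db;
}

// VULNERABLE: the form value is pasted straight into the SQL text, so a value
// containing a quote can change the meaning of the statement.
function find_subscriber_unsafe(PDO $db, string $email): array {
    $sql = "SELECT email, plan FROM subscribers WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the query shape is fixed up front and the value is bound as data;
// whatever it contains, it is only ever compared against the email column.
function find_subscriber_safe(PDO $db, string $email): array {
    $stmt = $db->prepare('SELECT email, plan FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = build_demo_db();

// An ordinary lookup behaves the same either way: one matching row.
$normal = 'alice@example.com';
printf("unsafe, normal input: %d row(s)\n", count(find_subscriber_unsafe($db, $normal)));
printf("safe,   normal input: %d row(s)\n", count(find_subscriber_safe($db, $normal)));

// Constructed hostile input: closes the quoted string and adds a condition
// that is always true, so the unsafe query matches the whole table.
$hostile = "' OR '1'='1";
printf("unsafe, hostile input: %d row(s)\n", count(find_subscriber_unsafe($db, $hostile)));
printf("safe,   hostile input: %d row(s)\n", count(find_subscriber_safe($db, $hostile)));
```

Run it with `php sqli_demo.php` (any PHP build with `pdo_sqlite`). The point to take away is that the fix is not cleverer filtering of the input but separating the query text from the data, which is what prepared statements, and in WordPress `$wpdb->prepare()`, do.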
RDDoS Attacks
The Ransom Distributed Denial of Service (RDDoS) attack is a cousin of the Distributed Denial of Service (DDoS) attack, in which hackers unleash an overwhelming amount of traffic, beyond what a website can handle, on a web server so that it eventually crashes and becomes inaccessible.
With the RDDoS attack, however, hackers have a financial motivation for carrying out the attack.
This form of attack is one of the attacks aimed at WordPress websites.
Cross-Site Scripting (XSS) Attacks
A few months ago, website security company Wordfence reported a sudden uptick in Cross-Site Scripting (XSS) attacks against WordPress websites.
According to Wordfence, the attack started gradually, and all of a sudden increased 30-fold compared to the usual volume they see in their attack data. When the dust settled, about a million WordPress websites had been targeted in the attack.
XSS attacks, in which attackers inject client-side scripts into vulnerable websites in an attempt to gain control, are one of the most common attacks aimed at WordPress websites.
If you use WordPress to power your small business website, XSS attacks are one of the top attacks you should watch out for.
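The injection in an XSS attack usually lands wherever a site echoes visitor-supplied text back into a page. The following added example (not code from the original article) renders a site-search results page two ways: once with the search term echoed raw, and once escaped at output time. It is plain PHP so it runs stand-alone; the sample inputs are constructed. In a WordPress theme or plugin the same job is done by `esc_html()` for body text and `esc_attr()` for attribute values.

```php
<?php
// Added example: reflecting a search term into HTML with and without escaping.

// VULNERABLE: raw input echoed into the page body and into an attribute value.
function render_search_unsafe(string $term, int $hits): string {
    return "<h2>Results for: $term</h2>\n"
         . "<input type=\"text\" name=\"s\" value=\"$term\">\n"
         . "<p>$hits result(s)</p>\n";
}

// HARDENED: escape at the moment of output. ENT_QUOTES also escapes single
// quotes, so the same function is safe for body text and for double- or
// single-quoted attribute values.
function esc_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_safe(string $term, int $hits): string {
    $safe = esc_for_html($term);
    return "<h2>Results for: $safe</h2>\n"
         . "<input type=\"text\" name=\"s\" value=\"$safe\">\n"
         . "<p>$hits result(s)</p>\n";
}

// Constructed sample inputs: an ordinary search, a script tag, and a value
// that tries to break out of the attribute and add an event handler.
$inputs = [
    'wordpress security',
    '<script>alert(1)</script>',
    '" onfocus="alert(1)" autofocus="',
];

foreach ($inputs as $term) {
    echo "--- input: $term\n";
    echo "unsafe:\n" . render_search_unsafe($term, 0);
    echo "safe:\n"   . render_search_safe($term, 0);
}
```

Two design points worth noting. Escaping belongs at output, per context: text that is safe inside an HTML body is not automatically safe inside a URL, a JavaScript string, or an attribute, which is why WordPress ships separate helpers (`esc_html()`, `esc_attr()`, `esc_url()`, `esc_js()`). And input sanitizing (`sanitize_text_field()` in WordPress) is a complement, not a substitute: stored data may have entered through a different form, an import, or a plugin that did not sanitize.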
Japanese Keyword Hack
The Japanese keyword hack is an insidious hack in which an attacker takes over a WordPress website for SEO purposes by hacking the site and injecting spammy Japanese keywords and links all over it.
Usually, the purpose of this hack is to generate backlinks to various Japanese sites with commercial intent.
Brute Force Attack
What is your password?
Let me guess:
Is it “layman123”?
How about “MonKeY444” or “year2020”?
It’s none of the three, right?
In that case, how many guesses do you think I’ll need to make before getting your actual password?
1,000 guesses? 1 million guesses? 1 billion guesses? 1 trillion guesses?
A brute force attack occurs when a computer program tries as many password combinations as possible to guess your WordPress admin password; the more it tries, the closer it gets to cracking it.
Brute force attacks are one of the top attacks aimed at WordPress websites, and it’s something you should watch out for as a small business using the world’s number one CMS.
Plugin and Theme Security Issues
One of the major reasons why WordPress is a favorite for many is the massive availability of plugins and themes for users of the CMS.
You can have pretty much any look and feel or functionality for your website by using third-party plugins and themes.
While this is good for the overall development of the WordPress CMS, it poses a problem: each of these themes and plugins is coded by different developers, with different levels of understanding and proficiency when it comes to ensuring their plugins and themes are secure.
So your website is only as strong as the weakest plugin or theme installed on it.
Outdated WordPress and PHP Versions
WordPress is so popular that it’s more popular than all other CMSs combined. This means it is also the most attacked CMS in the world.
The outcome of this is that hackers tend to discover bugs and exploits very quickly.
The team at WordPress isn’t lax about this, however. New versions are released on a regular basis to ensure platform security.
What does it matter, however, if you do not update your WordPress version regularly?
Insecure Hosting Environment
Very few people realize how much of a role their web hosting environment plays in how secure their website is.
You can only do so much to secure your website if your web host is not on board.
For example, while you can manually update your WordPress version in a lot of cases, only your web host can make sure your PHP and database versions are up to date.
Your web host also has control over file permissions — which play a major role in how easy it will be for a hacker to gain access to your website.
How to Protect Your Small Business Website from WordPress Security Attacks
So how do you protect your small business website from WordPress security attacks?
Here are some ideas:
- Install a Web Application Firewall (WAF) to ensure that traffic and attempted access to your website are thoroughly scanned and malicious attempts are blocked.
- Make sure your WordPress CMS, plugins, and themes are regularly updated.
- Use free site scanners like the Sucuri SiteCheck or UnmaskParasites to scan your website for the presence of malware and other exploits.
- Make sure you use a reliable and secure web host that is focused specifically on WordPress.
- Only install WordPress plugins and themes from reliable sources and avoid using pirated themes and plugins.
- Enable two-factor authentication.
- Avoid using common usernames like “admin” or the name of your website.
- Install a plugin that limits the number of failed login attempts from a given IP address and/or for a given username.
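The last recommendation is the direct counter to the brute force attack described earlier: a guessing program only gets closer with every attempt if it is allowed to keep attempting. The following added example (not code from the original article or from any particular plugin) shows a failed-login limiter that counts failures per client IP address and per username inside a sliding window and refuses further attempts once either counter reaches the limit, so the guesser is throttled whether it hammers one account from many addresses or many accounts from one address. The limit of 5 failures in 15 minutes is an assumed policy, the counters live in an in-memory array so the script runs stand-alone, and the account and guesses are constructed; a real WordPress plugin would persist the counters with `set_transient()`/`get_transient()` or the object cache.

```php
<?php
// Added example: per-IP and per-username failed-login limiting.

const MAX_FAILURES   = 5;      // lock after this many failures ...
const WINDOW_SECONDS = 900;    // ... within a 15-minute sliding window (assumed policy)

final class LoginLimiter {
    /** @var array<string, int[]> failure timestamps keyed by "ip:..." or "user:..." */
    private array $failures = [];
    private string $dummyHash;

    /** @param array<string, string> $users username => password hash */
    public function __construct(private array $users) {
        // Verified against when the username is unknown, so the response time
        // is the same for real and invented usernames.
        $this->dummyHash = password_hash('unused-dummy-password', PASSWORD_DEFAULT);
    }

    // Drops failures older than the window and returns how many remain.
    private function recent(string $key, int $now): int {
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn(int $ts) => $ts > $now - WINDOW_SECONDS
        ));
        return count($this->failures[$key]);
    }

    public function isLocked(string $ip, string $user, int $now): bool {
        return $this->recent("ip:$ip", $now)     >= MAX_FAILURES
            || $this->recent("user:$user", $now) >= MAX_FAILURES;
    }

    /** Returns 'ok', 'bad_credentials' or 'locked'. */
    public function attempt(string $ip, string $user, string $password, int $now): string {
        if ($this->isLocked($ip, $user, $now)) {
            return 'locked';                  // refuse before touching the password at all
        }
        $known = isset($this->users[$user]);
        $hash  = $known ? $this->users[$user] : $this->dummyHash;
        $ok    = password_verify($password, $hash) && $known;   // always run the verify
        if (!$ok) {
            $this->failures["ip:$ip"][]     = $now;
            $this->failures["user:$user"][] = $now;
            return 'bad_credentials';
        }
        unset($this->failures["user:$user"]);  // a successful login clears the account counter
        return 'ok';
    }
}

// Constructed demo account and a simulated guessing run against it.
$limiter = new LoginLimiter(['owner' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
$t = 1_700_000_000;   // fixed clock so the run is reproducible
$guesses = ['layman123', 'MonKeY444', 'year2020', 'admin', 'password', 'correct horse battery staple'];

foreach ($guesses as $i => $guess) {
    printf("%-30s -> %s\n", $guess, $limiter->attempt('203.0.113.7', 'owner', $guess, $t + $i));
}
// Once the counter has reached the limit even the correct password is refused;
// the lock expires by itself after WINDOW_SECONDS with no further failures.
printf("after window: %s\n",
    $limiter->attempt('203.0.113.7', 'owner', 'correct horse battery staple', $t + WINDOW_SECONDS + 10));
```

Run it with `php login_limiter.php` (PHP 8 or later). Two choices in it matter in practice: the per-username counter is what stops a distributed guesser that rotates source addresses, which a per-IP rule alone would miss, and the lock is time-limited rather than permanent so that an attacker cannot use the limiter itself to lock the real owner out indefinitely. Pair it with the two-factor authentication and non-default username recommendations above, which raise the cost of each guess rather than only the number of guesses allowed.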
Securing your small business website doesn’t have to be complicated if you use WordPress. The above are some of the common security threats WordPress websites face and how you can protect yourself.
Kaarle Varkki is a freelance writer from Tallinn, Estonia with a passion for words. In addition to writing about anything related to website development and hosting as well as editing articles written by others, he runs a creative writing workshop with a group of friends.