WordPress is a cross-platform content management system. WordPress claims that 17% of Web sites are now powered by it, and that number continues to grow.
WordPress makes it easy to create, maintain and update a site, without limiting what you can do. This is probably why it is one of the most widely used CMSs today.
But if you are thinking that you can just use WordPress without worrying about security, you might want to reevaluate your views on that.
WordPress Security Statistics
The truth is that WordPress is actually very much open to security attacks. A quick search for all vulnerabilities reported on the National Vulnerability Database shows that there are 505 vulnerabilities related to WordPress. Close to 30 of these vulnerabilities were listed in the past three months.
Granted that the National Vulnerability Database search might have some limitations and may not be an accurate indicator of the weaknesses of WordPress security, it is still a good reminder to all of us not to take security on our WordPress-powered Web sites for granted.
If that is not enough, how about hacking attempts? On May 1, 2013, The Hacker News reported that millions of sites powered by WordPress were used to carry out distributed denial of service attacks. The report details how legitimate WordPress blogs were being used to take down a large Web site.
Less than a month earlier, on April 12, 2013, The Hacker News also reported that a 90,000-server strong botnet was targeting WordPress sites, trying to log into them by brute force. Citing numbers from Sucuri, THN reported that the number of brute force attempts had tripled in April 2013.
What Makes WordPress so Vulnerable?
WordPress is immensely popular. According to the organization’s official statistics, there are more than 66 million WordPress websites around the world, with approximately 100,000 new ones installed per day. WordPress is also used by many of the world’s most visited websites, such as CNN, Mashable, The New York Times, NBC Sports, UPS, TechCrunch, Forbes, Reuters, Sony and eBay.
It is easily the world’s most popular CMS to date. This means that if a hacker were to discover a way to break into a WordPress site, it would be like hitting a goldmine: he or she would have a lot more sites to get into.
WordPress releases a new version every so often. However, most users do not upgrade the version of WordPress they use. These older versions then get targeted because they lack the patches and updates that current versions carry, and so have more known vulnerabilities.
Problematic themes and plugins.
Sometimes the vulnerabilities do not come from WordPress itself but from the add-ons you use. Some plugins and themes are so poorly written that you might as well put out a welcome mat for hackers once you install and use them. Other plugins even come with malware. And some themes are Trojans, disguised as a valid theme, but once you activate it, malicious code attacks your WordPress system and site database.
A lot of WordPress users do not take security very seriously. They use weak passwords and do not take proactive steps against website hacking.
Strengthening Your WordPress Security
So with all these potential vulnerabilities, what do you need to do to make sure that your site is safe?
1. Use only the latest WordPress version. If you have the old one, update to the latest version immediately.
2. Hide your wp-config.php. Of all the files in your WordPress installation, the wp-config.php should be the most confidential. The thing is, it is found on your root directory by default, making it easy for hackers to locate. The good news is that current versions of WordPress allow you to move this file somewhere else so that, unless you are on FTP or SSH, you will never be able to read this file.
3. Junk the “admin” username. One of the many ways that hackers get access to your WordPress installation is by brute force: they use a program to try a long list of words for your username and password. Do not make it easy for them to break into your site by using the default username, which is “admin.” At the very least, they should have to guess both your username and your password before getting in.
4. Use plugins to help plug security holes. You can try the following apps:
- Login Lockdown
Login Lockdown records the time and IP address of anybody who tries to log into your WordPress site. If a visitor exceeds a certain number of tries, the plugin disables the login form for them. This is a very effective way to deter brute force attacks.
- Secure WordPress
You may not know it, but hackers can often find vulnerabilities in your WordPress installation just by looking at information that is freely available on your site: for example, the version of WordPress you are using, or which plugins need to be updated. Secure WordPress hides this information from unauthorized users and can take other steps to make your site more secure.
- Website Defender
Website Defender is a plugin that allows you to run a security check of your site. If it comes across an issue, the plugin can also help you by providing recommendations on how to fix it.
5. Report bugs. If you discover bugs or security holes, report them to firstname.lastname@example.org. If you find them in a plugin, report them to email@example.com. WordPress is open source, which means that you have a solid community behind you. This formidable support system can help you fix these bugs or plug these vulnerabilities.
6. Don’t even try to download and activate free WordPress themes from untrustworthy sources. Chances are, if they came for free from a freeware or warez site, they may not be dependable or safe. To be sure, use only free themes from WordPress.org.
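As an added illustration of tip 2 (not code from the article, and not part of WordPress itself), the Python function below moves wp-config.php from the document root to the directory directly above it and restricts it to owner read/write. It relies on a real WordPress loader behaviour: when wp-config.php is missing from the install directory, wp-load.php looks one level up, but only if that parent directory does not contain a wp-settings.php (which would mark it as a separate WordPress install). The temporary "public_html" layout built by make_demo_install is constructed for this example only.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def relocate_wp_config(docroot):
    """Move wp-config.php from the WordPress document root to the directory
    directly above it and set mode 0600 (owner read/write only).

    WordPress's loader (wp-load.php) falls back to dirname(ABSPATH)/wp-config.php
    when the file is absent from the install, unless dirname(ABSPATH) also holds
    a wp-settings.php, i.e. is itself another WordPress install. The function
    refuses to move the file in that case because the site would stop loading."""
    docroot = Path(docroot).resolve()
    parent = docroot.parent
    src = docroot / "wp-config.php"
    dst = parent / "wp-config.php"
    if not src.is_file():
        raise FileNotFoundError(f"no wp-config.php in {docroot}")
    if parent == docroot:
        raise ValueError("document root is the filesystem root; nothing above it")
    if (parent / "wp-settings.php").exists():
        raise RuntimeError(f"{parent} looks like another WordPress install; "
                           "the one-level-up fallback would not apply")
    if dst.exists():
        raise FileExistsError(f"{dst} already exists; refusing to overwrite")
    shutil.move(str(src), str(dst))
    # Only the file owner (which must be the account PHP runs as, or a user whose
    # group PHP shares) may read the database credentials from now on.
    os.chmod(dst, stat.S_IRUSR | stat.S_IWUSR)
    return dst


def describe(docroot):
    """Report where wp-config.php currently lives and its permission bits."""
    docroot = Path(docroot).resolve()
    dst = docroot.parent / "wp-config.php"
    return {
        "in_docroot": (docroot / "wp-config.php").exists(),
        "in_parent": dst.exists(),
        "mode": oct(dst.stat().st_mode & 0o777) if dst.exists() else None,
    }


def make_demo_install(parent_has_wp=False):
    """Build a throwaway <tmp>/public_html/wp-config.php layout to try the
    function on. Constructed for this example; not a real site."""
    base = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    docroot = base / "public_html"
    docroot.mkdir()
    (docroot / "wp-config.php").write_text("<?php // constructed placeholder\n")
    if parent_has_wp:
        # Simulates a second WordPress install living in the parent directory.
        (base / "wp-settings.php").write_text("<?php // second install\n")
    return docroot


if __name__ == "__main__":
    root = make_demo_install()
    print("before:", describe(root))
    print("moved to:", relocate_wp_config(root))
    print("after: ", describe(root))
```

Two caveats a practitioner should check by hand before running this on a live server: the parent directory must itself be outside the web-served tree (moving the file from /var/www/html/blog to /var/www/html gains nothing), and the web server's PHP process must still be able to read the file after chmod, so adjust ownership or use 0640 with the web server's group if the file is not owned by that account.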
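To make the brute force discussion in tip 3 and the Login Lockdown behaviour in tip 4 concrete, here is an added Python example (not code from the article or from the Login Lockdown plugin) that implements the same idea: record the time and IP of every login attempt, and refuse the login form once an IP exceeds a number of failures inside a time window. It replays constructed Apache access-log lines for wp-login.php; the assumption that a failed POST to wp-login.php returns HTTP 200 (the form is re-rendered) while a successful one returns HTTP 302 (redirect to wp-admin) is mine, and the thresholds (3 failures in 5 minutes, 15-minute lockout) are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines for this example (not from any
# real server). Assumption used below: a failed POST to wp-login.php re-renders
# the login form (HTTP 200) while a successful login redirects (HTTP 302), so
# the status code tells failures and successes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2013:10:01:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


class LoginLockdown:
    """Per-IP sliding-window failure counter with a timed lockout, modelled on
    the behaviour the article describes for the Login Lockdown plugin."""

    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.lockout = timedelta(seconds=lockout_seconds)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> moment the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, when, success):
        """Register one attempt and return the decision the plugin would make."""
        if self.is_locked(ip, when):
            return "locked"            # form disabled: even a correct password is refused
        recent = self.failures[ip]
        if success:
            recent.clear()             # a real login resets the counter
            return "success"
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()           # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = when + self.lockout
            recent.clear()
            return "lockout_started"
        return "failed"


def replay(log_text, lockdown=None):
    """Run the wp-login.php POSTs from an access log through a LoginLockdown and
    return (ip, timestamp, decision) for each attempt, in log order."""
    lockdown = lockdown or LoginLockdown()
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/wp-login.php":
            continue   # fetching the form (GET) or other pages is not an attempt
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        success = m["status"] == "302"
        decisions.append((m["ip"], when.isoformat(), lockdown.record(m["ip"], when, success)))
    return decisions


def simulate(attempts, **settings):
    """Feed (ip, seconds_since_start, success) tuples through a fresh LoginLockdown."""
    lockdown = LoginLockdown(**settings)
    start = datetime(2013, 4, 12, 10, 0, 0)
    return [lockdown.record(ip, start + timedelta(seconds=s), ok) for ip, s, ok in attempts]


if __name__ == "__main__":
    for ip, ts, decision in replay(SAMPLE_LOG):
        print(f"{ts}  {ip:<15} {decision}")
```

In the sample, 203.0.113.7 fails three times in five seconds and is locked out; its fourth request, which the unprotected server answered with a 302, is what the plugin would have refused, and only after the lockout expires (the 10:15:10 line) does it get counted again. The legitimate user at 198.51.100.20 mistypes once and then logs in normally, which resets that IP's counter. Replaying a real log this way is also a cheap way to measure how much brute force traffic a site receives before deciding on thresholds.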
The WordPress Security Bottom Line
As with everything you do on the Internet, keep an ounce of common sense with you. Use stronger passwords with special characters, which are harder to crack. Do not reuse the same password everywhere. Use only plugins and themes from sources you can trust.
Lastly, do not get lulled into a false sense of security. WordPress might be very difficult to get into without authorization, but that does not mean that you are in the clear. Now that you know that you are not entirely safe, apply these tips for a more secure WordPress experience.
Read more: http://www.webdesign.org/wordpress-security-and-wordpress-security-statistics.22291.html#ixzz3bp99Q1bx