“WordPress is insecure” – I hear and read this quite frequently – here’s the lowdown for normal people:
What is WordPress?
WordPress is a Content Management System (CMS) used to build websites. It is easy to use, and is now so popular that nearly 25% of the top 10 million websites in the world are built using it. It’s popular because it’s easy to use and there are virtually endless ways to customise it just by installing plugins and themes. This means the cost of building a WordPress website is a fraction of the cost of developing a similar website using another platform or building it from the ground up. Also there are, by extension of it’s popularity as a platform, loads of WordPress developers out there, so it’s easy to get help when you need it. This reduces the ongoing cost of ownership of your website.
The Security Issue:
Lots of WordPress sites get hacked into – that is true. However there is a bit more to it than that… Here are some of the reasons:
- WordPress is extremely widely used, therefore statistically it is likely that you are going to hear about it.
- WordPress websites are quite commonly build by non-technical people and so little or no thought is is given to security – more on this below.
- For every WordPress website there are probably multiple administrators – it’s easy to update WordPress sites so therefore it is common to have 2 – 5 admins when there should probably only be 1.
- There are tens of thousands of themes and plugins available to customise WordPress. Not all of them are up-to-date with the latest security standards.
Number 2 above is a biggie. It is relatively easy to install WordPress, do a bit of tweaking to the layout and populate your content. There are many step by step guides available so lots of WordPress websites are set-up by people who aren’t working with websites on a daily basis. Of these people, probably a very small proportion give any consideration to security. I expect there are lots of very insecure username/password combinations out there which is the most basic security requirement. Of those who do look into security in any detail, almost all will be put off by technical terms such as PHP and htaccess, and terrified by concepts like Brute Force attacks. Most WordPress websites I encounter have some serious security vulnerabilities with not even the most basic protection.
This combination of extreme popularity and lack of security understanding means that statistically WordPress is the juiciest target imaginable for hackers. If they find a vulnerability and can exploit it, they have the power to cause a lot of damage which seems to be what hackers like to do most of all.
What can be done?
The most commonly exploited “vulnerability” is also the most obvious – the front door, or in this case the login screen. If a hacker can login as a WordPress administrator, they can do pretty much anything they want to your website. What is required to gain access as an administrator?:
- access to the admin login screen
- administrators username
- administrators password
Number 1 – the admin login screen for a WordPress website is by default the same for all WordPress websites, so it is very easy to find the login screen. Changing the default admin login URL to something unique immediately makes it harder for hackers.
Number 2 – many WordPress administrators have the default username “admin”. If this is the case and the login URL is also the default (as above), then 2 of the 3 required elements are pretty much a given and the only thing hackers need to guess is the password – see below. Even if the “admin” password isn’t being used, quite often it is possible to figure out a person’s username because they have posted something and their display name is the same as their username – slightly harder than the “admin” username issue but not much…
Number 3 – this is a serious issue because it relies on people to pick secure passwords, and people are notoriously bad at this!
I’d guess that nearly half of all WordPress sites use the default admin login url and have an administrator with username of “admin” or “administrator”. Hackers have, amongst their arsenal of nasties, scripts which can repeatedly try to login to your website, email or internet banking account with, say, the top 10,000 most common passwords in a matter of minutes.
The answer to this? Lock the front door!
Other security considerations:
There are various ways to detect intrusion attempts and block them automatically. Given that most hackers know that the admin login URL is generally the default, and it is likely that there is an administrator with username “admin” or “administrator”, they can set-up scripts to automatically try and login to WordPress websites with these default details and the most common 10,000 passwords. This is called a Brute Force attack. It is possible to secure your WordPress website by automatically detecting this type of intrusion and blocking the attempts.
There are a variety of security plugins that can help with this type of configuration – get in touch if you’d like to know more.