Using WordPress? Here’s How to Deal With the Most Common Vulnerabilities
WordPress hardly needs any introduction. For years it’s been one of the most popular open source content management systems (CMS) in the marketplace. This astounding popularity makes WordPress one of the most attractive targets for hackers.
Many members of Return Path’s Certification Program host their websites on WordPress, and we have witnessed how, when security is overlooked, it can jeopardize their email programs. Poor website security results in spam being sent over Certified IP addresses, leading to poor IP address and domain reputation, lower deliverability, suspension from the Certification Program, and most importantly the loss of all Certification benefits.
So how does having a compromised WordPress website affect your email program?
One of Return Path’s Security Engineers explained that a hacker gets access to a WordPress website through an exploited vulnerability, allowing them to leverage the trust relationship between the server hosting the WordPress website and your email server. This way, they get access to your mail server and exploit it to send spam and other types of malicious content.
You might think this would not affect you if you run a small business and that you’d be an unlikely target. However, this assumption is incorrect because many of these attacks are opportunistic. A representative from BulletProof Security, one of the most popular WordPress security plugins, told us that 99 percent of all hacking and spamming is automated with hackerbots and spambots that either have targets programmed into their delivery systems or look for targets at random. According to Tom from SURBL, one of the major real-time block list operators, targeting is achieved by looking at all published exploits and scanning the entire internet for vulnerabilities that match the exploit criteria. If vulnerabilities are found, then hackers know that any website not updated with a particular patch can be automatically hacked.
Plugin security vulnerability
One of the major advantages of WordPress is that its plugins can add pretty much any functionality you could imagine to your website. Currently, there are more than 45,000 plugins available to download for WordPress users. The downside of having so many plugins available is that they are also the biggest source of security vulnerabilities for WordPress websites. “Many WordPress and CMS plugins are not well tested nor peer reviewed for vulnerabilities. Thus many plugins are vulnerable and should be reviewed with great care before deploying,” Tom from SURBL added. A plugin maintained by a single developer also takes longer to receive updates when exploits are exposed. Mark Maunder, the CEO of the leading security plugin Wordfence, cautions “If there is a vulnerability associated with a plugin, it’s not a matter of if but rather when the attack is going to happen.”
So when using plugins for your website consider the following:
- Keep your plugins up to date: Developers continuously look for new vulnerabilities in plugins. When information about the new vulnerabilities becomes publicly available, malicious actors deploy attacks to exploit them.
- Do not use inactive plugins: If you are using plugins that are no longer actively maintained, it is very likely that their developers have not released updates to address their security vulnerabilities. This makes your website a target for hackers.
- Use only reputable plugins: If you download plugins from unknown sources, you might also download a virus or malware that could compromise your machine.
- Back up your website: Besides maintaining a regular backup, make sure you back up manually before updating your plugins.
Brute force security vulnerability
Brute force is the second most common security vulnerability when it comes to WordPress websites. In its traditional form, a brute force attack involves someone trying to access your system by guessing a password. There are many ways a brute force attack can manifest itself, but scanning attacks are among the most common when it comes to exploiting WordPress sites. “Most often hackers are looking for existing vulnerabilities in WordPress plugins and themes that can be exploited by performing network searches looking for the vulnerable sites. Worldwide network scans are common searching for vulnerabilities,” Tom from SURBL explained.
To protect yourself from brute force and scanning attacks you should consider the following:
- Use multi-factor authentication: This is a method of access control that requires more than one method of authentication to verify a user’s identity. For example, proving your identity by something you know (your username and password) and something you have (security token or a key).
- Enforce password requirements: A strong password policy requires default passwords to be changed, requires at least eight characters, and requires the use of special characters and uppercase and lowercase letters. It also limits similarity to previous and current passwords and forces password changes every 60 to 90 days. To ensure confidentiality of data, store passwords as secure password hashes rather than in plain text.
- Enable account lockout: This is a method of preventing password guessing by blocking a user after a set number of failed login attempts.
- Implement CAPTCHA: This is a test that requires people to prove they are human by completing a challenge, thereby preventing automated processes from abusing the form.
- Monitor your logs: Many failed logins from the same IP address, many logins to a single account, excessive bandwidth use by one account, and logins with suspicious passwords can all be indicative of a brute force attack.
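As an added illustration of the lockout and log-monitoring advice above (example code written for this page, not a Return Path or WordPress tool), the script below counts failed wp-login.php attempts per source IP and per account inside a sliding window. The sample log lines and their key=value format are constructed for the example; counting per account as well as per IP is what catches guesses spread across many addresses, which per-IP lockout alone would miss.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from any real site): one line per wp-login.php attempt.
SAMPLE_LOG = """\
2016-03-10T09:00:01 ip=203.0.113.7 user=admin result=fail
2016-03-10T09:00:02 ip=203.0.113.7 user=admin result=fail
2016-03-10T09:00:03 ip=203.0.113.7 user=admin result=fail
2016-03-10T09:00:04 ip=203.0.113.7 user=admin result=fail
2016-03-10T09:00:05 ip=203.0.113.7 user=admin result=fail
2016-03-10T09:00:06 ip=203.0.113.7 user=admin result=ok
2016-03-10T09:30:00 ip=198.51.100.2 user=editor result=fail
2016-03-10T09:45:00 ip=198.51.100.3 user=editor result=fail
2016-03-10T10:00:00 ip=198.51.100.4 user=editor result=fail
2016-03-10T10:00:10 ip=198.51.100.5 user=editor result=fail
2016-03-10T10:00:20 ip=198.51.100.6 user=editor result=fail
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrelated or malformed line
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def find_brute_force(log_text, max_failures=5, window=timedelta(minutes=60)):
    """Flag IPs and accounts with >= max_failures failures inside the window,
    plus accounts that afterwards logged in from a flagged IP (a stronger
    signal that guessing succeeded rather than merely being attempted)."""
    recent = defaultdict(deque)  # (kind, value) -> failure timestamps in window
    flagged = {"ip": set(), "user": set(), "success_after_flag": set()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["result"] == "ok":
            if rec["ip"] in flagged["ip"]:  # a flagged source finally got in
                flagged["success_after_flag"].add(rec["user"])
            continue
        for kind in ("ip", "user"):
            q = recent[(kind, rec[kind])]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:  # drop failures older than window
                q.popleft()
            if len(q) >= max_failures:
                flagged[kind].add(rec[kind])
    return flagged
```

A flagged IP is a candidate for lockout; a flagged account with no single offending IP is the distributed case that deserves a password reset and a look at MFA.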
The industry experts we spoke to agreed that the number of vulnerabilities and attacks on WordPress and other content management system (CMS) websites will continue to increase. A representative from BulletProof Security told us that they expect hackers to become more sophisticated in their methods. Mark Maunder of Wordfence added that “Business models used by attackers constantly change as they become better at monetising hacked sites.”
Nevertheless, the future of WordPress is bright as it continues to provide one of the most powerful, easy-to-use platforms, and it does a fairly good job of pushing automatic core platform updates to its users. Tom from SURBL reminds us that, “If a website owner wants to be a good network citizen and does not want their content blocked, they need to audit their WordPress sites on a weekly basis for vulnerabilities to ensure maximum security”.
Do you want to get more tips and advice on how to secure your email program? Stay tuned for my follow-up blog posts where I will investigate how to protect yourself against common cyber attacks that can jeopardize your email program.
About Julia Babahina
As a Compliance and Security Analyst for Return Path, Julia is responsible for the quality and security of the Certification Program. She is passionate about finding data-driven solutions for preventing and detecting clients' security breaches and spreading her knowledge about best sending and security practices. Julia holds an MSc in International Public Policy and is CompTIA Security+ certified. In her spare time, she enjoys running and is a keen traveler.