WordPress adoption keeps growing within the worldwide community of online users, and it simplifies the work of web developers by providing tools for building a variety of websites. Understandably, as with any popular platform, there are a host of security concerns regarding the use of WordPress (or WP). Adding fuel to this constant speculation about the credibility of WordPress are the standard myths surrounding WordPress security issues.
Myth 1: WordPress is the Problem
Several users whose WordPress site gets hacked tend to blame WordPress for the compromise. Let’s examine this claim more closely.
Reality: WP does not exist in isolation; it comprises the WordPress core plus external plugins and themes. The core is developed and maintained by a group of highly proficient WP developers, and this core team is responsible for addressing security-related issues. They take precautionary measures and facilitate safety by releasing timely WP core updates.
According to CodeinWP, WordPress releases a major core version every 152 days on average. This development process is backed by funding from large corporations and follows a regular cycle of product releases, fixes, and WordPress security updates.
The Issue: Earlier statistics and reports have shown that WP plugins are responsible for around 54% of security flaws and vulnerabilities, while WP themes account for 14.3%. So while the core is sufficiently secure, the same cannot be guaranteed for the large number of plugins and themes that are developed independently and integrated with the core. Budget and time constraints, driven by the high level of competition in this domain, may mean that most WP plugins and themes do not go through timely release cycles and quality checks.
Myth 2: Regular Updates will keep the WP Site Completely Safe
Reality: Applying security updates promptly is necessary to improve the security of any WordPress site. But does it guarantee complete protection? The truth is, it doesn’t.
The Issue: The WordPress repository holds 37,300 plugins in total, of which 17,383 have not been updated since 2015! The problem stems from the proliferation of abandoned WP plugins: an abandoned plugin is one that its developers have not worked on or updated for a long time.
Besides increasing a site’s WordPress security vulnerabilities, installing unmaintained plugins that rely on deprecated features can also break the site. To avoid a website breakdown, outdated plugins should be removed from the plugins folder of the WP installation on a regular basis.
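The staleness check described above, as an added example that is not code from the original article: the plugin records are constructed, and the `last_updated` strings follow the shape the WordPress.org plugin information API reports (the exact format and the two-year threshold are assumptions).

```python
"""Flag abandoned WordPress plugins by their last-updated date.

Added example, not code from the original article. The records below are
constructed; their `last_updated` strings follow the shape the WordPress.org
plugin information API uses (assumed format: "YYYY-MM-DD H:MMam/pm GMT").
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: plugin slug -> last_updated value as the plugin API reports it.
SAMPLE_PLUGINS = {
    "example-gallery": "2015-03-02 9:07pm GMT",
    "example-seo": "2024-01-15 11:30am GMT",
    "example-forms": "2018-07-09 4:45pm GMT",
}

# Two years without a release is the staleness threshold assumed here.
STALE_AFTER = timedelta(days=2 * 365)


def parse_last_updated(value: str) -> datetime:
    """Parse '2015-03-02 9:07pm GMT' into an aware UTC datetime."""
    naive = datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")
    return naive.replace(tzinfo=timezone.utc)


def find_abandoned(plugins: dict, now: datetime,
                   stale_after: timedelta = STALE_AFTER) -> dict:
    """Return {slug: days_since_update} for plugins older than stale_after."""
    abandoned = {}
    for slug, last_updated in plugins.items():
        age = now - parse_last_updated(last_updated)
        if age > stale_after:
            abandoned[slug] = age.days
    return abandoned


def report(plugins: dict, as_of: str) -> dict:
    """Convenience wrapper taking the reference date as 'YYYY-MM-DD'."""
    now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return find_abandoned(plugins, now)


if __name__ == "__main__":
    for slug, days in sorted(report(SAMPLE_PLUGINS, "2024-06-01").items()):
        print(f"{slug}: last release {days} days ago - review or remove")
```

In practice the dictionary would be filled from the installed plugin list and the API's per-plugin metadata; the point of the check is that "updated" is a property of the upstream project, not of your install, so a plugin can be fully patched locally and still be abandoned.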
Myth 3: Backups – The Ultimate Saviour
Reality: For an organization, safeguarding the website should be a top priority, and a site owner can take various actions to protect their website from possible threats. Among all the solutions available for protecting a WordPress site, one of the most commonly used is taking a backup of the website. While backups are a critical component of keeping your data safe, they cannot be the only security measure relied on in case of a breach.
The Issue: Entertaining myths about backups such as this one will result in a flawed setup and may lead to a complete breakdown of the site.
No WordPress version has built-in automatic backup functionality, and a complete WordPress backup should include the entire website, not just the database content. A database-only backup will not restore the site after a security attack.
While many WordPress hosts do offer backup-related services, it is not sensible to outsource the complete operation to them. There will always be doubts about the backup methods and restoration processes they apply, so relying on them alone is best avoided.
Backups cannot replace a complete site cleanup after a hack. Regular backups are of no help if the backed-up data itself has been compromised. Additionally, a cleanup is required to patch the actual code flaws and avoid a repeat of the attack.
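A complete backup as described above, files plus database, together with a check that both halves actually made it into the archive. This is an added example, not code from the article: the wp-config.php fragment, the directory layout and the `mysqldump` flags are assumptions, and the demo runs offline on a constructed install with a stand-in dump instead of executing `mysqldump`.

```python
"""Build and verify a complete WordPress backup: files plus database dump.

Added example, not code from the original article. It reads the DB constants
from wp-config.php, assembles the mysqldump invocation (the password goes in
the MYSQL_PWD environment variable rather than on the command line), tars the
entire install together with the dump, and checks that both halves are present.
The demo below works offline on a constructed directory and a stand-in dump.
"""
import io
import re
import tarfile
import tempfile
from pathlib import Path

CONFIG_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)

# Constructed wp-config.php fragment (all values are placeholders).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'placeholder-secret' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""


def read_db_config(wp_config_text: str) -> dict:
    """Extract the DB_* constants from wp-config.php text."""
    return dict(CONFIG_RE.findall(wp_config_text))


def mysqldump_command(cfg: dict) -> tuple:
    """(argv, env) for mysqldump; the password is passed via the environment."""
    argv = ["mysqldump", "--single-transaction", "--routines", "--triggers",
            f"--host={cfg['DB_HOST']}", f"--user={cfg['DB_USER']}", cfg["DB_NAME"]]
    env = {"MYSQL_PWD": cfg["DB_PASSWORD"]}
    return argv, env


def backup_site(wp_root: Path, archive: Path, sql_dump: bytes) -> Path:
    """Write the whole install tree and the SQL dump into one .tar.gz."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(wp_root, arcname="site")  # every file, not just uploads
        info = tarfile.TarInfo("database.sql")
        info.size = len(sql_dump)
        tar.addfile(info, io.BytesIO(sql_dump))
    return archive


def verify_backup(archive: Path) -> dict:
    """A restorable backup needs wp-config.php, wp-content and the dump."""
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return {
        "has_config": "site/wp-config.php" in names,
        "has_content": any(n.startswith("site/wp-content/") for n in names),
        "has_database": "database.sql" in names,
        "entries": len(names),
    }


def demo() -> dict:
    """Offline run on a constructed install; mysqldump is not executed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "wordpress")
        (root / "wp-content" / "plugins").mkdir(parents=True)
        (root / "wp-config.php").write_text(SAMPLE_WP_CONFIG)
        (root / "wp-content" / "plugins" / "index.php").write_text("<?php // Silence is golden.\n")
        argv, env = mysqldump_command(read_db_config(SAMPLE_WP_CONFIG))
        # Real use: subprocess.run(argv, env={**os.environ, **env}, check=True,
        #                          capture_output=True).stdout
        dump = b"-- stand-in for the output of: " + " ".join(argv).encode() + b"\n"
        return verify_backup(backup_site(root, Path(tmp, "backup.tar.gz"), dump))
```

The verification step is the part most backup routines skip: an archive that is missing wp-config.php, wp-content/ or the SQL dump cannot restore the site, which is exactly the failure the myth hides. Store the archive off-host, since a backup sitting next to a compromised install is compromised with it.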
Myth 4: SFTP Can Protect User Credentials
Reality: Protocols like Secure File Transfer Protocol (SFTP) and File Transfer Protocol with Secure Sockets Layer (FTP over SSL) are secure ways of connecting to WP sites and performing file transfers safely. However, SFTP cannot completely guarantee the protection of WP user credentials.
The Issue: Malicious attacks such as the “man-in-the-middle” attack have succeeded in illegally retrieving usernames and passwords despite the use of SFTP and other protocols. Preventive steps must be taken against these attacks, such as using proprietary certificate mechanisms, public and private keys, etc.
Myth 5: IP Address Blocking Can Keep Away Malicious Visitors
Reality: Most WordPress security plugins allow malicious visitors to be blocked based on the visitor’s IP address. This is known as IP address blocking, and it has its own list of issues. IP blocking merely stops repeated login attempts, regardless of the IP address.
The Issue: A major flaw overlooked by the practice of IP blocking is that IP addresses keep changing, so the same malicious computer or host can have a different IP address after a short time. Additionally, improper IP address blocking can lead to frequent website crashes, which can take a long time to recover from.
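The weakness above is easy to see in a log: when the failures are spread over many addresses, a per-IP counter never trips, while a per-account counter does. Added example, not code from the original article; the log lines are constructed, their format is assumed, and the threshold of five failures is an assumption.

```python
"""Compare per-IP and per-account lockout over a constructed login log.

Added example, not code from the original article. The log lines below are
constructed and use an assumed format (timestamp, ip=, user=, result=).
"""
import re
from collections import defaultdict

# Constructed sample: six failures for one account from six addresses, plus a
# legitimate user who mistypes twice and then signs in.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z ip=203.0.113.10 user=admin result=fail
2024-06-01T10:00:02Z ip=203.0.113.11 user=admin result=fail
2024-06-01T10:00:03Z ip=203.0.113.12 user=admin result=fail
2024-06-01T10:00:04Z ip=203.0.113.13 user=admin result=fail
2024-06-01T10:00:05Z ip=203.0.113.14 user=admin result=fail
2024-06-01T10:00:06Z ip=203.0.113.15 user=admin result=fail
2024-06-01T10:00:07Z ip=198.51.100.7 user=alice result=fail
2024-06-01T10:00:09Z ip=198.51.100.7 user=alice result=fail
2024-06-01T10:00:12Z ip=198.51.100.7 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse_log(text: str) -> list:
    """Turn log text into a list of dicts, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def failure_counts(records: list, key: str) -> dict:
    """Count failed attempts grouped by `key` ('ip' or 'user')."""
    counts = defaultdict(int)
    for rec in records:
        if rec["result"] == "fail":
            counts[rec[key]] += 1
    return dict(counts)


def lockouts(records: list, key: str, threshold: int) -> set:
    """Values of `key` whose failure count reached the threshold."""
    return {k for k, n in failure_counts(records, key).items() if n >= threshold}


def compare_policies(text: str, threshold: int = 5) -> dict:
    """What a per-IP policy and a per-account policy would each block."""
    records = parse_log(text)
    return {
        "blocked_ips": lockouts(records, "ip", threshold),
        "locked_accounts": lockouts(records, "user", threshold),
    }


if __name__ == "__main__":
    print(compare_policies(SAMPLE_LOG))
```

A per-account counter has its own failure mode: anyone who knows a username can lock its owner out, so in production it is better paired with progressive delays, alerting and a second factor than used as a hard lock on its own.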
Myth 6: Implementing Password Protection for the WP-Admin Folder is Easy
Reality: The Internet is full of technical articles on how to increase WP security by password-protecting the wp-admin folder. While this can be useful, it needs to be done carefully, because the admin-ajax.php file, which provides AJAX functionality for WordPress users, is also located in this folder.
The Issue: Users who password-protect the wp-admin folder often run into a problem with AJAX functionality: visitors to the website are blocked from reaching admin-ajax.php.
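One way to add HTTP Basic authentication to wp-admin while keeping admin-ajax.php reachable, as an added example that is not from the article: it assumes Apache with mod_auth_basic, the `.htpasswd` path is a placeholder, and the 2.2-style block is included only for servers that still use mod_access_compat.

```apache
# wp-admin/.htaccess  (added example; adjust the AuthUserFile path)
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# admin-ajax.php serves front-end AJAX for ordinary visitors, so exempt it.
# Apache 2.4: the innermost Require wins (AuthMerging is Off by default).
<Files admin-ajax.php>
    Require all granted
</Files>

# Apache 2.2 (or 2.4 with mod_access_compat) equivalent:
# <Files admin-ajax.php>
#     Order allow,deny
#     Allow from all
#     Satisfy any
# </Files>
```

After deploying, confirm both halves with an unauthenticated `curl -I`: `/wp-admin/` should answer 401, while `/wp-admin/admin-ajax.php` should answer with whatever WordPress itself returns (typically 400 for a request with no action), not 401. Keep the password file outside the web root.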
Myth 7: Hiding the WordPress Website!
Reality: Because WordPress is the most popular content management system (CMS), hackers around the globe explicitly target the millions of websites built on it. The concept of “hiding WordPress” basically means obscuring from the hacker or malicious bot the fact that the site runs on WP. It also means hiding the WP version in use, along with changing default file names, directories, and permalinks.
So, does “hiding the WordPress” work?
While it may succeed in foiling brute-force and SQL injection attacks made by bots, it cannot offer guaranteed success against a superior, dedicated, tech-savvy hacker.
The Issue: Hackers have multiple ways of detecting which CMS is in use, along with ways of discovering the WP version number. Additionally, most WP plugins and features depend on the default location of the system folders and can break if those folders are moved elsewhere.
Myth 8: Brute Force Attacks Can Be Stopped by Hiding the Website Login Page
Reality: Most malicious bots attempt a brute-force attack by targeting the login page of the target website, trying to obtain the username and password that grant admin access to the backend. Most WordPress admins attempt to thwart this by hiding their login page or the wp-admin folder.
The Issue: Hiding the login page or access point is not adequate protection against potential hacks. Hackers are smart enough to possess the tools needed to find the location of a relocated login page.
Myth 9: Changing the Database Table Prefix Will Improve Security
Reality: A popular notion among WP users is that changing the prefix of the WP database tables will prevent SQL injection attacks on the website. This means changing the prefix from the default “wp_” to some other value. If only it were that simple.
The Issue: Most hackers have other means of retrieving the list of database tables. Additionally, changing the database table prefix, if not done properly, can even crash your website.
Myth 10: Firewall Can Prevent DDoS Attacks
Reality: While firewalls play a critical role in any organization’s security solution, they are not purpose-built for DDoS prevention. On the contrary, firewalls have certain inherent qualities that hinder their ability to provide complete protection against today’s most sophisticated DDoS attacks.
The Issue: Although most firewalls are designed to stop intruding entities one at a time, they are unable to assess the behaviour of millions of legitimate packets or sessions. Therefore, one of the most critical limitations of firewalls is their inability to distinguish between legitimate and malicious users.
Myth 11: WP Users Can Fix a Hacked Website Themselves
Reality: A WP user can find plenty of online material on how to fix a website once it has been hacked. Typical steps include scanning the site and checking for malicious use of functions such as base64_decode, eval, and gzinflate.
The Issue: When a website has been hacked, following a complicated cleanup procedure is challenging as well as time-consuming if you are not using the right cleansing tool. While there are companies that provide services for cleaning up a hacked website, they tend to be expensive and are not always a viable option for a moderate user.
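The scan step above, as an added example that is not code from the original article: it searches PHP sources for the three functions the article names and ranks the hits so that a decode-and-execute chain is reviewed first. The two PHP files are constructed (the only encoded payload is `echo 1;`), and their paths, the regexes and the scoring are assumptions.

```python
"""Triage PHP files for the obfuscation functions the article names.

Added example, not code from the original article. The two PHP sources below
are constructed; the only payload is a base64 encoding of `echo 1;`. Paths,
patterns and scores are assumptions.
"""
import re

# Functions the article lists as common in injected code.
SUSPICIOUS_CALL = re.compile(r"\b(eval|base64_decode|gzinflate)\s*\(", re.IGNORECASE)
# eval()/gzinflate() wrapped directly around a decoder is the classic dropper shape.
CHAINED_CALL = re.compile(
    r"\b(eval|gzinflate)\s*\(\s*(base64_decode|gzinflate)\s*\(", re.IGNORECASE
)
# A long base64-looking literal on the same line raises confidence further.
LONG_LITERAL = re.compile(r"""['"][A-Za-z0-9+/=]{40,}['"]""")

SAMPLE_FILES = {
    # Constructed: legitimate base64_decode, no eval, short literal.
    "wp-content/themes/example/functions.php": (
        "<?php\n"
        "function example_icon() {\n"
        "    return base64_decode(get_option('example_icon_b64'));\n"
        "}\n"
    ),
    # Constructed: the dropper shape with a harmless payload (`echo 1;`).
    "wp-content/uploads/cache.php": (
        "<?php\n"
        "eval(base64_decode('ZWNobyAxOw=='));\n"
    ),
}


def scan_source(source: str) -> list:
    """Return one finding per line that calls a listed function."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        names = sorted({m.group(1).lower() for m in SUSPICIOUS_CALL.finditer(line)})
        if not names:
            continue
        chained = bool(CHAINED_CALL.search(line))
        long_literal = bool(LONG_LITERAL.search(line))
        # Chained decode-and-execute is the strongest signal; a long literal adds one.
        score = (3 if chained else 1) + (1 if long_literal else 0)
        findings.append({"line": lineno, "functions": names,
                         "chained": chained, "score": score})
    return findings


def triage(files: dict) -> dict:
    """Scan every file; keep only files with findings, most suspicious first."""
    results = {path: scan_source(src) for path, src in files.items()}
    hits = {p: f for p, f in results.items() if f}
    return dict(sorted(hits.items(),
                       key=lambda kv: -max(x["score"] for x in kv[1])))


def review_queue(files: dict, min_score: int = 3) -> list:
    """Paths whose best finding reaches min_score: look at these first."""
    return [p for p, f in triage(files).items()
            if max(x["score"] for x in f) >= min_score]


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_FILES).items():
        for f in findings:
            print(f"{path}:{f['line']} {f['functions']} score={f['score']}")
```

A hit is a lead, not a verdict: themes and plugins use base64_decode legitimately, which is why the example scores a bare call low and a PHP file under wp-content/uploads (a directory that should hold no executable code) with an eval-around-decoder chain high. Compare each flagged file against a clean copy of the same plugin or theme version before editing anything.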
Myth 12: WordPress Hosting Companies Are Responsible for Hacks
Reality: Yes, it is prudent to choose the right WP hosting company for a website to ensure its online security. Hosting platforms that do not isolate user accounts from each other run the risk of giving hackers access to valuable information from multiple accounts once they gain access to any single user account.
The Issue: While there can be security-related problems with WP hosting platforms, they are very rarely the cause of an attack. Outdated plugins and themes present more security threats to WP-powered websites than hosting platforms do.
How to Keep Your WordPress Site Safe
WP website owners are responsible not only for the design and building of the website, but also for its long-term security. In this article, we have attempted to explain what works (and what does not) to strengthen website security. While no website can be deemed 100% safe from hackers, following the right security practices can reduce its vulnerability.