Hacking is the process of finding flaws in a system, and exploiting them to bypass security controls. ‘Ethical’ hackers use this process to learn about a system and find its weaknesses. However, malicious or ‘black hat’ hacking is also common. It is often used to break into websites.
There are a lot of reasons why hackers target WordPress sites. One of them is the platform’s sheer popularity. By knowing what these reasons are, you’ll gain a better understanding of how to protect your website.
In this article, we’re going to break down the reasons people hack websites. Then we’ll talk about why WordPress itself gets so much heat. Let’s talk WordPress security!
Why people hack websites
Every day, thousands of websites get hacked. WordPress sites make up a disproportionate percentage of those sites, since it powers over 30% of the web.
A lot of people think their sites are safe from attacks because they don’t contain valuable and sensitive business information. However, there are plenty of other reasons why sites get hacked, such as:
- to spread malware,
- adding bandwidth to bot networks, which are often used for Denial of Service (DDoS) attacks,
- black-hat Search Engine Optimization (SEO),
- activism / hacktivism,
- just for practice and fun.
The point is, no website is 100% exempt from the possibility of being targeted. Once it is online, it will be attacked.
4 reasons why WordPress websites get targeted
As if all the reasons we listed before weren’t enough, WordPress sites get some extra attention from attackers. Let’s talk about why this is.
1. WordPress is the most popular CMS
As we mentioned before, WordPress powers over 30% of the web. As of 2018, there were over 1.5 billion websites on the internet (although not all of them active). This means a little less than a third of those use WordPress.
This is excellent news in some aspects. It means WordPress development isn’t likely to halt soon and you’ll always have a great community to help you out. The problem is, this same popularity also means WordPress is the equivalent of a jackpot for hackers.
Imagine, for a second, that someone found a vulnerability in a popular WordPress plugin. As already happened in the past, such exploit could affect millions of websites. Of course, plugins themselves aren’t the only issue, which brings us to our next point.
2. Many WordPress websites lack basic security
There are a lot of things you can do to protect your website from attacks. The good news is that many security best practices aren’t as hard to implement as you’d imagine.
No two-factor authentication
Take Two-Factor Authentication (2FA). Using a WordPress two-factor authentication plugin, it can be implemented in minutes. Plus, it drastically reduces the chances of attackers gaining access to your website, even if they’ve stolen user credentials.
Not familiar with 2FA? Refer to our introduction to two-factor authentication for WordPress.
No security hardening and protection
Likewise, it doesn’t take long to install and configure a WordPress security plugin.
If you’d like to learn more about this subject and about protection specifically, we recommend you to also read the WordPress firewalls guide.
No records and activity logs
Another simple WordPress security best practice is to keep a WordPress activity log. This lets you track practically everything that happens on your website, from unsuccessful login attempts to changes in your site’s files:
The problem is, most people don’t take the time to learn about basic WordPress security measures. They don’t consider their website to be at risk. If you don’t want your website to be a part of the prominent hacking statistics, implementing the security best practices above.
3. Weak password use is endemic
When it comes to maintaining a secure WordPress website, your WordPress users’ passwords are the first line of defense. If someone guesses your admin credentials, they gain full admin privileges on your website – not a good place to be.
The situation is more imminent than you think – users use weak passwords. Educate your users on what makes a strong WordPress password. For example, focus on length rather than complex mix of characters. Lengthy passwords are much harder to guess and crack. And always use a password manager so you and your users do not have to remember the long passwords.
Implement strong WordPress passwords policies
Likewise, it’s also smart to implement strong password policies for your website’s users. Do this with the Melapress Login Security plugin, which enables you to configure password expiry, password history, password complexity and several other policies.
Strong password policies are an effective way to keep your website safe and teach your visitors to use secure passwords.
4. Use of outdated WordPress core, plugins & other software
Quite often, outdated software has vulnerabilities. So when WordPress administrators use outdated core, plugins, themes and other software they expose security holes for hackers to exploit. Unfortunately they do so quite often; outdated vulnerable software is one of the most common causes of hacked WordPress websites.
Attackers know this. In fact they have a plethora of free scanning tools and scripts which they often use to mass identify and exploit vulnerable WordPress websites.
Summing it up
WordPress is incredibly popular. It’s easy to use, highly versatile, and you can create amazing websites with it. However, the downside is that because of these positives, WordPress becomes a target for malicious intent. Basic security practices can mitigate this negative immensely.
Let’s recap the four main reasons why WordPress websites come under attack so often:
- It’s the most popular CMS in the world.
- A lot of WordPress websites don’t follow basic security practices.
- Weak password use is endemic.
- Outdated software is often used.
How you can stop it
To close on a positive note, here are a few tips you should follow to counter the above problems: