I have a lot of great things to say about WordPress. It’s an internationally popular piece of open source software that allows anyone to start their own blog or website. It’s powerful enough to be extensible by seasoned coders, yet simple enough that tech-illiterate people can still benefit from it. We even have a mini-guide for starting your own WordPress site.
However, as with all Internet-related software, there will always be security holes that need patching. Even when past holes are fixed, new features will inevitably introduce new holes, and then those holes need to be fixed. It’s a process that never ends, which is why it’s so important for you to update your WordPress regularly.
Updating WordPress is the best way to patch the latest WordPress security vulnerabilities. What sorts of security vulnerabilities? Here’s an overview of the most common ones you’ll encounter.
1. Default Admin Account
When you first install WordPress, your basic administrator account will be called “admin” with an equally simple password. Keeping security credentials at their default settings can be a big vulnerability because hackers and crackers will know what those default settings are and, thus, will exploit them with ease.
Actually, this isn’t a problem unique to WordPress. Anything that comes with product-wide default access credentials (such as router logins or phone unlock codes) will inherently have this WordPress vulnerability. But while routers and phones usually require your physical presence for mischief, anyone can potentially hack your WordPress site as long as they have the URL.
So what can you do? The easiest solution is to create a new administrator account on your WordPress site and delete the default “admin” account. This leaves no predictability in terms of administrator access.
2. Default Database Prefixes
When WordPress is first installed, the database tables are named with a default prefix of wp_. This is done so that all of the tables remain organized in your database in case you’re working with other software packages in the same database. The wp_ signifies that those specific tables are related to WordPress.
But here’s the catch – if a hacker is attempting to mess with your WordPress site, then this bit of predictability automatically makes him one step closer to tampering with your database tables. By knowing the names of your database tables, a hacker can manually poke at it until he gains access.
Think of it this way. Suppose a thief wants to steal something from your home but your home is equipped with special doors that have hidden keyholes until you call out the right “name” for that door. If the thief knows that your door’s name is “Sandy”, then all he needs to do is pick the lock, but if the thief doesn’t know your door’s name, he needs to first figure that out somehow before he can even start to pick it.
So what can you do? Simple. WordPress allows you to install using a table prefix that is different from the default prefix.
3. Accessible Files & Directories
With any website, the number of files that you actually want users to access is far smaller than the number of files that are necessary to power that website. You may have a lot of function files, class files, template files, configuration files, and more – none of which should be publicly available. The same is true for directories.
Using CHMOD, you can set permissions on various files and directories to prevent unwanted users from accessing sensitive materials. If a user had access to your configuration file, for example, he could tamper with your WordPress settings and break your website. WordPress is vulnerable when your website’s files and directories aren’t secured behind proper permission settings.
So what can you do? I actually had to deal with this problem recently, and the fix isn’t too difficult. Make sure that your WordPress installation is in accordance to the WordPress permission scheme.
4. SQL Injections & Hijacking
SQL injections are not unique to WordPress; in fact, they are one of the most common (and destructive) forms of web server attacks in the world. Not familiar with the term? Give my introduction to SQL injections article a quick peek to give yourself a basic understanding of the problem.
In essence, WordPress has had a few SQL injection security holes in their code over the years. Some have been patched while others remain uncovered or undetected. If a hacker gains access to one of these holes, he can inject malicious SQL code into your database, which can be used to steal data or just delete it altogether.
So what can you do? Well, here’s the catch – if you aren’t well-equipped enough to know how to defeat SQL injections, then you probably don’t have the technical know-how for building up a protection in the first place. You can probably look around for WordPress plugins that might address potential injection holes, but most users will simply need to wait for the next WordPress security patch.
- WP Security Scan - this plugin will scan your website setup and look for potential security vulnerabilities. It covers all sorts of areas from file permissions to database holes to password management and more.
- WordPress File Monitor Plus - in case someone has gained access to your site’s file structure, this plugin will let you know. It regularly monitors your system’s files and directories and makes note of any discrepancies.
- WordPress Firewall 2 - this plugin sets up a metaphorical wall around your site, scanning all inputted data and traffic for malicious intent. It’s pretty good at preventing attacks like SQL injections and other database attacks.
- Wordfence - Wordfence is something of an all-in-one security suite plugin that includes malicious attack protection, anti-virus scanning, a firewall, and more. Definitely worth a try.
While WordPress may be both open source and widely popular, that doesn’t mean it isn’t without its flaws. WordPress vulnerabilities pop up from time to time and when one is fixed, another one is usually right around the corner. With careful monitoring and preventative steps, you can minimize the risk that your WordPress site faces.