Is Your Website on WordPress? It’s Time to Level Up Your Security
No matter what platform you run your website on, it’s imperative to have measures in place to keep your data and your users safe. That includes running any updates for additional third-party plugins and themes where hackers can find vulnerabilities.
This is highlighted by a new report that shows 98% of hackings on WordPress can be blamed on plugins and themes that are not consistently updated. Without updates, these tools are lacking the security updates, patches and bug fixes that put WordPress website owners and users at risk.
Case in point: on April 28th, WordPress revealed that a hacker group recently tried to hijack over 900,000 WordPress websites, using over 24,000 distinct IP addresses to do so.
ZDNet spoke to Ram Gall, QA engineer at WordPress security plugin Wordfence, who said the hackers generally targeted cross-site scripting (XSS) vulnerabilities. Their goal was to implement specific JavaScript code to send future users to fraudulent sites.
This code was also used to identify WordPress website administrators to use their credentials to create additional fake and dangerous websites.
Why Was WordPress Attacked?
WordPress is one of the most popular hosting websites on the internet. It’s free of initial costs and is an accessible way for people to create a professional site for their company or personal pursuits.
Because of this, there are a reported 1.3 billion active WordPress websites online today, making the platform a massive target for cyberattacks.
Luckily, the core WordPress features that come with every account have not been affected. Instead, it’s important that WordPress users check on their website’s specific plugins and themes to make sure they are not behind on any updates.
Which Plugins Were Hacked?
It’s important to remember that cyber hackers are always leveling up their tactics and finding new plugins to target. There’s no way to guess which plugin is going to be victimized next.
However, ZDNet has rounded up some of the most highly targeted plugins on WordPress this year so far – here are the ones you should be sure to update on your site:
- Duplicator: Allows site administrators to export the content of their sites
- Profile Builder: Allows site administrators to let website users create login accounts
- ThemeGrill Demo Importer: A plugin used to implement commercial WordPress themes from ThemeGrill
- ThemeREX Addons: A plugin used to implement commercial WordPress themes from ThemeREX
- Flexible Checkout Fields for WooCommerce: Allows site administrators to create custom e-commerce setups
Some of these plugins are extremely popular – Flexible Checkout Fields for WooCommerce, for example, is installed on over 20,000 websites. No matter how popular or mainstream a plugin may look, they’re still vulnerable to hacking if they remain outdated.
What Can WordPress Users Do?
As we’ve discussed earlier, the most important thing you can do to protect yourself from being hacked is to regularly check your website for updates. Hackers were able to infiltrate these WordPress websites through plugins and themes that were not updated to the most current version. Oftentimes, updates contain important bug fixes that will help keep your site safe.
It’s also important to do your research about the plugins you’re installing to make sure they’re coming from verified, reputable vendors who you can trust. Once you stop needing a plugin or theme you’ve downloaded, don’t let it sit there – delete it if you’re not going to use it again.
ZDNet also suggests that WordPress website owners should consider a website application firewall (WAF) plugin to help screen and block future hackings.
If you have any additional questions on comprehensive ways to keep your company’s website and assets safe from online attacks, contact Switchfast today to discuss your options.
