Why So Many WordPress Sites Get Hacked – And How You Can Avoid Being Part of The Problem
According to a report published earlier this month by Sucuri, WordPress accounted for 90% of hacked content management system sites in 2018. While that could certainly be due at least in part to its popularity, there’s a deeper reason here, as well. Understanding it is the first step in avoiding becoming part of the problem.
In 2018, WordPress accounted for approximately 90% of all hacked content management systems, according to a report released earlier this month by security firm Sucuri. Now, given that WordPress is still one of the most popular CMSs in the world, that’s not exactly surprising. It’s got a bigger market share, so you’d naturally expect it to take a bigger piece of the pie where cyber attacks are concerned.
Thing is, the second-place CMS, Magento, accounted for just 4.6% of hacks, with Joomla in 3rd at 4.3%. Let’s take a look at the numbers here. WordPress currently holds about 60% of the CMS market, and accounts for 33% of all websites.
Even with such a high share, you’d expect more hacks to target other platforms, right? So what gives here? A few things.
See, WordPress’s accessibility is both its greatest strength and its most glaring weakness. Because it’s so easy to build a website in WordPress, it’s also easy to overlook basic security and configuration mistakes. Similarly, because you can install WordPress plugins with a single click, it’s easy to end up with one that’s vulnerable to a hack.
The good news is that while it’s easy to commit a security blunder on WordPress, it’s also incredibly easy to avoid becoming yet another victim of cybercrime. Basic security practices will get you part of the way, and common sense will take care of the rest.
First – and most importantly – do your homework before installing a plugin or theme. Read the reviews online, and pay attention to what people are saying. A malicious or poorly-coded plugin will probably have bad reviews, but a clever criminal might try to artificially inflate their score with review bots.
Search for a plugin on Google before you download it, as well, and only download from a reputable source. That’s either the official WordPress plugin directory or the plugin developer’s site. And finally, if you’re offered the chance to download a premium plugin or theme for free… don’t.
There’s a very good chance the download is laden with malware or comes with a backdoor.
Similarly, don’t install too many plugins. Only use what you know you need for your website to work. This is as much about website performance as it is about security. A site that’s bogged down with too many add-ons will slow to a crawl – it’ll offer a terrible end-user experience and one that drives away your audience.
It’s also important that you limit the number of admin accounts on your site. The more logins that maintain administrative access, the easier it becomes for someone to compromise your backend. On that note, it’s also imperative that you change the admin account’s default username and password – use a strong password that you’ve tested with a password strength checker, and one that you’ll be able to remember (or just install a password management app).
Moving back to the software side, always keep your plugins and WordPress installation up to date. Security updates and the like exist for a reason. If you slack on installing them, you do so at your own peril, as you’re leaving your site open to known hacks and exploits.
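The checks from the last three paragraphs (plugin count, admin accounts and default login, pending updates) can be run as a routine audit. The script below is an added example, not part of the original article: it assumes you have exported your user and plugin lists as JSON with WP-CLI (`wp user list --role=administrator --format=json` and `wp plugin list --format=json`), and the sample data, thresholds and check names are made up for illustration.

```python
import json

# Constructed sample data in the JSON shape WP-CLI prints; names are made up.
SAMPLE_ADMINS = '''[
  {"ID": 1, "user_login": "admin", "roles": "administrator"},
  {"ID": 7, "user_login": "jsmith", "roles": "administrator"},
  {"ID": 9, "user_login": "old-contractor", "roles": "administrator"}
]'''
SAMPLE_PLUGINS = '''[
  {"name": "example-forms", "status": "active", "update": "available", "version": "2.1.0"},
  {"name": "example-seo", "status": "active", "update": "none", "version": "5.4.2"},
  {"name": "example-slider", "status": "inactive", "update": "available", "version": "1.0.3"}
]'''

MAX_ADMINS = 2    # assumption: set this to the number of admins you really need
MAX_PLUGINS = 20  # assumption: the article gives no number, pick your own limit
DEFAULT_LOGINS = {"admin", "administrator"}  # logins attackers guess first


def audit(admins_json, plugins_json, max_admins=MAX_ADMINS, max_plugins=MAX_PLUGINS):
    """Return a list of (check, detail) findings for the hygiene rules above."""
    admins = json.loads(admins_json)
    plugins = json.loads(plugins_json)
    findings = []
    # Admin accounts: default username still in use, or too many admins.
    for user in admins:
        if user["user_login"].lower() in DEFAULT_LOGINS:
            findings.append(("default-admin-login", user["user_login"]))
    if len(admins) > max_admins:
        findings.append(("too-many-admins", str(len(admins))))
    # Plugins: updates not yet installed, and plugins installed but not in use
    # (treating "inactive" as "not needed" is this example's interpretation).
    for plugin in plugins:
        if plugin.get("update") == "available":
            findings.append(("plugin-update-pending", plugin["name"]))
        if plugin.get("status") == "inactive":
            findings.append(("unused-plugin-installed", plugin["name"]))
    if len(plugins) > max_plugins:
        findings.append(("too-many-plugins", str(len(plugins))))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_ADMINS, SAMPLE_PLUGINS):
        print(f"{check}: {detail}")
```

An empty result means none of these checks fired; it does not replace the malware scans and backups discussed next.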
Last but certainly not least, install antimalware and antispam plugins, and run regular checks to monitor for vulnerabilities and potential attacks. Even with all of the above steps, there’s a chance your site will still be compromised. That’s why vigilance is important here – the more aware you are of your site’s inner workings, the likelier you are to notice when something isn’t quite right.
And the quicker you’re able to pick up on the fact that something’s off, the quicker you’ll be able to prevent any lasting damage. And on that note, make sure you also maintain regular backups of your site. That way, you’re safe from pretty much any
It’s a little astounding to think that 90% of successful hacks against content management systems target WordPress. That’s not a black mark against the platform, though. The majority of these attacks are a direct result of a mistake made by the webmaster – a misconfigured plugin or a weak password, for instance.
So long as you’ve got good security hygiene and a basic grasp of the best practices necessary to protect your site, you’ll be just fine.
About the Author:
Brad Litwin is the Marketing Manager at A2 Hosting, a high-performance web hosting provider. Brad’s experience ranges from PPC management to social media management. For more great content, you can follow A2 Hosting @a2hosting on Twitter.