In the run up to the new General Data Protection Regulations (GDPR), new data shows that 86.5% of WordPress websites in the UK are vulnerable to known hackable exploits.
With GDPR now only a month away, businesses across Europe are gearing up for what will potentially be one of the biggest shifts in data privacy laws since the 2003 CAN-SPAM Act.
Businesses will face fines of up to €20 million if they do not comply with new legislation and processes, that ultimately put users in control of who, how, and where their personal data is stored.
A key part of GDPR is the business’ responsibility to secure customer data and websites to prevent data breaches, phishing, and other forms of malicious online activity.
Estimates show that WordPress is used by 25–40% of the internet, depending on which source you read, and given its widespread popularity and usage, it is a prime target for hackers.
A recent research study conducted by cybersecurity monitoring platform CyberScanner, they scanned 93,930 WordPress websites and 9834 WooCommerce websites based in the UK and found that on average 80.7% contained at least one known, hackable exploit that can be deemed as a severe security risk.
Some of the most common known vulnerabilities scanned for included cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and SSL certificate problems.
The worst offending WordPress website had a total of 23 separate high-risk known vulnerabilities, among other medium and low risk classified exploits.
Securing your WordPress website
There are more than 100,000 known vulnerabilities that can be exploited by hackers to extract customer data, plant crypto-mining software, or even setup hidden form fields to steal credit card information users have saved in their browsers.
There is no blanket solution to securing your WordPress website, but there are steps that all WordPress webmasters can take to secure commonly exploited areas of the platform.
Brute force attacks
Brute force attacks are a method used by hackers to obtain login information to websites, such as usernames, passwords and PINs. Typically conducted using automated software, a brute force attack generates a high volume of consecutive guesses to both the login and password field.
While having a strong password is always encouraged, it alone may not be enough to prevent a brute force attack. There are some things that you can do, however, to minimize your risk.
Customize login page URLs
Generally, the login page URL for a WordPress website is /wp-login.php or /wp-admin/, and an automated piece of software can guess this. By renaming the URL to something more unique, automated software may not be able to find the page to begin the attack in the first place.
Limit login attempts
A common feature of WordPress websites (and all websites), is the limitation of login attempts.
A number of free plugins exist (such as WP Limit Login Attempts) that enable easy implementation for webmasters and can go some way to protecting your site.
Enable two-step authentication
This is becoming more common across all web applications that require a password, and can be implemented with relative ease on a WordPress website (and through a plugin such as Google Authenticator – Two Factor Authentication).
This requires the user to install an application on their phone, and when they go to login on the website they will need to go to the app to get a randomly generated code to input to complete the login process.
Use SSL to encrypt data in transit
While SSL and TLS don’t wholly secure a website, they do secure user data as it travels between the user’s browser and the website server.
Again, this can be installed with relative ease through Cloudflare’s WordPress integration and its SSL offering.
Google also sees HTTPS as a basic security step that websites must take in order to protect users, and in the Chrome 70 browser websites not on HTTPS will be flagged as not secure by standard.
Securing your database
No matter how secure a website is, keeping and maintaining regular database back-ups is an essential best practice that should be part of any webmaster’s processes.
There are a number of free and premium solutions ranging from VaultPress, BlogVault, and Backup Buddy, all of which are viable options, and the chosen solution should be adequate to the business needs.
Regular housekeeping and updates
Themes and plugins are the backbone of any WordPress website, but they can easily become security threats if they’re not updated and maintained regularly.
Not updating your themes and plugins can mean serious trouble. Many hackers rely on the mere fact that people can’t be bothered to update their plugins and themes. More often than not, those hackers exploit bugs that have already been fixed.
Not updating your theme and plugins can lead to easy backdoors and exploits, as many hackers rely on the fact and look out for webmasters being lax and not updating their assets.
It’s also advised that you remove your WordPress version number, as it’s publicly visible within your source code. Some historic WordPress versions have developed a larger number of vulnerabilities than others, so this could be an advertisement for hackers to attempt a number of already known security challenges. Sururi offer a free plugin to remove the version number from your site.