Another day, another WordPress plugin hole - three ways to stay safe

WordPress is the world's most popular CMS - but you should definitely keep an eye on it.

Jötnar Systems, Alister Brenton

Boasting over 60% of the CMS market share, and 35% of all websites on the Internet, WordPress is inarguably the most popular content management system in the world today (stats: Kinsta). This level of thumping popularity inevitably brings risks with it: according to Wordfence, 2017 saw an average of 26 million daily attacks on WP sites across the world.

Outdated plugins: a silent menace

One of the most common attack vectors against WordPress is outdated plugins - these often contain security vulnerabilities which are then exploited to gain access. The latest example at the time of writing is a vulnerability in the ThemeGrill Demo Importer plugin, which would enable an attacker to wipe and reset a compromised site to its "out-of-the-box" state - in other words, they would then be able to take over the site as if they themselves had installed it.

The consequences of such an attack can be catastrophic: your website could be permanently lost, potentially taking with it hours of work and thousands of pounds of investment, or the attacker could use your site to distribute malware resulting in crippling reputation damage.

How to protect yourself

Fortunately, protecting your WordPress site against these kinds of attacks is relatively straightforward, with some simple steps and precautions you can take to make sure your WP site stays safe from being hacked. This list isn't exhaustive, but here are the top three things you should do to make sure your site stays protected.

1. Install Wordfence

I can't stress this enough: if you do nothing else, do this. Wordfence is an absolutely fantastic security plugin comprising a comprehensive firewall, malware scanner, abuse mitigation tool and more. Wordfence is extremely good at identifying and blocking suspicious traffic, meaning that it will quite often deny an attacker the chance to even attempt an exploit.

2. Keep on top of updates

Updates are extremely important: new exploits in plugins and themes are identified every day, and developers release updates to fix them. However, the fix is no good if you haven't installed it and, as explained in my previous article, once a patch is released the vulnerability usually becomes public - with attackers specifically looking for unpatched systems to exploit.

3. Take regular backups

Of course, even if you have a state-of-the-art protection system and stay updated up to the minute, it's still possible that an attacker may 'get lucky' with a newly-discovered exploit. At this point, having a recent backup may well mean the difference between a few hours' inconvenience and a business-ending disaster.
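Steps 2 and 3 go together in practice: take the backup first, then apply the pending plugin updates. The script below is an added example, not the author's or Wordfence's code; it assumes WP-CLI (`wp`) is installed and is run from the WordPress root directory. The plugin list it parses is a constructed sample in the shape of `wp plugin list --format=csv` output, so the parsing part runs without a live site.

```shell
#!/bin/sh
# Added example: find WordPress plugins with a pending update using WP-CLI's
# CSV output, then take a database backup before applying those updates.
# Assumes WP-CLI (`wp`) is installed and the script runs from the WordPress root.

# Parse `wp plugin list --format=csv` (columns: name,status,update,version,...)
# from stdin and print the names of plugins whose "update" column is "available".
# Reading stdin lets the function be exercised on a captured sample without WP-CLI.
outdated_plugins() {
    awk -F',' 'NR > 1 && $3 == "available" { print $1 }'
}

# Constructed sample of WP-CLI output (not real site data; versions are made up).
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,none,1.2.3
themegrill-demo-importer,active,available,1.2.3
hello,inactive,none,1.2.3
classic-editor,active,available,1.2.3'

# Export the database with a timestamped filename, then update only the plugins
# that report an available update. Fails early if WP-CLI is missing or the
# backup does not complete, so no update is applied without a backup.
backup_then_update() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "WP-CLI not found; run this from a host with wp on PATH" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    wp db export "backup-${stamp}.sql" || return 1
    pending=$(wp plugin list --format=csv | outdated_plugins)
    if [ -z "$pending" ]; then
        echo "No plugin updates pending"
        return 0
    fi
    # shellcheck disable=SC2086  (word splitting on plugin names is intended)
    wp plugin update $pending
}

# Stand-alone demo: show which plugins in the constructed sample would be flagged.
echo "$SAMPLE_PLUGIN_CSV" | outdated_plugins
```

Running the script prints the two plugins in the sample with an update available; calling `backup_then_update` on a real site performs the export and the updates. Keep the exported `.sql` file somewhere other than the web root, and schedule the script (or an equivalent) so the check happens daily rather than when you remember.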

Don't fall victim to WordPress criminals.

We can help protect you - email protect@jotnarsystems.com today.