July 14, 2021
WordPress is one of the most popular CMS platforms in the world, but it’s also one of the most hacked. Hundreds of thousands of WordPress installations are breached every year, and online threats only increased during the pandemic. In 2020 we saw security issues jump by as much as 6 times their usual levels, partly because so much economic activity shifted online.
You have to wonder: why is WordPress getting targeted so much?
Well, it’s partly due to its popularity, and partly due to the fact that all software has vulnerabilities, including WordPress. In terms of popularity, 41% of all websites, and 60% of the top 1 million sites, are powered by WordPress, making it a “worthwhile” target for hackers. If they can find and exploit a vulnerability in one WordPress site, that can help them crack other WordPress sites more easily.
On top of that, WordPress code is open source, so new bugs and vulnerabilities are shared publicly. Hackers turn that to their advantage to refine their attacks.
Over 70% of WordPress installations are vulnerable to hacker attacks, more than 47% of hacked sites have at least one back door, and WPScan (a leading database of WordPress vulnerabilities) currently reports a whopping 22,826 vulnerabilities.
Part of what makes WordPress so popular is its versatility thanks to the many plugins and themes that make it easy to create and customize a website. But the profusion of moving parts means that there are also many opportunities for a vulnerability to creep in.
WordPress vulnerabilities can be found on numerous levels, from the OS and MySQL database to plugins, themes, and the WordPress core itself.
WordPress core developers, along with plugin and theme developers, publish updates to patch security issues and fix bugs, but far too many site owners fail to keep on top of updates. Keeping WordPress updated is an ongoing effort that demands time, awareness and resources.
According to WordPress statistics, only 43% of sites are running the latest version of WordPress, just 0.5% are using the latest version of PHP, and 58.2% are running unsupported versions of MySQL. That’s particularly concerning given that SQL injection is one of the most popular types of WordPress attack.
WordPress plugins are particularly vulnerable, because anyone can build and market one, but not every developer has the same level of skill or security consciousness. Plus you have to stay on top of every one of the numerous plugins your website uses.
Plugins are often bundled together into themes, so site owners aren’t always aware of all the tools running on their site, making it even easier for vulnerabilities to go unnoticed.
It’s alarming that one of the top ten most vulnerable plugins in 2020 was the All In One WP Security & Firewall, which is a stark reminder that even security plugins can turn into a backdoor for hackers.
It’s a no-brainer that it’s important to protect your WordPress site, but it can be hard to know how to do so effectively. Cyber attackers are relentless, using automated tools to bombard sites until they find a vulnerability to exploit.
The most common types of WordPress attacks are cross-site scripting (XSS) and SQL Injection. WordPress sites are particularly susceptible to XSS attacks because so many plugins have XSS vulnerabilities.
Brute force attacks are also common, because the system permits unlimited login attempts. Other modes of attack include DDoS attacks, remote code injections, session hijacking, man-in-the-middle attacks, social engineering, and remote and local file inclusions. There are also many ways to create a backdoor into a WordPress site.
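Repeated login attempts of this kind are visible in web server access logs. The following is an added example, not code from the original article: it assumes combined-format access logs and the default WordPress behaviour in which a failed POST to /wp-login.php returns 200 and a successful one redirects with 302. The function names, threshold, window and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": peak count in window, "success_after": bool}}."""
    recent = defaultdict(deque)  # ip -> timestamps of failed logins still in the window
    flagged = {}
    for rec in filter(None, map(parse, lines)):
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        if status == 302:  # assumed: redirect means the login succeeded
            if ip in flagged:
                flagged[ip]["success_after"] = True  # guess may have worked: investigate
            continue
        if status != 200:  # assumed: 200 means the form was re-rendered (failure)
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"failures": 0, "success_after": False})
            entry["failures"] = max(entry["failures"], len(q))
    return flagged

def sample_log():
    """Constructed log lines (documentation IP ranges), not from a real site."""
    fmt = '{ip} - - [14/Jul/2021:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    post = "POST /wp-login.php"
    lines = [fmt.format(ip="203.0.113.7", m=0, s=2 * i, req=post, st=200) for i in range(6)]
    lines.append(fmt.format(ip="203.0.113.7", m=0, s=14, req=post, st=302))
    lines += [fmt.format(ip="198.51.100.20", m=5 * i, s=0, req=post, st=200) for i in range(2)]
    lines.append(fmt.format(ip="198.51.100.20", m=11, s=0, req="GET /wp-login.php", st=200))
    return lines

if __name__ == "__main__":
    for ip, info in find_bruteforce(sample_log()).items():
        print(ip, info)
```

An address flagged with `success_after` set deserves a password reset and session review for the account involved, since a guess may have succeeded.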
Companies use security defenses, like Web Application Firewalls (WAFs), brute-force protection, and anti-DDoS solutions, but there are too many holes to plug. What’s more, security efforts can sometimes be counterproductive: while they solve one issue, they may create others, like slowing down the site. It can often feel like adding security patches and tools is an endless game of defensive whack-a-mole.
And to make protecting your site even more complicated, sometimes security patches and plugins actually conflict with each other, creating new issues where none existed before. Plus security patches also need to be kept updated themselves, adding yet another task to the to-do list.
Brute force attacks are ineffective on the vast majority of static sites, and DDoS attacks can actually make the site faster if you’re using a high-quality CDN. All the layers of WordPress vulnerabilities are non-existent, but the UX doesn’t change. Some services, like Strattic, can even keep your WordPress admin offline by default, and only bring it online when you need to make changes, adding yet another layer of protection.
With so many vulnerabilities and breaches on WordPress sites, it’s clear that the traditional methods of defense aren’t working. Headless static sites offer a new and successful way to protect your WordPress site and offer excellent UX at the same time.