One of the most tightly protected platforms is WordPress compared to others. However, the saying "no system is secure" is, of course, also valid for WordPress. The more known a platform is, the more people looking for its vulnerabilities will increase, and attackers will found them.
If you have built your website on WordPress, this can become one of your biggest concerns as malware can affect your website in various ways. This article will focus on what are the things that make your WordPress not secure, how to secure WordPress site, and WordPress security plugins.
In our age, new malware is emerging day by day, and this malicious software is getting more and more complex. Therefore, in this article, we will discuss the damages that this malware can cause instead of looking at each malware one by one. One of the most known effects is falling back in Search Engine Optimization (SEO).
Most website owners try to rank at the top of search engines such as Google and Yandex, and we spend much time on this. This work is called SEO work. Are there any ways to do these things easily? Of course, there are, but these methods are banned by search engines such as Google, but some attackers still use this method today. One of these methods is the SEO Spam Injection. SEO Spam Injection is a type of attack that secretly redirects to other malicious web pages on your website and aims to fraud through the redirected pages.
In a study conducted in 2016, a total of 873 cases were categorized, and it was observed that almost 19% of them were SEO Spam. In the later stages of this article, we will also talk about how you can get rid of it and prevention methods.
Cryptocurrencies play a considerable role in the digital world these days. Along with the good sides of this technology, of course, those who want to use it maliciously have emerged. An example of this is malware that infects your website and uses your customers' devices for cryptocurrency mining. Although such attacks do not affect your customers' performance on the site, they risk the customer's severe loss of trust when noticed.
To prevent such attacks, you can use various security plugins. One of them is the WP Activity Log. This plugin shows when and where your site made changes to WordPress core files and other security events. In this way, as long as you look at your logs every day, you will have the opportunity to detect and fix a security problem when it occurs.
If anything can harm your website more than the first two items, it is unauthorized redirects. Unauthorized redirects are the unauthorized redirection of users from a site that has been captured by attackers to another site. Attackers usually perform this method with a code placed in the database or login page or upload a different file with the PHP extension to the system. These types of routing can usually have several other purposes. Such as:
It is redirected to a copy of your site to capture critical information of your users
Users can be redirected to attackers' site to get more traffic
This section will tell you about the most common mistakes that lead to WordPress security issues. Mistakes often result from site owners' incomplete information or carelessness. In addition to talking about the mistakes made in this section, we will also discuss preventing them in the following sections.
This is one of the mistakes that WordPress users often make. Whenever a new WordPress version is released, all users receive a message about the latest version, but many ignore it and hope things continue. But for hackers, every update that is not made means a new opportunity because, with each update, a vulnerability can be closed, and sites that do not update become exploitable thanks to this vulnerability.
GoDaddy's security vendor analyzed 18,302 infected websites and cleaned over 4.4 million files to compile the latest "Hacked Website Trending" report. As a result of this analysis, it was observed that the rate of various sites that were attacked according to the CMS platform distribution in 2017 increased from 83% to 90% in 2018. Approximately 37% of these numbers are outdated sites. Therefore, making every update published on WordPress on time or automatically carries enormous importance.
One of the things that WordPress users love to do with their site is undoubtedly plugins and themes. Even now, there are more than 80,000 plugins on WordPress, and the number is increasing.
While all these different usage options and features are great for bringing your website closer to perfection, each extension is a hacker's potential attack route. There may be several significant threats that even a wary user and developers are likely to overlook. For example;
A plugin or theme has a vulnerability, but it cannot be detected because it does not have many users.
The developer who made the plugin or theme stopped developing, but people still use that plugin or theme.
The developer may have closed an existing vulnerability in the software, but users will not update this software.
In a 2016 survey, more than 60% of site owners who know how hackers hacked their sites said the problem was the vulnerability of the plugin or theme they used.
What is Shared Hosting?
To create your site on the Internet, you need web servers that you can buy from secure wordpress hosting providers such as GoDaddy or BlueHost. When you set up your site on these servers, these servers manage your actions on your site. For example, when a customer logs into your site, the server you use will prepare the customer's data and then send it to the customer to be displayed on the screen. You will need the capabilities of the server you are using to execute many such operations. That's why shared Hosting was born. Shared Hosting is a method where a server hosts multiple sites.
The number of websites on the shared server depends on the limit of resources allocated to each website. However, shared Hosting can hold thousands of websites together. This is what allows providers to offer their shared hosting plans for such a low price. However, hosting thousands of websites on a single server can also lead to severe vulnerabilities and troubles. Some of these are:
When a hacker or attacker attacks another site using the same Hosting as you, this attack will consume more of the server's resources as an attack on the server. Therefore, under normal circumstances, the number of resources given to your site will decrease, and this will cause a slowdown in processing and sending requests when customers who enter your site want to access any content. Although this is not a direct attack on your site, it also affects you indirectly.
An IP address is a unique code made up of consecutive numbers that enable any device, such as a computer, telephone, to connect to the Internet. A server is a device that uses the Internet like the examples we have just given, so each server has its IP address. This means that all websites on the server used in a shared hosting service will share the same IP address.
If a different website sharing the same service and sharing the same server with you engages in illegal activity or sends spam messages to its customers, the IP address of the server it uses will be blacklisted and marked as malicious. The same sanctions will be applied to you because you are also using the server and the IP address. Some of the consequences of these sanctions are as follows:
When firewalls detect that your website has a flag telling that it is a malicious site, it prevents the relevant user from entering your site.
Since various email providers blacklist your IP address, they direct your emails to your customers' spam boxes.
Since search engines such as Google, Yandex, Yahoo blacklist your site, your site will fall behind in searches.
One of the excellent features of WordPress is that it allows web servers to modify various files. However, allowing write access to files can be potentially very dangerous, especially in a shared hosting environment. You should turn off file permissions as much as possible. If you need to allow write access, it is best to create one or more folders with fewer restrictions to perform operations such as uploading these files. All files must belong to your user account and must be able to be written by you. All files that require write access from WordPress should only be writable by the webserver. With a few examples below, you can get information about what kind of authorization you can give to the directory.
/ WordPress root directory: All files should contain write permissions only for your user account.
/wp-admin/ WordPress admin area: All files should also be authorized to write by your user account.
/wp-includes/ Wordpress's application logic Area: All files must also have write authority by your user account.
/wp-content/ User-provided content: The files here must be authorized files that you and the webserver can access.
2 more important directories inside the / wp-content / file:
/wp-content/themes/: This directory contains theme files. If you want to use a theme editor, all files here must be accessible by the webserver.
/wp-content/plugins/: This directory contains plugin files. The files here must have permissions that only your user account can access.
If we told you that software on your site allows attackers to enter your site easily, would you want to remove this software? What if we told you that you could easily find such software.
Web Shell Detector is a handy tool that defends that it can detect your servers 99% against web shell malware. Thanks to its signature base, it quickly detects many different shells and consumes minimal server resources while doing this.
To install the web shell detector application, download it from Github and then put shelldetect.php and "shelldetect.db" in the root directory. After that, all you have to do is open shelldetect.php in your browser. You can visit their website for more information.
Installing a security plugin is one of the easiest ways to find and remove malware from your site.
Even as you read this article, there are approximately 18.5 million infected websites, and an average website gets attacked 44 times a day, according to an article published in 2018. Just for the reasons we have given above, it becomes necessary to download and install a malware removal plugin. In doing so, you need to get an idea of which plugin you have installed because some malware removal plugins have not updated themselves and are behind the times when it comes to detecting and removing malware in our age. That's why when you download a malware removal plugin, you need to find a useful and effective one. Fortunately, we researched and found a few add-ons for you that helps WordPress security scan and secure your WordPress website. Some of those:
Used by thousands of different organizations and developers, MalCare automatically helps you delete various malware on your site. It is also a simple application to use.
Wordfence is a well-known WordPress security plugin like MalCare, fast and available. This plugin's feature is that it searches search engines like Google to remove malware from your website.
This application is designed for WordPress and Joomla. One of the application's highlights is that it automatically scans the system at regular intervals and deletes it by itself.
If there are any significant changes to your website or you don't have a clean backup before introducing features to your new site, a much more tiring process awaits if you lose this data. If you regularly take your backup, you can easily guess where the problem originated and not fall into this error again. So if you notice that malware exists on your system, all you have to do to remove the malware from your site is to revert to the backed up files. If your Hosting has a snapshot feature, back up the instant status of the entire site. The snapshot will be the most extensive backup of the whole server, so make sure your Internet won't go down. If you can still access your site, you can immediately back up your site with WordPress backup plugins such as BackWPup, UpdraftPlus, and Backup Buddy.
We assume that the first step is not enough to clean your website and delete all WordPress malware. Now, you have to do some actions yourself. The first thing you should do is view all the files in your hosting account. Hackers can inject malicious code in two places. The first place it can store is the actual file your website uses to run it or a file located on the server in a hosting account. Since the database is a place to store all the website's information and content, it can become another place where hackers can infect your website with malware.
Most hosting accounts now have a control panel. In the control panel, you can access your site's file manager and get ideas from there. Here you need to delete files that you do not see necessary or do not recognize. If you are unsure of what you are looking at and what to delete, it may be helpful for you to work with someone with sufficient knowledge to do this properly for you not to delete the content that should be used for the website to work.
One of the simplest and most important ways to ensure your site's security is to choose the hosting company well because when you select a cheap hosting company, it can leave your site under attack due to your hosting company's weaknesses. As a result, your data may be erased, or the malicious events that we previously listed may happen to you. Making a deal with a quality hosting company will serve you much better not only in terms of performance but also in terms of security.
Passwords are one of the most critical information of websites to be protected. However, most users prefer to leave this essential information vulnerable rather than protecting it. According to a report published in 2017, 81% of attacks occur with weak and repeatedly used passwords. To prevent you from being exposed to these attacks, the password you use on each platform must be different, and each of these passwords must contain at least one special character, number, uppercase, and lowercase letter.
The URL of your admin login account that comes by default on every WordPress site is "site.com/wp-admin." Leaving this admin login page as default allows you to initiate many attacks for your username/password combinations, such as the Brute Force attack. You can change your admin login page URL to prevent such attacks before they even start. Besides, you can further secure your WordPress account by adding a 2-factor authentication plugin to your WordPress. In this way, even if the attacker finds your username and password, they will need a code to log in and not log into your account because they cannot get it.
Another tip is to discover and block the attackers from their IP addresses by detecting the IPs trying to get into your account, which repeatedly failed through a plugin.
Keeping your WordPress up-to-date is an excellent way to make your website more secure because WordPress makes an update to fix the vulnerability whenever they found a vulnerability. This update aims to eliminate the vulnerability. When you do not update, the threat occurs, and the attackers immediately begin to infiltrate your site from these vulnerabilities and perform various activities that can seriously damage your site.
To update the WordPress version, you can easily get new versions by visiting the admin panel's updates section.
Every user wants to enjoy the benefits of a paid service for free. However, this request often leads to serious security problems because most users turn to cracked software to use paid software for free. If you think that cracked software provides its service for free, you are wrong because these software's are the various critical information of your site in return for service. A cracker who seizes this information thanks to the backdoors in the cracked software they give you can immediately take over your site, reduce your site's credibility through phishing or various attacks, or even blacklist it. So never use cracked software, give your money, be safe. Remember, "free cheese only happens in a mousetrap."
Summary of WordPress Security
WordPress security is not difficult at all. Take some time to clean and protect your site from malware, and check the items mentioned above one by one. You can start improving your website's security right now by backing up your website and updating your WordPress version. You can continue by updating the plugins and whether they are all licensed and tightening your passwords. Remember, these are never definitive solutions because no system is safe; however, it will significantly reduce your likelihood of getting hacked if you apply the substances. Stay safe!