WordPress is so popular that it powers 25% of the entire internet’s websites. Because of its popularity, WordPress sites become a target for a lot of hackers.
Understand WordPress Security Vulnerabilities & Protect Your WordPress Sites
In order to understand how to protect your own websites, you need to understand the different types of WordPress security vulnerabilities. During this webinar, we’ll look at how to lock down WordPress and protect it from common threats.
3,972 Known WordPress Security Vulnerabilities
- 52% are from WordPress plugins
- 37% are from core WordPress
- 11% are from WordPress themes
Source: Statistics from WPScan.org
39% Cross-Site Scripting (XSS)
XSS injects client-side scripts into web pages viewed by other users. Attackers use it to bypass access controls and to impersonate other users. 84% of all security vulnerabilities on the entire internet are XSS attacks.
Other Known Attack Vectors…
- 5% — SQLI (Database Injections)
- 11% — Upload exploitation
- 7% — CSRF (Cross-Site Request Forgery: forces logged-in users to perform an action they didn’t mean to do.)
- 6% — Multiple attack vectors at once
- 3% — LFI (Local File Inclusion)
- 2% — RFI – (Remote File Inclusion)
- 2% — Authentication Bypass
- 2% — FPD (Full Path Disclosure)
- <1% — Redirect
- <1% — XXE (XML External Entity Attack) (intercepting XML and reformatting before submission)
- <1% — DDOS (Denial of Service)
- <1% — SSRF (Server Side Request Forgery)
- 6% — Unknown
File Inclusion Vulnerability
Remember that a website responds to arguments placed in the URL. So, imagine a site that loads PHP files in an innocent way: each file contains the code for one of the options a visitor can select.
That file would then load an additional file based on the form submission. BUT if someone found this behaviour, it could be exploited: a crafted request would make the page output the contents of the UNIX server password file (if proper permissions are not set).
This is just a harmless example of what COULD happen. Through the same method, someone could also force the server to load their own files.
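As an added illustration (not code from the webinar), here is the pattern described above in PHP: the vulnerable include next to an allowlist-based fix. The options/ directory layout, the option names and the `option` query parameter are assumptions.

```php
<?php
// Added example: a request parameter selects which option file to load.
// Assumed layout: options/*.php holds one snippet per selectable option.

// VULNERABLE: the "option" query parameter is used directly as a file path.
// Whatever the caller supplies is passed to include(), so the request
// controls which file on the server is read and executed.
function load_option_vulnerable(): void
{
    include __DIR__ . '/options/' . $_GET['option'] . '.php';
}

// HARDENED: map the request value to a fixed allowlist of known option files.
// The user-controlled string is only ever a lookup key, never part of a path.
const OPTION_FILES = [
    'shipping' => 'shipping.php',
    'billing'  => 'billing.php',
    'contact'  => 'contact.php',
];

function resolve_option_file(string $requested): ?string
{
    if (!array_key_exists($requested, OPTION_FILES)) {
        return null; // unknown key: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/options');
    $path = realpath(__DIR__ . '/options/' . OPTION_FILES[$requested]);
    // Defense in depth: the resolved path must still sit inside options/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_option_hardened(): void
{
    $requested = isset($_GET['option']) ? (string) $_GET['option'] : '';
    $file = resolve_option_file($requested);
    if ($file === null) {
        http_response_code(400);
        echo 'Unknown option.';
        return;
    }
    include $file;
}
```

The same allowlist approach applies wherever a WordPress plugin or theme builds an include path from request data: map the input to a known value first, then include only that value.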
What Can I Do?
- Remove Weak Logins. Enforce strong passwords & use two-factor authentication.
- Prevent Malware
- Secure Vulnerable Servers
- Set Proper Permissions
- Set Up WordPress Correctly
- Update All The Things! Use a service like iThemes Sync to keep all your WordPress sites updated with the latest version of WordPress and any installed plugins and themes.
- Learn To Harden Your WordPress Site
- Wake Up and Smell Your Password Problem
- WordPress Password Security: How to Protect Your Site & Your Digital Life
- Introduction to Two Factor Authentication
- How to Set Up Two-Factor Authentication for Your WordPress Site with Google Authenticator
- WordPress Malware Scan