WordPress itself may be reasonably safe, but the plugins and themes you add to extend your site are where most of the risk lives. Here is what you should know about securing WordPress plugins and themes.
WordPress is by far the most popular content management system, powering millions of websites. It is open source software, which means its source code is publicly available and anyone with sufficient knowledge can inspect or modify it.
WordPress plugins and themes can be purchased, but tens of thousands of them are free. As one might expect, this is not without drawbacks. So how secure are WordPress sites? What about their plugins and themes? And how can you safeguard your own site?
How Vulnerable Is WordPress?
In February 2022, Jetpack found that popular themes and plugins from the vendor Access Press Themes (also known as Access Keys) had been compromised. The researchers discovered the problem by chance after spotting suspicious code on a compromised website. Further investigation showed that most Access Press plugins and themes contained the same code.
It later emerged that Access Press Themes had been the target of a cyberattack in September 2021, in which the attackers inserted a backdoor into the vendor's plugins and themes.
Access Press eventually updated and cleaned up its products, but thousands of customers were likely exposed to attack for months.
Do WordPress Plugins and Themes Have Vulnerabilities?
Jetpack's findings show how exposed a WordPress site can be. And this was not an isolated incident.
Wordfence, for example, reported severe vulnerabilities in two WordPress plugins in March 2021 which, if successfully exploited, would have allowed an attacker to take control of a website. The flaws were found in the Elementor and WP Super Cache plugins. Elementor is a well-known website builder used on over seven million websites, and WP Super Cache is a popular caching plugin.
According to Search Engine Journal, the United States government's vulnerability database and WordPress security researchers warned of major vulnerabilities in dozens of WordPress plugins in February 2022.
Header Footer Code Manager, Ad Inserter, Ad Manager & AdSense Ads, Popup Builder, Anti-Malware Security and Brute-Force Firewall, WP Content Copy Protection & No Right Click, Database Backup for WordPress, GiveWP, Download Manager, and Advanced Database Cleaner were among the affected plugins, which together were installed on over 1.3 million websites.
How to Secure Your WordPress Site
One would think that once found, these vulnerabilities are always patched or the affected plugins removed, but this is not the case.
According to Patchstack research, reported WordPress vulnerabilities increased by 150 percent in 2021 compared to 2020, and 29% of those vulnerabilities received no patch. Patchstack also found that only 0.58% of reported weaknesses were in the WordPress core, meaning vulnerabilities are found almost exclusively in plugins.
It is vital that all plugins you use, as well as the WordPress core, be up to date.
Do some research before downloading and installing a plugin. Check the plugin's install count, read reviews, see when it was last updated, and confirm it has been tested with the most recent WordPress core. This takes only a few minutes, but it can save you a lot of grief later on.
You can also use WPScan, a simple and effective WordPress vulnerability scanner. The tool can also search its vulnerability database for plugins by name. The free tier allows a maximum of 25 API queries per day.
Fortunately, some plugins are specifically designed to keep attackers out of your WordPress site. Among the best-known WordPress security plugins are Login LockDown, Wordfence, and BulletProof Security. Login LockDown is entirely free, while the other two offer free versions with limited functionality.
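The vetting checklist above (install count, rating, last update, compatibility with the current core, plus whether your installed copy is behind the latest release) can be scripted. The following is an added example, not code from the original article or from WordPress, Patchstack or WPScan. It applies those checks to a record in the shape returned by the WordPress.org plugin-information API (`https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>`); the field names `last_updated`, `tested`, `active_installs` and `rating` are that API's, while both sample records and every threshold are constructed for the example and are not real plugin data.

```python
"""Pre-install vetting of a WordPress.org plugin record (added example).

Fields used (last_updated, tested, active_installs, rating, version) follow
the WordPress.org plugin_information API. The thresholds below are
assumptions a site owner might choose, not recommendations from the article.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real plugins): one stale, one healthy.
STALE_RECORD = json.dumps({
    "name": "Example Gallery", "slug": "example-gallery", "version": "1.4.2",
    "last_updated": "2021-02-11 3:40pm GMT", "tested": "5.6", "requires": "4.9",
    "active_installs": 800, "rating": 70, "num_ratings": 12,
})
GOOD_RECORD = json.dumps({
    "name": "Example Forms", "slug": "example-forms", "version": "2.0.1",
    "last_updated": "2022-02-20 10:05am GMT", "tested": "5.9", "requires": "5.4",
    "active_installs": 200000, "rating": 92, "num_ratings": 3100,
})
# Fixed "now" so results are reproducible; a real run would use datetime.now().
CHECK_TIME = datetime(2022, 3, 1, tzinfo=timezone.utc)


@dataclass
class VetResult:
    slug: str
    ok: bool                      # True when no blocking finding was raised
    update_available: bool        # installed copy is behind the published version
    findings: list[str] = field(default_factory=list)


def parse_last_updated(value: str) -> datetime:
    """The API formats dates like '2021-02-11 3:40pm GMT'."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def version_tuple(version: str) -> tuple[int, ...]:
    """'5.9.3' -> (5, 9, 3); non-numeric parts such as '-beta1' are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def vet_plugin(record_json: str, current_core: str, installed_version: str | None = None,
               now: datetime | None = None, max_age_days: int = 365,
               min_installs: int = 1000, min_rating: int = 60) -> VetResult:
    """Apply the article's checklist to one plugin_information record."""
    rec = json.loads(record_json)
    now = now or datetime.now(timezone.utc)
    findings: list[str] = []

    # 1. Last update: an unmaintained plugin will not receive security fixes.
    age = now - parse_last_updated(rec["last_updated"])
    if age > timedelta(days=max_age_days):
        findings.append(f"last updated {age.days} days ago (limit {max_age_days})")

    # 2. Tested against the current core (compare major.minor only).
    if version_tuple(rec["tested"])[:2] < version_tuple(current_core)[:2]:
        findings.append(f"tested only up to WordPress {rec['tested']}, core is {current_core}")

    # 3. Install count: a small user base means fewer eyes on the code.
    installs = rec.get("active_installs", 0)
    if installs < min_installs:
        findings.append(f"only {installs} active installs (minimum {min_installs})")

    # 4. Rating as a proxy for reviews (API rating is 0-100).
    rating = rec.get("rating", 0)
    if rating < min_rating:
        findings.append(f"rating {rating} below {min_rating}")

    # 5. Keep what is already installed up to date.
    update_available = bool(
        installed_version and version_tuple(installed_version) < version_tuple(rec["version"])
    )
    return VetResult(rec["slug"], ok=not findings, update_available=update_available,
                     findings=findings)


if __name__ == "__main__":
    for record in (STALE_RECORD, GOOD_RECORD):
        result = vet_plugin(record, current_core="5.9", installed_version="2.0.0", now=CHECK_TIME)
        verdict = "OK" if result.ok else "REJECT"
        print(f"{result.slug}: {verdict}; update available: {result.update_available}")
        for finding in result.findings:
            print(f"  - {finding}")
```

The stale record fails three of the four checks (age, compatibility, install count) and is rejected; the healthy record passes but reports that an installed 2.0.0 is behind the published 2.0.1, which is exactly the "keep everything current" point. Adjust the thresholds to your own risk appetite; the value of scripting this is that the checks are run every time rather than only when you remember.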
WordPress Safety Tips
As exposed as WordPress can be, basic security practices go a long way toward preventing and repelling intrusions.
The cornerstones of WordPress security hygiene are unique, strong login credentials, two-factor authentication, keeping all software current, and not exposing theme names, usernames or the login URL.