I’ve seen a lot of WordPress-based websites without a security plugin, even though there are free options and it only takes a few hours to set one up. Worse, some people think that having an SSL certificate makes their website secure, when it only makes communications private, for visitors and hackers alike.

Why are some plugins and themes insecure?

WordPress has not only opened a wide market for plugins and themes covering many features and options; it has also opened a lucrative market for hackers who continuously search for vulnerabilities in plugins and themes. WordPress itself has proven to be secure, but plugins and themes are not always secure, mainly for the following reasons:

  • A lot of inexperienced programmers develop free plugins to showcase their skills and thereby get well-paid jobs; however, they are not always aware of the security issues their code can have, and if their plugins or themes go viral, they spread a vulnerability over hundreds or thousands of WordPress-based websites.
  • Some complex plugins have dozens of files with thousands of lines of code, making it difficult to find and trace vulnerabilities. Some well-known plugins, and even security plugins, have been reported with security issues affecting the sites that have them installed.

Malware as the way to take advantage of these vulnerabilities

Malware is to websites what viruses are to PCs. It is nothing more than code designed either to gain control over a website or simply to delete its content; however, most hackers are motivated by money, so malware commonly takes control of a website not to bring it down but to generate income in one or more of the following ways:

  • Placing advertising on the infected website, which earns them little from a single site but a lot when hundreds of websites display their ads.
  • Encrypting content and asking the website owner to pay to recover their website or, worse, their clients’ database.
  • Using the infected website as free hosting, taking advantage of an owner who does not always have programming skills and therefore may not even know his website is hosting files and/or micro-sites.

How malware works

It is almost the same concept as viruses for PCs:

  • It’s usually encrypted or otherwise obfuscated code, so that it is hard to tell what it is for, creating doubts like: is this code my website needs to work?
  • It propagates itself, so that if one infection is removed, another keeps working. Usually a single infection creates a backdoor allowing the attacker either to execute code on the infected site or to upload more malware.
  • It looks to gain control of the infected website by escalating access credentials (for example, creating admin users that the attacker can later use to log into the site through the wp-admin area, just as a legitimate admin would).
  • Usually there are fully automated bots, fed by lists of websites/domains, that scan hundreds or thousands of websites for several vulnerabilities, alerting the owner/hacker of an infected site, or even exploiting vulnerabilities without any human action. This is the common business model for hacking WordPress websites.
  • Unlike PC viruses, malware is code that only executes when someone visits the infected site, so it’s a common pattern for malware to reside in WordPress files that are loaded on every single visit, such as:
    • /wp-config.php
    • /index.php
    • /wp-settings.php
    • /wp-content/themes/{your_theme_name}/functions.php
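The two points above (obfuscated code, and malware living in files loaded on every request) suggest a concrete defender-side check. The following is an added example, not code from the original post: it flags lines in the listed files that match patterns typical of injected PHP (eval of a decoded payload, preg_replace with the /e modifier, long base64 blobs, hex-escaped strings) and compares each file’s SHA-256 with a baseline recorded while the site was clean. The file contents in demo() are constructed, and "demo-theme" is a placeholder theme name.

```python
"""Added example, not code from the original post: heuristic scan plus hash
baseline for the WordPress files that are loaded on every request."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics: things legitimate core or theme code rarely needs on one line.
SUSPICIOUS_PATTERNS = {
    "eval-of-decoded-payload": re.compile(
        r"\beval\s*\(\s*@?(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.IGNORECASE),
    "preg_replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]", re.IGNORECASE),
    "long-base64-blob": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "hex-escaped-string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){6,}"),
}


def watched_files(theme_name: str) -> list:
    """The files the post names as loaded on every visit (theme name varies per site)."""
    return ["wp-config.php", "index.php", "wp-settings.php",
            f"wp-content/themes/{theme_name}/functions.php"]


def scan_text(text: str) -> list:
    """Return (line_number, pattern_name) for every line matching a heuristic."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def build_baseline(root: Path, theme_name: str) -> dict:
    """Record the SHA-256 of each watched file; run this right after a clean install or update."""
    baseline = {}
    for rel in watched_files(theme_name):
        path = root / rel
        if path.is_file():
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def audit_site(root: Path, theme_name: str, baseline: dict) -> dict:
    """For each watched file present: has its hash changed since the baseline
    (None if the file was not baselined), and which suspicious lines does it contain?"""
    report = {}
    for rel in watched_files(theme_name):
        path = root / rel
        if not path.is_file():
            continue
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        changed = None if rel not in baseline else digest != baseline[rel]
        report[rel] = {"changed": changed,
                       "hits": scan_text(data.decode("utf-8", errors="replace"))}
    return report


def demo() -> dict:
    """Build a tiny constructed site, baseline it, 'infect' two files, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme_dir = root / "wp-content" / "themes" / "demo-theme"
        theme_dir.mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'demo');\n")
        (root / "index.php").write_text(
            "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (theme_dir / "functions.php").write_text("<?php\nadd_theme_support('title-tag');\n")
        baseline = build_baseline(root, "demo-theme")

        # Constructed "infection": an eval loader and a hex-escaped string in index.php,
        # plus a long base64-looking blob appended to the theme's functions.php.
        (root / "index.php").write_text(
            "<?php\n"
            "@eval(base64_decode('ZGVtbw=='));\n"
            "$x = \"\\x64\\x65\\x6d\\x6f\\x21\\x21\";\n"
            "define('WP_USE_THEMES', true);\n"
            "require __DIR__ . '/wp-blog-header.php';\n")
        with (theme_dir / "functions.php").open("a") as fh:
            fh.write("$p = '" + "A" * 130 + "';\n")
        return audit_site(root, "demo-theme", baseline)


if __name__ == "__main__":
    for rel, result in demo().items():
        print(rel, "changed" if result["changed"] else "unchanged", result["hits"])
```

The baseline is the more reliable half: heuristics miss malware that avoids these patterns, but a core file whose hash changed without an update you performed is always worth a look. Keep the baseline outside the web root so an intruder cannot simply rewrite it.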
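The symptom described above of malware adding admin users can be checked directly in the database. This is an added example, not code from the original post: it lists accounts whose wp_capabilities meta marks them as administrator and reports any login that is not on your expected list. WordPress really does store roles in wp_usermeta as a PHP-serialized array like a:1:{s:13:"administrator";b:1;}; the demo uses an in-memory SQLite copy of the two tables with constructed rows, and the same SELECT works against the real MySQL database.

```python
"""Added example, not code from the original post: find administrator accounts
you did not create, using the wp_users / wp_usermeta tables."""
import re
import sqlite3

# Same query you would run against MySQL on a real site (table prefix assumed to be wp_).
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""

# Pulls role names out of the serialized array, e.g. a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> list:
    """Return the role names that are set to true in a wp_capabilities value."""
    return ROLE_RE.findall(serialized)


def find_unexpected_admins(conn, expected_logins) -> list:
    """Administrators whose login is not in expected_logins, oldest first."""
    unexpected = []
    for uid, login, email, registered, caps in conn.execute(ADMIN_QUERY).fetchall():
        if "administrator" in roles_from_capabilities(caps) and login not in expected_logins:
            unexpected.append({"ID": uid, "user_login": login,
                               "user_email": email, "user_registered": registered})
    return unexpected


def demo_connection() -> sqlite3.Connection:
    """Constructed data: one legitimate admin, one editor, one suspicious admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                           user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                              meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES
      (1, 'owner', 'owner@example.com', '2017-03-01 10:00:00'),
      (2, 'editor_jane', 'jane@example.com', '2017-06-12 09:30:00'),
      (3, 'wp_support', 'noreply@example.net', '2018-05-20 03:14:07');
    INSERT INTO wp_usermeta VALUES
      (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
      (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
      (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    for row in find_unexpected_admins(demo_connection(), {"owner"}):
        print("unexpected administrator:", row)
```

Run it on a schedule and alert on any non-empty result; a newly registered admin with an odd e-mail address, as in the constructed row, is exactly what the post describes.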

Plugins in defense of WordPress websites

For every problem there’s a business opportunity, and some companies have set out to keep WordPress-based websites secure with features like:

  • Malware scanners (manual, or scheduled and automated scans)
  • Website firewalls (blocking suspicious activity, blocking IPs that attack a website, and managing some important file/folder permissions)

For the above, some well-known and recommended security plugins are:

  • Wordfence (my first option to go with; free and paid options)
  • Sucuri (leading in malware analysis and always making their findings public)
  • iThemes Security (this is a good one too, in my opinion)

How to avoid installing vulnerable plugins and themes

It’s an excellent practice to research a bit about the plugin or theme you are about to install. Also, search Google for WordPress {plugin/theme} {your_plugin_or_theme_name} version {version_number} vulnerable. So, for example, if I were about to install a plugin named wp_x_feature version 2.4.2, I would first Google wordpress plugin wp_x_feature version 2.4.2 vulnerable, and on the first results page I can quickly check whether the plugin has vulnerability reports. The version number is important because some vulnerabilities only exist in certain versions.

Also:

  • Only install plugins from trusted sites.
  • Check that the plugin you’re about to install has been updated by the developer recently and is not abandoned.
  • Be aware that some free plugins and themes (especially new ones) are developed by inexperienced programmers in order to gain experience and showcase their work, so there’s a chance their code is not safe and secure.
  • Do NOT install nulled plugins and themes (there’s a hidden cost to pay).
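The "updated recently" and "which version" checks above can be automated against the plugin-information endpoint at api.wordpress.org (https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>). The following is an added example, not code from the original post: it reads that endpoint’s JSON and reports whether the installed version is behind and whether the plugin looks abandoned. The response below is constructed; the fields version, last_updated and tested are the ones the API returns, but the exact time format of last_updated ("2016-11-03 4:15pm GMT") is an assumption, and wp_x_feature 2.4.2 is the post’s own hypothetical plugin.

```python
"""Added example, not code from the original post: assess a plugin from the
WordPress.org plugin-information JSON (sample response constructed)."""
import json
from datetime import datetime

# Constructed stand-in for the API response; field names as the real API uses them.
SAMPLE_RESPONSE = json.dumps({
    "name": "WP X Feature",
    "slug": "wp-x-feature",
    "version": "2.5.0",
    "last_updated": "2016-11-03 4:15pm GMT",   # assumed format
    "tested": "4.6.1",
})


def parse_last_updated(value: str) -> datetime:
    """Parse the assumed 'YYYY-MM-DD h:mmam/pm GMT' format of last_updated."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")


def version_tuple(version: str) -> tuple:
    """'2.4.2' -> (2, 4, 2); non-numeric parts count as 0 so comparison never raises."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def assess_plugin(info_json: str, installed_version: str, now: datetime,
                  max_age_days: int = 365) -> dict:
    """Return the facts a site owner wants before (re)installing a plugin."""
    info = json.loads(info_json)
    last = parse_last_updated(info["last_updated"])
    age_days = (now - last).days
    return {
        "slug": info["slug"],
        "latest": info["version"],
        "outdated": version_tuple(installed_version) < version_tuple(info["version"]),
        "days_since_update": age_days,
        "abandoned": age_days > max_age_days,   # no release for over a year
        "tested_up_to": info.get("tested"),
    }


if __name__ == "__main__":
    # On a real site replace SAMPLE_RESPONSE with the body fetched from the API
    # and 'now' with datetime.utcnow().
    print(assess_plugin(SAMPLE_RESPONSE, "2.4.2", datetime(2018, 6, 15, 12, 0)))
```

A plugin that is both behind its latest release and more than a year without an update deserves the Google search described above before it goes anywhere near a production site.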

I think I don’t need a security plugin

Then I recommend you start saving some money, because sooner or later your website can become a target of bots that continuously search for vulnerable sites, so expect occasional attacks trying to take advantage of known and unknown vulnerabilities affecting WordPress plugins and themes.

FAQs

Bad news. HTTPS or an SSL certificate only guarantees that communication between the visitor and the website is encrypted. In fact, an attacker has it easier to hack a website, because no third party can see what he/she is sending to and receiving from your site.

While a set of rules can protect your website from some attacks, they do not get updated; therefore you’re not safe from new threats or complex attacks.

Not at all. You just need to dedicate a few hours to setting up a security plugin and a firewall to secure your website and data.

Probably your device is the one infected. Confirm this by checking your website from different devices.

Need help with a hacked website or setting up a security plugin / firewall?

I can help. After cleaning and rebuilding 40+ small and big websites (a complex task for each and every site), I developed a simple program to track malware code, allowing me to confirm it before removing it. I also found many vulnerable WordPress-based websites in the first 6 months of 2018 (which are being privately notified so they can be fixed).

If you don’t feel comfortable giving me full access to your data (which is understandable), we can work together in a remote TeamViewer session; just note that at a certain point I will need absolute silence to fully focus on what I’m doing and not delete anything your site needs to work.