Why do WordPress sites get hacked so much?
WordPress is a brand name for free open source code for anyone to create a CMS (Content Management System). A bit like Dyson and Hoover are brand names for vacuum cleaners. But WordPress and plugins come with dangers too.
Are WordPress websites safe?
A serious vulnerability has been discovered in Wordpress plugin code for the second time in 2023. Here are some facts about WordPress websites so far this year:
- Vulnerability discovered in WordPress plugin is the second one found so far this year
- Cross-Site Request Forgery (CSRF) Vulnerability could allow deletion of files
- More than 1 Million active installations of the affected WordPress plugin
WordPress has been used by bloggers and start-up web designers to bolt together pre-coded elements to make a blog. Later on various people created bits of code to add on to the blog to then make a website. What started off in 2003 as primarily a blogging solution, WordPress is a brand name for CMS and is now used by less than 40% of websites worldwide, but that’s still a lot.
Its huge rise in popularity does, however, have its pitfalls - and one of those is its unfriendly admin area and over-complicated editing interface but the most shocking is it's constant targeting by hackers who want to hurt businesses by benefiting from all the vulnerabilities that WordPress has.
WordPress might be one of the most well-known website development platforms in the world, but it is also one of the most vulnerable to hackers.
Every day, thousands of WordPress sites are hacked due to vulnerabilities in the software and plugins that are bolted on by unsuspecting web designers.
I mentioned earlier that WordPress code is free open-source code. The phrase open source software is code that is designed to be publicly accessible so anyone in the world can see, modify, and distribute the code as they see fit - including hackers!
Hackers can use these vulnerabilities to gain access to sensitive information (such as payment details and other private data) or to take control of websites for malicious purposes and to be a downright nuisance!
To increase the vulnerabilities further, many WordPress users don’t keep WordPress and the different plugins up-to-date, which makes them even more vulnerable to attack.
Does it matter if I don't update WordPress and Plugins I've used?
Yes, it poses a serious risk to the health of your online business if you haven't updated your website code and then updated all the plugins code to match.
Just this week (May 2023), over 1 Million WordPress websites were given a warning that if they have installed the WPCode for Insert Headers and Footers + Custom Code Snippets WordPress plugin, then their website has a severe security vulnerability that allows attackers to delete files on the server if it's not updated. The WPCode plugin (formerly known as Insert Headers and Footers by WPBeginner), is a popular plugin that allows WordPress publishers to add code snippets to the header and footer area. The plugin before version 2.0.9 contains what has been identified as a Cross-Site Request Forgery (CSRF) vulnerability.
This has obviously affected many websites in a bad way but it's too late for many. Pretty disastrous eh?
Is there a better solution?
The more a platform is used for delivering websites, the more it’s likely to be in the spotlight for hackers - and that’s an issue that WordPress and its users face. There are, however, other options worth considering.
WordPress is an open-source platform so most of it is free for anyone to access, making it easier to create plugins but also making it easier to be hacked. There are plenty of alternatives that businesses can use to develop their websites and, at aprompt, we provide custom coded websites which do not use vulnerable open-source code like WordPress - and are therefore less prone to being hacked.
The more secure a website is, the less risk there is of being hacked. We’re not talking about the security that come with SSL – we’re talking about how secure the code is that’s being used to make your website run.
The more custom the code is, the less likely it will get hacked, therefore custom websites that stay away from WordPress are much safer as hackers find it harder to “break the code”.
If your website is currently using WordPress as the core and you have plugins that make other features work on it, then there are some essential steps you need to take to protect yourself.
Firstly, make sure that your core WordPress software is up to date. Then you need to ensure that each plugin you have in the website is updated to be the same level of security as the core. Another tip is to only use plugins that are for use on WordPress. Secondly, keep your site backed up at all times so that you can quickly recover your website when you get hacked. If your website has been hacked then you will most likely need to remove all files and re-install your site, including WordPress and any plugins.
My WordPress website has been hacked - What can I do to save my business?
If your WordPress website has been hacked, then this is very bad news and it will negatively impact your business online. It can take a long time to remedy any damage that has been done in search engines and to your online reputation.
So if you’ve been hacked, it’s important to change any passwords and to notify anyone including customers of any possible data breach.
You should work closely with the web design company that manages your site if you have this service (unless you manage your own) to ensure that the issues are addressed properly, and that as many measures as possible have been taken to update the security patches.
Please note that just because your WordPress website security updates have been actioned, doesn't mean your WordPress website is immune from getting hacked, but it can help to protect you in lots of ways. It's best to liaise with your web developer to ask for help.
There may be extra costs to a WordPress website that you may be unaware of and this is to make sure that the updates provided are done – and there will be many so be prepared!
How do I know if my WordPress website has been hacked?
It’s not always easy to tell if your WordPress website has been hacked until it's too late and you cannot mend the damage. But if pages aren’t loading or you're getting strange content on your website pages and in SERPS - like images and links for fake handbags, adult content and / or new links in a different language (including redirects to pages that you didn’t create) then the chances are that you have been hacked.
You may also notice that you aren’t getting any new business or the website is not being found in search engines – all these are signs that your WordPress website has been hacked or it’s just not working as it should.
Whether you have been hacked or not, you might also want to consider moving away from WordPress as a type of website CMS and instead upgrade to a more secure website and of course a better CMS website.
Most websites need updating and freshening up every 2-3 years so if your site is close to being 3 years old then now might be the opportunity to explore your options.
See: When should I get a new website?
We would not recommend WordPress websites to anyone because of the ever-increasing security vulnerabilities that come hand in hand with this type of website code and their unintuitive admin area. However, if you have a blog and you are savvy with your updates then this is a free way of getting a blog and they can look great!
Just remember - you must install the security patches and upgrades regularly and all the other upgrades to the plugins if you are given them (if you are not given the updates to the plugins you should find them and install them yourself to ensure these aren't leaving your website vulnerable). These updates are there to help protect yourself, your customers and your site until the next security breach.
A web design company you can trust
At aprompt, we build websites that use robust programming techniques that are built on a solid foundation of coding knowledge, without the need to use WordPress code.
We appreciate the risks involved in being hacked and how damaging it can be for a business. Some of our clients started with a WordPress website then after seeing our admin areas, moved to a custom coded website written by us and found it looked stunning, worked really well and was cheaper too!
If you’re looking for a web design company that provides effective results-driven websites that are fast loading, loved by Google and don’t need regular maintenance, make sure you contact our website designers in Wiltshire today.