WordPress websites, because of their popularity, are frequently under attack by hackers. WordPress is broadly used across the web, powering 30% of all websites and 60% of all content management systems. The most recent attack came from a botnet of 20,000 WordPress sites that adds to its ranks by compromising other WordPress sites. It is a brute force attack against an older XML-RPC implementation that does not limit login attempts. That means that hackers, using the compromised WordPress sites, can try to log in thousands of times using username and password lists. These lists are easily found on the web and contain real compromised credentials. Given enough time, the hackers will be able to compromise many more WordPress sites.
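The XML-RPC brute force described above leaves an obvious trace in the web server access log: one client POSTing to `/xmlrpc.php` far more often than any normal use would. The following detector is an added example (not code from the original post or from WordPress); it parses combined-format log lines and flags any client IP whose POSTs to `/xmlrpc.php` exceed a threshold inside a sliding time window. The log lines, the threshold and the window size are constructed assumptions for illustration.

```python
"""Flag XML-RPC brute-force bursts in Apache/Nginx combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: client ip, two ident fields, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields we care about, or None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }

def find_xmlrpc_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: total xmlrpc POSTs} for every client that sends at least
    `threshold` POSTs to /xmlrpc.php within any `window_seconds` sliding window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/xmlrpc.php"):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log using RFC 5737 documentation addresses, not real traffic:
# 12 xmlrpc POSTs from one client in 22 seconds, plus a quiet second client.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Dec/2018:08:15:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370'
    for s in range(0, 24, 2)
] + [
    '203.0.113.5 - - [10/Dec/2018:08:15:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1842',
    '203.0.113.5 - - [10/Dec/2018:08:15:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
]

if __name__ == "__main__":
    print(find_xmlrpc_bruteforce(SAMPLE_LOG))  # {'198.51.100.7': 12}
```

In practice the flagged addresses would feed a firewall or a security plugin's block list, and the same counter can be pointed at `/wp-login.php` to catch the equivalent attack on the regular login form.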
WordPress sometimes gets a bad rap for being insecure, but I have not experienced that when following these best practices.
- Keep WordPress, plugins, and themes up to date by applying security patches
- Deactivate and delete any themes or plugins that are no longer needed
- Create a unique admin username and use a strong password
- Install and configure a WordPress security plugin that can block common attacks
- Only install trusted software from known sources
This approach will limit the attack surface and provide a solid layer of security. If you are new to securing websites, it is a good idea to consult with an expert. If your website is hacked despite this, you will need to find and patch the vulnerability as well as clean the site, which can be a challenge even for an experienced professional and can require hours of research. The other fallback to keep in mind is daily backups of WordPress: if the site is compromised and unrecoverable, you will have to restore from a backup taken before the date of compromise.
These are the day-to-day challenges in cybersecurity, and attacks of this kind only get more effective over time. Hopefully we can keep improving our website defenses to keep pace with new attacks.