WordPress sites are increasingly being infected with malware from pirated themes and plugins, as per a new report on WordPress security.
Security firm Wordfence published a report on threats and attacks targeting WordPress sites, with data gleaned from the 4 million customers that have its software installed.
The major threats facing WordPress sites fall into three categories:
- Malware from pirated themes and plugins
- Malicious login attempts
- Vulnerability exploits
Here’s a summary of key highlights from the report.
Malware From Pirated Themes & Plugins
The most widespread threat to WordPress security is malware from pirated (nulled) themes and plugins.
Wordfence detected more than 70 million malicious files on 1.2 million WordPress sites in the past year. Over 17% of all infected sites had malware from a nulled plugin or theme.
The WP-VCD malware was the most common threat to WordPress, counting for 154,928 or 13% of all infected sites in 2020.
When a plugin or theme is pirated its license checking features are disabled or removed, which makes it easy for hackers to gain backdoor access.
The best way to defend your WordPress site against this type of attack is to purchase your plugins and themes legitimately and keep them updated.
If your budget doesn’t permit the purchase of a premium theme then a free alternative from a reputable provider is the safest option.
Malicious Login Attempts
Wordfence detected (and blocked) over 90 billion malicious login attempts from over 57 million unique IP addresses. That’s a rate of 2,800 attacks per second targeting WordPress sites.
These attempts are said to include credential stuffing attacks using lists of stolen credentials, dictionary attacks, and traditional brute-force attacks.
WordPress site owners can protect themselves from malicious login attempts by setting up multi-factor authentication. This will ensure no one can get in without a password and a special code only you have access to.
According to the report from Wordfence, there were 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses in 2020.
The 5 most common attacks over the course of the year include:
- Directory Traversal: Made up 43% of all vulnerability exploit attempts (1.8 billion attacks).
- SQL Injection: Made up 21% of all exploit attempts (909.4 million attacks).
- Malicious file uploads: Made up 11% of all exploit attempts (454.8 million attacks).
- Cross-Site Scripting(XSS): Made up 8% of all attempt (330 million attacks).
- Authentication Bypass vulnerabilities: Made up 3% of all exploit attempts (140.8 million attacks).
All 4 million sites tracked as part of this report experienced at least one of each the above exploit attempts.
WordPress site owners can protect themselves against vulnerability exploits with a firewall.
For more tips on keeping your WordPress site secure please refer to the resources in the next section.
How to Keep Your WordPress Site Secure
For up-to-date advice on keeping your WordPress site secure see this guide written a couple months ago by Search Engine Journal’s Roger Montti:
New WordPress vulnerabilities are exposed every day. Stay glued to Montti’s coverage as he’s often first to break the news about the latest threats and how to stay safe.