When it comes to popularity, nobody could even come close to Wordpress's reputation as a CMS software. The open-source CMS has been actively used behind millions of websites from all over the world, and Wordpress has never let them down. Like any other open-force software, Wordpress left open its platform for the budding developers to design state-of-the-art plugins to strengthen its arm.
Even though many popular plugin developers like Yoast SEO, SMERush, AHREFs, and counting have strengthened Wordpress as a platform, many plugin developers have also left the door open for the malicious actors via a plethora of vulnerabilities.
In early May 2020, eight vulnerable Wordpress plugins had scary vulnerabilities, which let the attackers compromise many websites. And days back, the researchers from Alert Logic has also detected a plugin called MapPress having a frightening vulnerability. The map plugin for Wordpress users has already been downloaded by over 80,000 site admins, which left put at risk.
Although most of the plugin developers work on finding vulnerabilities and fix them accordingly, many users get compromised for delaying the update in real-time. But are there any other reasons which make Wordpress users vulnerable to cyber-attacks? To get all our queries solved, we talked with the Scottsdale, Arizona based cybersecurity solution provider SiteLock's CIO Neill Feather. Here, Neill walks us through the most significant answers a Wordpress user could look for.
IBT: How safe is WordPress as a blogging platform?
Neill: WordPress as a platform is a top-notch platform that delivers essential functionality for its extensive and devoted user groups; it includes the necessary steps to protect users' sites and information.
IBT: Then Why Wordpress makes headlines for available vulnerabilities?
Neill: Things become less secure when users don't update software or plugins, as well as when they use weak passwords. Each plugin is another potential access point for cybercriminals. Because not all plugins are monitored continuously by their developers, many sprout vulnerabilities can go undetected for months. And even if the vulnerability is patched, users must download the update to be protected.
But, when users customize their sites with more and more plugins, they will be less likely to monitor them all sufficiently for security. For example, our data has shown that sites with 6-10 plugins installed are 3x more likely to be compromised than the average website. In contrast, those with 20+ plugins installed are 7x more likely to be compromised.
To ensure their WordPress site remains secure, users should also utilize strong passwords and two-factor authentication, run regular cyber hygiene checks, and update plugins and remove those that are not in use.
IBT: How do you see WordPress as a CMS platform in contrast to Joomla! and other popular CMS software?
Neill: Websites built on WordPress can be a target for cybercriminals. Given the popularity of WordPress, it is a more attractive target for attacks. And a successful compromise can result in a more substantial potential return. Given this attractiveness, our security report shows that WordPress sites are three times more likely to be infected with malware than non-CMS websites.
WordPress's security is relatively similar to other CMS platforms. Still, it requires to take extra steps and add plugins if they want to enhance the safety of their webpage. And like WordPress, Joomla, and Drupal are also a prime target for hackers.
IBT: Can you recommend three easy-to-follow mitigation tips for our readers?
Neill: Awareness: From spotting potential phishing messages to utilizing two-factor authentication (2FA) along with a secure password, ensuring employees are educated and know the facts can be significant mitigation for businesses. Participating in Security Awareness courses and simulations can help make sure all employees develop good cybersecurity habits.
Utilize VPN & website security tools: All users, especially administrators of their organization's website CMS, should use a virtual private network (VPN) when relying on external networks. VPNs protect data by encrypting it as transmitted across shared or public networks, keeping sensitive information, such as SSNs, passwords, and credit card numbers, from being exposed. Additionally, users should be routinely scanning their websites for malware and vulnerabilities. By being proactive with their cybersecurity hygiene, users can ensure that their data remains safe and secure.
Be aware of the data you're sharing: From offering a plugin for customers to input payment information to using a simple contact form, CMS users need to be aware of the private information they are sharing and collecting on the web. By being careful with sensitive information, they can limit the risk for catastrophic data leaks if they fall victim to a hack or breach.