According to WPScan (a WordPress vulnerability scanner), 4,618 vulnerabilities (2,355 unique) have been reported to date.
1. 52% of the vulnerabilities were from WordPress plugins.
2. 37% of these came from WordPress core.
3. WordPress themes accounted for around 11%.
These findings are supported by Wordfence, which found that 55.9% of all vulnerabilities came from plugins.
So What Does This All Mean?
Well, put simply: don't overload your website with plugins, and if you are going to use third-party plugins, make sure you're only using plugins built by trusted developers in the WordPress community.
Most importantly, make sure you keep WordPress up to date!
You're never going to prevent your website from being hacked 100% of the time, but if you love WordPress as much as we do, here are 5 handy tips that have served us well in the past.
Preventing Your WordPress Site From Being Hacked
1. Reliable hosting
Make sure your website is hosted on a reliable and secure server: at a minimum, one that runs a supported PHP version, isolates customer accounts from each other and takes regular backups. At the end of the day, you get what you pay for, so if you only pay £9.99 per month for hosting, what did you think was going to happen? Read more about the importance of good hosting for your website.
2. Wordfence Plugin
Install the Wordfence plugin and stay up to date with the latest list of reported vulnerabilities so that your development team can act on them as soon as possible. Wordfence sends out useful e-mail alerts about these, and a more comprehensive list of issues, as and when they are reported, can also be found here.
3. Keep Your CMS Up To Date
Always keep WordPress core, your plugins and your themes up to date. We'd advise keeping the number of plugins on your website to a minimum, and if you are going to use plugins, only use ones that have been tried and tested by other established developers in the WordPress community. The best way to gauge this is normally to look at the number of active installs, when the plugin was last updated and which WordPress version it has been tested up to, and always make sure the plugin you're installing is compatible with the version of WordPress you're running.
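Relying on memory (or on somebody else's e-mails) to notice pending updates is where this tip usually fails, so here is a small must-use plugin that reports them daily. This is an added example, not code from the original post or from any plugin it mentions; it reads the update data WordPress already fetches for the dashboard (the update_core, update_plugins and update_themes site transients) and mails the admin address a list of anything still waiting. The PUR_ prefix and the cron hook name are hypothetical.

```php
<?php
/**
 * Plugin Name: Pending Update Report (added example)
 * Description: Once a day, refresh the update data WordPress already fetches and e-mail the
 *              site admin a list of core, plugin and theme updates that are still waiting.
 *              Drop this file into wp-content/mu-plugins/ to activate it.
 */

const PUR_HOOK = 'pur_daily_update_report'; // hypothetical cron hook name

// Must-use plugins have no activation hook, so schedule the daily event from init.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( PUR_HOOK ) ) {
        wp_schedule_event( time(), 'daily', PUR_HOOK );
    }
} );

/**
 * Build the report text, one pending update per line. Returns '' when everything is current.
 */
function pur_build_report() {
    // Refresh the cached update checks (the same remote calls the dashboard makes).
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $lines = [];

    // Core: the first entry of ->updates says whether an upgrade is offered.
    $core = get_site_transient( 'update_core' );
    if ( ! empty( $core->updates ) && 'upgrade' === $core->updates[0]->response ) {
        $lines[] = sprintf( 'WordPress core: %s -> %s', get_bloginfo( 'version' ), $core->updates[0]->version );
    }

    // Plugins: ->response is keyed by plugin file and holds objects; ->checked holds installed versions.
    $plugins = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $info ) {
            $installed = isset( $plugins->checked[ $file ] ) ? $plugins->checked[ $file ] : '?';
            $lines[]   = sprintf( 'Plugin %s: %s -> %s', $file, $installed, $info->new_version );
        }
    }

    // Themes: ->response is keyed by theme slug and holds arrays rather than objects.
    $themes = get_site_transient( 'update_themes' );
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $info ) {
            $installed = isset( $themes->checked[ $slug ] ) ? $themes->checked[ $slug ] : '?';
            $lines[]   = sprintf( 'Theme %s: %s -> %s', $slug, $installed, $info['new_version'] );
        }
    }

    return $lines ? implode( "\n", $lines ) : '';
}

// The cron callback: only send mail when there is something to act on.
add_action( PUR_HOOK, function () {
    $report = pur_build_report();
    if ( '' !== $report ) {
        wp_mail( get_option( 'admin_email' ), 'Pending WordPress updates', $report );
    }
} );
```

WP-Cron only fires when the site receives traffic, so on a quiet site pair this with a real system cron that hits wp-cron.php, otherwise the daily event can be hours late. The report tells you what is outstanding; whether to apply an update immediately still depends on reading the changelog for a security fix.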
4. Strong Passwords
Ensure all of your usernames are sensible and your passwords are strong (long, unique and ideally generated by a password manager). A lot of WordPress hacks come from brute-force attacks against accounts with weak passwords like 'password'. Also, don't use obvious usernames like admin or administrator. If you've already installed Wordfence, make a list of obvious usernames and add them to the options page; Wordfence will then immediately block the IP of anyone who tries to sign in with a username on your prohibited list.
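If you would rather see what that Wordfence option is doing, here is the same idea written as a must-use plugin. This is an added example, not code from the original post or from Wordfence: it hooks WordPress's own authenticate filter, refuses any login that uses a username on a prohibited list, and remembers the source IP in a transient so its next attempts are refused outright. The BOU_ prefix, the username list and the 15-minute block window are assumptions to tune for your site.

```php
<?php
/**
 * Plugin Name: Block Obvious Usernames (added example)
 * Description: Rejects login attempts that use commonly brute-forced usernames and
 *              temporarily blocks the source IP. Drop into wp-content/mu-plugins/ to activate.
 */

// Hypothetical list: tune it to your site and never include a username you really use.
const BOU_PROHIBITED_USERNAMES = [ 'admin', 'administrator', 'root', 'test', 'user', 'wordpress' ];
const BOU_BLOCK_SECONDS        = 900; // 15 minutes; how long an offending IP stays blocked

/**
 * Best-effort client IP. Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address,
 * so have the web server rewrite it (e.g. Apache mod_remoteip) rather than trusting
 * X-Forwarded-For here, which an attacker can set to anything.
 */
function bou_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function bou_block_key( $ip ) {
    return 'bou_blocked_' . md5( $ip );
}

/**
 * Runs on the 'authenticate' filter at priority 40, after WordPress's own username/password,
 * e-mail, application-password (20) and cookie (30) handlers. Because it runs last, the
 * WP_Error it returns is final: core's handlers cannot turn it back into a WP_User.
 * XML-RPC logins are covered too, since wp_xmlrpc_server::login() calls wp_authenticate().
 */
function bou_authenticate( $user, $username, $password ) {
    $ip = bou_client_ip();

    // Already blocked? Refuse without even looking at the credentials.
    if ( get_transient( bou_block_key( $ip ) ) ) {
        return new WP_Error( 'bou_ip_blocked', __( 'Too many failed login attempts. Try again later.' ) );
    }

    if ( '' === $username ) {
        return $user; // nothing submitted (e.g. cookie-only check); let core decide
    }

    if ( in_array( strtolower( $username ), BOU_PROHIBITED_USERNAMES, true ) ) {
        // Remember the IP so the next attempt is refused immediately ...
        set_transient( bou_block_key( $ip ), time(), BOU_BLOCK_SECONDS );
        // ... and leave a trail in the PHP error log for whoever watches it.
        error_log( sprintf( 'bou: blocked login as prohibited username "%s" from %s', $username, $ip ) );
        // Same generic message as a wrong password, so the response does not reveal
        // which usernames exist or which ones are on the list.
        return new WP_Error( 'bou_prohibited_username', __( 'Invalid username or password.' ) );
    }

    return $user;
}
add_filter( 'authenticate', 'bou_authenticate', 40, 3 );
```

Transients live in the options table (or the object cache if you have one), so a site-wide block survives across PHP workers, but it is per site rather than per server; a cluster behind a load balancer needs a shared object cache for the block to be consistent. Blocking by IP is also only as good as the IP you see, hence the REMOTE_ADDR note in the code.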
5. Prevent Editing Theme Files
Disable file editing in the WordPress dashboard by defining the DISALLOW_FILE_EDIT constant in your wp-config.php file. That way, if a hacker does manage to get into the backend of the website, they won't be able to edit theme or plugin files directly from the dashboard. Bear in mind that an attacker with an administrator session can still upload a plugin or theme zip unless you also block installs and uploads, so treat this as one layer rather than a complete fix.
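The wp-config.php lines referred to above, as an added example rather than code from the original post. The first constant is the one the tip describes; the second is a stronger, optional setting that also closes the plugin/theme upload route, with a caveat that matters for tip 3.

```php
// wp-config.php (excerpt): add these above the line that reads
// /* That's all, stop editing! Happy publishing. */

// 1. Remove the Theme File Editor and Plugin File Editor from the dashboard.
//    An administrator session can no longer drop a web shell into functions.php
//    with two clicks.
define( 'DISALLOW_FILE_EDIT', true );

// 2. Optional, stronger: also refuse plugin/theme installs, uploads and updates through
//    the dashboard. Note this switches off WordPress's automatic background updates as
//    well, so only enable it if updates are applied another way (a deployment pipeline
//    or WP-CLI on the server), otherwise it works against keeping the site up to date.
define( 'DISALLOW_FILE_MODS', true );
```

After saving, log in as an administrator and confirm that Appearance and Plugins no longer show the file editors; with DISALLOW_FILE_MODS set, the Add New buttons should be gone too. Neither constant protects files on disk: an attacker with FTP or SSH access, or a writable uploads directory combined with a vulnerable plugin, bypasses both, which is why hosting and updates come first in this list.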