Facts & myths about securing WordPress

Facts & myths about securing WordPress
datum-geschreven 7 Jan 2024

There are many WordPress users, even website developers, and hosting companies who are not aware of the following:

Fact: Restoring an old backup is NOT a permanent solution for a hacked website

This may seem like a solution to many, as they often think that the hacked files are removed from the server. However, they are surprised when signs of the site being hacked reappear within 1-7 days. How is that possible?

Often, only the file responsible for spam or data transmission is removed, but the vulnerability still exists. This vulnerability could be an old version of WordPress, a theme, or a plugin.

What to do

After restoring the backup, you cannot sit back; that’s when the real work begins!

  1. Update/replace all plugins
  2. Update/replace WordPress
  3. Check for theme updates
  4. Secure the website
  5. Secure the server
  6. Change database and user passwords

Fact: Updating plugins does not solve the hack

When you click “update” in your WordPress plugin area, only the files are updated (at the time of writing), not the entire plugin.

plugin updaten wordpress

In short, hack files may still remain, and they are not removed.

Myth: Once secured, always secured

If only that were true. No matter how well you secure the website now, the plugins you currently use are tested by many hackers for possible exploits. If they find a vulnerability that bypasses WordPress rules, there is no security measure that can stop them. This is simply because a plugin has administrator rights, allowing it to write files in intended folders.

Myth: There is a known or hired hacker personally targeting my site

wordpress hacker

No, in 99% of cases, no one is specifically targeting your website. Unless you are Porsche, Nike, or royalty.

These are automated programs trying thousands of WordPress sites and entering those that are not properly secured or not up-to-date.

So, why was my WordPress website hacked?

Someone wrote a script a while ago that searches for WordPress websites and places advertisements using known vulnerabilities.

Fact: A hacker can manipulate the website regardless of server security measures

The hacker doesn’t need to upload or modify files on the server to hack the website.

Even if your entire server is blocked so that each file is only readable and not modifiable…

The hacker can give commands to existing files through vulnerable forms (XSS) or the navigation bar of your website. In this way, they can add information to the database, leaving your site open or adding unwanted texts & links to your website.

Myth: A more expensive hosting provider guarantees a safer website

You can think of it like a Ferrari dealer; no matter how well the car is developed and maintained, they have no control over how you drive it and cannot prevent accidents or theft.

Myth: Paid premium plugins are safer than free plugins

We often come across cases where paid plugins are hacked. These plugins are widely used and promoted on various websites, reaching a large audience.

Also, creators of paid plugins often have just as busy schedules, if not busier, than hobbyists creating plugins. This means that security updates may be delayed.

Myth: More registered members mean a higher risk of being hacked

Each additional member is an additional entry in the database, but members with the roles of subscriber, writer, or editor have specific rights and limitations that prevent them from accessing plugins or settings.

De meeste artikelen worden geschreven door Mathieu Scholtes, de eigenaar van WPBeveiligen. Op de hoogte blijven van het laatste WordPress nieuws? WordPress tips? WordPress aanbiedingen?
Connect dan op Linked-in!

Heb je een vraag? Tip of gedachte? Deel die!

Breng me op de hoogte
0 Reacties
Inline Feedbacks
Bekijk alle reacties