The Wordfence 2022 State of WordPress Security Report was released today, giving us WordPress security analysis of the year just past, and important insights on how to keep your website secure in 2023.
It highlights the growing threat of persistent infections (old infections or hacks that were never discovered or never fully cleaned) and the importance of regularly maintaining and updating your WordPress site to avoid vulnerabilities. Here are the main points:
The Most Common WordPress Security Risks
One of the main findings in the report is that ‘persistent infections’ have become a main attack method, known in the security space as an ‘intrusion vector’. A persistent infection is a type of infection (malware) that remains on a WordPress site after attempts have been made to remove it. They are generally difficult to remove and often enable hackers to exploit further vulnerabilities in sites and perform more elaborate hacks.
In 2022, most attacks that Wordfence monitored were looking for easy access via reused passwords or by ‘piggybacking’ off the aforementioned persistent infections. It’s becoming an increasingly common attack method: as websites age and become unmaintained, persistent infections become more widespread.
Even hacking groups such as Anonymous sell code designed to search for persistent infections to gain even more control over compromised sites. Keep in mind that while the Wordfence scanner is fully capable of detecting these types of attacks, the site owner still needs to be aware and clean any site where an infection has been detected.
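One practical way to notice an infection that has come back after a cleanup is to keep a hash baseline of the site’s files and compare against it later. The script below is an added example written for this post, not Wordfence’s scanner or any code from the report; it builds a throwaway WordPress-like tree with constructed placeholder files, records a baseline, simulates a reinfection (a modified plugin file and a PHP file appearing under wp-content/uploads) and reports the differences.

```python
"""Baseline file-integrity check for a WordPress tree (added example, not Wordfence code)."""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Report files added, modified or missing since the baseline was taken.

    Also lists any PHP file under wp-content/uploads: that directory holds media,
    so executable PHP there is a classic sign of a dropped backdoor.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
        "php_in_uploads": sorted(
            p for p in current if p.startswith("wp-content/uploads/") and p.endswith(".php")
        ),
    }


def demo() -> dict:
    """Construct a tiny fake site, baseline it, then simulate a reinfection."""
    with tempfile.TemporaryDirectory() as root:

        def write(rel: str, content: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)

        # Constructed placeholder files standing in for a real install.
        write("wp-config.php", "<?php define('DB_NAME', 'example');\n")
        write("wp-content/plugins/demo/demo.php", "<?php // demo plugin\n")
        write("wp-content/uploads/2023/01/photo.jpg", "not really a jpeg\n")
        baseline = build_baseline(root)

        # Changes appearing after a supposed cleanup (placeholder content, not malware).
        write("wp-content/plugins/demo/demo.php", "<?php // demo plugin\n// unexpected change\n")
        write("wp-content/uploads/2023/01/cache.php", "<?php // placeholder\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline only helps if it is taken from a known-clean state and stored somewhere the web server cannot write to; a baseline sitting inside the site’s own document root can simply be updated by the same infection it is meant to catch.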
The report also addressed the risks of reusing passwords across multiple platforms. Each year, thousands of leaked passwords from the ever-growing list of data breaches become available to hackers, making it simple to gain access to WordPress sites.
And it’s not just your WordPress admin passwords. It includes your cPanel, Cloudflare (DNS), or even your email passwords. If you are reusing passwords, or if they were created for you by anyone else, then it’s highly recommended to change them ASAP. Despite the recent LastPass breach (which did not actually reveal any password data to hackers), it’s still a great idea to use a password manager: they not only remove your need to remember complex passwords (you just remember one password for all your passwords), but they also provide an on-hand method to generate secure passwords of any length and complexity.
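Two things a password manager does for you can be shown in a few lines: generating a random password from a cryptographic source, and checking a password against leaked-password data without ever sending the password itself. The code below is an added example for this post, not code from Wordfence or from any password manager. The breach check follows the k-anonymity model used by Have I Been Pwned’s Pwned Passwords service (only the first five characters of the SHA-1 hash would leave the client, and the rest is matched locally), but the breach corpus here is a small constructed list so the example runs offline.

```python
"""Password generation and k-anonymity breach lookup (added example, not from the report)."""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, retried until every class is present."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(leaked_passwords) -> dict:
    """Index a (constructed) breach list by the first 5 hex chars of its SHA-1."""
    corpus = {}
    for pw in leaked_passwords:
        h = sha1_upper(pw)
        corpus.setdefault(h[:5], set()).add(h[5:])
    return corpus


def lookup_suffixes(prefix: str, corpus: dict) -> set:
    """Stand-in for the range query: given a 5-char prefix, return all matching suffixes.
    A real service would return this list over the network; the password never leaves."""
    return corpus.get(prefix, set())


def is_breached(password: str, corpus: dict) -> bool:
    h = sha1_upper(password)
    return h[5:] in lookup_suffixes(h[:5], corpus)


# Constructed leaked-password list for the demo; not real breach data.
DEMO_CORPUS = build_corpus(["password123", "letmein", "qwerty2022"])


if __name__ == "__main__":
    pw = generate_password(24)
    print("generated:", pw, "breached:", is_breached(pw, DEMO_CORPUS))
    print("password123 breached:", is_breached("password123", DEMO_CORPUS))
```

The same prefix/suffix split is why a breach check can be safe to run from a login form or a password manager: the server learns only that the password hashes to one of a few hundred candidates, never which one.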
Increasing Security with Two-Factor Authentication
Two-factor authentication (2FA) is also highly recommended on as many of your platforms as possible, including WordPress. The Wordfence plugin includes 2FA on your WordPress login. It’s as simple as having one extra app on your phone and entering a six-digit code from that app every time you want to log in to WordPress. Ten extra seconds when you log in gives your website a large security improvement.
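The six-digit code those authenticator apps produce is a time-based one-time password (TOTP, RFC 6238, built on HOTP from RFC 4226): an HMAC-SHA1 over the current 30-second time step, truncated to six digits. The implementation below is an added example for this post, not Wordfence’s 2FA code; it generates codes, verifies them with a one-step clock-skew window, and checks itself against the published RFC test vectors (secret "12345678901234567890"). The secret shown in base32 is that same RFC test secret, not a value to reuse.

```python
"""TOTP generation and verification (added example, not Wordfence code)."""
import base64
import hashlib
import hmac
import secrets
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, mod 10^digits."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew).
    compare_digest keeps the comparison constant-time."""
    counter = timestamp // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the secret as base32 (the QR code payload)."""
    return base64.b32decode(text.upper().replace(" ", ""))


def new_secret_base32() -> str:
    """Fresh 160-bit secret for enrolling a new device."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


# RFC 4226 / RFC 6238 test secret, shown as apps would display it.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
```

A real login handler should also remember the last counter it accepted for a user and refuse that counter again, so a code captured over the shoulder cannot be replayed within its window.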
Avoid Website Neglect With Regular Maintenance
The report also highlighted a recurring factor that we all know by now: regular updates are essential. Keeping WordPress core, plugins and themes updated is best practice to minimise risk. Backing this up is the Wordfence firewall, which blocks the vast majority of attacks against critical ‘0-day vulnerabilities’. A ‘0-day vulnerability’ is a serious threat where the vulnerability is as yet unknown to the author of the software (plugin, theme, etc.), and it is being actively exploited for malicious purposes.
Only the Premium version of Wordfence has up-to-date protection against newly discovered serious vulnerabilities such as these. The free version that many of us use gives the same protections, but with a 30-day delay. It’s worth upgrading to ensure your website protection is as strong as it can be.
The moral of the story?
In conclusion, the greatest threat to WordPress security in 2022 was website neglect: not updating sites, not properly cleaning old infections, or being lazy and reusing passwords.
Stay up to date with your WordPress maintenance, and don’t get lazy with your logins! Minimise the risks!
Check out the full report here: https://www.wordfence.com/wp-content/uploads/2023/01/The-Wordfence-2022-State-of-WordPress-Security-Report.pdf