TL;DR
Wordfence’s latest findings echo previous reports: persistent infections remain a consistent problem, password reuse remains risky, two-factor authentication is a must, and regular maintenance is non-negotiable. Consider upgrading to Wordfence Premium for enhanced protection.
Intro
Being on the front line of WordPress security and maintenance can be a wild ride, with BAU days interspersed with time-sensitive urgent updates and immediate security actions being carried out to safeguard our clients’ websites. As always, it’s Wordfence that we turn to to have our backs and keep us informed on the latest threats in the ecosystem. They just released their 2023 mid-year WordPress security review, giving us the lowdown on the WordPress vulnerability scene.
While the report spends a good deal of time diving into how Wordfence uses ChatGPT to analyse vulnerabilities and implement the protections in its product, in this article I’m going to focus on what actions can be taken by the WordPress website owner to improve their website security.
At the risk of sounding repetitive, it’s a case of ‘The more things change, the more they stay the same’… both in regard to the vulnerabilities affecting WordPress and the actions we can take to safeguard our sites.
Click to read the full Wordfence report here.
Persistent Infections & 2023’s Vulnerabilities: A Consistent Threat
Diving into the report, it’s clear some threats just don’t know when to quit. Persistent infections, those pesky malware bits that you may be simply unable to completely clean up or remove, continue to be a prominent issue. And it’s not just a flash in the pan; they’ve been a consistent issue for a long time in the WordPress community. It’s like having that awkward relative at Chrissy lunch who just won’t get the message that it’s time to hit the road!
The Password Problem: Old Habits Die Hard
Let’s be honest… We’ve all been there, haven’t we? Using that same trusty password for just about everything. But in reality: That’s a hacker’s dream. It’s only a matter of time before that exact password gets leaked in one of the treasure trove of data breaches out there. So reusing them is akin to leaving your front door wide open.
It’s not just about your WordPress admin passwords. Think bigger. Think cPanel, Cloudflare, email… the whole spectrum. If you’re still running with the “one-password-fits-all” mantra, then it’s time for a rethink. If it’s too hard to remember all the new crazy 16-character alphanumeric passwords you now have for all your platforms, then it’s time to invest in a password manager like LastPass, or use the password features in a browser like Google Chrome.
Two-Factor Authentication: A Small Step, A Giant Leap
In the story of WordPress security, two-factor authentication (2FA) is the unsung hero. It’s straightforward: an app, a code, and a few seconds of your time. But the payoff is a fortress-like defence for your WordPress website. With 2FA, even if hackers manage to get your password, they’re still locked out without that code. It’s a no-brainer. Do it now!
The Power of Regular Maintenance
We all know that prevention is better than cure. It’s absolutely the case for WordPress websites. Regular security checks and preventative maintenance are your trusty sidekicks in keeping those vulnerabilities at bay.
Here’s what it entails: https://juicedigital.com.au/website-design/wordpress-maintenance-plans/
Shutting the door on WordPress vulnerabilities
A significant chunk of WordPress vulnerabilities rely on hackers getting that initial foot in the door to infiltrate and infect your site. So how do they get that access? Through user accounts, especially those with higher privileges, such as contributor accounts.
By reducing the ability for users to register on your site, you’re essentially putting up another ‘No Entry’ sign for potential threats. If you don’t have any reason for people to have a user account on your site, then you’re restricting another common attack vector. WordPress sites should only allow user registrations when you provide a service for customers through your site, such as eCommerce, online learning, or a membership of some kind.
In terms of ‘contributor’ accounts and the like, you should only use them when your business model absolutely relies on various individuals contributing to your content. In this case you need to be using 2FA across the board.
When you limit these user registrations, you’re not just preventing potential threat access points but also reducing the risk of existing users elevating their privileges without authorisation, which is another vulnerability in WordPress plugins that’s not uncommon. It’s a double win. So, if you don’t need user / contributor accounts, don’t have them. Easy!
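If you want the ‘registration off, lowest default role’ setting enforced in code rather than left to a checkbox in Settings > General, and a record of any account being bumped up to a privileged role, this is the sort of mu-plugin I’d drop in. It’s an added example written for this article, not code from the Wordfence report or the Wordfence plugin; the hr_ prefix, the list of roles treated as privileged, and the log destination are my own assumptions.

```php
<?php
/**
 * Plugin Name: Harden Registration (example mu-plugin)
 * Place in wp-content/mu-plugins/ so it loads before normal plugins and
 * cannot be deactivated from the dashboard. Example code, not Wordfence's.
 */

// 1. Force open registration off, whatever the stored option says, so a
//    plugin bug or a stolen admin session cannot quietly flip it back on.
//    pre_option_{$option} short-circuits get_option() when it returns non-false.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 2. Pin the default role for any account that still gets created
//    (e.g. by a WooCommerce checkout) to the least-privileged built-in role.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 3. Log every role change that grants a privileged role. Which roles count
//    as privileged is an assumption here; tune it to your site.
function hr_privileged_roles() {
    return array( 'administrator', 'editor', 'author', 'contributor' );
}

function hr_log_role_change( $user_id, $new_role, $old_roles = array() ) {
    if ( ! in_array( $new_role, hr_privileged_roles(), true ) ) {
        return;
    }
    // 0 means no logged-in user did this: cron, WP-CLI, or a plugin acting
    // on an unauthenticated request, which is exactly the case worth a look.
    $actor = get_current_user_id();
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    error_log( sprintf(
        '[hr] user %d granted role %s (was: %s) by user %d from %s',
        $user_id, $new_role, implode( ',', (array) $old_roles ), $actor, $ip
    ) );
}
// set_user_role fires on WP_User::set_role(); add_user_role on add_role().
add_action( 'set_user_role', 'hr_log_role_change', 10, 3 );
add_action( 'add_user_role', 'hr_log_role_change', 10, 2 );

// Caveat: an exploit that writes wp_capabilities usermeta directly bypasses
// both hooks, so this complements, not replaces, a periodic review of
// privileged accounts (e.g. `wp user list --role=administrator`).
```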
Benefits of Wordfence Premium
For any business that values its online presence and reputation, Wordfence Premium is definitely the way to go. Unlike the free version, there is no 30-day delay in receiving the latest WordPress firewall definitions to protect against the most newly discovered vulnerabilities in the WordPress ecosystem.
It’s a small price to pay for a significant increase in protection… There’s a lot of damage that can happen in 30 days worth of hacking!
Conclusion
The WordPress security landscape might be ever changing, but the essential steps to ensure you’re staying ahead of the curve really do remain the same: tight passwords, do your maintenance, get your 2FA happening, restrict site registrations, and if you’re able to make the upgrade to Wordfence Premium, then do it!
They’re all preventative actions that will save your website, and save your business a lot of pain… You just may not realise how many times these small actions may actually save your butt on a daily basis. With threats morphing and evolving, it’s always better to be in front of them, especially when your website functionality and business reputation is on the line.