Popular things are always a target. Without fail. It’s why the New York Yankees are both the most popular baseball franchise and the most hated, why the world cackled when Tom Brady was suspended for deflate-gate, and why you were given the nickname White Snake when you wore your super fly stonewashed denim jacket on the first day of high school.

Haters gonna hate, attackers gonna target, and popularity is the reason WordPress websites are wearing some of the biggest bullseyes on the internet. Here’s what you need to know about what might be making your WordPress website vulnerable, and what you can do to prevent major security intrusions and DDoS attacks.

The wonders of WordPress

There are many advantages of the WordPress content management system. The words ‘doesn’t cost any money’ immediately come to mind. WordPress is also easy to use, customizable, scalable, and adored by search engines. All of this adds up to a CMS that’s beneficial for websites ranging from corporate sites to your weird neighbor’s cat food taste-testing blog. In total, WordPress accounts for a staggering 23 to 24% of all websites.

The downsides of WordPress

The pros of WordPress definitely outweigh the cons, but there are three main security issues WordPress website owners need to be aware of.

  1. Software vulnerabilities. WordPress is a CMS with an open-source framework. This shared development environment offers plenty of benefits, crowdsourcing the internet’s best and brightest, but it also means a higher number of security flaws or software vulnerabilities due to a lack of testing and accountability.

These vulnerabilities can be exploited by hackers to gain access to or control of the website and to inject malware, viruses, or other malicious scripts. For instance, in December of 2014 over 100,000 WordPress websites were affected by a malware campaign that targeted a vulnerability in the Slider Revolution plug-in.

Finding WordPress vulnerabilities and disclosing them to WordPress is a major business for many internet security professionals. Disclosure is a double-edged sword, however. As soon as a vulnerability is disclosed, attackers also become aware of it. And no matter how quickly a security patch is issued, the success of that patch relies on website owners applying it. There was actually a patch released for the Slider Revolution vulnerability in February of 2014. However, many website owners failed to update the plug-in, leaving it open for attackers.

  2. DDoS attacks. This certainly isn’t an issue that’s specific to WordPress websites; however, the nature of many WordPress sites may make them seem like better DDoS attack targets than high-powered websites using custom content management systems.

Fair or not, many WordPress sites have a bit of a less advanced feel to them. Websites that use a free CMS are more likely to be run by individuals, mom-and-pop organizations, or small companies, and they are therefore seen as less likely to have great security features or professional DDoS protection. This may make WordPress websites more susceptible not only to actual DDoS attacks – which render the websites unusable for legitimate users – but also to DDoS ransom notes, in which attackers demand money in return for not launching a DDoS attack.

Not only do DDoS attacks take a website offline for users, but they can also cause lasting damage to hardware and software, and lasting damage to the trust of users and/or customers. Theft of intellectual property, personal information or financial data may also occur as a result of a DDoS attack. And just how common are DDoS attacks? A 2014 survey by internet security firm Incapsula found that 45% of respondent organizations had been hit with a DDoS attack, nearly 1 in 2. Furthermore, seventy percent of those hit had been targeted more than once.

  3. Being used for DDoS attacks. In a way, this security issue combines the first and second ones listed in this article. In order to turn your website into a so-called zombie or a part of a botnet, attackers exploit a vulnerability in order to gain control of your website and use it, along with many other websites, to launch large-scale DDoS attacks on targeted websites. The more resources an attacker has at his or her disposal, the easier it is to wreak havoc via DDoS, hence the need for botnets.

The potential to turn WordPress websites into DDoS attacking zombies was brought to the world’s attention in March of 2014, when attackers exploited the WordPress pingback feature (which is enabled on WordPress sites by default) in order to launch a layer 7 flood DDoS attack. When all was said and done, 162,000 legitimate WordPress websites had been used in the attack, unbeknownst to most of those website owners.
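What a pingback flood looks like from the receiving end, as an added example that is not part of the original article or Incapsula’s own tooling: when a WordPress site verifies a pingback it fetches the linked page with a user-agent of the form `WordPress/<version>; <home_url>; verifying pingback from <ip>`, so a victim can spot a reflection flood in ordinary web server logs by counting how many distinct WordPress sites are “verifying” at once. The script assumes Apache/nginx combined log format; the log lines and the `min_reflectors` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; the user-agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# UA WordPress sends while verifying a pingback: "WordPress/<ver>; <home_url>; verifying pingback from <ip>"
PINGBACK_UA_RE = re.compile(
    r'^WordPress/\S+; (?P<reflector>\S+); verifying pingback from (?P<caller>\S+)$'
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines, min_reflectors=3):
    """Summarise pingback-verification traffic hitting the (victim) web server."""
    # A couple of reflectors is normal (someone linked to you); many distinct
    # WordPress sites all "verifying" the same pages at once is the flood.
    reflectors, callers, targets = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        pb = PINGBACK_UA_RE.match(rec['ua']) if rec else None
        if pb is None:
            continue
        reflectors[pb.group('reflector')] += 1
        callers[pb.group('caller')] += 1         # origin IP the reflector hands us
        targets[rec['path'].split('?')[0]] += 1  # drop cache-busting query strings
    return {
        'pingback_requests': sum(reflectors.values()),
        'distinct_reflectors': len(reflectors),
        'callers': dict(callers),
        'targets': dict(targets),
        'suspected_reflection_flood': len(reflectors) >= min_reflectors,
    }

# Constructed sample lines (not real traffic): three WordPress sites fetching our
# front page with random query strings, plus one ordinary visitor.
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Mar/2014:10:00:01 +0000] "GET /?4562 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.8.1; http://blog-a.example; verifying pingback from 203.0.113.7"',
    '198.51.100.11 - - [10/Mar/2014:10:00:01 +0000] "GET /?9913 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.7.1; http://blog-b.example; verifying pingback from 203.0.113.7"',
    '198.51.100.12 - - [10/Mar/2014:10:00:02 +0000] "GET /?1077 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.8; http://blog-c.example; verifying pingback from 203.0.113.7"',
    '192.0.2.44 - - [10/Mar/2014:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 2210 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"',
]
```

Running `analyze(SAMPLE_LOG)` flags the flood and reports the single caller IP that all three reflectors were handed, which is the lead a defender would pass to the reflecting sites’ owners or a DDoS protection provider.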


What can be done to protect your WordPress website

As stated earlier in this article, the pros of WordPress far outweigh the cons, and none of these security issues is reason to abandon WordPress for another CMS. (Especially since other content management systems are plagued by the same or similar issues, but that’s an article for another day.)

These security issues are reason to start taking your WordPress website security more seriously, however. According to Incapsula, there are a number of steps you should take to increase your WordPress website’s security.

The first and simplest step you can take to increase security is making it harder to get in through your login page. Stop using default admin names, always use strong passwords, and consider using two-factor authentication.

You should also regularly update WordPress as well as apply security patches for WordPress and its plug-ins. Your dashboard will show you when an update has been made available.

You may also want to consider using a web application firewall (WAF), which will provide enterprise-grade protection for your website. Professional DDoS protection should also be a consideration for anyone who owns or runs a website. As long as WordPress stays immensely popular, it will stay a huge target, and it’s a lot easier to recover from a stonewashed high school fashion faux pas than a DDoS attack or security breach.