Lessons Learned from the 2021 Mid-Year WordPress Security Report

In August 2021, Wordfence and WPScan released their 2021 Mid-Year WordPress Security Report (PDF), covering the first six months of 2021. The report shows how WordPress sites are actually being attacked, and from it we can draw concrete advice on how to defend your own site.

Don't Reuse Passwords

The report states,

One of the most common methods threat actors use to compromise WordPress sites is password attacks. Taking advantage of widespread password reuse across a variety of sites, threat actors targeting WordPress sites typically use lists of compromised passwords to attempt site access. Referred to as a “credential stuffing attack,” these attacks are often very successful due to individuals reusing passwords that have been compromised across sites.

Every account you have should have its own unique password, so that a password leaked from one site cannot simply be replayed against another. This can seem overwhelming, but a password manager like Bitwarden makes it simple to generate and store a different password for every account, even if you have hundreds of them.

Use Stronger Passwords

The report states,

Another common password attack method that threat actors use to target WordPress sites is a dictionary attack. In this scenario, attackers use a list of dictionary words to guess a password. Moreover, hybrid attacks that use a combination of a dictionary attack and brute force methods are popular. These password attacks are often successful due to individuals using weak passwords containing dictionary words with minimal complexity.

To create strong passwords, make them long (20 or more characters) and randomly generated, mixing uppercase, lowercase, digits, and special characters. A long random string appears in no dictionary and is far beyond what a brute-force or hybrid attack can cover. How will you create and remember passwords like these? Use a password manager like Bitwarden to generate and store them.

Enable Brute-Force Protection

The report states,

Moreover, hybrid attacks that use a combination of a dictionary attack and brute force methods are popular. … In addition to maintaining good password hygiene, brute force protections on a WordPress site can help minimize the impact of password attacks and stop attackers in their tracks.

A brute-force attack is when an attacker rapidly tries password after password, hoping eventually to land on the right one. You can blunt these attacks by limiting the number of failed login attempts allowed before the client's IP (Internet Protocol) address is temporarily blocked from logging in. Keep in mind that credential-stuffing attacks are usually spread across many IP addresses, each making only a few attempts, so lockouts alone are not enough; they work best alongside unique passwords and 2FA.

If you're using a security plugin, see if it has a brute-force protection option. If it doesn't, you can use the Login LockDown plugin.
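Lockouts are only as good as your view of who is hammering the login. The following is an added example, not code from the report, OptimWise, or any of the plugins named above: it reads web server access-log lines (the sample lines are constructed, in the common "combined" log format) and reports clients that made a threshold number of suspicious login requests to either endpoint the report calls out, /wp-login.php and /xmlrpc.php, then turns them into nginx deny rules. The threshold, the sample addresses, and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the report or OptimWise): spot password attacks against
# the two WordPress login endpoints in a web server access log and turn the
# offenders into deny rules. The log lines below are constructed, in the
# "combined" log format that Apache and nginx write by default.
SAMPLE_LOG='203.0.113.7 - - [01/Mar/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Mar/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Mar/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Mar/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Mar/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25.1"
203.0.113.7 - - [01/Mar/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25.1"
198.51.100.9 - - [01/Mar/2021:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2987 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2021:10:05:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2021:10:05:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 51230 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Mar/2021:10:07:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [01/Mar/2021:10:07:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.44 - - [01/Mar/2021:10:07:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"'

# flag_login_abuse THRESHOLD  (log lines on stdin)
# Prints "ip count" for every client that made THRESHOLD or more suspicious
# login requests. A failed wp-login.php POST gets a 200 (the form is shown
# again) while a successful one gets a 302 to wp-admin, so only 200s count
# there; xmlrpc.php answers 200 whether or not the credentials were right,
# so every POST to it counts. GETs (just loading the form) are ignored.
flag_login_abuse() {
  awk -v threshold="$1" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ && $9 == 200 || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }
  ' | sort
}

# nginx_deny_rules THRESHOLD: same input, emits one "deny <ip>;" line per
# offender, ready to include in an nginx server block (for Apache 2.4 you
# would emit "Require not ip <ip>" inside a RequireAll block instead).
nginx_deny_rules() {
  flag_login_abuse "$1" | awk '{ print "deny " $1 ";" }'
}

printf '%s\n' "$SAMPLE_LOG" | flag_login_abuse 5
printf '%s\n' "$SAMPLE_LOG" | nginx_deny_rules 5
```

On the sample above, a threshold of 5 flags only 203.0.113.7 (six failed attempts across both endpoints); the legitimate user at 198.51.100.9 never appears because its one POST was a successful 302. Run it against a real log with `flag_login_abuse 20 < /var/log/nginx/access.log`, and note that the XML-RPC traffic is counted alongside wp-login.php, which a plugin that only watches the login form may miss.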

Enable 2-Factor Authentication (2FA)

The report states,

As password attacks appear to be on the rise, it is important that site owners continue to perform password hygiene best practices. This includes using 2-factor authentication on all available accounts, using strong secure passwords that are unique per account, and disabling XML-RPC when not in use.

2-factor authentication (2FA) means that in addition to your username and password, you'll need to enter a one-time code (usually generated by an authenticator app on your phone) when you log in to your site. That way, even if an attacker obtains or guesses a username and password, they can't log in without the current 2FA code.

If you're using a security plugin, see if it has a 2-factor authentication option. If it doesn't, you can use the Google Authenticator plugin or a similar 2FA plugin. Despite that plugin's name, it works with any app that generates standard time-based one-time codes, such as Authy.

Disable XML-RPC

The report states,

Our data also suggests that password attacks targeting XML-RPC and the standard /wp-login.php login page occur at nearly the same rate. This serves as an important reminder to disable XML-RPC if not in use …

Before disabling XML-RPC, check whether anything you use depends on it: Jetpack, the WordPress mobile apps, and some remote-publishing and backup tools talk to your site through xmlrpc.php and will stop working without it. If nothing does, turn it off. If you're using a security plugin, see if it has an option to disable XML-RPC. If it doesn't, you can use the Disable XML-RPC plugin.
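Whatever method you use, verify the result from outside. The script below is an added example (not from the report, OptimWise, or the Disable XML-RPC plugin): it sends xmlrpc.php a wp.getUsersBlogs call with made-up credentials and classifies the reply. The fault strings it matches are the ones WordPress core returns for login-based methods; the sample response bodies, the base URL, and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the report or OptimWise): probe a site's xmlrpc.php
# and classify the answer. The probe sends a wp.getUsersBlogs call with
# made-up credentials; WordPress core answers login-based methods with the
# fault strings matched below (a site that customises them shows as "unknown").
PROBE_REQUEST='<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>probe</string></value></param><param><value><string>probe</string></value></param></params></methodCall>'

# classify_xmlrpc_response: reads an HTTP response body on stdin and prints
#   enabled   - login methods are reachable, so password attacks can use them
#   disabled  - the xmlrpc_enabled filter is off (what the Disable XML-RPC
#               plugin does), so login-based methods refuse to run
#   blocked   - no XML came back at all, e.g. the web server denies the path
#   unknown   - XML came back but not a response we recognise
classify_xmlrpc_response() {
  body=$(cat)
  case "$body" in
    *"XML-RPC services are disabled on this site."*) echo disabled ;;
    *"Incorrect username or password."*)              echo enabled ;;
    *"<methodResponse"*)                              echo unknown ;;
    *)                                                echo blocked ;;
  esac
}

# probe_xmlrpc BASE_URL, e.g. probe_xmlrpc https://example.com
# The probe is itself one failed login: run it against your own site only,
# and expect it to show up in your brute-force protection's log.
probe_xmlrpc() {
  curl -sS -X POST -H 'Content-Type: text/xml' --data "$PROBE_REQUEST" "$1/xmlrpc.php" \
    | classify_xmlrpc_response
}

# Constructed sample bodies for three outcomes (no network needed).
ENABLED_BODY='<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>403</int></value></member><member><name>faultString</name><value><string>Incorrect username or password.</string></value></member></struct></value></fault></methodResponse>'
DISABLED_BODY='<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultCode</name><value><int>405</int></value></member><member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member></struct></value></fault></methodResponse>'
BLOCKED_BODY='<html><head><title>403 Forbidden</title></head><body><h1>403 Forbidden</h1></body></html>'

for body in "$ENABLED_BODY" "$DISABLED_BODY" "$BLOCKED_BODY"; do
  printf '%s' "$body" | classify_xmlrpc_response
done
```

A result of "enabled" means the endpoint still accepts username and password and belongs in your brute-force monitoring. Note the difference between "disabled" and "blocked": the xmlrpc_enabled filter that plugins use only turns off methods that require authentication, so xmlrpc.php keeps answering unauthenticated calls; if nothing on your site needs XML-RPC at all, denying the path at the web server is the stronger setting.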

Keep Plugins & Themes Updated

The report states,

Vulnerabilities are frequently discovered in WordPress plugins and themes and therefore, continue to remain one of the top targets for threat actors targeting WordPress sites.

Between January and June 2021, WPScan recorded 602 new vulnerabilities across WordPress plugins, themes, and core, with only 3 of those found within WordPress core.

… ensuring that plugins, themes, and core remain up to date, while following security hardening guidelines, will ensure a site is safe from virtually all WordPress vulnerabilities. It is also recommended to stay in tune with the latest WordPress vulnerabilities …

Every time we've cleaned up a WordPress site that's been compromised, it has been running outdated software, and that outdated software has often had known vulnerabilities. It's important that you stay on top of updates to plugins and themes, but also to WordPress itself (WordPress Core).

Because updates occasionally break things, make sure you have a fresh backup of both the database and the files before updating. If you don't already have one, set up automatic backups to run every day or every week, depending on how often your site changes, and keep a copy somewhere other than the web server itself so that a compromise of the server doesn't take the backups with it.
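Here is the routine in script form, as an added example that is not from the report or OptimWise's own tooling. It uses WP-CLI (the `wp` command) to list what is out of date, then takes a database dump and a wp-content archive before updating core, plugins, and themes, and finishes by checking core files against the official checksums. The sample CSV, the backup file names, and the function names are assumptions for illustration; the listing function reads CSV from stdin so it can be tried without a WordPress install.

```shell
#!/usr/bin/env bash
# Added example (not from the report or OptimWise): list plugins and themes with
# a pending update from WP-CLI's CSV output, and a backup-then-update routine.
# The CSV below is constructed in the shape that
#   wp plugin list --fields=name,status,update,version,update_version --format=csv
# produces; the function reads it from stdin so it can be tested offline.
SAMPLE_PLUGINS='name,status,update,version,update_version
akismet,active,available,4.1.9,4.1.10
classic-editor,active,none,1.6,
contact-form-7,inactive,available,5.4,5.4.2'

# list_pending: prints "name (status) version -> update_version" for each row
# whose update column is "available". Inactive plugins are listed too: their
# files are still on the server and still reachable over the web, so a
# vulnerable version is a risk whether or not it is activated.
list_pending() {
  awk -F, 'NR > 1 && $3 == "available" { printf "%s (%s) %s -> %s\n", $1, $2, $4, $5 }'
}

# pending_count: number of rows with an update available
pending_count() {
  list_pending | wc -l | tr -d ' '
}

# safe_update: backup first, then update, then verify. Requires WP-CLI and
# must be run from the WordPress root. Stops at the first failure so a broken
# backup never leads into an update.
safe_update() {
  command -v wp >/dev/null 2>&1 || { echo 'wp-cli not found' >&2; return 1; }
  stamp=$(date +%Y%m%d-%H%M%S)
  wp db export "backup-$stamp.sql" || return 1                 # database
  tar -czf "wp-content-$stamp.tar.gz" wp-content || return 1   # plugins, themes, uploads
  wp core update && wp core update-db \
    && wp plugin update --all && wp theme update --all || return 1
  wp core verify-checksums                                     # flag modified core files
}

printf '%s\n' "$SAMPLE_PLUGINS" | list_pending
echo "$(printf '%s\n' "$SAMPLE_PLUGINS" | pending_count) update(s) pending"
```

On a real site, feed the listing from WP-CLI (`wp plugin list --fields=name,status,update,version,update_version --format=csv | list_pending`, and the same with `wp theme list`), and schedule that command so a non-zero `pending_count` reaches you, rather than waiting for the next time you happen to open the dashboard.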

Need Help Keeping Your WordPress Site Secure?

If this is all over your head or uninteresting to you, do yourself a favor and let someone else worry about keeping your WordPress site secure. Contact OptimWise and move on to a better use of your time.
