How many out of those approximately 63% websites use WordPress?

What % of websites don't use a CMS that we know of and monitor? 

37.1%

45.5%

40%

37.1%

50%

40.5%

65.5%

40.5%

Which means 37.1% are static or use custom CMSs. And rest of them use WordPress, Joomla, Shopify, Wix, Squarespace, Godaddy CMS etc. That is approx. 63%

• Brute Force Attacks

• SQL Injection

• Weak Code

• Malware

• Denial of Service

• Few more which I haven’t listed here.

This method uses the most simplest way to get access to the website, the login page.

An attacker uses a trial and error method of entering username and password combination until a successful combination is discovered.

SQL which means Structured Query Language is a query language that was designed to manage data stored in relational databases.

SQL injection, or SQLi, is a type of attack on a web application that enables an attacker to insert malicious SQL statements into the web application, potentially gaining access to sensitive data in the database or destroying this data.

For example attackers can use SQL Injection to alter data, extract data, get user credentials, delete records, manipulate data etc.

WordPress Core

WordPress is an open source platform, which is regularly maintained and updated for security and performance optimization of the website. 


WordPress Plugins and Themes

If the plugin or theme developer does not update the plugin or theme for a long time, it’s up to us to uninstall it or replace it.


Same applies if we use a custom theme or plugins.

Malware = Malicious Software

Let's take a look at some common WordPress Malware issues

A backdoor lets an attacker gain access to your environment through methods you would consider unusual — FTP, SFTP, WP-ADMIN, and others. Hackers can gain access to your website via the command line or even a GUI.

Pharma hack is a very common phenomenon and it refers to a type of SEO spam where a legitimate website is used to sell illicit drugs. In this type of attack, hackers hijack websites, injects site with malware and uses site to sell illicit drugs.

As the name suggests basically in this type of malware the website sends a user to a malicious website.

To detect, one of the things you can do is check your .htaccess file.

Essentially when an attacker wants to take down your website or service, they flood it with traffic from various sources to make it difficult to find out the source of the attack. They bottleneck your servers so that your normal visitors are denied service. 

The purpose of these requests is to slow down and eventually crash the targeted server.

So as we discussed earlier SQL injection attack basically takes place by interfering with the queries that an application makes to its database.


Some of the steps to avoid this include

• input field validation

• removing unnecessary database functionality

• encrypting confidential data etc.
  
  In addition to that use a security plugin like Succuri or WordFence,

The .htaccess file is a website configuration file that tells your server how to handle certain requests on your website. For example, how do you redirect users, password protect the admin area, protect specific directories, etc.

To check if its enbaled on your website go to http://xmlrpc.eritreo.it/

add_filter('xmlrpc_enabled', '__return_false');

XML-RPC is a remote procedure call (RPC) protocol that enables communication between different software systems over the internet. It is commonly used by WordPress sites to allow external applications to access the site's data and perform actions on behalf of users.

However, XML-RPC can also be a potential security risk for WordPress sites, as it provides a potential entry point for hackers to launch attacks. Here are some tips for securing XML-RPC on your WordPress site:

You can disable it using the code below or by using a plugin

However, XML-RPC can also be a potential security risk for WordPress sites, as it provides a potential entry point for hackers to launch attacks. Here are some tips for securing XML-RPC on your WordPress site:

1. Disable XML-RPC: If you don't need XML-RPC functionality on your site, the easiest way to secure it is to disable it completely. You can do this by adding the following code to your site's functions.php file:
   
   add_filter('xmlrpc_enabled', '__return_false');
    
   

2. Limit access to XML-RPC: If you need to use XML-RPC, you can limit access to it by using a plugin like "Disable XML-RPC" or "Jetpack". These plugins allow you to block XML-RPC requests from specific IP addresses or user agents.

3. Use strong passwords: XML-RPC allows attackers to attempt to guess usernames and passwords using brute-force attacks. To protect against this, make sure all users have strong passwords and consider implementing two-factor authentication.

4. Use a firewall: A firewall can help protect against XML-RPC attacks by blocking suspicious traffic. You can use a plugin like "Wordfence" or "Sucuri" to add a firewall to your WordPress site.

5. Keep your WordPress site up-to-date: WordPress releases updates regularly to fix security vulnerabilities. Make sure you keep your site up-to-date with the latest version of WordPress, as well as any plugins and themes you're using.

By following these tips, you can help secure XML-RPC on your WordPress site and reduce the risk of attacks.

There are a few scenarios where a WordPress website might need XML-RPC enabled:

1. Remote publishing

2. Mobile apps

3. Jetpack

4. Integration with other systems

Overall, if you don't need to use external applications or services to manage your WordPress site, you can safely disable XML-RPC to improve your site's security. However, if you do need to use external tools or integrate with other systems, enabling XML-RPC is necessary for those use cases.

• Schedule proper backups regularly

• Store backups in the cloud, separate from your website

• Have a easy to use backup restore plugin if possible

It is WordPress' default feature to display the WordPress version of your site for tracking, however this condition can lead to security leaks on your site if you aren't running the most recent version.


To remove the WordPress version in the header do the following

Or add the following to your functions.php

For the WordPress version number to be completely removed from your head and RSS feeds, you must add the following function to your functions.php file:

One of the easiest ways to start with security in mind is to choose a wiser database prefix for your website when you’re setting it up. Because by default the database prefix is wp_. So instead of wp_ just type in something that’s unpredictable for example 29wp_.

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. 

Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to prevent malicious websites from accessing resources on a different domain.

• Limit Login Attempts

• Change the login URL

• Two factor login Authentication

• Automatically logout idle users

• Create a strong password and create a guide for team members

• Remove default Username Admin/User

• Whitelist IPs

• WordFence 

Because WordPress is so popular and even used by huge organizations for mega websites, the hackers keep working to develop ways to circumvent the security updates in WordPress and get access to even the most uptodate WordPress websites.


That’s why it’s really important to keep the WordPress core, themes and plugins up to date. If you’re using custom themes or plugins just make sure that the code is updated regularly.

Website hosting easily plays the most important role in the security of the website.


There are different types of hosting, shared hosting, Dedicated Server hosting, VPS Virtual Private hosting, Cloud hosting etc.


A few things good web hosting companies do, prevent large scale DDOS attacks, keep their software up to date and deploy disaster recovery and accidents plans, have strong firewall and continuous supervision of the network for suspicious activity.