Nothing online is 100% secure, and your WordPress site is no exception to this rule. Since WordPress powers at least a quarter of all websites worldwide, the platform has naturally been an irresistible target for attackers for years. In the post - Never let your WP become an attack vector - we explained the hows and whys. Now, let's explore scenarios where you are a vulnerable
You or somebody from your team is in charge of the updates. In both cases, we bet that experience in WordPress security is not a strong suit, that updates are not applied regularly, and that other factors (explained below) erode these competencies even further. Please understand: people who hack websites use automated tools that scour thousands of websites for known vulnerabilities. Your WordPress site is one of those targets. So even if your website isn't popular, you can still be a target.
If you are not constantly informing yourself about the latest security issues, you can neither prevent nor resolve the latest problems. If you are not constantly monitoring the server and your WordPress site, you can neither prevent nor stop these problems. If you do not have a defense strategy for the most common issues, you can neither prevent nor mitigate them. So yes, you're vulnerable, and your WordPress security is an urgent problem.
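As an added example (not code from the original post), here is a small Python check for the monitoring point above: it reads Apache/nginx combined-format access log lines and flags any client IP that POSTs to /wp-login.php or /xmlrpc.php at least a threshold number of times inside a sliding time window, which is what the automated login-guessing tools mentioned earlier look like in your logs. The log lines, IP addresses, endpoints, threshold and window below are constructed assumptions chosen for the illustration.

```python
"""Flag login brute-force attempts against WordPress in a combined-format access log.

Added example, not code from the original post. The log lines below are constructed
for illustration; the endpoints, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that automated login-guessing tools hammer (assumption: these two).
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string before matching
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Map each offending IP to the highest number of login POSTs it made inside any one window."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_ENDPOINTS:
            attempts[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span is at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one client guessing passwords every 10 seconds, one legitimate
# user logging in twice, one page view, and a lone xmlrpc POST hours later.
_T0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("203.0.113.7", _T0 + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200)
     for i in range(12)]
    + [_line("198.51.100.4", _T0 + timedelta(minutes=i), "POST", "/wp-login.php", 302)
       for i in range(2)]
    + [_line("192.0.2.9", _T0, "GET", "/wp-login.php", 200)]
    + [_line("203.0.113.7", _T0 + timedelta(hours=3), "POST", "/xmlrpc.php?rsd", 200)]
)

if __name__ == "__main__":
    for ip, hits in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {hits} login POSTs within 5 minutes")
```

Against a real log you would call `find_bruteforce(open("/var/log/apache2/access.log"))` and feed the offending IPs to your firewall or fail2ban-style tooling; the sliding window matters because a slow guesser spread over hours should not trip the same alert as twelve attempts in two minutes.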
You chose WordPress because it's the best solution for your needs. Whenever your business has a new requirement, everybody tells you "Don't worry, there's a plugin for that". And they are right: almost anything can be resolved with a plugin, and that is good for business. Now, here comes the reality. At least half of your plugins have not been updated in over a year, which means that any vulnerability discovered in them since then is still unpatched on your site. Here comes an even harsher reality: you have at least one or two plugins that are 2-3 years old. Statistically, more than half of all hacked websites were compromised through the themes or plugins they were running. Contact us immediately if either of the last two sentences is true!
For the sake of better understanding, let's compare WordPress security with an industry-standard, high-security-grade padlock. While for you or me cracking such a padlock would be impossible, for somebody who knows what he's doing it's child's play.
This is a video of an automated attack (brute force, first 40 seconds) on your padlock:
This is a video of a specific attack with a known vulnerability on your padlock:
This is a video of a low budget attack on your padlock:
False sense of security:
There is nothing worse than a false sense of security! Even the definition says it: a false sense of security is the feeling of being safer than you really are. All of our customers who ordered the - Undo disasters - on-demand WordPress service to recover their crashed WordPress, to clean their infected WordPress or to secure their hacked WordPress had the same origin of the problem. They relied on a false sense of security, assuming that the hosting or marketing company, or the development or SEO team, would resolve all the security issues. Each of these service providers was hired for something totally different than security. They delivered those services. Security was not their concern.
The second issue: time constraints or budget limitations (or both). We all want to deliver the latest business requirement fast and at a reasonable price. When service providers are pressed to deliver the agreed-upon services under these limitations, security is ignored. It is the least of their concerns, and nobody focuses on it while all attention is on time and budget.
Back to the padlock analogy. You cannot blame your local store for stocking only one type of padlock when it was cracked. You cannot blame your local store for selling you the cheapest padlock. You cannot blame your employee who put the padlock where you asked, and it was cracked. You cannot blame anybody else that you have three doors and a single padlock.