WordPress Security: Is Your Website Safe?

Without WordPress security, your website is in jeopardy. Even the most obscure site is a target for backend attacks. Protecting your WordPress website starts with keeping an eye out for vulnerabilities as they emerge and ensuring everything is always up-to-date. Even then, the dark traffic on the web is actively seeking weak spots on every site they locate.

Last week, I saw some really bizarre antics on one site I maintain. Over 400 various attempts to breach the backend simultaneously from almost as many IP addresses. Hundreds of hacking attempts at the same time. Not one bot in the mob, they were all humans. Are they all organized on some Facebook Group or Slack channel, each poised to commit an assigned strike in unison?

WordPress hackers never stop trying to kidnap or destroy your blog or business. They try to log in using the author names or the classic user name: admin. Never create a user called “admin”! Unless, of course, you just want to see how fast hackers can break in. It was not a safe choice 10 years ago! Furthermore, don’t use the site URL (your domain name) as a user name either. Who does that? Apparently, it’s pretty common, because it’s a popular thing for hackers to use on failed login attempts. But none of February 25’s battalion tried logging in.

This organized and devious army from 10 countries tried to attack 36 plugins and Windows Live Writer. If you’re using Live Writer to make posting easier – STOP! It apparently has a WordPress vulnerability, one that could very well migrate into your computer as well.

I can identify all but two plugins because of the path those particular hackers used. One tried to access a “DG lobby page” and the other wanted to get into “ave_publish-post” inside the WordPress admin. Googling didn’t deliver any identifying clues on what plugin or theme was targeted. The rest of the plugins under attack are as follows:

Bad for WordPress Security

  • A B Test
  • Advanced Custom Fields
  • All Web Menus
  • Annonces
  • App the Slider Gallery
  • Back Up
  • Bookz
  • Cloudsafe 365 for WP
  • Crayon Syntax Highlighter
  • Disclosure Policy
  • DM Albums
  • DZS Video Gallery
  • Enigma 2
  • Gwolle Guestbook
  • Jquery Mega Menu
  • LiveSig
  • Localize My Post
  • Mac Photo Gallery
  • Mailz
  • Mini Mail Dashboard
  • Miwi FTP
  • My Flash
  • My Gallery
  • Old Post Spinner
  • Omni Secure Files
  • Page Flip Image Gallery
  • PictPress
  • Photo Cart Link
  • Post Recommendations for WordPress
  • Relocate Upload
  • SE HTML 5 Audio Player
  • SF Booking
  • Sniplets
  • Spicy Blogroll
  • Tera Charts
  • The Cart Press
  • Thinkun Remind
  • WordTube
  • We Chat Broadcast
  • Website Contact Form with File Upload
  • WP Custom Pages
  • WP DB Backup
  • WP Easy Stats
  • WP GDPR Compliance
  • WP Lytebox
  • WP Mini Audio Player
  • WP Publication Archive
  • WP Source Control
  • WP Table
  • Zingiri Forum
  • Zingiri Web Shop

Yes, the list includes old plugins, but out-of-date websites are pretty common online. Some people think that the if-it’s-not-broke-don’t-fix-it rule applies to their website too. As long as it shows up when they type in the URL, all is well in their world. So, no, the hackers aren’t out of touch, but many website owners are.

A lot of small businesses have the same website they started out with… 5-10 years ago. And none of the content has changed much either. Not a wise approach. Google doesn’t give stagnant websites any love, so it’s costing the business owner possible new customers. But hackers? They adore an out-of-date website and can sniff them out from the other side of the world.

Should you still have any of these plugins installed, remove them. Even if a plugin is not active, its files are still on the server and reachable by URL, so any vulnerability in them still offers a backdoor for WordPress hackers. The website this happened on, however, never had a single one of them in place. The hackers can’t see that, but are hoping something useful is available. Your website needs protection from these people. What do you think normal visitors experience if hundreds of backend hits are happening when they land on your website?

These attacks can last a long time. The hackers usually attempt breaking in repeatedly, which in turn might create issues with your hosting account. It also makes you a sitting duck. If you don’t have a WordPress security firewall installed on your website, the hackers might find success before transferring their malicious attention to someone else’s website.

I highly recommend installing WordFence security. The plugin offers a powerful defense against bots and bad people, and even the free version works like a charm. If it wasn’t there blocking IPs for malicious activity, that website might have been toast. Thankfully, none of the target plugins was present, but they only get one chance with WordFence in place. It blocks them from accessing any part of your website after that for a set amount of time.
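To show what that “one chance, then blocked for a set time” behavior looks like against the kind of traffic described above, here is an added illustration written for this post (it is not WordFence’s code). It reads constructed web-server access-log lines: any IP whose request for a path under /wp-content/plugins/ returns 404 (a probe for a plugin that isn’t installed) is blocked for a window, and later requests from that IP inside the window are refused. The sample IPs, timestamps and the 30-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic from the site in the post).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2019:10:00:01 +0000] "GET /wp-content/plugins/wp-db-backup/backup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Feb/2019:10:00:01 +0000] "GET /wp-content/plugins/advanced-custom-fields/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.12 - - [25/Feb/2019:10:00:02 +0000] "GET /wp-content/plugins/wp-db-backup/backup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2019:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Feb/2019:10:01:00 +0000] "GET /wp-content/plugins/contact-form-7/includes/css/styles.css HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Feb/2019:10:31:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/")


def parse_line(line):
    """Return (ip, timestamp, path, status) for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def one_strike_block(lines, block_minutes=30):
    """Simulate one-strike blocking over a log; return (blocked_until, denied, probed)."""
    blocked_until = {}           # ip -> datetime when its block expires
    denied = []                  # (ip, path) requests that would be refused while blocked
    probed = defaultdict(set)    # plugin slug -> distinct IPs that probed for it
    for raw in lines.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if ip in blocked_until and ts < blocked_until[ip]:
            denied.append((ip, path))   # still inside the block window: refuse everything
            continue
        m = PLUGIN_RE.match(path)
        if m and status == 404:         # probe for a plugin this site does not have
            probed[m.group("slug")].add(ip)
            blocked_until[ip] = ts + timedelta(minutes=block_minutes)
    return blocked_until, denied, probed
```

Grouping by plugin slug also shows the “many IPs, one target” pattern the post describes: here two different addresses ask for the same absent backup plugin within a second of each other.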

By the way, the vulnerability target in Advanced Custom Fields (ACF) is in an old version. Unless something new popped up, what the hackers were looking for was patched in December 2018. But as you can see, that doesn’t stop them from trying to access it. Sooner or later, they will locate a site with that old version and succeed.

Improve Your WordPress Security

If you don’t have the time to keep your WordPress security and website up-to-date, you need some assistance. I’m always happy to help, offering monthly maintenance packages and continual administration service. Delegating is far better than a total loss, especially if your website is generating income.

Of course, there are other ways a hacker can bypass even WordPress security as solid as WordFence. Choose your hosting provider wisely. The cheap hosting places may have enticing offers, but are the other site owners on your shared server serious about what they’re doing too? A hacker can exploit one website and once inside the server files, run amok through all the sites stored there. It’s kind of like the choice between renting an apartment on the shady side of town versus the higher priced ones in more affluent neighborhoods. Crime is everywhere, but some locations can put you in the wrong place at the right time.