Introducing Atomic Security: The Future of WordPress
7 Layers of Security for Your WordPress Site
Your website needs the most comprehensive security to protect it from the constant attacks it faces every day.
It is our belief that WordPress sites should never get hacked.
But the vast majority of the WordPress ecosystem would say that this is a pipe dream.
Every few weeks, a major vulnerability is discovered in a popular plugin, and thousands of sites are crippled. Credentials are leaked. Data is compromised. Losses pile up.
We’ve all seen this situation play out time and again. The WordPress ecosystem has become resigned to it, thinking that security is the price to pay for building unique websites.
We disagree. Security is never negotiable.
As security providers, we have seen threats and hackers constantly evolving. They are becoming more and more sophisticated.
But the answer wasn’t to be resigned to the status quo. It was to disrupt it.
The anatomy of WordPress hacks
Disrupting the status quo meant revisiting the problem from its first principles. We started with the root cause of all hacks: vulnerabilities.
We put every major vulnerability of the last 5 years under a microscope. These vulnerabilities collectively took down over 2 million WordPress sites.
Our analysis uncovered very clear, distinct patterns.
Next, we studied the architecture of WordPress sites to correlate the patterns to areas that are targeted by hackers. We examined thousands of individual sites to see how their unique aspects—plugins, themes, database tables, users, settings, options, and more—impacted their security.
Take user registration for example. It is perfectly valid, and a feature of the WordPress core. By default, there are severe restrictions on who can register and the capabilities they have. Hackers are on the prowl to find vulnerabilities which allow them to override these restrictions. The eventual goal is to create admin accounts, and thus take over the site.
Even though attacks and malware are varied, the goals of hackers are comparatively simple: they want to gain unauthorised access to sites. To accomplish this, they target specific areas of a WordPress site. And very often, they manipulate core WordPress features to do so.
Atomic security, customised for WordPress
When we broke down WordPress hacks, it was evident that effective security had to be deeply integrated with WordPress. It could not exist as a layer distinct from a site.
An external security layer cannot identify and block attacks targeting vulnerabilities seen in plugins, simply because the attacks are diverse and do not have common patterns by which they can be identified.
This idea forms the crux of why Atomic Security is such a paradigm shift. Integrated security is contrary to all previously-held beliefs about firewalls existing outside of sites.
Only a security layer that is deeply integrated with WordPress has the context of WordPress APIs and the underlying system.
For example, at a broad level, blocking new user registrations would be one way to stop a privilege escalation vulnerability in its tracks.
But, as we noted before, creating new users is a core WordPress feature. On the surface, it looks perfectly innocent and even desirable, but it can be manipulated to give a hacker unauthorised access to a site.
Additionally, broad-level blocks cannot be applied universally. We want to preserve the functionality, flexibility and features of WordPress, not remove them.
Consider two common types of WordPress sites: a WooCommerce store and a brochure site. User registrations are necessary for ecommerce stores, so customers can track their purchases and make payments safely. On the other hand, a brochure site has no need to have open user registrations.
On both, only admins should be able to change roles, and that too only from legitimate areas, like wp-admin.
These distinctions and similarities are based on the site architecture: the plugins and themes in use, database tables, users, settings, and more.
We analysed thousands of individual sites to engineer Atomic Security, an intelligent defence that can analyse a site based on these factors, and create customised security for it each time.
Making WordPress hacks a thing of the past
WordPress’ flexibility is no longer its biggest security liability.
The reality is that there are vulnerabilities that exist today on millions of sites, but they haven’t been discovered by security researchers, let alone patched.
They may well have been discovered by hackers, and are being exploited as we speak.
MalCare’s Atomic Security puts an end to all of this.
Put WordPress security to the test
Don’t take our word for it either. Put your site’s current defences to the test with our open source tool, WP-Radar. It will expose any weaknesses, if they exist.
WP-Radar is a 100% open source testing tool which addresses a huge gap in WordPress security: a deterministic way to evaluate site security.
Whether you rely on your web host, have a battery of security plugins, use a firewall, or even employ a mix of security strategies, WP-Radar will check if your security stack will protect your site against attacks targeting vulnerabilities.
At the end, you have a definitive answer to the question: is my site secure?
The future of WordPress is secure
Our research has yielded many insights, which have enabled us to create Atomic Security, a major milestone in WordPress security. However, more work needs to be done.
We continue to delve deep into vulnerabilities, adding capabilities to Atomic Security as we progress. Our goal is to evolve intelligent security, in order to deal with threats effectively and proactively.
Hackers only have to win once, while security has to win every time. The key has always been to stay ahead of hackers, and we continue to increase that distance manifold with Atomic Security.
Atomic Security has flipped the script. So, be bold and build on WordPress with confidence. Because the future of WordPress is secure.