WordPress: A Popular Target
WordPress is the most popular CMS in the world, powering over 30% of the world's websites. Whether it's a small business or a large enterprise, anyone who thinks of building a website will consider WordPress, and for good reason: it's open source software, it's customizable, and it's backed by an active global community. But such popularity also puts a target on its back.
How Popular is WordPress Exactly?
To understand the reach of WordPress, let's look at some of the stats. Right now there are 75 million WordPress websites on the internet. And as per W3Techs, 714 new WP sites are created each day.
This demonstrates the ever-expanding reach of WordPress. It's been named the fastest growing content management system for 8 consecutive years, which shows that WordPress isn't slowing down anytime soon.
To understand WordPress's rapid growth we need to understand its not-so-secret success recipe. Its open source nature makes it transparent: anyone can learn how to use it effectively. What makes it better than other open source website building platforms like Drupal and Joomla is its simplicity. WordPress is designed to be user-friendly, especially for people without any technical knowledge.
WordPress was first launched in 2003 and, as an open source project, it welcomed people's contributions with the goal of meeting different needs. Soon a community grew around the platform, and that community is one of the key reasons behind the platform's popularity. In the last 15 years, the WordPress community has grown in number, which has helped WordPress become even more popular. But such popularity makes WordPress an obvious target.
Reasons for Being an Obvious Target
When WordPress was launched as a publishing platform, it could be used by anyone with a bit of technical knowledge. With WordPress's entry, website building was no longer a privilege limited to web developers, which made the platform very popular. But WordPress went one step further and invited people to contribute to its code. People joined the bandwagon and a community came into existence. Add-ons like themes and plugins made the platform customizable and more functional, adding fuel to its popularity. In this way, WordPress rose in fame and caught the attention of the hacker community.
Stats from W3Techs show that out of all the websites in the world, 48.1% don't use a content management system. Of the rest, WordPress is the preferred CMS, used by 31.1% of websites.
Popularity brings reach, which is why companies hire well-known actors to advertise their products: product X will sell far better if it's advertised by a popular actor than if it's promoted by a random person. But reach draws the attention not only of the target audience but also of agents with malicious intentions. Since the CMS is so widely used, hackers look for vulnerabilities that'll help them break into hundreds of thousands of websites. Targeting WordPress sites ensures that they'll be able to damage more websites than if they targeted other, less popular CMSs.
In order to get the most out of hack attempts, hackers often automate the process. Rarely do hackers manually target and hack a website. They program bots to find and exploit a vulnerability in WordPress websites. The bots then replicate the process on other websites with the same sort of vulnerability. Suppose there is a vulnerability in a plugin. Because of the open source nature of WordPress, the vulnerability becomes public very soon. If hackers learn to exploit the vulnerability before the plugin developers can release a patch, then thousands of sites could fall victim to hack attacks. A lot of the time, websites are compromised because the sites are not updated. Once developers release a patch for a vulnerability, it's up to the site owners to update the plugin so that the vulnerability is fixed. Failing to do so leaves the site open to a hack attack. Unsurprisingly, outdated themes and plugins are the number one cause behind websites getting hacked.
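Since outdated plugins are the number one cause of compromise, the first maintenance task is simply knowing which plugins are installed and which are behind their latest release. The script below is an added example, not code from the article or from MalCare. It reads the standard WordPress plugin header (the `Plugin Name:` / `Version:` comment block at the top of each plugin's main PHP file under `wp-content/plugins/`), compares each installed version against a catalogue of latest versions, and also flags plugins that are not in the catalogue at all, since bundled or hand-installed plugins that nobody is tracking are exactly the TimThumb-style blind spot. The catalogue and the sample plugin source are constructed for this example; on a real site you would fill the catalogue from the WordPress.org plugin info API or from `wp plugin list --update=available --format=json`.

```python
"""Inventory installed WordPress plugins and flag outdated or untracked ones.

Added example: assumes the standard wp-content/plugins/<slug>/<main>.php layout.
LATEST_VERSIONS is a constructed catalogue standing in for the WordPress.org
plugin info API or `wp plugin list --update=available --format=json`.
"""
import re
import tempfile
from pathlib import Path

# One "Key: value" line inside the plugin header comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

# Constructed sample plugin header (not a real plugin).
SAMPLE_PLUGIN_PHP = """<?php
/**
 * Plugin Name: Example Gallery
 * Plugin URI:  https://example.invalid/gallery
 * Description: Constructed sample plugin header for this example.
 * Version:     1.4.2
 * Author:      Example Author
 */
"""

# Constructed "latest release" catalogue keyed by plugin directory slug.
LATEST_VERSIONS = {"example-gallery": "1.5.0", "hello-dolly": "1.7.2"}


def parse_plugin_header(php_source: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} from the first comment block."""
    block = re.search(r"/\*.*?\*/", php_source, re.S)
    if not block:
        return {}
    return dict(HEADER_RE.findall(block.group(0)))


def is_older(installed: str, latest: str) -> bool:
    """Numeric version compare; pads so '1.0' and '1.0.0' are treated as equal."""
    a = [int(p) for p in re.findall(r"\d+", installed)]
    b = [int(p) for p in re.findall(r"\d+", latest)]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def find_outdated(installed: dict, latest: dict) -> list:
    """(slug, installed, latest) for plugins behind the catalogue; latest=None if untracked."""
    report = []
    for slug in sorted(installed):
        newest = latest.get(slug)
        if newest is None:
            report.append((slug, installed[slug], None))   # nobody is tracking this one
        elif is_older(installed[slug], newest):
            report.append((slug, installed[slug], newest))
    return report


def inventory_plugins(plugins_dir: Path) -> dict:
    """Scan plugins_dir; map each plugin directory slug to its header Version."""
    installed = {}
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php_file.read_text(errors="replace"))
            if "Plugin Name" in header:          # this is the plugin's main file
                installed[plugin_dir.name] = header.get("Version", "0")
                break
    return installed


def demo() -> list:
    """Build a constructed plugins directory in a temp dir and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "example-gallery").mkdir()
        (root / "example-gallery" / "example-gallery.php").write_text(SAMPLE_PLUGIN_PHP)
        (root / "mystery-widget").mkdir()   # installed by a theme bundle, not in the catalogue
        (root / "mystery-widget" / "widget.php").write_text(
            "<?php\n/*\nPlugin Name: Mystery Widget\nVersion: 0.9\n*/\n")
        report = find_outdated(inventory_plugins(root), LATEST_VERSIONS)
    for slug, have, want in report:
        print(f"{slug}: installed {have}, latest {want or 'UNKNOWN (untracked)'}")
    return report


if __name__ == "__main__":
    demo()
```

Run it as a cron job against the real `wp-content/plugins` directory and alert on any non-empty report; the untracked entries deserve as much attention as the outdated ones.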
We can break down the exact reasons why WordPress websites are the chief target for hack attempts into three parts:
1. Wide scope
2. The WordPress user base
3. The developers
Let's dig a bit deeper to understand each of these points.
Reason 1: Wide Scope Ensures More Opportunity to Cause Damage
As per WordPress, over 409 million people view more than 21.9 billion WordPress pages each month. This makes WordPress a perfect platform to exploit. Suppose a political hacker group wanted to promote their political agenda. Exploiting WordPress websites will help them reach a large audience.
That said, different hacking communities have different reasons for launching hack attempts. Depending on the kind of gains hackers are looking for, the scope of damage may vary but the fact remains that with each exploit, hackers aim to gain as much visibility or extract as much information or use as many resources as possible.
Therefore hackers look for vulnerabilities that will hit the maximum number of sites. Take, for instance, the TimThumb case (it was an image resizing script). Since it was a popular tool, a lot of themes offered TimThumb as part of their package. This means you don't have to install TimThumb separately; it's installed when you install the theme on your site. Getting bundled tools may seem attractive, but many site owners don't know what specific tools they are getting in the package. When TimThumb fell victim to an exploit, several sites were hacked because the site owners were unaware that the vulnerable code was on their site. Choosing to exploit tools (plugins) or a CMS with a wide reach helps maximize the range of damage.
Reason 2: WordPress Users Fail to Maintain Site
Given that it's so easy to create a website with WordPress, it attracts all kinds of users. Although designed to be easy to use, maintaining the security of a WordPress site requires attention to detail and vigilance. Many website owners are not ready to put in the effort and time required to keep their site safe. Some are not even aware of the risks involved, because they assume a popular product must be safe, or else it wouldn't be as popular.
While the community focuses on making WordPress usable by people without technical expertise, maintaining the site requires some understanding of the basics of a WordPress site. For instance, updating plugins and themes is the most advisable security precaution, but a lot of the time updates can break a site. If one learns how to test updates (for example on a staging copy) before applying them to the live site, one can be saved a lot of hassle.
A large portion of WordPress site owners don't have any technical know-how, and many are not bothered about learning how to maintain their websites. This makes them an easy target. Hackers these days are not focused on big websites alone. They have devised ways to use small sites too, which means that if you own a small website, it is as likely to be targeted as any other site. This is why using a security plugin like MalCare makes sense. If you don't have the time to learn how to manage a site, why not automate the process by using a security solution?
Reason 3: Different Sorts of Developers
As a result of its open source philosophy, WordPress has many developers contributing to its code. It attracts both experts and novices, which leaves room for error. Of course, there are guidelines and useful resources (like the WordPress Codex, forums, etc.) that people can follow, but there's no guarantee that contributors are really following them. With hundreds of thousands of contributors distributed across the globe, there is no way of monitoring each and every contributor.
WordPress keeps a public record of all vulnerabilities and their patches. Anyone who wants to study a vulnerability and how it works can easily access them. Using this information, hackers can exploit websites that still retain those vulnerabilities.
So How Secure is WordPress?
Now that you know WordPress better, it's natural to wonder if WordPress is a secure platform. It's a tough question with no definite answer. None of the things we discussed above make WordPress as a platform insecure. But it's clear that the ecosystem WordPress works in (where one can use plugins and themes), which is partly responsible for its popularity, is also responsible for making the CMS susceptible to hack attempts. To ensure the safety of your WordPress site, educate your admins on how to use WordPress properly (here's a good resource for WordPress tutorials), take precautions and stay vigilant. That said, it's also true that there is no such thing as a completely secure website. Security is never absolute; therefore the goal of security measures is to reduce the chances of a breach. Keeping your website updated and using security plugins will go a long way in keeping hackers at bay.