WordPress sites are increasingly being infected with malware from pirated themes and plugins, according to a new report on WordPress security.
Security firm Wordfence has published a report detailing threats and attacks targeting WordPress sites, with data collected from the 4 million customers who have its software installed.
The major threats facing WordPress sites fall into three categories:
- Malware from pirated themes and plugins
- Malicious login attempts
- Vulnerability exploits
Here’s a summary of key highlights from the report.
Malware From Pirated Themes & Plugins
The most widespread threat to WordPress security is malware from pirated (nulled) themes and plugins. Wordfence detected more than 70 million malicious files on 1.2 million WordPress sites in the past year. Over 17% of all infected sites had malware from a nulled plugin or theme.
The WP-VCD malware was the most common threat to WordPress, accounting for 154,928 or 13% of all infected sites in the past year. When a plugin or theme is pirated, its license checking features are disabled or removed, which makes it easy for hackers to gain backdoor access.
The best way to defend your WordPress site against this type of attack is to purchase your plugins and themes legitimately and keep them updated. If your budget doesn’t permit the purchase of a premium theme, then a free alternative from a reputable provider is the safest option.
Malicious Login Attempts
Wordfence detected (and blocked) over 90 billion malicious login attempts from over 57 million unique IP addresses. That’s a rate of 2,800 attacks per second targeting WordPress sites. These attempts include credential stuffing attacks using lists of stolen credentials, dictionary attacks, and traditional brute-force attacks.
WordPress site owners can protect themselves from malicious login attempts by setting up multi-factor authentication, ensuring that no one can log in without a password and a special code only the user has access to.
Vulnerability Exploits
According to the report from Wordfence, there were 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses in the past year. The five most common attacks included:
- Directory Traversal: Made up 43% of all vulnerability exploit attempts (1.8 billion attacks).
- SQL Injection: Made up 21% of all exploit attempts (909.4 million attacks).
- Malicious file uploads: Made up 11% of all exploit attempts (454.8 million attacks).
- Cross-Site Scripting (XSS): Made up 8% of all attempts (330 million attacks).
- Authentication Bypass vulnerabilities: Made up 3% of all exploit attempts (140.8 million attacks).
All 4 million sites tracked as part of this report experienced at least one of each of these exploit attempts.
WordPress site owners can protect themselves against vulnerability exploits with a firewall.
How to Keep Your WordPress Site Secure
For up-to-date advice on keeping your WordPress site secure, see guides on protecting your site from hackers written by experts in the field. New WordPress vulnerabilities are exposed every day, so stay updated with the latest news and recommendations on security practices.
Source: Wordfence
