WordPress is the world’s favorite software for publishing and e-commerce on the internet. This makes it a lucrative target for hackers and criminals. A range of software tools and services is available for securing WordPress sites, but not all sites are protected and sometimes hackers are simply one step ahead. Here are the most common ways WordPress servers are attacked.
Wordfence, a security product for WordPress developed by Defiant Inc., has collected a massive amount of statistics about the ways people are trying to break in to WordPress servers. The 2020 statistics show how busy the internet is with relaying hacking attempts against WordPress servers. Wordfence says:
Over the course of 2020, Wordfence blocked more than 90 billion malicious login attempts from over 57 million unique IP addresses, at a rate of 2,800 attacks per second targeting WordPress.
Top 5 most common WordPress attack methods in 2020
According to Wordfence statistics:
- Attempts to access WordPress program or configuration files was the number one method at 43% share of all attacks.
- SQL Injection was the second most common type of attack at 21% of all attempts.
- Malicious file uploads at 11% share. They are usually intended to achieve Remote Code Execution(RCE) capability.
- Cross-Site Scripting(XSS) at 8% share was the fourth most common category.
- Authentication bypass at 3% share was the fifth.
2020 statistics from the security program that protects our WordPress servers reflect the trends Wordfence has detected. Attempts to access WordPress core software directories was the most frequent malicious activity. Attempts to login was number two.
Since plugins are a common way to break in to WordPress servers, we have chosen to minimize the number of plugins on our sites. Instead, we run, among others, WordPress security and statistics programs directly on the operating system. WordPress doesn’t have any connection to these pieces of software, so they can’t be used to access WordPress.
For WordPress statistics, Awstats software works well. Awstats is a generic statistics program that collects data from web server log files. Installing and configuring Awstats software requires an effort, but it works like a clockwork after that. WordPress setup doesn’t have to be changed at all.
For WordPress security, we use a program that runs on Linux operating system, scanning for suspicious activity directed towards WordPress installations running on the server. Since the program runs outside WordPress, it can stop attacks before they enter the publishing system. Security plugins installed for WordPress run inside the publishing system.
Basic security settings for WordPress are explained in this article and video talk. Wordfence is producing a podcast series that talks about security, including tips for WordPress users.