WordPress Security Threats in 2020 and How to Prevent Them

The dominance WordPress has on the web comes at a price. Being the most popular CMS also makes it the most lucrative and profitable target for hackers. In 2019, 94% of hacked websites cleaned by Sucuri ran on WordPress. Other CMS platforms didn’t even make it into the double digits.

This high number does not mean that WordPress is vulnerable. In fact, the WordPress security team does a great job patching vulnerabilities. But the thousands of plugins and themes that can be installed to customize WP open new routes for potential hacks. That’s not even considering legacy sites that aren’t – or in some cases can’t be – updated. 

As a result, security threats need to be top of mind for any WP website owner. Because hackers are always looking for new vulnerabilities, new threats are constantly emerging. To help keep your sites protected, we’re going to take a look at the top WordPress security threats to look out for in 2020.

To get a better idea, we’ll dig into findings from Sucuri’s 2019 Website Threat Research Report. Our malware research and remediation teams compiled this data from our clients in 2019 to get a more comprehensive look at trending threats. 

SEO spam reigns supreme

When it comes to website attacks, SEO spam is still the most popular method for hackers. This technique involves injecting keywords and content into a compromised website in order to exploit its good standing. Also, SEO spam injections may redirect visitors to scam pages. 

During 2019, our team found that 62% of websites had an SEO spam infection during cleanup, an increase from the 51.3% we found in 2018. The most popular type of infection targeted the database to infect websites with unwanted content. We often found more than one infection, with our SEO spam cases having 12 different infections on average. 

An unresolved SEO spam hack can seriously damage a site’s reputation and ultimately lead to a blacklist by major search engines. Because of this, it is wise for WordPress owners to keep SEO spam attacks top of mind in 2020. After all, it’s the most popular form of attack against the most popular choice of CMS.

Backdoors on a slight decline – but still a problem

Even worse, SEO spam reinfections occurred 15% of the time, thanks to our second most-found type of malware on websites in 2019: backdoors.

Hackers install backdoors to make sure they can regain access to a compromised environment. It’s their way of being able to return to the scene of the crime undetected. While we found them in about 47% of the hacked websites cleaned in 2019, that’s actually down from 68% in 2018.

Backdoors are usually removed during core, plugin, or theme updates. It’s also easier to find and remove database backdoors than other types of malware. But just because they’re on the decline doesn’t mean they’re not a problem.

Website reinfections are becoming more common 

Last year, our team of website security experts found that the largest volume of website reinfections occurred for sites infected with SEO spam and generic malware. 

But for WordPress users specifically, one of the most notable reinfections in 2019 came from WP-VCD infections. In these cases, affected sites saw a reinfection rate of 40% on average. Our team cleaned more than 5,000 websites infected with WP-VCD and found that leaving a single infected file could result in a reinfection.

For many of these sites, the initial infection came from pirated or nulled copies of themes or plugins, so only use legitimate plugins and themes from the official WordPress repository to avoid this security headache.

Core WordPress files found to be vulnerable at the point of infection

In 2019, we found 56% of our clients’ CMS applications were out of date at the point of infection. This number has not changed since our previous analysis. WordPress users, however, have apparently been very good at keeping their CMS updated: we found 49% of WP installations were outdated, which is much lower than the other popular CMS applications.

Why is WordPress so much lower than the competition? Well, our research found that the automatic background updates introduced in version 3.7 give users an advantage over software that doesn’t contain auto-update features. 

update_option() contributed to more high-severity vulnerabilities

One of the most common exploit patterns we saw in 2019 was a rise in attacks targeting the WordPress update_option() function. The function is used legitimately to update any entry in the options database table. But if the code calling it does not check who is making the request, attackers can gain admin access or inject data.

Unfortunately, several plugins expose update_option() through settings handlers meant for admin users. This is not an issue per se, but the lack of security checks (capability and nonce verification, and a restriction on which options may be written) lets attackers change those values. This opens the possibility of an attacker editing internal WordPress options.

To avoid these issues, always update your plugins, themes, and other third-party components. The latest security patches are crucial to protect your WordPress environment from vulnerabilities.
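The pattern described above, as an added example that is not code from this post or from any real plugin: a hypothetical AJAX settings handler that writes to the options table with update_option(). The first version shows the class of bug (no capability check, no nonce, option name taken from the request, and reachable by anonymous visitors), and the second shows the checks that close it. All names prefixed `hypo_` and `vuln_` are assumptions made for the example.

```php
<?php
/**
 * Added example (not from Sucuri's post or any real plugin): a hypothetical
 * plugin settings handler that writes to the options table via update_option().
 * The first version shows the bug class the post describes; the second shows
 * the checks that close it. Load as a mu-plugin on a development site only.
 */

// --- Vulnerable pattern (for code review; left unregistered in this file) ---
// Trusts the option name and value straight from the request. If it were also
// hooked on wp_ajax_nopriv_*, any visitor could rewrite any option, including
// the ones that control registration and default roles, and gain admin access.
function vuln_save_setting() {
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option( $name, $value );   // no capability check, no nonce, no allow-list
    wp_send_json_success();
}
// add_action( 'wp_ajax_vuln_save_setting', 'vuln_save_setting' );
// add_action( 'wp_ajax_nopriv_vuln_save_setting', 'vuln_save_setting' );

// --- Hardened pattern ---------------------------------------------------------
// 1. no wp_ajax_nopriv_* hook: anonymous visitors never reach the handler
// 2. capability check: only users allowed to manage options proceed
// 3. nonce check: a forged request from an admin's browser is rejected
// 4. allow-list: only this plugin's own option may be written
// 5. sanitisation: the stored value has a known shape
const HYPO_ALLOWED_OPTIONS = array( 'hypo_plugin_banner_text' );   // assumed option name

function hypo_save_setting() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Nonce must have been created with wp_create_nonce( 'hypo_save_setting' )
    // and posted in the 'nonce' field; dies with a 403 on mismatch.
    check_ajax_referer( 'hypo_save_setting', 'nonce' );

    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, HYPO_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';

    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_save_setting', 'hypo_save_setting' );
```

When auditing a plugin, the quick check is to search for every update_option() call and confirm that the request reaching it passed a current_user_can() test and a nonce check, and that the option name is fixed in code rather than read from the request. A handler registered on a wp_ajax_nopriv_* hook that ends in update_option() is almost always a finding.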

Cryptomining threat decreased significantly from 2018

One positive for WordPress website owners is that cryptomining is becoming less of a worry. A total of nine new cryptominer domains were blacklisted in 2019, down from 100 in 2018. It’s likely because of a decreased price in cryptocurrencies. Also, CoinHive, one of the most popular browser-based JavaScript miners on the market, shut down in early 2019.

But, cryptomining isn’t completely dead. We still saw detections belonging to older infections – most of which were related to CoinHive. In 2019, our signatures detected about 50,000 injected cryptominers on infected websites.

Preventing WordPress website hacks in 2020

When it comes to protecting your WordPress website, it’s like the old saying goes, “An ounce of prevention is worth a pound of cure.” You’ll want to adopt a robust security plan as soon as possible. Because most common attacks are automated, you can’t assume that your site won’t be a target.

Password strength

Use a strong password. A password manager like LastPass, 1Password, or KeePass will make this much easier. These tools will generate and store complex, unique passwords. It takes the guesswork out of creating and remembering passwords for every account. 

Also, enable two-factor authentication (2FA) for all users, limit the amount of login attempts allowed, and use pre-login CAPTCHA to protect your site from unauthorized logins on legitimate accounts.
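As an added example of the login-attempt limit mentioned above (this is not code from the post or from Sucuri's plugin), the following minimal mu-plugin counts failed logins per client address with WordPress transients and refuses authentication once a threshold is reached. The threshold (5 attempts), lockout window (15 minutes) and all `hypo_` names are assumptions for the example.

```php
<?php
/**
 * Added example, not code from the post or from Sucuri's plugin: a minimal
 * mu-plugin that limits failed login attempts per client address using
 * WordPress transients. The limits below are assumed values.
 */

const HYPO_MAX_ATTEMPTS = 5;
const HYPO_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// Key the counter on the client address. REMOTE_ADDR is only trustworthy when
// the site is not behind a proxy or CDN; behind one, use the header that your
// proxy sets and that you have verified clients cannot forge (not done here).
function hypo_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'hypo_login_fail_' . md5( $ip );
}

// Count each failure; the transient expires on its own after the lockout window,
// so a stale counter never has to be cleaned up by hand.
function hypo_record_failure( $username ) {
    $key      = hypo_login_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, HYPO_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'hypo_record_failure' );

// Refuse authentication while the address is over the limit. Priority 30 runs
// after WordPress's own username/password check (priority 20), so returning a
// WP_Error here cannot be overridden by a correct password.
function hypo_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( hypo_login_key() ) >= HYPO_MAX_ATTEMPTS ) {
        return new WP_Error( 'hypo_locked_out', 'Too many failed logins; try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'hypo_block_if_locked', 30, 3 );

// Clear the counter after a successful login so legitimate users are not
// penalised for one or two typos.
function hypo_clear_on_success( $user_login, $user ) {
    delete_transient( hypo_login_key() );
}
add_action( 'wp_login', 'hypo_clear_on_success', 10, 2 );
```

Two design notes: a blocked attempt also fires wp_login_failed, so continued attempts keep extending the lockout, which is the intended behaviour; and because the error message is the same whether or not the password was correct, the lockout does not leak which accounts have valid credentials. Per-address limits do not stop distributed brute force from many addresses, which is why the post pairs this control with 2FA and a pre-login CAPTCHA.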

You should regularly audit your themes and plugins as well. Check to make sure any themes or plugins you use are still maintained and updated, and remove any that are out of date or no longer used.

Another good practice is to manage your user accounts. Replace the default admin account for your WordPress install. With a unique username for the admin account, you make it much more difficult for attackers to guess their way into your site.

Practicing the principle of least privilege will help as well. WordPress includes built-in roles for Administrators, Authors, Editors, Contributors, and Subscribers. Use these roles as intended to only give access to the users who need it, for the length of time necessary.

Closing thoughts about WordPress security in 2020

While these practices will help keep your WordPress site protected in 2020, there are no guarantees. For a more robust security solution, you’ll want to bring in some third-party security tools.

Sucuri offers website security solutions for WordPress users of all budgets. Our free WordPress security plugin can handle basic scanning and monitoring to help improve your security posture. We also have a Web Application Firewall and platform plans for larger websites and agencies.

Website security is something you always have to maintain or risk a catastrophic hack. With these tips, your security posture will be improved – but there’s always more room to learn. Sucuri has a wealth of free resources, including blogs and webinars, to help everyone learn about website security and make the internet a safer place.
