Converting WordPress to SSL and setting up a CSP (Content Security Policy) does not prevent hacking. We will explain the reasons for this.

Why SSL (HTTPS) does not prevent hacking
SSL encrypts communication between the web server and the user's browser so that the servers, Wi-Fi access points, and other devices that relay the data cannot read the contents of those communications and do not know what data is being sent or received.
Incidentally, the following information is not protected even if SSL is used:
(1) IP address of the destination
(2) Domain name (SNI) * The URL of the page being accessed and the queries under the domain are kept confidential.
(3) Timing and traffic volume of the connection
Therefore, converting to SSL can prevent WordPress login IDs and passwords from being read and exposed in transit.
Why can’t SSL prevent hacking?
However, most WordPress hacking is done either through brute force attacks, in which the administrator's password is found by trying candidates one after another, or by hackers directly exploiting vulnerabilities in plug-ins and elsewhere.
Such attacks cannot be prevented by encrypting communications using SSL, because the hacker’s unauthorized communications themselves are not filtered out.
Why CSP settings do not prevent hacking
Recently, it has become common to set CSP (Content Security Policy).
CSP (Content Security Policy) is a mechanism, configured in the .htaccess file or in other files, for specifying the sources from which JS scripts, images, CSS, etc. are allowed to be loaded. Browsers read these settings and block the loading of JS, etc. from unauthorized domains.
The CSP setting may prevent users from suffering secondary damage by preventing the browser from loading malicious JS scripts embedded by hackers on the site.
However, what CSP can prevent is only the user's browser loading and executing malicious scripts, etc. that were embedded in the content after the hacker has already successfully defaced the site. (Even this may not be prevented if the malicious embedded scripts are on the same server as the CSP settings.)
CSP is an insurance policy that may prevent users who access the site from suffering secondary damage in the event that the site is hacked.
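The limit described above, as an added example that is not code from the original page: a simplified JavaScript model of how a browser checks a script URL against a CSP, showing that a script on an outside domain is blocked while one placed on the site's own server passes 'self'. The policy, domains and paths are constructed samples, and parsePolicy and scriptAllowed are hypothetical helper names.

```javascript
// Simplified model of how a browser matches a script URL against a CSP.
// Handles 'none', 'self', *, scheme sources (https:), hosts and *.host wildcards;
// nonces, hashes, paths and ports are left out for brevity.

function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, the first occurrence of a directive wins.
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources;
    }
  }
  return directives;
}

function scriptAllowed(header, pageUrl, scriptUrl) {
  const policy = parsePolicy(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = policy['script-src'] ?? policy['default-src'];
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, pageUrl); // resolves relative URLs
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return script.origin === page.origin;
    if (s === '*') return /^https?:$/.test(script.protocol);
    if (s.startsWith("'")) return false; // nonce/hash/keyword: not modelled
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return script.protocol === s;
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m) return false;
    const [, scheme, host] = m;
    if (scheme && script.protocol !== scheme + ':') return false;
    if (host.startsWith('*.')) return script.hostname.endsWith(host.slice(1));
    return script.hostname === host;
  });
}

// Constructed sample: a policy as it might be sent from .htaccess, and two
// script references of the kind left behind after a site has been defaced.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com";
const PAGE = 'https://blog.example.com/post/1';

console.log(scriptAllowed(POLICY, PAGE, 'https://evil.example.net/x.js')); // false
console.log(scriptAllowed(POLICY, PAGE, '/js/injected.js'));               // true
```

The second result is the case the parenthetical above warns about: once the tampered file sits on the site's own origin, the policy treats it like any other first-party script.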
How do I prevent WordPress from being hacked?
To prevent WordPress from being hacked, it is important to take basic security measures, such as using plug-ins that specialize in preventing hacking, in addition to SSL and CSP settings.
Security Plug-ins
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
Basic Security Measures
What are some meaningful and not-so-meaningful security measures in WordPress?
We hope you find this information helpful.
This page prohibits the use, quotation, or summarization of any page, in whole or in part, by generative AI. However, if the following conditions are met, the specification of content using generative AI is permitted.
1. It is not for the purpose of learning by the generative AI.
2. Only the summary or title of the page content, at a level that does not lead to the solution of the user's problem, is shown to the user.
3. In the case of 2, a link to this content is shown to lead the user to this page.



