Attacks on WordPress sites have become more and more common as WordPress has spread to a large share of the web. Below, ranked from least to most dangerous, are the five operational mistakes that attackers are most likely to target.
No. 5 – Unlimited attempts against the login screen and xmlrpc.php
Attackers can brute-force the login screen (wp-login.php) and the XML-RPC endpoint (xmlrpc.php) with guessed login IDs and passwords in order to take over a WordPress administrator account. xmlrpc.php is the more attractive target: its system.multicall method lets one HTTP request carry many login attempts, so a login-screen rate limit alone does not stop it.
To prevent brute-force attacks on the login screen, install a plugin such as Limit Login Attempts that blocks an IP address after several failed login attempts. For xmlrpc.php, deny access to the file from outside in the web server configuration (for Apache, a directive in .htaccess that denies all requests to xmlrpc.php), or disable XML-RPC inside WordPress if no client or mobile app needs it.
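The following must-use plugin is an example added to this article; it is not code from WordPress core or from the Limit Login Attempts plugin. It does in a few dozen lines what the text recommends: it switches XML-RPC off with the `xmlrpc_enabled` filter and locks a source address out after repeated failures using WordPress transients. The threshold (5 failures) and lockout window (15 minutes) are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Harden Login (added example)
 * Description: Example code added to this article, not part of WordPress or any plugin.
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumed policy: lock an address after 5 failures, for 15 minutes.
define( 'HL_MAX_FAILURES', 5 );
define( 'HL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// 1. Refuse XML-RPC entirely. When this filter returns false, xmlrpc.php
//    answers every method call with an error, so system.multicall can no
//    longer be used to test hundreds of passwords in a single request.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

/** Transient key for the calling address. */
function hl_client_key() {
	// REMOTE_ADDR is the address of the TCP peer and cannot be forged by the
	// client. Behind a reverse proxy, have the proxy set it; do not read
	// X-Forwarded-For directly, or the attacker chooses their own key.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	return 'hl_fail_' . md5( $ip );
}

// 2. Count failures per source address. wp_login_failed fires once per
//    attempt, whichever form (login screen or XML-RPC) it came through.
add_action( 'wp_login_failed', function ( $username ) {
	$key      = hl_client_key();
	$failures = (int) get_transient( $key );
	set_transient( $key, $failures + 1, HL_LOCKOUT_SECONDS );
} );

// 3. Refuse authentication while an address is locked out. Priority 30 runs
//    after WordPress's own username/password callbacks (priority 20). That
//    order matters: a callback that returns WP_Error earlier than 20 is
//    overridden when the core check later finds a correct password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( (int) get_transient( hl_client_key() ) >= HL_MAX_FAILURES ) {
		return new WP_Error(
			'too_many_attempts',
			sprintf(
				'Too many failed logins from your address. Try again in %d minutes.',
				HL_LOCKOUT_SECONDS / MINUTE_IN_SECONDS
			)
		);
	}
	return $user;
}, 30, 3 );

// 4. A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( hl_client_key() );
}, 10, 2 );
```

Transients live in the options table (or the object cache when one is configured), so the lockout is shared by all PHP workers. Note that a per-address lock does not stop a distributed attack that rotates through many source addresses; that is why the strong-password advice in No. 1 still applies even with this plugin in place.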
No. 4 – Lax permissions let themes and plug-ins be edited from the administration screen
WordPress shows the Theme Editor and Plugin Editor whenever the PHP process running the site is allowed to write to those files. This is convenient, but it means that anyone who obtains one administrator session (through a stolen cookie, a guessed password or a cross-site request forgery) can write arbitrary PHP to the server from the browser. Set the permissions tight: make theme and plugin files owned by a deploy user rather than the web server user, with files at 644 and directories at 755, and additionally set DISALLOW_FILE_EDIT to true in wp-config.php so that the editors are removed from the admin screen regardless of file permissions.
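As an added example (not code from WordPress or any plugin), the must-use plugin below shows administrators which theme and plugin files the web server process could overwrite, and warns when DISALLOW_FILE_EDIT is not set. It runs inside the web server, which is the only user whose write access matters for the admin-screen editor; the scanned extensions and the once-a-day cache interval are assumptions.

```php
<?php
/**
 * Plugin Name: Writable Code Audit (added example)
 * Description: Example code added to this article, not part of WordPress or any plugin.
 * Place in wp-content/mu-plugins/. Complements this line in wp-config.php:
 *   define( 'DISALLOW_FILE_EDIT', true );
 * The constant removes the editor screens; this notice lists what the web
 * server could still modify through any other path (a vulnerable upload
 * handler, for example).
 */

/**
 * Return theme/plugin code files that the current (web server) process can write.
 */
function wca_scan_writable_code(): array {
	$roots = array( get_theme_root(), WP_PLUGIN_DIR );
	$found = array();
	foreach ( $roots as $root ) {
		if ( ! is_dir( $root ) ) {
			continue;
		}
		$it = new RecursiveIteratorIterator(
			new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
		);
		foreach ( $it as $file ) {
			if ( ! $file->isFile() ) {
				continue;
			}
			// Assumed set of extensions worth reporting: code the server executes or serves.
			$ext = strtolower( $file->getExtension() );
			if ( ! in_array( $ext, array( 'php', 'js', 'htaccess' ), true ) ) {
				continue;
			}
			// isWritable() asks exactly what the editor screen asks before it
			// offers a Save button: can this PHP process overwrite the file?
			if ( $file->isWritable() ) {
				$perms   = $file->getPerms() & 0777;
				$found[] = sprintf(
					'%s (mode %04o%s)',
					$file->getPathname(),
					$perms,
					( $perms & 0002 ) ? ', world-writable' : ''
				);
			}
		}
	}
	return $found;
}

add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	// Walking wp-content on every admin page load is expensive; cache the result for a day.
	$found = get_transient( 'wca_writable' );
	if ( false === $found ) {
		$found = wca_scan_writable_code();
		set_transient( 'wca_writable', $found, DAY_IN_SECONDS );
	}
	if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
		echo '<div class="notice notice-error"><p>DISALLOW_FILE_EDIT is not set: '
			. 'the Theme and Plugin Editors are available to any administrator session.</p></div>';
	}
	if ( ! empty( $found ) ) {
		echo '<div class="notice notice-warning"><p>' . count( $found )
			. ' theme/plugin files are writable by the web server:</p><ul>';
		foreach ( array_slice( $found, 0, 20 ) as $entry ) {
			echo '<li><code>' . esc_html( $entry ) . '</code></li>';
		}
		echo '</ul></div>';
	}
} );
```

If the notice lists files, the fix is on the server rather than in WordPress: change ownership to a non-web user and reset modes (644 for files, 755 for directories). Updates then have to be applied by that user or over SFTP/SSH, which is the intended trade-off.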
No. 3 – Not updating WordPress plug-ins for more than a year
Eight percent of WordPress hacks are based on vulnerabilities in plugins. The most popular plugins are the most likely targets, because a single exploit works against every site that runs the vulnerable version, so keeping them up to date matters most for plugins installed on a large number of sites. Remove plugins you no longer use rather than leaving them installed but inactive; an inactive plugin's files are still reachable on the server.
No. 2 – WordPress is running at version 3.5 or lower
WordPress core has been studied by attackers even more closely than plugins have. Many older WordPress versions contain well-known vulnerabilities, and a site left on one of them can have its code modified to harm visitors: stored cross-site scripting, use of the server as a relay for spam e-mail, and embedded malware are typical outcomes. Keep WordPress core on the latest version, and leave automatic background updates enabled for minor and security releases.
No. 1 – Username is admin and password is a single English word
Weak IDs and passwords are the cause of 22% of WordPress hacks. Attackers use a dictionary of commonly used administrator IDs and passwords, which a program types into the login screen over and over again until it obtains administrator privileges. Do not use "admin" as the administrator's user name; choose a name the attacker cannot guess from the site. The password should be at least 12 characters long and mix letters, digits and symbols, and must not be a dictionary word or contain the user name.
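As an added example (not code from WordPress or any plugin), the must-use plugin below enforces the two rules in this section: it refuses to create accounts named "admin" through WordPress's `illegal_user_logins` filter, and it rejects weak passwords wherever a password is set from the profile screen or the reset form. The minimum length of 12 is the figure from the text; the short dictionary, the reserved login names and the set of character classes are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Credential Policy (added example)
 * Description: Example code added to this article, not part of WordPress or any plugin.
 * Place in wp-content/mu-plugins/.
 */

// Assumed reserved login names. An existing "admin" account is not affected;
// rename it (or create a new administrator and delete it) by hand.
add_filter( 'illegal_user_logins', function ( $logins ) {
	return array_merge( $logins, array( 'admin', 'administrator', 'root', 'wordpress' ) );
} );

/**
 * Return a list of reasons a password is unacceptable; empty means it passes.
 * Constructed mini-dictionary: a real deployment would load a large word list.
 */
function cp_password_problems( string $password, string $login ): array {
	static $dictionary = array( 'password', 'welcome', 'letmein', 'wordpress', 'qwerty', 'dragon' );
	$problems = array();
	$lower    = strtolower( $password );

	if ( strlen( $password ) < 12 ) {
		$problems[] = 'must be at least 12 characters long';
	}
	$classes = (int) preg_match( '/[a-z]/', $password )
	         + (int) preg_match( '/[A-Z]/', $password )
	         + (int) preg_match( '/[0-9]/', $password )
	         + (int) preg_match( '/[^a-zA-Z0-9]/', $password );
	if ( $classes < 3 ) {
		$problems[] = 'must contain at least three of: lower case, upper case, digits, symbols';
	}
	// Strip trailing digits/symbols before the dictionary check so "Dragon2024!" still fails.
	$core = preg_replace( '/[^a-z]+$/', '', $lower );
	if ( in_array( $lower, $dictionary, true ) || in_array( $core, $dictionary, true ) ) {
		$problems[] = 'is a dictionary word';
	}
	if ( '' !== $login && false !== strpos( $lower, strtolower( $login ) ) ) {
		$problems[] = 'must not contain the user name';
	}
	return $problems;
}

/** Add every problem to a WP_Error so WordPress shows them on the form. */
function cp_report( WP_Error $errors, string $password, string $login ) {
	foreach ( cp_password_problems( $password, $login ) as $problem ) {
		$errors->add( 'weak_password', 'Password ' . $problem . '.' );
	}
}

// Profile screen and Users > Add New: edit_user() copies the submitted pass1
// into $user->user_pass before firing this action.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( ! empty( $user->user_pass ) ) {
		cp_report( $errors, $user->user_pass, isset( $user->user_login ) ? $user->user_login : '' );
	}
}, 10, 3 );

// Password reset form: the new password is only available in the request.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
		$login = ( $user instanceof WP_User ) ? $user->user_login : '';
		cp_report( $errors, (string) wp_unslash( $_POST['pass1'] ), $login );
	}
}, 10, 2 );
```

The checks run on the server, so they cannot be skipped by disabling the browser-side strength meter. Pair this with the lockout from No. 5: the password policy bounds what a single guess can achieve, and the lockout bounds how many guesses an address gets.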