This article explains the five most dangerous ways of operating a WordPress site, the ones that most often lead to it being hacked: defaced, redirected to another site, or seeded with embedded malware. We hope you will use it as a checklist of what not to do.
1 Unused plugins are left installed and not updated.
60% of all WordPress hacking is done through vulnerable plugins.
A plugin that is installed but unused (deactivated, or activated but not actually needed) and therefore never updated is a pure liability: it adds attack surface without adding any function.
Removing a plugin that is not activated is almost always safe, so delete deactivated plugins right away, and deactivate and delete any activated plugins the site does not actually use. Deactivating alone is not enough: a deactivated plugin's files stay on the server, and a vulnerability in a PHP file that can be requested directly can still be exploited while the plugin is inactive.
2 Vulnerable plugins are in use.
Vulnerabilities in WordPress plugins are publicly disclosed by coordinating bodies so that site owners can be warned.
An example of such a disclosure site in Japan is JVN:
https://jvn.jp/report/index.html
Attackers read the same advisories, build tools that exploit the dangerous ones, and launch attack after attack against large numbers of WordPress sites. If you keep using a vulnerable plugin, one of those sweeps will sooner or later reach your site.
If your site runs plugins that are out of date, or have not been updated for a long time, check them against the disclosed vulnerabilities, starting with the most dangerous class: those that let a remote attacker take over the site without logging in.
Some security plugins make this check easy.
Free WordPress:Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].
We hope you will consider using this service.
3 Other WordPress sites are left on the same server account.
Recently we have seen more and more cases of malware reaching sites that have no vulnerability of their own, via other sites on the same server.
Once attackers break into one site, they can reach every other site under the same hosting account, because all of those sites' files belong to the same user and code running in one site can write to the others, and they plant malware and backdoors there too.
If the account holds sites that are rarely visited, updated or otherwise maintained, back them up if you need to and then delete all of their files from the server.
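One way to audit a whole hosting account for the cross-site contamination described above, as an added example rather than code from the original article: list PHP files changed recently under every site, flag files with backdoor-style code, and find sites nobody has touched in months. The web-root layout (one site per top-level directory) and the sample tree it builds are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not code from the original article). Audits all site
# directories under one hosting account's web root. The layout (one site per
# top-level directory) and the sample tree below are assumptions.

# recent_php ROOT DAYS
# PHP files anywhere under ROOT modified within the last DAYS days. Attackers
# drop new PHP files or modify existing ones, so review this across every
# site in the account, not just the one you know was hit.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# suspicious_php ROOT
# PHP files containing calls typical of obfuscated backdoors. The pattern
# list is a triage aid, not a complete signature set; every hit needs a manual
# look because some legitimate code also uses eval() or base64_decode().
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|\$_(GET|POST|REQUEST)\[[^]]*\][[:space:]]*\(' \
        {} + 2>/dev/null | sort
}

# stale_sites ROOT DAYS
# Site directories directly under ROOT in which no file has changed for DAYS
# days: the unmaintained sites the article says to back up and delete.
stale_sites() {
    for site in "$1"/*/; do
        [ -d "$site" ] || continue
        if [ -z "$(find "$site" -type f -mtime "-$2" | head -n 1)" ]; then
            printf '%s\n' "${site%/}"
        fi
    done
}

# make_sample_tree
# Builds a constructed account layout in a temp directory and prints its path:
#   blog/     maintained site (index.php written now)
#   oldshop/  abandoned site with a freshly dropped backdoor in uploads/
#   archive/  abandoned site, untouched since 2020
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/blog" "$root/oldshop/wp-content/uploads" "$root/archive"
    printf '<?php echo "blog";\n' > "$root/blog/index.php"
    printf '<?php echo "shop";\n' > "$root/oldshop/index.php"
    printf '<?php echo "archive";\n' > "$root/archive/index.php"
    touch -t 202001010000 "$root/oldshop/index.php" "$root/archive/index.php"
    # Constructed backdoor stub in the classic one-liner shape (inert here).
    printf '<?php @eval(base64_decode($_POST["c"]));\n' > "$root/oldshop/wp-content/uploads/cache.php"
    printf '%s\n' "$root"
}

main() {
    root="${1:-$(make_sample_tree)}"
    echo "== PHP files changed in the last 30 days under $root"
    recent_php "$root" 30
    echo "== PHP files with backdoor-style code"
    suspicious_php "$root"
    echo "== Sites with no change in 180 days (back up, then delete)"
    stale_sites "$root" 180
    [ -n "$1" ] || rm -rf "$root"
}

main "$@"
```

Run it as `sh audit.sh /home/account/public_html` on the real account. In the sample tree, `stale_sites` reports only `archive`, because the attacker's drop into `oldshop/wp-content/uploads/` counts as recent activity: an abandoned site that suddenly shows a new PHP file is exactly the signal to look for.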
4 The WordPress administrator password is weak.
Around 20% of WordPress takeovers happen through stolen administrator credentials.
Attackers recover weak administrator passwords with a brute-force attack: a script submits tens of thousands of login attempts to the WordPress login form, each with a different password guess, until one succeeds.
Set the administrator password with the password generator on the WordPress user edit screen, or choose a random string of at least 12 characters mixing ASCII letters, digits and symbols. A password of that kind is not practical to guess by online brute force.
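The brute-force attack described above leaves a very visible trace in the web server access log, and spotting it is the detection side of this point. The script below is an added example, not code from the original article: it reads a combined-format (Apache/Nginx default) log and counts POSTs to wp-login.php per client IP. It relies on a WordPress behaviour worth knowing: a failed login redraws the form with HTTP 200, while a successful login answers with a 302 redirect to wp-admin. The log lines are constructed for the example.

```bash
#!/bin/sh
# Added example (not code from the original article). Detects password
# guessing against wp-login.php in a combined-format access log. A failed
# WordPress login answers 200 (form redrawn), a successful one 302 (redirect
# to wp-admin), so the status code separates guesses from a hit.
# The log lines written by write_sample_log are constructed.

# wp_login_report LOGFILE THRESHOLD
# Prints "<ip> failed=<n> success=<m>" for each client IP with at least
# THRESHOLD failed POSTs to wp-login.php. An IP that also obtained a 302 after
# its failures very likely guessed the password: marked LIKELY_COMPROMISED.
wp_login_report() {
    awk -v threshold="$2" '
        # combined log fields: $1 ip, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            if ($9 == 200) failed[$1]++
            else if ($9 == 302) success[$1]++
        }
        END {
            for (ip in failed) {
                if (failed[ip] < threshold) continue
                flag = (success[ip] > 0) ? " LIKELY_COMPROMISED" : ""
                printf "%s failed=%d success=%d%s\n", ip, failed[ip], success[ip] + 0, flag
            }
        }' "$1"
}

# write_sample_log
# Constructed access log: 25 failed guesses and then a success from
# 203.0.113.5; a real user at 198.51.100.7 who mistypes twice and then logs
# in; ordinary browsing from 192.0.2.10 (a GET of wp-login.php is just the
# login page being displayed, not an attempt).
write_sample_log() {
    i=1
    while [ "$i" -le 25 ]; do
        printf '203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Oct/2023:13:57:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '192.0.2.10 - - [10/Oct/2023:13:58:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"\n'
    printf '192.0.2.10 - - [10/Oct/2023:13:58:05 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"\n'
}

main() {
    if [ -n "$1" ]; then
        # Real log: sh wp-login-report.sh /var/log/apache2/access.log 10
        wp_login_report "$1" "${2:-10}"
    else
        log=$(mktemp)
        write_sample_log > "$log"
        wp_login_report "$log" 10
        rm -f "$log"
    fi
}

main "$@"
```

With the threshold at 10 only 203.0.113.5 is reported, as `203.0.113.5 failed=25 success=1 LIKELY_COMPROMISED`. Lowering it to 2 also flags the legitimate user who mistyped twice, which is why the threshold should sit well above what a human produces; a random 12-character password makes the 25 guesses in the sample, or 25,000, equally hopeless, but the 302 after a long run of failures is the line that should trigger an incident, not just a block.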
5 WordPress core or plugins have not been updated for a long time.
Even if none of the dangerous vulnerabilities above affect you today, a site whose WordPress core and plugins have gone unpatched for a long time (a site with no habit of updating) is exposed the moment the next vulnerability is disclosed, because the fix is never applied.
Update WordPress and its plugins at least once a year as an absolute minimum; better, apply updates as they are released, since attackers start exploiting a disclosed vulnerability long before a year has passed.
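Points 1 and 5 above both come down to the same inventory question: which installed plugins are inactive (delete them) and which active ones have an update waiting (apply it). The script below is an added example, not code from the original article and not part of WP-CLI; it parses the CSV output of the real WP-CLI command `wp plugin list --format=csv --fields=name,status,update`, whose status and update column values ("inactive", "available") are WP-CLI's own. The sample CSV is constructed so the functions can be exercised without a WordPress install.

```bash
#!/bin/sh
# Added example (not code from the original article, and not part of WP-CLI).
# Turns `wp plugin list` CSV output into the two action lists from points 1
# and 5: plugins to delete and plugins to update. The sample CSV is constructed.

# plugins_to_remove < CSV
# Installed but deactivated plugins. Their files stay on the server and can
# still be requested directly, so they are deleted, not updated.
plugins_to_remove() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# plugins_to_update < CSV
# Active plugins for which WP-CLI reports a newer version.
plugins_to_update() {
    awk -F, 'NR > 1 && $2 != "inactive" && $3 == "available" { print $1 }'
}

# sample_plugin_csv
# Constructed stand-in for: wp plugin list --format=csv --fields=name,status,update
sample_plugin_csv() {
    cat <<'EOF'
name,status,update
akismet,inactive,available
hello,inactive,none
contact-form-7,active,available
wordpress-seo,active,none
EOF
}

# report < CSV
# Prints both lists with the WP-CLI command that acts on each.
report() {
    csv=$(cat)
    echo "Inactive plugins - delete them (wp plugin delete <name>):"
    printf '%s\n' "$csv" | plugins_to_remove
    echo "Active plugins with updates - apply them (wp plugin update <name>):"
    printf '%s\n' "$csv" | plugins_to_update
}

main() {
    if command -v wp >/dev/null 2>&1; then
        # Real run from inside the WordPress directory. Take a backup before
        # deleting or updating anything.
        wp plugin list --format=csv --fields=name,status,update | report
        wp core check-update
    else
        echo "wp (WP-CLI) not found; running against the constructed sample" >&2
        sample_plugin_csv | report
    fi
}

main "$@"
```

On the sample, `plugins_to_remove` yields akismet and hello, and `plugins_to_update` yields only contact-form-7: akismet also has an update available, but an inactive plugin is removed rather than patched, which is the point of item 1. Run the real version from the WordPress directory, and schedule it (cron, or your host's job runner) so that "at least once a year" becomes "every week".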