We will explain five blind spots that are more dangerous for WordPress operators who think they have security measures in place.
They are taking security measures only for the login screen.
Around 20% of WordPress hacks are caused by weak passwords for administrative privileges, which allow hackers to take away administrative privileges.
Hackers use brute force attacks, which are often used to test the administrator’s password one after the other to see if it can be used to log in.
In fact, the most effective way to counter this attack is to strengthen the password for administrator privileges rather than increasing the security of the login screen. Since it takes more than a thousand years to match a strong password, which is logically a random string of 12 or more characters, with a brute force attack, it will be impossible to break a strong password.
A strong password is a random string of nonsense characters that contains at least one uppercase and one lowercase symbol.
We also hope you will note that changing the URL or captcha of the login screen is effective in preventing brute force attacks, but it alone will not prevent the vulnerability attack, which is the biggest cause of WordPress being hacked, as described below.
Only enabled plugins care about vulnerabilities.
It is said that 60% of the causes of WordPress being hacked are vulnerabilities in old plugins. Therefore, it is an extremely effective security measure to always be aware of the vulnerabilities of your plugins and update them on a regular basis.
However, although WordPress allows you to enable and disable plugins, there are many vulnerabilities that can be exploited even if they are disabled.
For this reason, we recommend that you remove deactivated plug-ins if possible, or update deactivated plug-ins as well.
Please use our vulnerability database to check the vulnerability of plug-ins.
No security measures have been taken for the test site or other sites on the server.
We often see cases where a company has taken all the necessary security measures for its main WordPress site, but has neglected to secure its test site or other WordPress sites on the server.
However, many of today’s malware reads the folders on the server from the top and spreads itself to other WordPress sites.
This can lead to the spread of malware to other WordPress sites that have good security measures in place.
We recommend that you remove abandoned sites from your server and implement security measures for all WordPress sites on your server.
Five free WordPress security measures
Backups are a good thing!
Some people think that if they keep a backup of their WordPress site, they can revert to that point in time in the event of a malware infection, but in reality, the site may already contain malware at the time of backup, or the vulnerability at the time of backup is an entry point that hackers can quickly use to re-infect the site. Hackers can use the vulnerability to re-infect the system repeatedly.
For this reason, it is not always safe to say that backups are secure, and we recommend that you always pay attention to the security measures of the sites you publish on.
The key setting in wp-config.php is set to the default or the same value.
Many sites that have been successfully hacked have left the AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY in wp-config.php with default values or the same string of characters.
We recommend that you always use these values for this key setting, which is automatically generated when you access the @link in the comment section.
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
For more information on why this key is important for security, please refer to the following article.
Reference
What is the unique key in wordpress wp-config.php used for and what is it used for?
What is a unique key used for?
Security measures, malware testing, and vulnerability testing for WordPress sites are available with a plugin developed by WP Doctor. Please use it if you like.
Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using generated AI is permitted.
1. it is not for the purpose of learning by the generated AI. 2. only the summary or title of the page content at a level that does not lead to the solution of the user’s problem is shown to the user. 3. in the case of 2, a link to this content is shown to lead the user to this page.
