With the number of CMS vulnerabilities reported over the last few years, site owners might feel they are under siege. Online criminals love nothing more than a juicy vulnerability in a popular content management system.
The underlying motivation of most criminals is easy to understand — they want to make money.
The online criminal economy is huge. Successful hackers — now more like organized crime syndicates than the traditional hacker in her basement — do what they do because it’s profitable. Online crime is a business like any other: any effort has to be justified by the revenue it generates.
Hackers don’t want to expend more effort breaching a site than they can make from it. Unless your site stores large amounts of private information or data valuable to a person willing to pay for it, it’s unlikely that it will get the individual attention of a serious criminal. The average business site or blog is not Ashley Madison or Mossack Fonseca.
Online crime at this level is a volume business. It pays because the hacker can exploit hundreds or even thousands of sites for their botnet or as a malware distributor. It doesn’t pay if they have to spend hours or days engineering complex targeted exploits.
That’s why most attacks against WordPress sites are essentially automated. Bots scan the web looking for sites with known vulnerabilities that are easy to exploit. The bots vary in sophistication, but, for the most part, if your site makes life difficult for the automated scripts hackers use, they’ll move on to an easier target. After all, there are thousands of sites that aren’t secure.
As Sucuri point out in their recent Website Hacked Report, the majority of security breaches happen because of outdated plugins or user error. Properly configuring your WordPress site according to security best practices and keeping it up-to-date will usually be enough to discourage the vast majority of attackers. It would cost too much time and money to breach a properly secured site, so they don’t bother trying beyond an initial probe.
With a little effort, you can make your WordPress site so secure that criminals aren’t willing to invest the time and effort. In fact, by following best practices, you can make your site secure enough that even targeted attacks aren’t successful.
How can you make your site too expensive for hackers?
- Update WordPress and all plugins as soon as a new version is released.
- Make sure the underlying operating system is up-to-date. We’ll take care of that for you on most hosting accounts.
- Move the login page of your WordPress site so that bots can’t easily find it.
- Don’t advertise the version number of your WordPress installation.
- Ensure that all users — especially administrators — use long random passwords to prevent successful brute force attacks.
- Use Two-Factor Authentication where possible.
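Three of the items above (hiding the version number, making brute-force guessing less productive, and requiring long passwords) can be enforced directly with WordPress hooks. The plugin below is an added illustration written for this article, not code from the original post or from WordPress itself; the plugin name, the `hardening_example_` function prefix and the 16-character minimum are assumptions, and the hooks it uses (`wp_generator`, `the_generator`, `style_loader_src`, `script_loader_src`, `login_errors`, `user_profile_update_errors`, `validate_password_reset`) are standard WordPress actions and filters. Moving the login page and adding two-factor authentication are better left to a dedicated, maintained plugin.

```php
<?php
/**
 * Plugin Name: Hardening Example (illustration, not part of the original article)
 * Description: Removes WordPress version disclosure, makes login failures
 *              uninformative to bots, and enforces a minimum password length.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// --- 1. Don't advertise the WordPress version. ---------------------------

// Drop the <meta name="generator" content="WordPress x.y"> tag from <head>
// and return an empty generator string for RSS/Atom feeds as well.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Core appends ?ver=<version> to enqueued scripts and styles, which leaks the
// same information; strip that query argument from both.
function hardening_example_strip_version( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hardening_example_strip_version', 9999 );
add_filter( 'script_loader_src', 'hardening_example_strip_version', 9999 );

// --- 2. Generic login error message. -------------------------------------

// Default messages reveal whether the username exists or only the password
// was wrong, which lets a brute-force bot narrow its search. Return one
// message for every failure instead.
add_filter( 'login_errors', function ( $error ) {
    return __( 'Login failed. Check your credentials and try again.' );
} );

// --- 3. Enforce long passwords. ------------------------------------------

// Assumed threshold for this example; pick one that fits your own policy.
define( 'HARDENING_EXAMPLE_MIN_PASSWORD_LENGTH', 16 );

// Shared check: adds an error to $errors (a WP_Error) when the submitted
// password is too short. Both the profile editor and the reset-password
// form post the new password in the pass1 field.
function hardening_example_check_password_length( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change requested.
    }
    $password = (string) wp_unslash( $_POST['pass1'] );

    // strlen() counts bytes, so a multibyte password may pass with fewer
    // characters; that errs on the lenient side, never the strict one.
    if ( strlen( $password ) < HARDENING_EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $errors->add(
            'hardening_example_short_password',
            sprintf(
                __( 'Passwords must be at least %d characters long. A long random passphrase is best.' ),
                HARDENING_EXAMPLE_MIN_PASSWORD_LENGTH
            )
        );
    }
}

// Fires when a user (or an administrator) saves a profile in wp-admin.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    hardening_example_check_password_length( $errors );
}, 10, 3 );

// Fires when a user sets a new password through the reset link.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    hardening_example_check_password_length( $errors );
}, 10, 2 );
```

Drop the file into `wp-content/plugins/` (for example as `hardening-example/hardening-example.php`) and activate it; then view the page source of your home page and confirm that neither the generator meta tag nor `?ver=` parameters on core assets appear. Note that this plugin hides the version from casual scanners only; keeping WordPress and its plugins updated, as the list above says, is what actually removes the vulnerabilities those scanners look for.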
If you follow these rules, and choose a hosting company that is diligent about updating and securing the underlying hosting environment, the vast majority of automated attacks against your site will fail and attackers will move on to easier pickings.