WordPress is the most popular CMS in the world, and it’s not hard to see why. It’s incredibly user-friendly, and because there are hundreds of thousands of themes and plugins, WordPress websites are also endlessly customizable. That’s why WordPress is used to power all kinds of websites, from online marketplaces to university and government sites. But this popularity comes at a cost: WordPress websites are also a huge target for cyber-attacks.
In this guide, we’ll talk about why WordPress websites are such a prime target for cyber-attacks, one particular vulnerability that’s currently affecting WordPress users, and how you can protect your own WordPress website from cyber-attacks.
Let’s begin, shall we?
Why WordPress websites fall victim to cyber attacks
If you know anything about WordPress, then you know that the developers take security really seriously. If they didn’t, WordPress wouldn’t be trusted by so many organizations that list security as their top priority. And yet, every year, millions of WordPress websites fall victim to cyber attacks like the one we’re going to talk about later in this guide. Why?
The answer lies in two things: First, it has to do with the way WordPress developers ensure its security and second, with the popularity of WordPress.
Let’s take the first factor first: how do WordPress developers keep WordPress safe?
How WordPress developers keep WordPress safe
They do this by patching security vulnerabilities as soon as they notice them. So, to keep a WordPress website at optimum security, its owner needs to stay on top of updates. And that’s the problem. Many WordPress users start out being very dutiful about their updates, but as time passes without their website crumbling due to cyber-attacks, they get complacent and forget. And that’s when the cyber-attacks begin.
Why the popularity of WordPress makes it a huge target
WordPress’s popularity makes it a prime target for cyber-attacks because it means hackers can figure out how to exploit one single vulnerability and suddenly gain access to the sensitive data contained in millions of websites. So, you can see why if you were a hacker, you’d prefer to focus your energy on a CMS with millions of users rather than on one that’s more obscure.
Now that you understand why WordPress websites are often targeted by cybercriminals, it’s time to take a closer look at one of their latest cyber-attacks, so you can see if your own website is at risk.
Cyber-attacks currently hitting millions of WordPress websites
The recent spate of cyber-attacks has focused on a WordPress vulnerability that’s present in millions of WordPress websites. Because the security flaws have only recently been patched, some websites haven’t yet been updated, which means millions of WordPress sites are at risk right now.
This vulnerability can be found in WordPress websites with Epsilon Framework themes.
Ram Gall, a Wordfence QA engineer and threat analyst, had this to say about the vulnerability:
“On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites… So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites…”
Wordfence has kindly provided a list of the versions of the Epsilon Framework themes that are still at risk. Look through the list to see if your website is at risk:
- Shapely <=1.2.7
- Regina Lite <=2.0.4
- Transcend <=1.1.8
- Affluent <1.1.0
- Bonkers <=1.0.4
- Antreas <=1.0.2
- NatureMag Lite <=1.0.5
- Illdy <=2.1.4
- Allegiant <=1.2.2
- Newspaper X <=1.3.1
- Pixova Lite <=2.0.5
- NewsMag <=2.4.1
- Activello <=1.4.0
- MedZone Lite <=1.2.4
- Brilliance <=1.2.7
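One way to check an installed theme against this list, as an added example that is not code from Wordfence or from this guide: it reads the theme name and version from the text of a theme's style.css header and compares them with the ranges above. It assumes the header's theme name matches the names in the list; the sample header is constructed.

```python
import re

# Affected ranges copied from the list above: theme name -> (operator, version).
AFFECTED = {
    "Shapely": ("<=", "1.2.7"), "Regina Lite": ("<=", "2.0.4"),
    "Transcend": ("<=", "1.1.8"), "Affluent": ("<", "1.1.0"),
    "Bonkers": ("<=", "1.0.4"), "Antreas": ("<=", "1.0.2"),
    "NatureMag Lite": ("<=", "1.0.5"), "Illdy": ("<=", "2.1.4"),
    "Allegiant": ("<=", "1.2.2"), "Newspaper X": ("<=", "1.3.1"),
    "Pixova Lite": ("<=", "2.0.5"), "NewsMag": ("<=", "2.4.1"),
    "Activello": ("<=", "1.4.0"), "MedZone Lite": ("<=", "1.2.4"),
    "Brilliance": ("<=", "1.2.7"),
}
# WordPress themes declare their name and version in the style.css header comment.
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_header(style_css):
    """Return (theme name, version) read from style.css text; missing fields are None."""
    fields = {}
    for key, value in HEADER.findall(style_css[:8192]):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields.get("theme name"), fields.get("version")

def version_key(version):
    """'1.2.7' -> (1, 2, 7). Non-numeric parts count as 0; '1.1' equals '1.1.0'."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def check_theme(style_css):
    """Classify one theme as 'affected', 'ok', 'not-listed' or 'unknown-version'."""
    name, version = parse_header(style_css)
    listed = {k.lower(): v for k, v in AFFECTED.items()}
    if name is None or name.lower() not in listed:
        return name, version, "not-listed"
    if version is None:
        return name, version, "unknown-version"  # listed theme, needs a manual look
    op, limit = listed[name.lower()]
    installed, bound = version_key(version), version_key(limit)
    hit = installed <= bound if op == "<=" else installed < bound
    return name, version, "affected" if hit else "ok"

# Constructed sample header, not taken from a real site.
SAMPLE = "/*\nTheme Name: Shapely\nVersion: 1.2.7\n*/"

if __name__ == "__main__":
    print(check_theme(SAMPLE))
```

Feed it the contents of each wp-content/themes/*/style.css file, including inactive themes, since those are still installed on the site.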
That’s pretty scary stuff, but it’s par for the course when you have a WordPress website.
But there are some WordPress website owners who never lose sleep wondering whether their website might have fallen prey to the latest cyber-attacks. How are thousands of WordPress users so confident in the security of their website?
Because they know how to protect their website from cyber-attacks. And you can protect your WordPress website too.
Here’s how:
Convert your WordPress website to a static website
WordPress websites are dynamic websites, which means they can be changed on the user end. A static website can only be changed on the backend by you, the website owner. This makes static websites a lot more secure than dynamic WordPress websites, and static websites have many other security benefits as well.
When you use FLATsite to convert your WordPress website to a secure static site, you get to enjoy all the benefits of a WordPress website on the backend, because your website will still be running WordPress underneath. But FLATsite removes the biggest target of your WordPress site: the database. Most cyber attacks rely on the presence of a database to work. With a static site, there is no database to hack, which makes your website almost impenetrable.
Wrapping up
Cyber attacks are a common nightmare for WordPress website owners, and the Epsilon attack is only the latest in a long line of cyber-attacks that have targeted WordPress websites. It’s not the first, not the scariest, and certainly not the last.
So, be sure to check your WordPress website to see if it’s vulnerable, and if you want to protect your WordPress website for good, migrate your WordPress website to a static website framework, so you can have all the fun of WordPress, with none of the vulnerability.