- Being open source – Unlike closed-source/proprietary software, open source software is public: it is free and publicly accessible, so anyone can easily inspect and modify the source code, which also means anyone can look for loopholes. Thus, although a CMS built on an open source framework supports a collaborative environment, it is more vulnerable.
- Using outdated CMS, themes, plugins, etc. – Most bugs, once identified, are resolved in a newer version. But if site administrators continue to use outdated versions, those sites are vulnerable to attack should hackers exploit the loopholes in the previous version. Thus, it is imperative that site admins always check for and use the latest versions of the CMS, plugins and themes. It is not just the core CMS: any add-ons (modules, themes, any third-party apps) should be checked for the latest updates, and those updates should be installed diligently.
- Insecure plugins and modules – Themes, plugins or modules extend a CMS with additional features. Since the default base package of any CMS does not meet most users' needs, plugins become necessary. However, cross-site scripting and SQL injection are the most common infection types in various CMS plugins, themes, modules, templates, etc. Always check reviews of plugins, modules and themes before installing, update them regularly, and use reputed themes and plugins.
- Predictable and weak passwords – In some cases, websites get hacked because admins and users keep weak passwords, which hackers can guess or crack to breach the security. Some may also use default or simple login IDs such as “admin” or “administrator”. Never keep a predictable login ID and never use weak passwords.
- Use of protocols – WordPress and other CMS platforms use a protocol known as XML-RPC to provide services such as pingbacks, trackbacks and remote access to users, but hackers can use this to initiate DDoS attacks.
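To spot the XML-RPC abuse described in the last point, a site admin can count POST requests to xmlrpc.php per client in the web server access log. The script below is an added example, not code from any CMS; it assumes the Combined Log Format, and the per-minute threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format: ip - - [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def xmlrpc_bursts(lines, threshold=3):
    """Return {(ip, minute): count} for clients whose POSTs to xmlrpc.php
    within one minute reach the threshold (assumed value; tune per site)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["ip"], ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [12/Mar/2024:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [12/Mar/2024:10:15:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.20 - - [12/Mar/2024:10:15:05 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.20 - - [12/Mar/2024:10:15:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.44 - - [12/Mar/2024:10:16:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for (ip, minute), n in sorted(xmlrpc_bursts(SAMPLE_LOG).items()):
        print(f"{minute}  {ip}  {n} POSTs to xmlrpc.php")
```

Clients that show up here repeatedly are candidates for rate limiting or blocking at the web server or firewall.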
Steps to take to secure your website from hacking:
1) First of all, install and use only reputed CMS platforms.
2) Use only reputed themes and plugins that fix bugs regularly.
3) Keep CMS platforms up-to-date (newest versions).
4) Keep themes and plugins up-to-date.
5) Perform backup of the site regularly – website files (CMS), database – weekly at a minimum.
6) Opt for a Web Application Firewall (WAF), an enterprise-grade website security product that automatically protects against all vulnerabilities.
7) Install security plugins to actively prevent hacking attempts. These plugins notify you of the weaknesses inherent in each platform and foil the hacking attempts that could threaten your website.
8) Use strong passwords for your website’s admin area and server to defend against brute-force attacks. Also change passwords regularly.
9) Install SSL on your web server. SSL is the technology that establishes a secure connection between your server and the browser. SSL is installed on web servers in the form of an SSL certificate. Check with your web host.
10) Test your website security with website security tools such as Netsparker, OpenVAS, Google Transparency Report (https://transparencyreport.google.com/safe-browsing/search?url=your domain name here), etc.
Keep your website safe from hacking. Always keep backups to restore just in case.