Cybercrime is doubling year on year, continues to grow at an alarming rate, and this trend will continue. Did you know that over 30,000 WordPress websites are hacked every day, and that hackers recently launched attacks from 24,000 unique IP addresses in an attempt to break into over 900,000 WordPress sites?
Every website owner should be aware of the alarming website hacking statistics. Criminals can exploit vulnerabilities in almost any piece of software; that is the nature of the game, and developers work night and day to fix and patch the vulnerabilities found in their software.
Cybersecurity is now an everyday issue for companies: websites get hacked every day, and some of those hacks seriously damage businesses through lost sales, customers and reputation.
Why is WordPress one of the primary targets for hackers? Perhaps because of its massive user base: WordPress is used by over 35% of all websites worldwide, so it is no surprise that it is also the platform with the highest number of vulnerabilities registered each year.
The primary security threat is not WordPress itself but the wide range of third-party plugins and the poor security practices (such as weak passwords) of WordPress users.
However much WordPress hardens its core, those security measures do not extend to its plugins, because WordPress lets users extend the platform's basic functionality with all kinds of third-party components.
The vulnerabilities most commonly found in WordPress plugins range from disclosure of sensitive information to SQL injection and remote code execution.
Next come the vulnerabilities most commonly found in usernames and passwords. Did you know every 39 seconds on average on the web? The insecure usernames and passwords in use give attackers a greater chance of success: over 23 million people use the password ‘123456’.
If you would like to find out more about the importance of usernames and passwords, click below;
The hiscox.co.uk study of over 4,000 organisations across Europe found that most organisations are unprepared and would be seriously impacted by a cyber-attack. It states that a whopping 73 percent of companies are not ready for a cyber-attack.
It highlights how important it is to always stay on top of what happens with your company website or personal blog. If you are worried about cyber-attacks, Blue Elephant has a solution to help you sleep better at night.
Blue Elephant offers the WebARX Web Application Firewall (WAF) as an add-on to our maintenance care plan. WebARX is an advanced firewall focused on prevention, making sure malware does not end up on your site. Its smart firewall engine protects your website from software vulnerabilities and separates genuine visitors from fake traffic.
OK, let's get down to the nitty-gritty. We know you want to know how WebARX will protect your WordPress website, so here is an overview of the key areas in which WebARX protects your site;
WebARX's smart firewall engine protects your website from software vulnerabilities and separates genuine visitors from fake traffic, malicious bots and spam, protecting against malware infections.
WebARX's web application firewall (WAF) applies a set of filtering rules to the requests and responses that make up the conversation between the web client and the server. These rules cover common attacks such as cross-site scripting (XSS) and SQL injection. WebARX includes rules to block common attacks and also ships just-in-time patches to protect against newly discovered WordPress vulnerabilities.
Best of all, WebARX will not slow down your website, unlike other security products.
Besides the firewall (WAF), WebARX constantly monitors your websites for security issues and vulnerabilities. WebARX also includes some unique types of monitoring: plugin vulnerability monitoring, checking whether your site is on a blacklist, watching for site errors, and domain and SSL certificate expiration monitoring. It is actively updated and helps you adapt to the latest security practices.
WebARX also offers WordPress site hardening options. Here is a list of just some of the hardening features you can expect to protect your WordPress site;
Disable plugin/theme editor: By default, WordPress has a file editor under the Plugins menu. This setting disables it, preventing hackers from modifying plugin and theme source files through the dashboard.
Disable WPScan: WPScan is a vulnerability scanner popular among hackers (and security researchers). This setting blocks WPScan scans.
Disable user enumeration: WordPress has what many consider a security black hole, because it is easy to get user information about anyone who has published an article. Disabling enumeration helps reduce brute-force attacks on your login page.
Hide WordPress version: Removes the WordPress version from the <meta> tag in the HTML output. By hiding which CMS you are using, you make it harder for hackers.
Enable activity logs: Activity logs help you, in the event of a break-in, to diagnose and figure out how the hacker got in.
Disable XML-RPC: RPC stands for Remote Procedure Call; hackers can brute-force a login through XML-RPC.
Add security headers: This option tells WebARX to include security headers in the responses sent to web browsers.
Prevent default WordPress file access: Prevents visitors from reading the wp-config.php file, which contains your database login information.
Block access to debug.log file: The debug log could contain sensitive information, so outside access to it is blocked.
Disable index views: By default, if you browse to a directory under your website, the files in that directory are listed. WebARX disables this with a web server directive in the .htaccess file.
Forbid proxy comment posting: When you submit a comment through the online form, the page the form is located on is included in the submission as the referrer. When bots try to hijack forms, they sometimes submit the form remotely with no referrer, which is what this setting blocks.
Prevent image hotlinking: Other websites can link to images on your site and display them on their own pages. This uses up your bandwidth and you get no value from it.
Automatic brute-force IP ban: After a set number of failed login attempts, the offending IP address is blocked from trying to log in again.
Logon hours: If you know you won't be visiting your site in the middle of the night, you can set admin lockdown hours, letting you sleep easy knowing the back end is in full lockdown.
Two-factor authentication: Especially if you run an e-commerce store, administer a membership site, or hold sensitive information on the site, 2FA is a requirement. This setting turns on the 2FA option.
Blocked and whitelisted IP addresses: IP addresses can be blacklisted or whitelisted on the Firewall settings page. This list is helpful if, for instance, a user cannot log in: you can manually remove them from the blacklist if they forgot their password and got locked out.
Cookie notice: The cookie notice banner is especially useful for visitors in the European Union. This is a convenience feature that saves you installing another plugin.
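For the file-access, index view, security header, comment referrer and hotlink items in the list above, here is an added example of the equivalent Apache directives, written for this post rather than taken from WebARX's own rule set. It assumes Apache 2.4 with mod_headers and mod_rewrite enabled and AllowOverride permitting these directives in .htaccess; example.com is a placeholder for your own host.

```apache
# Added example for this post (not WebARX's own rule set): Apache directives that
# implement the file-access, index, header, comment-referrer and hotlink items above.
# Assumes Apache 2.4 with mod_headers and mod_rewrite; example.com is a placeholder host.

# Disable index views: no file listing for directories without an index file
Options -Indexes

# Prevent default WordPress file access: wp-config.php holds the database credentials
<Files "wp-config.php">
    Require all denied
</Files>

# Block access to the debug.log file, which can leak paths, queries and errors
<Files "debug.log">
    Require all denied
</Files>

# Disable XML-RPC: closes the endpoint the post describes as a login brute-force route
<Files "xmlrpc.php">
    Require all denied
</Files>

# Add security headers to every response
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS only on TLS responses (the HTTPS env var is set by mod_ssl)
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Forbid proxy comment posting: reject comment POSTs that arrive without a Referer
    RewriteCond %{REQUEST_METHOD} ^POST$
    RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
    RewriteCond %{HTTP_REFERER} ^$
    RewriteRule .* - [F]

    # Prevent image hotlinking: serve images only when the Referer is empty or our own host
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    RewriteRule \.(jpe?g|png|gif|webp|svg)$ - [F,NC]
</IfModule>
```

The Referer header is set by the client, so the comment and hotlink rules stop careless bots rather than a deliberate attacker. The dashboard-side items (file editor, version string, user enumeration) are WordPress settings rather than .htaccess rules; for example, the file editor is disabled with define('DISALLOW_FILE_EDIT', true); in wp-config.php.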
Each month you will receive a detailed report via email; the WordPress maintenance and WebARX security report is included in your Blue Elephant care plan.
The WordPress back end can be a scary place when there are dozens of notifications saying things are out of date or plugins need upgrading. Blue Elephant's care plans take care of that for you, so you are free to focus on your own agenda and/or growing your business. We've got you covered; please feel free to review our care plan offerings;
Do you know anyone who may find this blog/guide helpful? Send them this page URL or click on the share buttons below.
You’ll be helping us out by spreading the word about the Blue Elephant website, and you’ll be helping someone else out too!