WP Security Course

S1:E1 – 3 Reasons why WordPress is secure but easy to hack

Posted on - 15 min read
Anup Kumar
CTO - NexGi

You must have heard this many times: “Don’t go with WordPress, it’s easy to hack.” The reality is quite different from what we hear or assume.

We have been providing WordPress security and maintenance services for the last 5 years. Over that time we have concluded that WordPress core is secure in itself, but for three main reasons it does not enjoy the same reputation for security as other PHP CMSs such as Drupal or Joomla.

So if you have the same question in mind, you will get your answer in this article.

3 Reasons why WordPress is secure but easy to hack?

  1. The mass audience is non-technical
  2. Very flexible to modify
  3. Largest share of the market: roughly 36 to 40% of websites run on WordPress

Let’s discuss these three points one by one, so you get an in-depth understanding of what exactly I mean by each of them.

Reason 1. The mass audience is non-technical

The first question that should pop up in your mind is who I am calling non-technical. Here is a quick checklist to work out whether you are technical or non-technical:

1.1 What is a non-technical user?

  • You don’t know the WordPress directory structure, e.g. how WordPress saves files, where theme files are stored, etc.
  • You don’t know client–server architecture.
  • You don’t know about users, groups and permissions in the operating system.

There is nothing wrong with that, but someone in this group makes mistakes very easily, and hackers take advantage of them.

1.2 What mistakes does a non-technical user generally make?

  • Don’t apply security patches on time.
  • Install nulled themes.
  • Rely on paid plugins without a subscription.
  • Leave file permissions loose.

There are many more, which we will cover in this WordPress security course one by one, with solutions. But the above are the top ones.

1.3 What if a WordPress site owner doesn’t apply security patches on time?

The WordPress project and security companies keep doing penetration testing (finding security loopholes) and keep releasing patched versions of the core code. 80% of WordPress owners don’t have time to do this exercise regularly (at least on a fortnightly basis).
So if you don’t update, hackers will use that loophole to take over your website and use it however they like.
Now you must be wondering why anyone would hack your worthless WordPress website. Mostly they take the SEO juice of your domain. I’ll cover this topic in detail in upcoming sessions.

1.4 What if a WordPress site owner installs a nulled theme?

Nulled themes are cracked copies of paid themes distributed for free. As you know, nothing comes for free. Whoever invested time in cracking the theme and doing SEO so that the nulled copy reaches you must create a revenue source somehow. They do it by adding extra code (spam) to the theme.
If you want to use one anyway, have it cross-verified by a WordPress expert. But hiring a WordPress expert in India or elsewhere will cost you more than the theme itself, so I recommend buying the theme through ThemeForest instead.

1.5 What is the issue with paid plugins without a subscription?

Like WordPress core, paid plugins also release security patches. But without an active subscription the site owner no longer receives those updates, so the plugin stays unpatched. It becomes a deadlock, and hackers take advantage of it.

1.6 Loose file permissions

Tight file permissions can save you in most cases. The majority of malware or spam modifies your code, not the database. So if the web server process has no write permission on your code, malware or spam cannot modify your existing files or create new ones.

1.7 What is the solution?

  1. Avoid the above mistakes, or join our free WordPress security course, which will take you from basic to advanced topics.
  2. Keep your server permissions very tight.
  3. Stop direct execution of PHP files in the wp-content folder.
  4. And there are many more that we will discuss further in this course.
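The following script is an added example for solutions 2 and 3 above; it is not the author’s or WordPress’s own code. It assumes a document root owned by a deploy user, PHP running as a separate web-server user, and Apache 2.4 with .htaccess overrides enabled. The function names are hypothetical helpers, and the sample site it builds is constructed for the demo, not a real install.

```shell
#!/bin/sh
# Added example for this article (not code from the author or from WordPress).
# Assumptions: document root owned by a deploy user, PHP runs as a separate
# web-server user, Apache 2.4 serves the site and honours .htaccess.
# All function names are hypothetical helpers written for this article.

# List everything under $1 that is writable by group or others, i.e. the
# "loose permissions" the article warns about. Empty output means clean.
audit_wp_perms() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print | LC_ALL=C sort
}

# Number of loose entries, for scripting and for the checks below.
count_loose() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the standard tight baseline: directories 755, files 644, and
# wp-config.php 600 (it holds database credentials and the salts).
harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Exit 0 when wp-config.php under $1 is exactly mode 600.
wpconfig_is_600() {
    [ -n "$(find "$1/wp-config.php" -perm 600 -print 2>/dev/null)" ]
}

# Write an .htaccess that refuses direct requests for PHP files under
# wp-content/uploads. Uploads must stay writable for media uploads, so
# blocking execution there is what stops a dropped PHP file from running.
block_php_in_uploads() {
    dir="$1/wp-content/uploads"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Deny direct execution of PHP in the uploads directory (Apache 2.4 syntax).
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed sample tree (not a real site) with two deliberately loose
# entries: a world-writable uploads directory and a 666 theme file.
make_sample_site() {
    root="$1"
    mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/uploads"
    printf '<?php // constructed config\n' > "$root/wp-config.php"
    printf '<?php // constructed theme\n' > "$root/wp-content/themes/demo/functions.php"
    harden_wp_perms "$root"   # start from a clean baseline, then loosen two
    chmod 777 "$root/wp-content/uploads"
    chmod 666 "$root/wp-content/themes/demo/functions.php"
}

# Stand-alone demo: `sh wp-harden.sh --demo`
if [ "${1-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_site "$demo"
    echo "loose entries before hardening:"; audit_wp_perms "$demo"
    block_php_in_uploads "$demo"
    harden_wp_perms "$demo"
    echo "loose entries after hardening: $(count_loose "$demo")"
    rm -rf "$demo"
fi
```

On a real site, run `audit_wp_perms /var/www/html` first and read the list before hardening. Two caveats: if PHP runs as a different user that only shares the file group (common with a dedicated deploy user), wp-config.php needs 640 rather than 600 or the site cannot read its own configuration; and wp-content/uploads must remain writable by the PHP user for media uploads, which is exactly why the execution block there matters. Nginx ignores .htaccess; the equivalent there is `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }`. Extending the deny rule to all of wp-content is stricter but can break plugins that expose PHP endpoints by direct URL, so test it on staging first.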

Reason 2. Very flexible

WordPress gives endless flexibility to website owners: we can change how the site behaves without actually touching the code.

Lots of plugins are on the market for every specific feature. We just install them and things start working.

So let’s quickly go through a few FAQs.

2.1 What do I mean by very flexible?

Flexibility in WordPress means you don’t need special coding skills to make the changes you need to a WordPress website. It is something easy to understand.

2.2 CMS comparison in flexibility (Drupal, Magento, WordPress, OpenCart)

I have compared the 4 CMSs on 3 points:

  1. The level of effort needed to change existing functionality.
  2. DevOps: deploying the website on a server and doing the related operations to keep it running smoothly.
  3. The coding skills required to get started building a website with each CMS.

The WordPress community is very large, so if you think you need some random feature, there will be a plugin for it; I’m 99% sure of that. If you need to build custom functionality, WordPress is very modular: you can add it without touching the core code, through hooks.
In DevOps, the installation process is straightforward. You don’t need as many specific server extensions enabled as Magento or Drupal require.

A non-technical person can’t install Magento or Drupal as easily as WordPress.
But imagine a plugin starts modifying files in the wrong way instead of the right way. Your website can be ruined within minutes.

And if you don’t monitor your website, a slow killer like Japanese SEO spam can destroy years of SEO work.

What’s the solution to this?

You can overcome this problem by knowing three things:

  1. The WordPress directory structure
  2. Correct file permissions and how to apply them
  3. Monitoring your website activity

I have covered these in the upcoming articles, and a brief overview is given in the video – click here to watch.
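As an added example of point 3 (monitoring), here is a minimal file-integrity monitor for a WordPress tree; it is not the author’s code and not part of WordPress. It records a SHA-256 manifest of the site when it is known-good and later reports which files were added, changed or removed, which is how both a plugin writing where it should not and a dropped spam file show up. Function names are hypothetical, and the sample tree and the “injected” lines are constructed for the demo.

```shell
#!/bin/sh
# Added example for this article (not the author's or WordPress's own code).
# A minimal file-integrity monitor: record a SHA-256 manifest of the site
# once it is known-good, then re-run later to see what changed.
# Function names are hypothetical; the sample tree below is constructed.

# Use sha256sum (GNU coreutils) or shasum (BSD/macOS), whichever exists.
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# Write "<sha256>  ./relative/path" for every file under $1 into $2, sorted
# so that two manifests of an unchanged tree are byte-identical.
wp_baseline() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do hash_cmd "$f"; done ) > "$2"
}

# Compare the live tree under $1 with the manifest $2 and print one line per
# difference: NEW (not in the baseline, e.g. a dropped PHP file in uploads),
# MODIFIED (hash changed, e.g. code injected into a theme) or MISSING.
wp_check() {
    cur=$(mktemp)
    wp_baseline "$1" "$cur"
    # The hash is the first 64 characters and the path starts at column 67,
    # so paths containing spaces are handled. FILENAME==ARGV[1] (rather than
    # NR==FNR) stays correct even when the baseline file is empty.
    awk 'FILENAME == ARGV[1] { old[substr($0,67)] = substr($0,1,64); next }
         { p = substr($0,67); h = substr($0,1,64)
           if (!(p in old))      print "NEW " p
           else if (old[p] != h) print "MODIFIED " p
           seen[p] = 1 }
         END { for (p in old) if (!(p in seen)) print "MISSING " p }' \
        "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# Number of findings, for alerting and for the checks below.
count_findings() {
    wp_check "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample site (not a real install).
make_sample_site() {
    root="$1"
    mkdir -p "$root/wp-content/themes/demo" "$root/wp-content/uploads"
    printf '<?php // constructed config\n' > "$root/wp-config.php"
    printf '<?php // constructed theme\n' > "$root/wp-content/themes/demo/functions.php"
}

# Simulate the two changes the article warns about: a theme file altered in
# place and an unexpected PHP file appearing under uploads (constructed markers,
# not real malware).
inject_sample_malware() {
    printf '// constructed marker: line appended by an attacker\n' \
        >> "$1/wp-content/themes/demo/functions.php"
    printf '<?php // constructed marker: dropped file\n' \
        > "$1/wp-content/uploads/dropped.php"
}

# Stand-alone demo: `sh wp-fim.sh --demo`
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_site "$d/site"
    wp_baseline "$d/site" "$d/manifest"
    inject_sample_malware "$d/site"
    wp_check "$d/site" "$d/manifest"
    rm -rf "$d"
fi
```

Keep the manifest outside the document root (and ideally off the server), run `wp_check` from cron, and alert on any non-empty output. Legitimate core, theme and plugin updates also change files, so re-baseline right after each update you performed yourself; anything that changes between updates is what you investigate. For core files specifically, WP-CLI’s `wp core verify-checksums` does the same comparison against the official WordPress.org hashes.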

Reason 3. Largest share of the market: roughly 36 to 40% of websites run on WordPress.

Everyone wants to solve a problem where the audience is large, because solving a single problem suffered by the masses earns more profit for the same effort. Hackers apply the same formula! They know that if they find one loophole in WordPress itself, or in a popular plugin installed on millions of websites, they get access to millions of websites at once.

💡 Pro Tip – the most important and recommended thing to understand is the chronology of how a worthless website gets hacked. Click here to watch.

I have explained all three topics in a 40-minute video. In case you missed it, you can watch it to understand this topic in depth. If any questions come to mind, ask them in the comment section on YouTube.