3 Ways to Self-Test Your Website for Vulnerabilities
ZDNet released a report last week that showed that showed 90% of all CMS’s (content management systems) hacked in 2018 were WordPress websites.
Source: ZDNet – WordPress accounted for 90 percent of all hacked CMS sites in 2018
Two thirds of those sites where vulnerabilities were found had backdoor trojans/malware and half of them had SEO spam.
Website maintenance is not just about updating content
We often come across a lot of clients that either had WordPress websites and decided to maintain them themselves to save money. But then had to have them rebuilt from scratch because they didn’t regularly––or know how to––update plugins, themes, etc. Let alone secure the website from vulnerabilities.
“Sucuri experts blamed most of the hacks on vulnerabilities in plugins and themes, misconfiguration issues, and a lack of maintenance by webmasters, who often forgot to update their CMS, themes, and plugins.”
Source: ZDNet, WordPress accounted for 90 percent of all hacked CMS sites in 2018
We love to empower our clients to use their websites themselves! But as with anything on the web, its vulnerable to attack. That could be a large banking site with sensitive customer data or a big-brand shopping site. No one is really safe. Website maintenance is not just about content updates to your pages, blog posts, design, etc., but for backups, reporting and most importantly, security. Security is about protecting your investment, your business’ digital storefront, from very real and costly threats.
For example, back in early 2017, over 60,000 WordPress websites were hacked and defaced by malicious scripting bots that look for vulnerabilities. No one really picked up on it until it was reported here, and it was primarily due to unmanaged sites.
We cleaned up several of those back then due to that and because we’re subscribed to these reporting outlets, we’re instantly aware and can hop into action.
Within the last 2 years, we've had several of our clients' new websites we built, defaced and destroyed because they didn't opt for a website care plan. Ultimately, they had to invest in rebuilding those sites again, this time under new care plans.
“It’s not because we didn’t secure their websites, it’s because security is an ongoing job and you, as a business owner, should be more focused on running your business“.
Here is how you can self-test if your website is vulnerable or compromised:
Option 1:
If you have have a WordPress website, and currently have someone managing it or not, here’s the simplest way to test if you may already been compromised, or are wide open to a vulnerability:
Visit https://yourdomain.com/loginand replace yourdomain.com your WordPress website’s URL. And if you see this page:
You’re in trouble.
The /login URL is the default WordPress login URL used for all installs, and prior to launching your website, your designer/developer should always change that to something custom and ambiguous. It’s the primary way malicious hackers, malware, etc. can begin using a series of automated username and password combination attempts to access the backend of your website without you knowing.
Option 2:
Another bad sign is if you see this:
“Hi ? there! Just letting you know I'm an unprotected website and all your private details could possibly be seen by someone other than my server and you”.
Which means your WordPress website doesn’t have an SSL certificate to encrypt data, which we talk about in great detail here. Which means, your WordPress website is wide open to threats like customer forms, credit card information, sensitive business information and more to be intercepted by a malicious third-party, because the data being sent/received isn’t encrypted using SSL.
Option 3:
The third test is using Sucuri SiteCheck –– a free website malware and security scanner. Sucuri is a global leader in internet and website security and the primary resource we use for our clients for up-to-the-minute security notices and protection solutions. You can use their free tool to scan your website for potential vulnerabilities: https://sitecheck.sucuri.net/
So make sure you have a capable team, experienced with WordPress website security to protect your investment and your business’ digital storefront at all times. If you don’t, we can be that capable team. Learn more about and sign up for one of our WordPress website care plans––which include WordPress security, so that we can keep you covered.
Until next time!
Brinard Sweeting is the Digital Director of Visionary Pro Digital, certified web design specialist and a digital positioning strategy connoisseur. The majority of Brinard’s experience as a web & mobile application developer comes from his previous and current work with local & international clients who require a web expert with steady focus to implement and provide top-notch work and effective solutions to solve their day-to-day business needs that relate to having a greater internet presence.