WordPress Website Vulnerabilities

Lesson 6 of 10
[Figure: Care Plan Feature - WordPress Security Updates. Caption: WordPress care plans should include security updates]

WordPress Cyber Security Attacks

Like any other computer system, WordPress websites are exposed to cyber security attacks. Vulnerabilities are weaknesses that attackers exploit to break into your site and gain unauthorised access to your WordPress website.

WordPress is open-source, which allows developers and users to customise their websites. Child themes and custom plugins extend WordPress functionality. This flexibility, however, raises a security concern: are these themes and plugins themselves secure, and are they kept up to date so that they remain free from known vulnerabilities?

Outdated and poorly maintained plugins and themes are at the top of the list of WordPress site vulnerabilities.

You therefore have to be careful about which plugins and themes you add to your WordPress sites.

Any addition is a long-term commitment, because you must keep every plugin and theme up to date and free from known vulnerabilities for as long as it is installed.

Outdated WordPress core and PHP versions are also common sources of vulnerabilities.

After exploiting vulnerabilities, attackers can launch various attacks on your WordPress site. Examples of these attacks include:

  • Brute force attacks
  • Structured Query Language (SQL) injection
  • Distributed Denial of Service (DDoS) attacks
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)

WP Engine offers its Global Edge Security (GES) service on all of its plans. It includes features that protect your site against common attacks.

Global Edge Security (GES) includes:

  1. A managed Web Application Firewall (WAF)
  2. Advanced Distributed Denial-of-Service (DDoS) mitigation
  3. The Cloudflare Content Delivery Network (CDN)
  4. Automatic Secure Sockets Layer (SSL) certificate installation

All these can mitigate common WordPress site attacks.

[Figure: Global Edge Security tool. Caption: WP Engine's Global Edge Security]

As a WordPress site administrator, you also have a role to play in securing your website, so you should not leave security management entirely to WP Engine.

One of the main tasks is to keep your site updated: WordPress core, themes and plugins should always be on their latest versions and safe to run on the site. In the coming lessons, we will look at how you can manage these updates on your website.

Another tip for managing your site's security is to install a security plugin. These plugins monitor and scan your website for known vulnerabilities, and they report (through email) any other security issues they find on your site.

At MRK WP, we use the WPMU Defender Pro plugin to watch security on our sites. The plugin runs scans from time to time. It notifies us about any vulnerabilities that may be on our website.
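The two administrator tasks described above, keeping core, themes and plugins on current versions and having something scan the site and report known vulnerabilities, come down to the same check: compare each installed version against the latest release and against any advisory that names that component. The script below is an added example and is not code from MRK WP, WP Engine or the Defender plugin. It assumes an inventory in the shape of `wp plugin list --format=json` (a real WP-CLI command, with `wp core version` and `wp theme list` folded into the same shape) and an advisory list with a "fixed in" version; both inputs here are constructed sample data, and the advisory summaries are invented for illustration.

```python
"""Audit a WordPress site's installed versions against latest releases and a
list of known advisories. Added example; all inputs below are constructed."""
import json

# Constructed inventory, loosely modelled on `wp plugin list --format=json`
# output, with WordPress core and themes folded into the same shape.
INVENTORY_JSON = json.dumps([
    {"type": "core",   "name": "wordpress",       "version": "6.4.2", "update_version": "6.5.0"},
    {"type": "plugin", "name": "example-gallery", "version": "2.1.0", "update_version": "2.3.1"},
    {"type": "plugin", "name": "example-forms",   "version": "5.0.4", "update_version": "5.0.4"},
    {"type": "theme",  "name": "example-child",   "version": "1.0",   "update_version": "1.0"},
])

# Constructed advisories: the component and the first version that fixes it.
# In practice this list would come from a vulnerability feed of your choosing.
ADVISORIES = [
    {"type": "plugin", "name": "example-gallery", "fixed_in": "2.2.0",
     "summary": "stored XSS in caption field (constructed example)"},
    {"type": "core",   "name": "wordpress",       "fixed_in": "6.4.3",
     "summary": "constructed example core advisory"},
]


def parse_version(v):
    """Turn '6.4.2' into (6, 4, 2). Missing parts count as 0, so '1.0' == '1.0.0';
    non-numeric suffixes such as '1-beta' are reduced to their digits."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_older(installed, reference):
    """True when the installed version is strictly older than the reference."""
    return parse_version(installed) < parse_version(reference)


def audit(inventory_json, advisories):
    """Return one finding per component: whether an update is pending and
    which advisories still apply to the installed version."""
    findings = []
    for item in json.loads(inventory_json):
        applicable = [
            adv["summary"] for adv in advisories
            if adv["type"] == item["type"] and adv["name"] == item["name"]
            and is_older(item["version"], adv["fixed_in"])
        ]
        findings.append({
            "type": item["type"],
            "name": item["name"],
            "installed": item["version"],
            "update_available": is_older(item["version"], item["update_version"]),
            "advisories": applicable,
        })
    return findings


def format_report(findings):
    """Plain-text report suitable for an e-mail body or a cron job's log."""
    lines = []
    for f in findings:
        status = []
        if f["advisories"]:
            status.append("VULNERABLE (" + "; ".join(f["advisories"]) + ")")
        if f["update_available"]:
            status.append("update available")
        if not status:
            status.append("ok")
        lines.append(f"{f['type']:<6} {f['name']:<16} {f['installed']:<8} " + ", ".join(status))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(INVENTORY_JSON, ADVISORIES)))
```

A component can be flagged as vulnerable while no newer version exists in the inventory (an abandoned plugin with an unfixed advisory), which is exactly the case where removal rather than an update is the right response; the two flags are therefore reported separately.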

Frequently Asked Questions

Can you run a penetration test on WP Engine shared plans?

No. WP Engine only allows penetration testing on P1 server plans or higher. You will need to upgrade to one of these plans if you need a penetration test audit.

Is Global Edge Security Worth It?

It depends. If you have a large account with many sites on a shared plan, it is good value. If, however, you have 2 or 3 E-Commerce sites and are looking at getting one of those for the 10Up elastic search, I would not recommend it. You can instead use the CloudFlare APO service.

Do I get access to the CloudFlare admin panel with GES?

No. For any CloudFlare issues you will need to contact WP Engine support.