Published on May 24th, 2021
No system is perfect. Any website hosted anywhere in the world can be attacked by hackers, and the bigger a website is, the more likely it is to be attacked.
That makes WordPress a very big target. Given the size and scope of WordPress and the websites built on it, we should be surprised that WordPress isn’t attacked and taken offline more often than it is.
The fact that more attacks don’t happen is actually reassuring, as it tells us that most of what WordPress does in terms of security works very well.
A chain is only as strong as its weakest link, though, and within the last week, we’ve seen WordPress breached badly by a malicious hack.
The vulnerability exploited in the attack was within WordPress’s extremely popular Elementor website builder and was about as dangerous as vulnerabilities can be.
Through targeting the vulnerability, hackers would theoretically be able to edit, delete, copy, or otherwise alter any aspect of any website built using Elementor.
They could also have changed ownership details and logins and effectively stolen the website, which would have been a disaster for many commercial sites built using the service.
At last count, it was thought that more than seven million websites were built using Elementor, and so all seven million of them were briefly vulnerable.
Wordfence posted a fix within 24 hours, and the vulnerability no longer exists. It isn’t immediately clear how many websites were vandalized or exploited before they issued the patch.
Even contributors were vulnerable to the attack despite having restricted access to website editing facilities. The vulnerability existed because elements within Elementor were not verified on the server side, which allowed administrator and contributor accounts to be cloned by the malicious party without the usual server checks stepping in to prevent it.
While the patch has closed this loophole for now, attackers will inevitably find other loopholes in the future. Wordfence has issued some guidance for users and website owners worried that they might be vulnerable.
It’s possible to completely prevent this kind of situation from occurring by duplicating your list of enforced permissible HTML tags on the server side as well as the client side.
This is likely to become standard Elementor practice in the future, but it’s better to be safe than sorry. If a user takes personal responsibility for security measures like this, it reduces their vulnerability in the event that software lets them down in the future.
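What that server-side duplicate of the client-side tag list looks like in practice, as an added example that is not Elementor’s, WordPress’s or Wordfence’s code: a Python allowlist sanitizer that keeps only approved tags and attributes and drops unsafe link schemes, so a request that bypasses the editor’s own checks still cannot store active content. The allowed tag list and attribute policy are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Hypothetical allowlist: the same tag/attribute policy the client-side
# editor enforces, duplicated here so the server is the final authority.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "a": {"href", "title"}, "ul": set(), "ol": set(), "li": set(),
}
SAFE_SCHEMES = {"http", "https", "mailto"}   # relative URLs also allowed
DROP_CONTENT = {"script", "style"}          # remove the body, not just the tag


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:          # enter a region whose text is discarded
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                       # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                 # e.g. onclick, onmouseover, style
            if name == "href":
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    continue             # e.g. javascript: or data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                # re-escape text so it stays inert
            self.out.append(escape(data, quote=False))


def sanitize_html(html: str) -> str:
    """Return HTML containing only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```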
Attacks on WordPress are likely to happen more frequently as more commercial companies and money-making websites use the platform.
From its humble beginnings as a blogging website, WordPress is increasingly relied upon by people building business websites for their companies.
An increasing number of online slots websites – one of the fastest-growing sectors on the entire web – are now hosted on WordPress.
If a WordPress site can host something as mathematically complex and challenging as the Rose Slots IE website, it can handle just about anything.
Given the amount of money that online slots websites make – and the huge legal implications of such a site being breached – it will be interesting to see if that developing trend continues.
One thing that makes online slots websites attractive to web-based entrepreneurs is that the sites are relatively easy to put together. If that changes because WordPress is seen as compromised, those webmasters might look elsewhere.
At the risk of sounding sensationalist, an attack on WordPress is an attack on the internet itself. That’s because the internet is increasingly built on WordPress.
Back in 2018, web technology company W3Techs estimated that as many as thirty percent of all the sites on the entire internet were built using WordPress.
That startling figure represented a five percent jump from three years earlier. Here in 2021, that figure is thought to be edging closer to forty percent.
While that figure is impressive on its own, what’s even more remarkable is that the figure jumps up to sixty percent if we focus only on the most-viewed ten million websites on the internet.
Finding a vulnerability in WordPress is like finding a “magic key” to unlock the whole internet. An exploit that works on any one WordPress site is likely to work on millions more. That’s why hackers will never stop looking for them.
That’s also why hackers will look harder than ever before as those percentages creep up. We all need to be vigilant against the threat.
Should this hack make you lose trust in WordPress? We say no. There isn’t a hosting or tech company anywhere out there that hasn’t had at least one issue in the past.
We should rate companies not on how often they’re attacked but how often those attacks are successful and how quickly they do something about it afterward.
In this case, the patch was issued, and the problem was resolved long before most people even became aware that an attack had occurred.
There’s no reason to believe that millions of websites were materially affected even if such a thing were technically possible.
This won’t be the last time someone finds a hole in WordPress. The nature of the platform and the service, with its thousands of templates, plugins, and associated features, leaves it wide open to such problems.
The fact that they don’t occur more often is a testament to how good WordPress and Wordfence are at getting ahead of any such issues. We’ll be keeping all of our sites with WordPress, and we don’t believe that consumer confidence ought to be affected.
If you have any reason to believe that your WordPress site was compromised in any way during the attack, contact technical support immediately.
If, on the other hand, everything is normal, you almost certainly have nothing to worry about. Should there be any further developments in this story, we’ll keep you posted, but for now, it seems that the matter has been resolved, and it’s business as usual. For the millions of businesses that rely on WordPress, that’s a relief.