"Now my site got hacked again
Sometimes I feel it's made of glass
But that SQL injection
Took my website down and threw it on its... butt"
These are lyrics from the second half of Verse 2 in the song, "WordPress Got Ran Over By My HubSpot", which highlights one of the biggest and most well-known issues of WordPress... security.
How Real of an Issue Is This?
Sophos reports that over 30,000 websites are hacked every day, and as 43% of all websites are built on WordPress, that means about 13,000 WP sites are hit daily. This of course makes it easy to believe that WordPress is by far the most hacked CMS... by a huge margin.
According to Sucuri, 4.3% of WordPress websites scanned with SiteCheck (a website security scanner) in 2022 had been hacked. That's about 1 in every 25 websites... and of course, not all WordPress sites use SiteCheck, so that is not even a complete picture.
What Makes WordPress So Insecure?
Well, it could be due to not getting enough love and attention as a child. Wait, wrong post. There are actually a number of reasons...
Highly Used, Larger Target
As noted above, WordPress is the most used CMS platform and commands a hefty lead in market share. While that lead seems to be showing signs of a slowdown (as it should), the fact remains that no other CMS at the moment serves as the foundation for more websites than WordPress does. That puts an easy target on its back. A predator wants to go where the eating is good and there are plenty of options to go after. The same goes for a hacker. They're going to take their hacking skillset to where they can exploit the most possible victims and fully take on that Grinch role in this Christmas season.
Insecure Passwords
WordPress is open source, so most people are installing it and setting it up on their own. You have passwords for your MySQL database, your hosting account, and your WordPress admin login account. In many cases, there are multiple admin-level accounts! Each of these logins is a potential gateway for a hacker to gain access to your site and cause significant damage, so if your passwords are weak and easily hackable, you're in trouble.
Outdated Plugins, Themes and Software
Entering the discussion, again... third-party plugins. So many people proclaim WordPress' greatness due to the vast number of plugins available. Yet, every issue that we look at with this platform seems to involve these plugins.
Every plugin, theme, or other integrated software that you are using with your WordPress site is another avenue for hackers to take into your website. As vulnerabilities are found (as they regularly are) from plugin to plugin, the developers release updates and security patches. You have to keep up on those to have the best fighting chance at keeping your WP site alive.
Over 92% of security vulnerabilities in WordPress come from third-party plugins.
Types of Vulnerabilities
There are many different types of vulnerabilities, like Cross-Site Scripting (XSS), which is the most common on WordPress sites. Another type, which we have to address as our inspiration song notes it specifically, is SQL injection. It is another of the most common hacking methods, and not just for WP sites.
A SQL injection attack is when the hacker sends SQL commands to the database through the site's own inputs, usually with the intention of retrieving data. WordPress is a database-driven platform, so that is where everything is housed, from page content to user login credentials. If the hacker successfully exploits a SQL injection vulnerability, they will gain unrestricted access to your database and everything that it contains.
From that point, the hacker can execute code, make changes and cause extensive damage to your website.
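The difference between a query that can be injected and one that cannot, as an added example that is not from the original post. It uses Python's built-in sqlite3 as a stand-in for WordPress's MySQL database; the `wp_users` rows, function names and inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for a WordPress-style users table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (user_login TEXT, user_email TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?)", [
        ("admin", "admin@example.test"),
        ("editor", "editor@example.test"),
        ("author", "author@example.test"),
        ("o'brien", "obrien@example.test"),
    ])
    return db

def lookup_vulnerable(db, login):
    # Vulnerable: the input is pasted into the SQL text, so a quote
    # character in it changes the structure of the query itself.
    sql = ("SELECT user_login, user_email FROM wp_users "
           "WHERE user_login = '" + login + "'")
    return db.execute(sql).fetchall()

def lookup_safe(db, login):
    # Hardened: the ? placeholder sends the input separately from the SQL,
    # so the database only ever treats it as a value to compare against.
    sql = "SELECT user_login, user_email FROM wp_users WHERE user_login = ?"
    return db.execute(sql, (login,)).fetchall()

def compare(db, login):
    """Rows returned by each lookup, or "error" if the SQL failed to parse."""
    result = {}
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        try:
            result[name] = len(fn(db, login))
        except sqlite3.Error:
            result[name] = "error"
    return result

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal login, a name containing a quote,
    # and the textbook always-true condition.
    for login in ("admin", "o'brien", "x' OR '1'='1"):
        print(repr(login), compare(db, login))
```

A legitimate name with an apostrophe breaking the concatenated query is often the first visible sign of this bug. In WordPress plugin code, the same placeholder approach is what `$wpdb->prepare()` provides.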
What about HubSpot CMS?
As we're looking at the HubSpot CMS in comparison to WordPress, how does HubSpot stack up against these types of security concerns? I'm glad you asked.
- No CMS is immune to security issues. Everyone knows that using a Mac over a PC makes you massively less open to security problems on your computer, although some potential issues still remain. You're never completely exempt from security concerns. The same applies when using HubSpot over WordPress. It is light years better and more secure, but nothing is perfect. However, HubSpot has Cloudflare firewall and CDN, 2-factor authentication options for login accounts, built-in security settings to configure (especially on Enterprise portals), and abilities to lock down your content and file structure from spidering. Lots of options to tighten up what is already pretty solid on its own! Learn more about HubSpot security straight from the source.
- HubSpot has all hosting, security and firewalls built in. There is no need to purchase and manage a separate hosting account. No worries about what version of PHP you're running, updating server software, SSL certificates, or setting up separate firewall solutions. HubSpot has it all covered.
- HubSpot doesn't have (or need) a library of 3rd party plugins. Almost everything you could ever need comes with HubSpot by default. A full user-friendly drag-n-drop content editing system, powerful forms, custom emails, SEO, CTAs, reporting, smart content, integrated CRM, content personalization, privacy content controls, and so much more... ready to go. No plugins needed, so the biggest security issue of WordPress is a non-issue on HubSpot!
I have personally migrated a great number of clients off of WordPress and onto HubSpot's CMS Hub... and the client is always thrilled with their decision!
If you're running a website on WordPress, it's time to stop looking over your shoulder and avoiding dark hacker alleys. Get your site on a more secure environment! We can help. Let's chat.