Website design can, of course, make or break a website. When a site truly creates a positive customer experience, it can lead to higher traffic, engagement, and sales. Alternatively, poor UX can substantially limit a site’s potential to convert. All sites require top-notch design. However, when it comes to WordPress website, design pitfalls harm security as well.

WordPress vs. Cyberattackers

A cyberattack, also known as a CNA or computer network attack, is a deliberate attempt to gain illegal access to a computer to deliberately cause harm or damage to the system or the information on it, using the internet. Cyber attacks can be grouped into two categories: those where the goal is to disable the target computer and those where the goal is to access the target computer’s data. Both types of attacks can be achieved by hacking a poorly designed WordPress site.

How? Broken, outdated, or hacked plugins are the most common site entry points for WordPress hackers. Designers must be aware of the danger signs, or else be held responsible for opening the virtual door to attacks.

The consequences of a cyber attack are varied, as are the techniques used to achieve the goals mentioned. Identity theft is a widespread motivation, as well as fraud and extortion. For example, when malicious software is embedded in a WordPress site, it can do anything from encrypting files and demanding a ransom to steal data, spyware, spamming, Trojans, and viruses.   

A breach can also result in denial of service, and DDOS attacks overwhelm your server with ‘bogus’ traffic, which can mean your network or website is made unavailable to you. Cybercriminals might breach access for many reasons, to infiltrate your systems for information, deface your website. There’s also the threat of a man in the middle attack, which fools a target computer into joining a compromised network. Cyber attack techniques are often used in tandem.          

Common Type of WordPress Attacks

Since the dawn of the internet age, each year brings new forms of cyber attack. Statistics from 2017’s cumulative cyber attacks valued the damages at $5 billion, that’s 15 times the amount recorded just two years ago. There is no escaping the fact that businesses need to take steps to protect themselves from cybercrime. No matter the size of your website, you are a potential target of certain types of cybercrime.

Pharming

Pharming describes the practice of directing someone who is browsing the internet from a legitimate website to a fraudulent one. This deception is done to extract confidential data. While phishing is concerned with capturing personal information by getting people to visit fake, look-alike websites, pharming is even more sneaky. Pharming victims are redirected to fake sites without them even knowing about it.

Typically, when you want to visit a website, you type in a legitimate domain name into your browser, hit enter, and a browser looks the IP address up through the DNS system to load the web page data. If you’ve visited a site more than once, this is stored in the cache, so the computer doesn’t query the DNS server when you want to visit the site.  

With a pharming scam, a virus is planted that poisons your local DNS cache. Poisoning means it modifies the DNS entries, so when you visit a legitimate WordPress site you will be redirected to another malicious site instead.          

Pharming isn’t the most common form of cyber-attack because, fortunately, most DNS servers have security measures to detect and protect against these types of attacks. Given the deference and perseverance of hackers, these features don’t make anyone immune, since there are always new ways to access DNS servers.

Phishing

Phishing is computer jargon for the practice of trying to trick people into giving away sensitive information. Like actual fishing, it’s there to capture you, and this type of scam is exceedingly common. If you have an email account, chances are you’ve received an email from someone you didn’t know. This same type of hack is common in WordPress comments.

On a WordPress site, phishing is carried out through a combination of social engineering techniques and computer programming expertise. To trick people into cooperating, fraudulent comments are left on a WordPress blog that appear to link to legitimate sources. These links have authentic-looking URLs, but they will link to forged or ‘spoofed’ websites to fool people into thinking the site is genuine or legitimate. These fake sites are designed to extract personal identification such as usernames and passwords, credit card numbers, and any other financial data. The phishing victim will later discover that vital information has been stolen.

Protect Your WordPress Sites with Strong Design

At a general level, lean WordPress sites with a low number of plugins are the most secure. The popularity of WordPress means an extensive library of plugins — each one having the potential to open up additional vulnerabilities. Therefore, it’s safest to stick to trusted plugins and themes from the WordPress repository or well-known design firms to avoid future predicaments.

Established theme providers and plugin developers are more likely to take a proactive approach to security. For example, many of the top WordPress plugin or theme developers are audited by a third-party before release.

When you install a WordPress security plugin, you’re allowing it access to your WordPress files and media. You can’t restrict this access, which is why it’s essential to understand what details a plugin will be obtaining.

In addition to the software used to design a site, designers must also use safe security practices while building and maintaining a WordPress site.

The hosting service plays a vital role in the security of your WordPress site. Managed WordPress solutions offer proactive security standards, such as blocking an IP address after a supplied number of failed login attempts, automated backups, and advanced back-end configurations.

For those who work with a team of designers and content creators, limit access to your site by granting user roles strategically. This practice is even more crucial if you have multiple teams working on a site. Create individual login credentials appropriate to each person’s work, from the contributors to the authors, editors, and developers.

Bonus Tip: WordPress creates a default user on each new install named “Admin.” Hackers know this, so once individual users have unique login credentials, including one or more with full administrative access, delete the default Admin user, so hackers have one less way to attempt an attack.

Maintaining Security After Launch

One the initial website design is complete, it’s essential to keep a WordPress site current. Keep all themes, plugins, and WordPress itself up-to-date at all times. Pay close attention to WordPress news, and be ready to take action if you hear of a newly discovered vulnerability.

For designers who act as webmasters, as well, your primary defense line against pharming and phishing is to scan comment links before approving them using anti-virus software. These security programs must also be kept up to date to ensure they are in sync with the latest attack methods. It’s also smart to connect your computer to a virtual private network when you investigate suspicious links, as VPNs protect your true IP address, thereby concealing your physical location and identity. Even freelance designers can enjoy the benefits of a secure VPN service, with fast, low-cost solutions readily available.

A Designer’s Work is Never Done

WordPress is arguably the most versatile content management system in the world, but widespread popularity also makes it a prime target. As long as businesses and consumers freely share and store their private information online, hackers will continue their efforts to obtain it. Responsible design is crucial for creating secure websites, and maintaining client satisfaction.

About the Author

author photo

Mirko Humbert

Mirko Humbert is the editor-in-chief and main author of Designer Daily and Typography Daily. He is also a graphic designer and the founder of WP Expert.