WordPress site owners should follow these best practices to avoid a site compromise:
Update third-party plugins and themes:
Typically, site compromises occur when cybercriminals find an out-of-date plugin on their target site for which an exploit is available that can be leveraged to compromise the site. The best way to avoid this is to ensure that all plugins are kept up to date. WordPress makes this easy on the Updates tab of the WordPress dashboard.
Some recent vulnerable plugins:
• Duplicator – Current version: 1.3.30, Vulnerable version: 1.3.28 – Allowed hackers to export site contents.
• Profile Builder – Current version: 3.1.6, Vulnerable version: <= 3.1.0 – Allowed for total site takeover.
• OneTone Theme – Currently vulnerable to a Cross-Site Scripting attack that leads to total site takeover. Theme has not been updated since 2018 and no patch is expected, but attacks against sites using this theme are ongoing.
Some developers may not issue patches immediately for bugs found in WordPress plugins (such as the OneTone bug), so it is recommended to stay aware of recent vulnerabilities and disable vulnerable plugins if no patch is available. https://www.exploit-db.com/ provides a large list of recent exploits with helpful explanations that can be useful when deciding whether a plugin needs to be disabled until a patch is issued.
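The decision described above (update if a fixed version exists, disable if no patch is available) can be made systematically against a plugin inventory. The following script is an added example, not part of the original article: the advisory table reuses only the plugin and version facts stated in the list above, the installed-plugin inventory is constructed for illustration (the OneTone and Akismet version strings are placeholders), and the triage rule of "anything below the first fixed version needs an update" is an assumption of this example.

```python
"""Triage installed WordPress plugins against known vulnerable versions.

Added example, not from the original article. Advisory data comes from
the article's list; the installed inventory is constructed.
"""
from typing import Dict, Optional, Tuple


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '1.3.28' into (1, 3, 28) so versions compare numerically.
    Missing components are padded with 0 so '3.1' == '3.1.0'."""
    parts = [int(x) for x in v.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


# Known advisories (from the article). fixed_in=None means no patch exists.
KNOWN_VULNERABLE: Dict[str, Dict[str, Optional[str]]] = {
    "duplicator": {"vulnerable_through": "1.3.28", "fixed_in": "1.3.30",
                   "impact": "site contents export"},
    "profile-builder": {"vulnerable_through": "3.1.0", "fixed_in": "3.1.6",
                        "impact": "total site takeover"},
    "onetone": {"vulnerable_through": None, "fixed_in": None,
                "impact": "XSS leading to total site takeover"},
}


def triage_one(slug: str, installed_version: str) -> str:
    """Return 'ok', 'update' or 'disable' for a single plugin/theme."""
    advisory = KNOWN_VULNERABLE.get(slug)
    if advisory is None:
        return "ok"  # no advisory on record for this slug
    fixed = advisory["fixed_in"]
    if fixed is None:
        return "disable"  # vulnerable with no patch: turn it off
    if parse_version(installed_version) >= parse_version(fixed):
        return "ok"
    return "update"  # conservative: anything below the fix gets updated


def triage(installed: Dict[str, str]) -> Dict[str, str]:
    """Map every installed slug to the action the site owner should take."""
    return {slug: triage_one(slug, ver) for slug, ver in installed.items()}


# Constructed inventory (slug -> installed version); not a real site.
INSTALLED = {
    "duplicator": "1.3.28",
    "profile-builder": "3.1.6",
    "onetone": "1.0.0",        # placeholder version
    "akismet": "4.1.3",        # placeholder version, no advisory
}

if __name__ == "__main__":
    for slug, action in triage(INSTALLED).items():
        note = KNOWN_VULNERABLE.get(slug, {}).get("impact", "")
        print(f"{slug:16} {INSTALLED[slug]:8} -> {action:7} {note}")
```

Feed `triage()` the slug/version pairs from the dashboard's plugin list (or from a WP-CLI export) and act on every `update` and `disable` entry before the next log review.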
Regularly check server logs:
It is important to monitor the logs on the WordPress server and search for patterns of unusual access that indicate a SQL injection attack or the presence of a web shell (a rogue PHP file that allows attackers to completely control the server). Any new and unexpected PHP files added to the server, especially those found among uploaded plug-ins, should be investigated to determine whether they are a threat.
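A minimal version of the log review and file check described above, as an added example that is not part of the original article: it parses web-server access-log lines in the common "combined" format, flags URL-decoded query strings containing typical SQL injection tokens, flags any request for a `.php` file under `wp-content/uploads/` (PHP should never execute there, so a hit is a strong web-shell indicator), and compares the current PHP file inventory against a known-good baseline. The log lines, the baseline and the regex set are constructed for illustration and are not an exhaustive signature list.

```python
"""Scan access logs and the PHP file inventory for WordPress attack indicators.

Added example, not from the original article. Sample log lines, baseline
and patterns below are constructed for illustration.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Common SQL injection tokens, matched against the URL-decoded, lower-cased path.
SQLI_PATTERNS = [
    re.compile(r"union\s+(all\s+)?select"),
    re.compile(r"'\s*or\s+['\d]"),          # ' or 1=1  /  ' or 'a'='a
    re.compile(r"\b(sleep|benchmark)\s*\("),  # time-based probes
    re.compile(r"information_schema"),
]

# PHP under the uploads tree should not exist, let alone be requested.
UPLOADS_PHP_RE = re.compile(r"/wp-content/uploads/.*\.php(\?|$)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return indicator names for one parsed entry (empty list = nothing seen)."""
    decoded = unquote_plus(entry["path"]).lower()
    findings = []
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        findings.append("sqli")
    if UPLOADS_PHP_RE.search(decoded):
        findings.append("php_in_uploads")
    return findings


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, int, List[str]]]:
    """Return (ip, path, status, findings) for suspicious entries only."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry["ip"], entry["path"], int(entry["status"]), findings))
    return hits


def inventory(root: str) -> List[str]:
    """Relative paths of all .php files under a site root (for a real run)."""
    base = Path(root)
    return sorted(str(p.relative_to(base)) for p in base.rglob("*.php"))


def unexpected_php(current: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """PHP files that are new relative to a known-good inventory, or that
    sit under wp-content/uploads regardless of the baseline."""
    known = set(baseline)
    flagged = set()
    for f in current:
        if not f.lower().endswith(".php"):
            continue
        if f not in known or f.replace("\\", "/").startswith("wp-content/uploads/"):
            flagged.add(f)
    return sorted(flagged)


# Constructed sample log (RFC 5737 documentation addresses, made-up requests).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2020:10:15:32 +0000] "GET /?s=hello HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2020:10:16:01 +0000] "GET /?p=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 4321 "-" "-"',
    '198.51.100.4 - - [10/Mar/2020:10:17:45 +0000] "POST /wp-content/uploads/2020/03/cache.php HTTP/1.1" 200 88 "-" "-"',
    '198.51.100.4 - - [10/Mar/2020:10:18:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2020:10:19:10 +0000] "GET /index.php?id=1\'%20or%20\'a\'=\'a HTTP/1.1" 500 0 "-" "-"',
]

# Constructed baseline (known-good PHP inventory) and current inventory.
BASELINE = ["index.php", "wp-login.php", "wp-content/plugins/akismet/akismet.php"]
CURRENT = BASELINE + ["wp-content/uploads/2020/03/cache.php",
                      "wp-content/plugins/akismet/class.helper.php"]

if __name__ == "__main__":
    for ip, path, status, findings in scan_log(SAMPLE_LOG):
        print(f"{ip:14} {status} {','.join(findings):16} {path}")
    for f in unexpected_php(CURRENT, BASELINE):
        print("investigate:", f)
```

In practice, build the baseline right after a clean install or update, store it outside the web root, and diff `inventory("/var/www/html")` against it on a schedule; any `php_in_uploads` log hit should be checked against that diff immediately.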
For more information, please refer to the following articles: