How website owners compromise their own cybersecurity

BY SHUAIB AGAKA

The recent warning from the National Information Technology Development Agency (NITDA) about a critical security flaw in the Jupiter X Core WordPress plugin underscores a persistent issue in the digital world: the ongoing cybersecurity threats facing website owners. While vulnerabilities like this are common, the real danger lies in the negligence of website administrators who fail to take preventive action.

Many website owners prioritize security only after an attack occurs, often with devastating consequences. Cybercriminals exploit these gaps, but website administrators who ignore basic security practices are equally to blame.

A common misconception among website owners is that their sites are too small or insignificant to attract cybercriminals. This mindset breeds complacency, as they assume hackers only target high-profile organizations, government institutions, or large e-commerce platforms.

However, cybercriminals exploit the weakest links, and smaller websites with poor security practices provide easy entry points. Today, hackers use automated tools to scan the internet for vulnerabilities, meaning any website—regardless of size or popularity—can become a target. By the time many website owners recognize the risks, their sites have already been compromised.

One of the most common cybersecurity mistakes among WordPress website owners and administrators is the failure to regularly update software and plugins. Content management systems like WordPress rely on plugins and themes to enhance functionality, but these components often contain security vulnerabilities. Developers release updates to patch known flaws, yet many website administrators neglect them, leaving their sites exposed. Cybercriminals actively search for outdated software to exploit, and a single unpatched plugin can allow attackers to gain full control of a website.

WordPress, which powers 43.6% (513.58 million) of all websites globally, is a prime target for cybercriminals. Its widespread adoption makes it a lucrative target for hackers seeking to exploit vulnerabilities to gain unauthorised access, inject malware, or steal sensitive user data. Unlike custom-built websites, which are developed with tailored security frameworks, WordPress sites rely heavily on third-party plugins and themes that introduce security risks. While WordPress offers convenience and scalability, its popularity means that a single vulnerability can endanger millions of websites.

The reliance on third-party plugins is a major security concern. Many website owners install plugins without fully assessing their security implications. Some plugins, developed by independent developers, may become outdated or abandoned, leaving security vulnerabilities unpatched. Even reputable plugins can contain flaws that hackers exploit. Malicious plug-ins also exist, designed to provide hackers with backdoor access to a website, allowing them to manipulate content, steal user data, or spread malware. This highlights the need to download plugins only from verified sources and conduct thorough security audits before installation.

Zero-day vulnerabilities pose another critical risk. These are newly discovered security flaws that hackers exploit before developers can release a fix. Because WordPress has a vast user base, cybercriminals actively seek out and exploit these vulnerabilities on a large scale. In contrast, custom-built websites, which do not rely on publicly available code, are less susceptible to mass attacks. Businesses with custom-built solutions benefit from greater control over their security infrastructure, making it harder for hackers to find and exploit weaknesses. This difference underscores the importance of choosing the right platform based on security needs.

This is where regulatory bodies like NITDA play a crucial role in raising awareness about cybersecurity threats. By issuing advisories, they aim to inform website owners of potential risks and encourage them to take preventive measures. However, the effectiveness of such warnings is often limited, as many businesses and individuals either ignore them or lack the technical expertise to act on them.

Without strict enforcement mechanisms or mandatory compliance policies, these advisories serve more as cautionary notices than actionable directives that lead to meaningful change.

Nigeria’s cybersecurity policies, though evolving, still face enforcement and compliance challenges. Existing regulations, such as the Cybercrime Act, provide a legal framework for prosecuting cybercriminals but do little to enforce security standards for website owners. Unlike in some developed countries where regulatory agencies impose fines or penalties for security lapses, Nigeria’s approach remains largely advisory.

As a result, many fail to prioritize cybersecurity, knowing there are no immediate consequences for neglecting best practices. Strengthening cybersecurity policies with clearer enforcement strategies is essential for ensuring that organizations take security responsibilities more seriously.

Ultimately, website security is the responsibility of owners and administrators, not just the government. While regulatory bodies can issue guidelines and create policies, website owners must take proactive steps to secure their platforms. Relying solely on government intervention is not a sustainable solution, especially in an environment where enforcement remains weak.

Implementing security best practices—such as regular updates, strong authentication methods, and continuous monitoring—is the most effective way to prevent cyberattacks. Until website owners acknowledge their role in cybersecurity and take decisive action, they will remain the weakest link in the fight against cyber threats.

Cybersecurity is not just about preventing hackers from breaching systems—it is about website owners taking responsibility for securing their platforms. Many breaches occur not because hackers are exceptionally skilled but because website administrators fail to follow basic security practices. Outdated plugins, weak passwords, and a lack of monitoring make it easy for cybercriminals to exploit vulnerabilities.

While regulatory bodies like NITDA issue warnings, their impact is limited if website owners do not take proactive steps to protect their platforms. Neglecting security updates and best practices not only puts websites at risk but also endangers user data and business credibility.

Cybersecurity is an ongoing commitment, not a one-time effort. Without decisive action, website owners will continue to be their own worst enemies, leaving their platforms vulnerable to attacks that could have been easily prevented. Now is the time to take security seriously before the consequences become irreversible.

Shuaib S. Agaka, a tech journalist, writes from Kano state. He can be contacted via [email protected]