WordPress is one of the most high-profile open source CMS's in use today. Being that 60% of all CMS websites use Wordpress, and 31% of all websites on the Internet use it, it's safe to say that it's a frequent target of security exploits.
Table of contents
The subject of whether WordPress is secure or not has been at the core of infosec discussions for several years. With hundreds of thousands of WordPress websites getting hacked annually, the question remains: "Is WordPress really secure?”
The eternal discussion on WordPress security
WordPress website hacks frequently occur for a couple of reasons that are easily preventable: using "admin” as your login credential or having a weak password. Factoring in these types of incidents to hacking statistics makes the simple question of WordPress safety difficult to answer.
When talking about WordPress security, the first important thing to note is that any security vulnerabilities it may have extend beyond its core. So, we need to make it clear that WordPress is made out of three different parts:
- The core
By looking into the latest statistics from WPScan.org, we can see WordPress vulnerabilities by each component:
Check out our list of Top 5 best WordPress vulnerability scanners to learn about great alternatives to WPScan.
5 Most Common Security Issues with WordPress
Before learning what makes WordPress secure or not, and to explore ways you can help make your website as safe as it can be, let's go through a quick list of the most common security issues website owners experience with WordPress:
1. Brute Force Attack
A brute force attack is a method of trial-and-error used mostly for obtaining information such as passwords and PINs (personal identification numbers). Cyber criminals do this by typing in multiple passwords or user names until they get the right combination. It can be a dictionary attack, where attackers try typing in every word in the dictionary, or an attack by trying the most commonly used passwords. This attack exploits the frequent mistake of using an insecure password for your website, practically giving attackers access to your data.
2. SQL Injection
Since WordPress websites use the MySQL database, this type of attack happens often. An SQL Injection takes place when security vulnerabilities are exploited and attackers are able to gain access to your data, change it or even destroy it.
Malicious software is used to gain access to your data by inserting a code in an expired theme or a plugin. The attacker can then extract your data or even insert malicious content into your website.
4. Cross-Site Scripting
5. DDoS Attack
A distributed denial-of-service attack occurs by maliciously overflowing a website with traffic, rendering it unable to serve its content to legitimate website visitors. It's executed from several machines compromised by the attacker using malware, making it very hard to locate and resolve.
Follow us on Twitter to receive updates!Follow @SecurityTrails
Who keeps WordPress secure?
You may wonder, who are the people behind the curtains, the ones working day and night to keep WordPress — and the millions of websites that use it — safe? Since WordPress is made up of the three components we mentioned, there are several teams of people in charge of keeping it safe:
The WordPress Core is maintained by an expert group of developers and researchers who undergo a long hiring process before being accepted as a part of the WordPress Security Team.
It's also important to know that, even if the WordPress Security Team is a group of 50 highly-qualified individuals, also crucial are the individual developers, security researchers and contributors who play a great role in maintaining the overall safety of WordPress.
They work diligently to keep WordPress safe, implementing the best security measures, developing new technologies to minimize potential security threats, identifying bugs and releasing patches.
Themes and Plugins
The WordPress Security Team is not responsible for themes and plugins. There is a team of volunteers who work on checking new plugins and themes, but they do not guarantee complete safety with so many of them being released so frequently. Vulnerabilities can go unnoticed.
There are both free and paid themes and plugins — and this is where the difference is noticeable.
The core of WordPress is significant, something each user who has a website uses, but what makes your website really yours is the selection of plugins and themes you use. Individual plugins and themes are created by different developers.
Here, budget can be detrimental. There are both free and paid themes and plugins — and this is where the difference is noticeable. Paid service will often have a team behind it that maintains it, releases updates and makes improvements regularly. Sometimes, free themes and plugins are made for testing one's skill, or "just for fun." For that reason, it's always good to invest in a paid plugin or theme.
What can you, the website owner, do?
Even with whole teams working on the WordPress core and individual plugins and themes, a lot of the responsibility for keeping your website secure falls on you.
Creating a website and leaving it up for years without maintenance and updates can make you an easy target for hackers.
Paid services are a great way to ensure your safety, but it is not possible for security threats to be completely eliminated.
WordPress is only as secure as the amount of effort and education that goes into it:
Keep the core up to date
When looking at this statistic from WPScan, we can see that the most vulnerable versions of WordPress date back to 3.X versions:
Keeping the application up to date is of crucial importance for your safety — most of the websites using WordPress that were hacked had out-of-date applications. Be sure to enable automatic security updates to incorporate new security fixes as soon as they're released.
Keep themes and plugins up to date
The themes and plugins are what make the WordPress platform loved by so many people. It's understandable to want to have as many possible, to customize and make websites unique and special, but each new plugin or theme can be a gateway for malicious attackers. Whenever you install a new plugin, you're courting the possibility of a malware code embedded in it. As we mentioned, paid features are safer; with more eyes on them, developers work maintaining safety and identifying bugs. With free ones, the possibility of that is significantly reduced.
More often than not, what happens is that a security patch is released for a plugin or theme, but website owners just don't update them. For this reason, it's important to set plugins and themes to also update automatically. And removing plugins that are not regularly updated and ones you don't use is also important — the more additions your core has, the greater the attack surface where hackers can attack your website.
Limit login attempts and use a strong password
We mentioned that brute force attacks are the most common WP security threat. For this reason, it's always good to limit login attempts so you will be notified when someone is repeatedly attempting access your website. Also, having a strong password made out of an unusual combination of letters, digits and special characters helps greatly.
Captcha solutions like Re-Captcha from Google are another great solution. Put them on your login page so all users need to pass the check before they are able to sign up or login.
Note: Google has announced that they will be removing the standard "I'm not a robot" Re-Captcha and are introducing a new version that will detect if a user is suspicious, and only then will the user have to go through usual checks.
While having your application updated and maintained, there is a possibility that hackers can damage your website without even coming close to WordPress.
You can always choose a web hosting company that specializes in hosting WordPress websites, or you can go the route of securing your own server.
Still, even if you have the strongest security possible on your WordPress website but are using a weak server, the chances of being hacked remain high.
Understanding your server security is important. Always make sure you have installed security updates for your OS, PHP, web server, and for any other applications.
Here are more steps you can take to harden your server security:
Add another layer of protection by installing a firewall on your computer. A firewall monitors incoming and outgoing traffic across the network. It also covers any protocol type and provides you with DDoS protection on the network layer.
One of the easiest ways to protect your website is to enable a web application firewall. A WAF is there to monitor, filter, and eventually block traffic to and from a web application. It's even able to block malicious traffic before it reaches your website. WAF implementation covers HTTP(S), SOAP, XML and SPDY. It also offers inspections of encrypted traffic, a safety measure lacking in network firewalls.
WAF implementation can be very useful in preventing XSS attacks and SQL Injections.
An IDS, or intrusion detection system, is a software that monitors the host or network for suspicious malicious activity. The administrator is notified of those activities using a SIEM system which uses alarming techniques to differentiate true malicious attacks, where hackers could be trying to exploit security holes in your website, from false alarms.
More on how to set up an IDS can be found here.
TCP Wrappers are in some ways similar to firewalls — they can block suspicious traffic but they work differently from firewalls due to some additional features.
TCP Wrappers are host-based access control list (ACL) systems that provide an access control by using access rules in the
host.allow file. With TCP Wrappers you are able to grant access for specific features like FTP, but deny access to others. They are also able to examine encrypted connections.
TCP Wrappers should be used in conjunction with firewalls since they are not a substitute — make sure you have it set up behind your firewall system.
As we mentioned, WordPress websites are a frequent target of DDoS attacks. WordPress doesn't have a built-in feature to protect you against these attacks, and it can seem hard finding the right plugins to help you.
Since these types of attacks are directed to your server, the best and easiest way to protect against DDoS attacks is having a managed hosting provider for your servers with built-in protection. That protection will filter traffic before it even reaches your servers, and block it if it's deemed malicious. Protection of DDoS attacks is also provided by having both a system firewall and WAF implemented.
Besides having a managed server, WAF implemented and a system firewall, you can also disable XML-RPC functionality of WP.
It's enabled by default and is there to allow a wide range of data to be transferred. Amongst the many functions it offers, it provides Pingbacks and Trackbacks. Pingback function is used for cross-referencing between different blogs, but its vulnerability lies in the fact that it can be exploited by attackers — to use WordPress websites for creating a botnet which is then used for DDoS attacks.
2013 saw an attack on approximately 2,500 WP websites by exploiting Pingback, as reported by Gur Schatz at Incapsula. The websites were not compromised or taken over, they were simply used to create a voluntary botnet.
Local PC and Network Security
Even if your WordPress website is well secured at the server level and you have your application updated, keeping your local PC and network secure decreases the risk of remote attackers hacking your website.
Having any Trojan, malware or viruses on your local network noticeably increases the chances of having keyloggers installed and your credentials for WP websites compromised.
Keep all of your software updated, upgrade to the newest OS's when they are released and run an anti-virus software regularly.
There is no definite answer to the question "Is WordPress secure?”
There's a great team behind WordPress, working 24/7 to make it a safe environment for users, but website owners have a responsibility to manage their websites themselves and keep them updated. Investing in good plugins and themes can make a big difference in defusing the attack surface.
Based on all of this, WordPress security depends on how much you invest into making it secure. Education and maintenance can make all of the difference, changing an indefinite answer to the question of WordPress security to an absolute 'Yes!' for you.
Website security extends beyond application-level security — malicious actors can find different ways and gateways to your website. Stay protected by integrating SecurityTrails API to your applications and you'll be able to analyze all data you share publicly with your WHOIS records so you can prevent future attacks. Grab your free API here.