It’s true that WordPress is one of the most popular technologies on the planet, but is it secure? The short answer is yes. The longer answer is more nuanced.
WordPress security is also something we get asked about fairly regularly, especially by people who have only heard WordPress mentioned in the same breath as “blogging platform”, so we decided to tackle the subject in this blog post.
But first, a bit of history.
WordPress as a self-hosted content management system (CMS) was first released in May 2003 as v0.70. This month sees v4.9.6 released, marking the 15-year anniversary of a platform that has matured into a stable and robust open source solution.
For anyone who has followed the technology, it’s difficult not to be amazed at its evolution from fairly modest and humble beginnings to the technology powering, by some estimates, around a third of all websites.
If we narrow that view to the top 1 million sites in the world, we can see WordPress behind roughly half of them, and it still accounts for about a third of the top 10,000 sites. So it’s pretty popular.
The price of popularity…
As with any popular solution, WordPress presents a huge target for would-be hackers and bad actors. Just ask Microsoft how they feel about the vast number of computer viruses and malware written for their operating system.
Most hacked WordPress sites are compromised automatically by “botnets” scanning for known vulnerabilities that already have a fix available, so it’s really important to keep everything up to date. Because WordPress is an open source application with a very large development community, newly reported vulnerabilities are typically patched quickly, but a patch only protects the sites that apply it.
Thankfully, WordPress installs minor and security releases of core (4.9.5 to 4.9.6, for example) automatically by default; major releases still need to be applied by someone. Plugins and themes do not update themselves unless the plugin author or the site opts them in, so most need to be monitored and updated manually.
If you only use well-maintained, popular plugins from established authors this becomes less of a burden, and the update process itself is generally very straightforward, especially for minor bug fixes and changes.
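As an added example (this is not code from the original post, nor part of WordPress itself), the must-use plugin below shows how a site can opt a short allow-list of trusted plugins into WordPress's background updater while leaving everything else manual, and e-mail a summary whenever the updater runs, since core only e-mails about core updates. It relies on the core `auto_update_plugin` filter and `automatic_updates_complete` action; the plugin file paths in the allow-list, the mu-plugins path and the choice of recipient are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Example update policy
 * Description: Added example, not from the original post. Opts an allow-list of
 *              trusted plugins into the background updater and e-mails a summary.
 *
 * Save as wp-content/mu-plugins/example-update-policy.php (assumed path; must-use
 * plugins load automatically and cannot be switched off from the dashboard).
 *
 * Minor core releases (4.9.5 -> 4.9.6) already update themselves; that default is
 * the 'minor' setting of define('WP_AUTO_UPDATE_CORE', 'minor') in wp-config.php.
 */

// Assumption: placeholder list of well-maintained plugins the site relies on,
// identified by main-file path relative to wp-content/plugins.
function example_trusted_plugins() {
    return [
        'wordfence/wordfence.php',
        'akismet/akismet.php',
    ];
}

// auto_update_plugin is asked once per plugin that has an update waiting.
// Return true to take it automatically; returning the incoming $update value
// keeps core's default (manual) for anything not on the list.
add_filter('auto_update_plugin', 'example_auto_update_plugin', 10, 2);
function example_auto_update_plugin($update, $item) {
    if (isset($item->plugin) && in_array($item->plugin, example_trusted_plugins(), true)) {
        return true;
    }
    return $update;
}

// Read failure the way the updater reports it: a WP_Error or false means the
// update did not happen (core returns the new version string on success).
function example_update_failed($result) {
    return is_wp_error($result) || false === $result;
}

// One line per item the updater touched, in the order core, plugin, theme.
function example_summarise_updates($results) {
    $lines = [];
    foreach (['core', 'plugin', 'theme'] as $type) {
        if (empty($results[$type])) {
            continue;
        }
        foreach ($results[$type] as $r) {
            $lines[] = sprintf('[%s] %s: %s', $type, $r->name,
                example_update_failed($r->result) ? 'FAILED' : 'updated');
        }
    }
    return $lines;
}

// automatic_updates_complete fires after a background run with everything it
// tried, so a failed plugin update does not go unnoticed until the next audit.
add_action('automatic_updates_complete', 'example_report_updates');
function example_report_updates($results) {
    $lines = example_summarise_updates($results);
    if (!$lines) {
        return;
    }
    wp_mail(
        get_option('admin_email'), // assumed recipient; a monitored ops mailbox is better
        '[' . get_bloginfo('name') . '] background updates ran',
        implode("\n", $lines)
    );
}
```

Anything not on the allow-list keeps the manual update path the post describes, so the list is where you record which plugins you trust enough to change without a person looking; the summary e-mail is what makes that trust auditable after the fact.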
A common sense approach
Making sure sites are patched when fixes are released is great, but what about the window between a vulnerability being disclosed and the patch being applied?
That’s where an established firewall plugin like Wordfence comes in. Even the free version of Wordfence operates as a robust Web Application Firewall (WAF), inspecting incoming requests and blocking known attack patterns before they reach the rest of WordPress, which makes it a useful tool for both monitoring and restricting traffic. One caveat: the free tier receives new firewall rules on a delay relative to the paid tier, and that delay falls precisely inside the window the WAF is there to cover.
Of course, keeping a website up to date and using a web application firewall is a great first line of defence, but it’s just as important to run similar security measures on the webserver itself.
Keeping the operating system, software applications and packages up to date matters just as much. Security support for PHP 5.6 ends in December 2018, making it ‘end of life’, and having the most secure website in the world won’t help if it’s powered by an unsupported and potentially vulnerable version of PHP.
Reducing the 'attack surface'
Keeping software up to date and using firewalls is going to make life much harder for automated bots looking for weak targets. But it’s not where security stops.
Moving or hiding the login URL, enforcing strong passwords for all users, automatically locking out clients that repeatedly try invalid usernames, protecting core files from unauthorised editing, blocking overly long or suspicious URL strings, rate-limiting clients that generate bursts of 404s (a sign of scanning)… the list of additional measures that can be taken is a long one.
It would be trivial to lock down the back-end of a website so that it is only accessible from whitelisted IPs, but this level of security might also get in the way of day-to-day content management. Even two-factor authentication might be a step too far for a site with multiple authors, or for those who are often on the move, though for administrator accounts it is usually worth the friction.
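As an added example (it is not code from the original post, and not a substitute for a maintained plugin like Wordfence), the must-use plugin below implements three of the measures just discussed with core hooks alone: an optional IP whitelist for wp-login.php that can be switched off by leaving the list empty, a per-address lock-out after repeated failed logins, and the DISALLOW_FILE_EDIT constant that removes the in-dashboard theme and plugin editors. The addresses, the thresholds, the file path and the assumption of 64-bit PHP 7 are placeholders for illustration.

```php
<?php
/**
 * Plugin Name: Example login hardening
 * Description: Added example, not from the original post. Optionally restricts
 *              wp-login.php to whitelisted networks, locks an address out after
 *              repeated failed logins, and disables the in-dashboard file editor.
 *
 * Save as wp-content/mu-plugins/example-login-hardening.php (assumed path).
 * Assumes 64-bit PHP 7 (ip2long and the 32-bit mask arithmetic below).
 */

// Assumption: placeholder office/VPN ranges. Return an empty array to skip the
// whitelist entirely, the trade-off the post describes for authors on the move.
function example_login_whitelist() {
    return ['203.0.113.10', '198.51.100.0/24'];
}

define('EXAMPLE_MAX_FAILURES', 5);       // failed attempts before lock-out
define('EXAMPLE_LOCKOUT_SECONDS', 900);  // 15 minutes

// Removes Appearance > Editor and Plugins > Editor, so a stolen admin session
// cannot turn the dashboard into a PHP shell. wp-config.php is the usual home
// for this; a must-use plugin loads early enough for it to take effect too.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// IPv4 match against a list of single addresses or CIDR ranges. Anything that
// is not a valid IPv4 address (including IPv6) is rejected rather than guessed at.
function example_ip_allowed($ip, array $whitelist) {
    $ip_long = ip2long($ip);
    if ($ip_long === false) {
        return false;
    }
    foreach ($whitelist as $entry) {
        $parts = explode('/', $entry, 2);
        $net   = ip2long($parts[0]);
        $bits  = isset($parts[1]) ? (int) $parts[1] : 32;
        if ($net === false || $bits < 0 || $bits > 32) {
            continue; // a malformed entry never matches
        }
        $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        if (($ip_long & $mask) === ($net & $mask)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN that is the proxy's
// address; take the real client from the header *your* proxy sets, never from an
// X-Forwarded-For value the client could have supplied itself.
function example_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
}

function example_lockout_key($ip) {
    return 'example_login_fail_' . md5($ip);
}

// login_init runs on every request to wp-login.php before any form is handled.
add_action('login_init', 'example_enforce_whitelist');
function example_enforce_whitelist() {
    $whitelist = example_login_whitelist();
    if ($whitelist && !example_ip_allowed(example_client_ip(), $whitelist)) {
        wp_die('Login is restricted to approved networks.', 'Forbidden', ['response' => 403]);
    }
}

// Count failures per address in a transient that expires with the lock-out.
add_action('wp_login_failed', 'example_record_failure');
function example_record_failure($username) {
    $key = example_lockout_key(example_client_ip());
    set_transient($key, (int) get_transient($key) + 1, EXAMPLE_LOCKOUT_SECONDS);
}

// Priority 30 runs after core's own handlers (priority 20), so a WP_Error here
// wins even when the password was right. Attempts made during a lock-out also
// fire wp_login_failed, which keeps the window open while the guessing continues.
add_filter('authenticate', 'example_check_lockout', 30, 3);
function example_check_lockout($user, $username, $password) {
    if ((int) get_transient(example_lockout_key(example_client_ip())) >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error('example_locked_out',
            'Too many failed logins from your address. Try again in 15 minutes.');
    }
    return $user;
}
```

The lock-out is keyed on the client address rather than the username so that an attacker working through a list of usernames from one host is blocked just as quickly as one hammering a single account, and the whitelist check happens before WordPress even renders the login form, so a blocked scanner never learns whether a username exists.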
It’s why we take a common sense approach. We keep our servers and websites up to date, have firewalls and other security measures in place, perform regular security audits and reviews, and take the steps we deem necessary to protect our client sites from harm. None of these measures will stop the most determined attacker, so having a backup plan with multiple layers of redundancy is just as important!
WordPress is incredibly popular and, for better or worse, it also has a low barrier to entry. Sites which aren’t regularly maintained might be vulnerable, especially to botnets performing automated attacks. But this doesn’t mean WordPress itself is insecure, and the steps to reduce the risk of a compromised website are fairly straightforward:
- Make sure WordPress is kept up to date.
- Make sure any plugins, themes and the webserver are also regularly updated.
- Use a firewall at the webserver and website levels.
- Reduce the attack surface further by taking some additional steps to harden and protect the installation.
- Perform regular reviews and security audits to keep on top of changes and developments over time.
Last but not least, it’s also important to have a robust backup process in place (ideally with multiple levels of redundancy, and with restores tested rather than assumed) to be able to restore and roll back in the event of a breach.