WordPress Security Revisited

Starting as just a good blogging system in 2003, WordPress has grown to be the most popular Content Management System (CMS), used in over 22% of the top 1 million web sites. It is a CMS that can be installed in less than five minutes, and it is easy to use, stable, robust and secure.

Out of the box, WordPress provides nearly all the functionality that you can expect from a free, open source CMS. In WordPress, the look and feel of your site can easily be altered to best match your site’s subject matter using one of over 2,600 themes available in the WordPress Theme Directory. In addition, with over 32,000 plugins, you can rest assured that any functionality that you need in your website is either found in the default installation, or someone has already developed a plugin for it.

WordPress looks like it has the potential to be the CMS that lifts the burden of maintaining a website, letting us focus on producing interesting and informative content without worrying about the technical issues such systems are known for. Unfortunately, that is far from the truth. In the rest of this article I will discuss some of the most common WordPress security problems.

Install and Forget

With many experienced developers involved in the WordPress project and over 10 years since its inception, WordPress is in fact a mature system. Most users install WordPress, configure a theme and install a bunch of plugins (or get someone else to do all this for them), and once everything hangs together and looks good, they only log in to add pages and posts, ignoring every update warning. As the saying goes, “If it ain’t broke, don’t fix it”.

Unless software has reached its end of life, or its developers have abandoned the project altogether, most applications continue to receive frequent updates, and WordPress is no exception. The WordPress core team releases frequent updates with fixes for bugs that are discovered regularly. Most updates also address security vulnerabilities or add hardening to existing components to prevent possible security issues. It is therefore important to keep an eye out for WordPress releases and to make sure you are running a recent one. Most reputable WordPress plugins, such as Yoast, are not supported on old WordPress versions either, so an old core also blocks plugin updates.

Vulnerable Themes

Most people would think that since WordPress themes only produce the graphical interface, the design of your site and its basic functions, they should not be a cause of security concern. That is far from true. A theme is PHP code that runs on your server with the same privileges as WordPress itself. Most themes are free, which means that anyone could have written them, and there are many themes that include hidden, malicious code which can be used to insert spam or, worse, to distribute malware.

In addition, themes might make use of third-party components which contain security vulnerabilities. A recent example is a zero-day remote code execution vulnerability in TimThumb, an image-resizing script bundled with various well-known themes and present in millions of installations. This is not the first high-severity vulnerability found in this component.

Vulnerable Plugins

Everyone and their dog knows that installing a lot of plugins is bad practice, yet everyone seems to ignore this basic WordPress recommendation. Some plugins promise more functionality than they actually deliver. To make things worse, some people seem to be on a shopping spree, browsing the WordPress plugin directory in search of the next plugin to install.

Each plugin installed in WordPress has the potential to:

  • Slow things down
  • Conflict with other plugins
  • Leave you unable to upgrade to the latest version of WordPress because the plugin has not been updated
  • Contain security vulnerabilities
  • Be outright malicious

Since WordPress is rather basic without plugins, here are some tips to minimise the risks:

  • Avoid installing plugins that are not really required
  • Only install plugins from reputable sources
  • For each plugin you install, commit to keeping up to date with the plugin’s news and updates (one more reason to install fewer plugins)
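
The advice above and under Install and Forget comes down to one thing: knowing exactly which versions of core and of every plugin a site is running, and noticing when one falls behind. The script below is an added example, not code from the original article or from WordPress: it reads the core version from wp-includes/version.php and each plugin's version from its header comment, compares them numerically against a baseline file you maintain, and reports anything older than the baseline or missing from it. The sample site tree, plugin names, versions and baseline are constructed for the demo; the file layout and the "Plugin Name:" / "Version:" header format are WordPress's real conventions.

```shell
#!/bin/sh
# Added example, not code from the original article or from WordPress: take stock
# of a WordPress tree's core and plugin versions and report anything below a
# baseline you set. Assumes the stock layout (wp-includes/version.php,
# wp-content/plugins/<slug>/) and the standard plugin header comment.

# Numeric dotted-version compare: returns 0 (true) when $1 is older than $2.
# Compares field by field so 4.9 < 4.10, which a plain string sort gets wrong.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Core version as recorded in wp-includes/version.php ($wp_version = '...';).
wp_core_version() {
    sed -n "s/^[$]wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# One "slug<TAB>name<TAB>version" line per plugin, read from its header comment.
wp_plugin_versions() {
    for f in "$1"/wp-content/plugins/*/*.php; do
        [ -f "$f" ] || continue
        name=$(sed -n 's/^[ *]*Plugin Name:[[:space:]]*\(.*\)$/\1/p' "$f" | head -n 1)
        [ -n "$name" ] || continue          # helper file, not the plugin's main file
        ver=$(sed -n 's/^[ *]*Version:[[:space:]]*\(.*\)$/\1/p' "$f" | head -n 1)
        printf '%s\t%s\t%s\n' "$(basename "$(dirname "$f")")" "$name" "${ver:-unknown}"
    done
}

# Print one line per component that is older than the baseline, or that has no
# baseline entry at all (a plugin nobody is tracking is a finding, not a pass).
# $1 = site root, $2 = minimum core version, $3 = file of "slug<TAB>min_version".
wp_outdated() {
    root="$1"; min_core="$2"; baseline="$3"
    core=$(wp_core_version "$root")
    version_lt "$core" "$min_core" && printf 'core\t%s\t<%s\n' "$core" "$min_core"
    wp_plugin_versions "$root" | while IFS="$(printf '\t')" read -r slug name ver; do
        min=$(awk -F'\t' -v s="$slug" '$1 == s { print $2 }' "$baseline")
        if [ -z "$min" ]; then
            printf '%s\t%s\tno baseline\n' "$slug" "$ver"
        elif version_lt "$ver" "$min"; then
            printf '%s\t%s\t<%s\n' "$slug" "$ver" "$min"
        fi
    done
    return 0
}

# Constructed fixture (not a real site): a throw-away tree with an old core,
# one plugin behind the baseline and one plugin nobody wrote a baseline for.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/sample-forms" "$d/wp-content/plugins/old-gallery"
    printf "<?php\n\$wp_version = '4.1';\n" > "$d/wp-includes/version.php"
    printf '<?php\n/*\nPlugin Name: Sample Forms\nVersion: 2.0.0\n*/\n' > "$d/wp-content/plugins/sample-forms/sample-forms.php"
    printf '<?php\n/**\n * Plugin Name: Old Gallery\n * Version: 1.0.2\n */\n' > "$d/wp-content/plugins/old-gallery/old-gallery.php"
    printf 'sample-forms\t2.1.0\n' > "$d/baseline.tsv"   # the versions you have decided to accept
    echo "$d"
}

# Demo run against the fixture; on a real host pass the document root and your own baseline.
site=$(make_fixture)
wp_outdated "$site" 4.2 "$site/baseline.tsv"
rm -rf "$site"
```

Unknown plugins are reported rather than silently passed, because a plugin nobody is tracking is exactly the one that gets left unpatched. On a live host run this from cron against the real document root and update the baseline after reading each release's changelog; where the server can reach wordpress.org, WP-CLI's `wp core check-update` and `wp plugin list --update=available` give the same answer from the upstream side.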

WordPress is easy, Securing WordPress is not

WordPress is designed to make it easy to post new pages, new posts and new content in general. The same cannot be said of securing a WordPress installation, which might require editing your web server configuration, manually changing wp-config.php or altering other PHP files by hand.

The large majority of WordPress users are either not aware of these risks, or deliberately ignore them because they do not fully understand the implications, or find them too difficult to configure without technical expertise. They cannot be blamed, since one would expect the security practices implemented in the WordPress core to also be implemented in any plugin or theme one chooses to install.
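
As an added example (not the article's or WordPress's own code) of the manual steps just mentioned, the script below applies three of them to a site root: it sets hardening constants in wp-config.php, placing them before the "stop editing" marker so they take effect, and drops Apache 2.4 rules that deny direct access to wp-config.php and PHP execution inside wp-content/uploads. The sample wp-config.php is constructed; the constant names, the marker line and the Apache directives are the real ones, while the choice of which constants to set is this example's assumption.

```shell
#!/bin/sh
# Added example, not code from the original article or from WordPress itself:
# apply a few of the "edit it by hand" hardening steps the article alludes to,
# idempotently, so the script can be re-run after every upgrade.
# Assumes Apache 2.4 (the Require syntax) and a stock wp-config.php that still
# carries the "That's all, stop editing!" marker line.

# Add define('NAME', value); to wp-config.php unless it is already set.
# The constant must land before the marker: anything placed after
# require_once 'wp-settings.php' runs too late to take effect.
wp_define() {             # $1 = wp-config.php  $2 = constant  $3 = PHP literal
    cfg="$1"; name="$2"; value="$3"
    if grep -q "define( *'$name'" "$cfg"; then
        return 0          # the site owner already chose a value: keep theirs
    fi
    if ! grep -q 'stop editing' "$cfg"; then
        echo "$cfg: no 'stop editing' marker, add $name by hand" >&2
        return 1
    fi
    awk -v line="define('$name', $value);" \
        '/stop editing/ && !done { print line; done = 1 } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Append a block to a file only if its first line is not already there.
append_once() {           # $1 = file  $2 = block text
    first=$(printf '%s\n' "$2" | head -n 1)
    [ -f "$1" ] && grep -qF -- "$first" "$1" && return 0
    printf '%s\n' "$2" >> "$1"
}

# Web server side: no direct reads of wp-config.php (database credentials), and
# no PHP execution from uploads, where an attacker who gets a file onto the
# server through a plugin or theme bug usually lands.
wp_htaccess() {           # $1 = site root
    append_once "$1/.htaccess" '<Files wp-config.php>
    Require all denied
</Files>'
    mkdir -p "$1/wp-content/uploads"
    append_once "$1/wp-content/uploads/.htaccess" '<FilesMatch "\.php$">
    Require all denied
</FilesMatch>'
}

wp_harden() {             # $1 = site root
    cfg="$1/wp-config.php"
    wp_define "$cfg" DISALLOW_FILE_EDIT  true || return 1   # no theme/plugin editor in wp-admin
    wp_define "$cfg" FORCE_SSL_ADMIN     true || return 1   # logins and wp-admin over HTTPS only
    wp_define "$cfg" WP_AUTO_UPDATE_CORE true || return 1   # let core apply its own updates
    wp_htaccess "$1"
}

# Constructed fixture (not a real install): the weak starting point, a stock
# wp-config.php with none of the hardening constants set.
make_config_fixture() {
    d=$(mktemp -d)
    cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
EOF
    echo "$d"
}

# Demo: harden the fixture and show the result; on a real host pass the document root.
site=$(make_config_fixture)
wp_harden "$site"
cat "$site/wp-config.php" "$site/.htaccess" "$site/wp-content/uploads/.htaccess"
rm -rf "$site"
```

The .htaccess rules only apply if the virtual host allows overrides (AllowOverride) for that directory; on nginx the same two denials are written as location blocks in the server configuration instead. DISALLOW_FILE_EDIT removes the in-browser code editor but not the ability to install or update plugins, so it does not get in the way of the update advice above.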

The Acunetix Vulnerability Scanner includes checks that identify common security misconfigurations, old versions of WordPress and of WordPress plugins, vulnerable WordPress themes and plugins, and weak WordPress credentials. It can also check for a broad range of other vulnerabilities, such as Cross-Site Scripting and SQL Injection, that may exist in custom-built WordPress themes and plugins.

  • Yes, you are absolutely correct.
    It is very easy to install WordPress, but securing WordPress is a hard path.
