Starting as just a good blogging system in 2003, WordPress has grown to be the most popular Content Management System (CMS), used by over 22% of the top 1 million websites. It is the CMS that can be installed in less than 5 minutes and is easy to use, stable, robust and secure.

Out of the box, WordPress provides nearly all the functionality you can expect from a free, open source CMS. The look and feel of your site can easily be altered to match its subject matter using one of the more than 2,600 themes in the WordPress Theme Directory. With over 32,000 plugins available, you can rest assured that any functionality you need is either in the default installation or already available as a plugin someone has written.

WordPress does look like the CMS that can relieve the burden of maintaining a website, letting you focus on producing interesting and informative content without worrying about the technical issues such systems are known for. Unfortunately, that is far from the truth. In the rest of this article, I discuss some of the most common WordPress security problems.

Install and Forget

With many experienced developers involved in the project and over 10 years since its inception, WordPress is in fact a mature system. Most users install WordPress, configure a theme and install a bunch of plugins (or have someone else do all this for them), and once everything looks like it is holding together and looking good, they only log in to add pages and posts, ignoring every update notice. As the saying goes, “If it ain’t broke, don’t fix it”.

Unless software has reached its end of life, or its developers have abandoned the project altogether, most applications continue to receive frequent updates, and WordPress is no exception. The WordPress core team releases frequent updates fixing bugs that are discovered regularly; most releases also address security vulnerabilities or add hardening to existing components to prevent possible security issues. It is therefore important to keep an eye on WordPress releases and to ensure that you are running a recent one. Since WordPress 3.7, minor releases (which carry the security fixes) are applied automatically unless that has been disabled; major releases still need you to act. Most reputable WordPress plugins, such as Yoast, are not supported on old WordPress versions.

Vulnerable Themes

Most people assume that because WordPress themes only produce the graphical interface, the design of the site and its basic functions, they cannot be a cause for security concern. That is far from true. Most themes are free, which means anyone could have written them, and there are many themes that include hidden, malicious code used to insert spam links or, worse, to distribute malware.

In addition, themes may bundle third-party components that contain security vulnerabilities. A recent example is a zero-day remote code execution vulnerability in TimThumb, an image-resizing script used by many well-known themes and affecting millions of installations. This is not the first high-severity vulnerability found in this component.

Vulnerable Plugins

Everyone and their dog knows that installing a lot of plugins is bad practice, yet everyone seems to ignore this basic WordPress recommendation. Some plugins promise more functionality than they actually deliver. To make things worse, some people seem to be on a shopping spree, browsing the WordPress plugin directory for the next plugin to install.

Each plugin installed in WordPress has the potential to:

  • Slow things down
  • Conflict with other plugins
  • Get you into a situation where you cannot upgrade to the latest version of WordPress because the plugin has not been updated to work with it
  • Contain security vulnerabilities
  • Be outright malicious

Since WordPress is rather basic without plugins, here are some tips to minimise the risks:

  • Avoid installing plugins that are not really required
  • Only install plugins from reputable sources
  • For each plugin you install, commit to keeping up with that plugin’s news and updates (hence, again: install fewer plugins)
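The checks the last three sections describe (which core release is running, whether a theme bundles an old TimThumb, and which plugins are installed at which version) can be done offline against the files on disk. The following script is an added example, not code from the article, from Acunetix or from WordPress. It reads the same places WordPress itself uses: `$wp_version` in `wp-includes/version.php`, the `Plugin Name:` / `Version:` header comment of each plugin’s main file, and the `VERSION` constant that `timthumb.php` defines. The file names it looks for (`timthumb.php`, `thumb.php`), the `2.8.14` threshold and the miniature sample tree are assumptions made for this example; take the real fixed version from the advisory you are acting on.

```python
"""Offline inventory of a WordPress install: core version, plugin headers and
bundled TimThumb copies. Added example; not code from the article, Acunetix
or WordPress. Assumes the standard directory layout."""
import os
import re
import tempfile

# wp-includes/version.php declares the running core release as $wp_version.
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
# WordPress reads plugin metadata from a header comment in the plugin's main
# file; these patterns mirror the "Plugin Name:" and "Version:" header lines.
PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t]*$", re.M)
PLUGIN_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*$", re.M)
# timthumb.php announces its own release with define('VERSION', '...').
TIMTHUMB_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}  # assumption: names themes ship it under

def version_tuple(text):
    """'2.8.13' -> (2, 8, 13) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def core_version(root):
    """Return the $wp_version string from wp-includes/version.php, or None."""
    m = WP_VERSION_RE.search(read(os.path.join(root, "wp-includes", "version.php")))
    return m.group(1) if m else None

def installed_plugins(root):
    """Map plugin name -> declared version for everything under wp-content/plugins.
    A plugin is a directory (or a single file) whose top-level .php carries the header."""
    found = {}
    base = os.path.join(root, "wp-content", "plugins")
    for entry in (sorted(os.listdir(base)) if os.path.isdir(base) else []):
        path = os.path.join(base, entry)
        if os.path.isdir(path):
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [path]
        else:
            continue
        for candidate in candidates:
            src = read(candidate)
            name = PLUGIN_NAME_RE.search(src)
            if name:  # first file with a header wins, as in WordPress
                ver = PLUGIN_VERSION_RE.search(src)
                found[name.group(1)] = ver.group(1) if ver else "unknown"
                break
    return found

def timthumb_copies(root, min_safe):
    """List (relative path, version, outdated) for every TimThumb copy under wp-content.
    min_safe is the first fixed release; take it from the current advisory."""
    hits = []
    for dirpath, _, files in os.walk(os.path.join(root, "wp-content")):
        for name in files:
            if name.lower() in TIMTHUMB_NAMES:
                path = os.path.join(dirpath, name)
                m = TIMTHUMB_RE.search(read(path))
                ver = m.group(1) if m else "unknown"
                outdated = m is None or version_tuple(ver) < version_tuple(min_safe)
                hits.append((os.path.relpath(path, root), ver, outdated))
    return sorted(hits)

def audit(root, min_safe_timthumb="2.8.14"):
    """Run all three checks. The default threshold is an assumption for this
    example; replace it with the fixed version named in the advisory you act on."""
    return {"core": core_version(root),
            "plugins": installed_plugins(root),
            "timthumb": timthumb_copies(root, min_safe_timthumb)}

def build_sample_tree():
    """Write a constructed miniature WordPress tree (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '3.9.1';\n",
        "wp-content/plugins/index.php": "<?php\n// Silence is golden.\n",
        "wp-content/plugins/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
        "wp-content/plugins/akismet/akismet.php": "<?php\n/**\n * Plugin Name: Akismet\n * Version: 3.0.0\n */\n",
        "wp-content/themes/shiny/timthumb.php": "<?php\n// TimThumb script\ndefine ('VERSION', '2.8.13');\n",
        "wp-content/themes/shiny/lib/thumb.php": "<?php\ndefine ('VERSION', '2.8.14');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    result = audit(build_sample_tree())  # point audit() at a real docroot in practice
    print("WordPress core:", result["core"])
    for name, ver in sorted(result["plugins"].items()):
        print(f"plugin {name}: {ver}")
    for rel, ver, outdated in result["timthumb"]:
        print(f"TimThumb {rel}: {ver} {'OUTDATED' if outdated else 'ok'}")
```

Run it against a real document root by calling `audit("/var/www/html")` instead of the sample tree; the version strings it returns are what you compare against the current WordPress release and each plugin’s changelog. Note that a theme can rename the TimThumb file, so a scan by file name is a floor, not a ceiling.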

WordPress is easy, WordPress security is not

WordPress is designed to make posting new pages, new posts and new content in general easy. The same cannot be said of WordPress security, or rather of securing your WordPress installation, which may require editing your web server configuration, manually changing wp-config.php or manually altering other PHP files.
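The wp-config.php part of that work, as an added example (not code from the article, from Acunetix or from WordPress): a Python audit that parses the active `define()` calls in a wp-config.php and reports the settings a scanner would flag, run over a constructed weak configuration and a constructed hardened one. The constants it checks (the eight secret keys and salts, `WP_DEBUG`, `DISALLOW_FILE_EDIT`, `FORCE_SSL_ADMIN`, `WP_AUTO_UPDATE_CORE`, `$table_prefix`) and the `put your unique phrase here` placeholder are WordPress’s own; the severities, the sample salt values and the comment stripping are simplifications made for this example, and web server configuration is outside its scope.

```python
"""Audit the security-relevant settings of a wp-config.php source string.
Added example; not code from the article, Acunetix or WordPress."""
import re

# The eight keys/salts WordPress uses to sign cookies and nonces, and the
# placeholder value that wp-config-sample.php ships with.
SALT_CONSTANTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                  "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER_SALT = "put your unique phrase here"

# define('NAME', <'string' | "string" | bare token>); generated salts contain
# parentheses and the other kind of quote, so the value is parsed as a literal.
DEFINE_RE = re.compile(
    r"define\s*\(\s*['\"]([A-Z_]+)['\"]\s*,\s*"
    r"(?:'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"|([A-Za-z0-9_.]+))\s*\)\s*;")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")

def strip_comments(src):
    """Drop /* */ blocks and whole-line // or # comments so a commented-out
    define() is not counted as active (a simplification, not a PHP parser)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", src)

def defines(src):
    """Map constant name -> (value, quoted) for every active define() call."""
    out = {}
    for m in DEFINE_RE.finditer(strip_comments(src)):
        name, single, double, bare = m.groups()
        out[name] = (bare, False) if bare is not None else (
            single if single is not None else double, True)
    return out

def php_truthy(entry):
    """Approximate PHP truthiness for the literals that appear in wp-config.php."""
    if entry is None:
        return False
    value, quoted = entry
    return value not in ("", "0") if quoted else value.lower() not in ("false", "null", "0")

def audit_config(src):
    """Return (severity, key, message) findings; an empty list means no complaints."""
    consts = defines(src)
    findings = []
    bad = [c for c in SALT_CONSTANTS if c not in consts or consts[c][0] == PLACEHOLDER_SALT]
    if bad:
        findings.append(("high", "salts", "missing or placeholder secret keys: " + ", ".join(bad)))
    elif len({consts[c][0] for c in SALT_CONSTANTS}) < len(SALT_CONSTANTS):
        findings.append(("high", "salts", "secret keys and salts are not all distinct"))
    if php_truthy(consts.get("WP_DEBUG")):
        findings.append(("high", "wp_debug", "WP_DEBUG is on; errors (paths, queries) are shown to visitors unless WP_DEBUG_DISPLAY is off"))
    if not php_truthy(consts.get("DISALLOW_FILE_EDIT")):
        findings.append(("medium", "file_edit", "DISALLOW_FILE_EDIT unset; any admin session can edit theme and plugin PHP in the browser"))
    if not php_truthy(consts.get("FORCE_SSL_ADMIN")):
        findings.append(("medium", "ssl_admin", "FORCE_SSL_ADMIN unset; login and wp-admin are allowed over plain HTTP"))
    if not php_truthy(consts.get("WP_AUTO_UPDATE_CORE")):
        findings.append(("low", "auto_update", "WP_AUTO_UPDATE_CORE unset; only minor releases update automatically by default"))
    prefix = PREFIX_RE.search(src)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append(("low", "table_prefix", "default table prefix wp_ makes table names predictable"))
    return findings

# Constructed sample: a fresh install left as the sample file ships.
WEAK_CONFIG = "<?php\n" + "\n".join(
    f"define('{c}', '{PLACEHOLDER_SALT}');" for c in SALT_CONSTANTS) + """
$table_prefix = 'wp_';
define('WP_DEBUG', true);
"""

# Constructed sample of the hardened file; the salt values are obviously not
# random and stand in for what api.wordpress.org/secret-key generates.
HARDENED_CONFIG = "<?php\n" + "\n".join(
    f"define('{c}', 'sample-{c.lower()}-(constructed)-value');" for c in SALT_CONSTANTS) + """
$table_prefix = 'k3x_';
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
define('WP_AUTO_UPDATE_CORE', true);
// define('WP_DEBUG', true);   commented out: must not count as active
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for severity, _, message in findings:
            print(f"  [{severity}] {message}")
```

To audit a live site, pass `open("/var/www/html/wp-config.php").read()` to `audit_config`. `DISALLOW_FILE_EDIT` is the one setting on this list that most directly limits what an attacker can do with a stolen admin session: without it, the built-in theme and plugin editor turns any admin login into arbitrary PHP execution.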

The large majority of WordPress users are either not aware of these risks or deliberately choose to ignore them, because they do not fully understand the implications or find the countermeasures too difficult to configure without technical expertise. They cannot be blamed: one would expect the same security practices implemented in WordPress core to also be implemented in any plugin or theme one may choose to install.

Acunetix includes various security checks that identify WordPress security issues such as common security misconfigurations, outdated versions of WordPress core and plugins, vulnerable themes and plugins, and weak WordPress credentials, and it also checks for a broad range of other vulnerabilities, such as Cross-Site Scripting and SQL Injection, that may exist in custom-built WordPress themes and plugins.

Nicholas Sciberras
Principal Program Manager
As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.