In part I of Do you have WordPress Security, we asked some vital questions relating to keeping your WordPress website and blog secure. Here is the concluding part of the article.
Secure WordPress Plugins
WordPress plugins are another classic example of how hackers are quickly finding inroads to people’s websites even before the authors of the plugin know of any vulnerabilities. Plugins extend the capabilities of WordPress. For the most part they are a simple PHP script that allows a person to alter the core functionality of WordPress. Today there is no shortage of plugins available for download from the official WordPress site.
The advantage that plugins give WordPress users is massive, but yet it also places them at a potential disadvantage. Like themes, many of them are being created with weak security and are distributed online by authors who haven’t considered the various ways that hackers can use SQL injections or change code and then release it back out to the community. Once a plugin is installed it can break your entire website/blog as well as damage the MySQL database that stores all your valuable data. There are too many dangers in not taking WordPress plugin security seriously.
As website owners, we cannot be sure that the plugin author has taken all of the necessary steps to prevent security flaws and protect against malicious attacks such as XSS or CSRF. For instance, a report was released on March 17th, 2011 alerting users to the PHP Speedy plugin for WordPress of a remote PHP code execution. Users were informed that the PHP plugin for WordPress had been exposed to an issue which let remote attackers execute arbitrary code because it failed to sanitize user-supplied input.
Simply put, had you been using this plugin on your install of WordPress, a hacker could have created a back-door by which they could have had access to any number of different options available on your website/blog. Depending on how far the hacker wanted to go, he/she could have planted some malicious code, thereby affecting your website/blog visitors.
As you can see, it’s required that you check for security flaws on a daily basis. Thing is, do you know what security issues you’re supposed to be looking for, and more importantly, do you have the time to do it? The majority of WordPress users know just enough to add a theme and a plugin or two as well as make some changes and check their pages in the search engines. Only a small percentage of users really know how to manage their WordPress security fully.
Having a system or service plan in place that can review potential attacks and attempts as well as manage your WordPress security should be at the forefront of your to-do list. Also, WordPress security checks need to be done consistently for the life of the website/blog as hackers are continually evolving their approaches when it comes to attacking websites/blogs. While you can take some preventative steps like keeping your WordPress website and blog upgraded to the latest version and using plugins that are developed by respectable developers, it’s wise to have a website scanning solution in place that scans your site and alerts you of any potential risks.
Your WordPress Vulnerability Scanner
To start off with, we advise downloading the 14-day Trial version of Acunetix, and run a scan on your WordPress site. This will scan for various security issues including XSS, and SQL Injection. It will also alert you if you are running a vulnerable version of WordPress, vulnerable plugins or themes, or old versions plugins. You will also be alerted if your WordPress configuration is deemed to be insecure.
All the vulnerabilities detected by Acunetix carry a detailed report of how the vulnerability has been detected together with useful remediation advice which can be used to address the security issue.