WordPress is a fantastic, open-source website design tool that is popular among blogging and website-related Content Management Systems (CMS). WordPress provides a free and easy-to-use platform for users of all levels of expertise to create and design a website. WordPress even offers website hosting for free using their platform (with limited features). To use the full features of WordPress, users will need to host their website themselves or reach out to a hosting company to keep the lights on.

With WordPress’s increasing popularity, the question of security rises. Popular, open-sourced platforms like WordPress are easy targets for hackers to find security flaws in its source code. In fact, according to Sucuri’s “Website Hacked Trend Report 2016 – Q1”, the WordPress platform was the most infected among other similar CMS platforms by a significant margin. While that report might sound scary, it is important to understand the reasons behind this.

  • Popularity—WordPress is a popular platform, similar to how Microsoft Windows is a popular operating system. Its popularity becomes an easy vector for hackers to distribute their malicious attacks.
  • Upkeep—Plugin and theme authors neglect to update their themes and plugins. Using out-of-date plugins and themes can compromise the security of WordPress sites.
  • Neglect—Website hosts not keeping up with WordPress core, plugin and theme updates. With the simplicity involved in WordPress, it is a popular platform among non-technical users. Non-technical users typically are not as security-conscious as compared to technical users and thus tend to neglect reviewing and updating their WordPress sites.

Vulnerability Vectors

Common security reports suggest that WordPress plugins are continuously the top source for vulnerabilities compared to other vectors such as WordPress core and themes.

WordPress heavily relies on the community (third parties) to keep plugins secure and up-to-date. This heavy reliance toward third parties should come as notion for WordPress users to continuously review plugins that are out of date for extended periods. It is up to the hosts/owners to perform a risk analysis of the outdated plugins and themes. The decision to keep or replace a plugin or theme correlates to the functionality of the theme.

The most common way that hackers exploit vulnerabilities found in WordPress is through code injections using Cross Frame Scripting (XSS) and SQL injections (SQLI). These code injections are typically targeting known exploits in plugins, themes and WordPress core files with a purpose to read/change elements in the WordPress database, setup redirecting inside website elements and collect administrative login information. It is common that XSS and SQLI are run by Internet bots who scan WordPress sites and insert malicious code in attempts to gain access.

Vulnerability Aid

WordPress provides a slew of security plugins and documentation to help protect your website from malicious attackers. While these security plugins and tools may not protect you from all malicious activity, they do provide tools that increase awareness about the activity of your site.

All In One WP Security & Firewall

  • Provides security ratings for your WordPress site
  • Provides step-by-step directions on how to increase your security rating
  • Forces login lockouts and notifications for repeated incorrect logins
  • Allowing whitelisting and blacklisting of IP addresses
  • Large amount of auditing tools at disposal

Sucuri Scanner

  • Provides security activity auditing
  • Provides file integrity monitoring
  • Monitors and reports changes made to WordPress core, themes and plugins.
  • Provides malware scanning

Wordfence Security

  • Provides alerts for successful user sign in and administrator sign in
  • Provides scanning tools that search for malicious content inside of WordPress site
  • One example might be a blog post with a malicious link.
  • Scans and reports out of date plugins, themes and core files.

WP Security Audit Log

  • Provides audit logs of almost every action done in your WordPress site.
  • Great tool to use for identifying the source of malicious activity
  • Able to send daily reports overviewing the changes made to WordPress.

Security Awareness

Spreading awareness is a key motivator in keeping WordPress sites secure. The old saying of “If it ain’t broke, don’t fix it” cannot be applied to today’s modernized technology. Security has been (and will continue to be) a hot topic among IT professionals. Staying on top of exposed vulnerabilities and patches improves business continuity in the event of disasters. While security tends to be an expense, there are ways it can be rewarding by avoiding website compromise. For beginners, here are a few notes to get you started:

  1. Update WordPress core, themes and plugins often.
    • Check change logs for security-related notes
  2. Review out-of-date plugins and themes
    • Any plugins or themes that have not been updated in extended periods of time could be considered malicious.
    • General rule of thumb is around 6 months but this depends on the functionality of the plugin or theme.
  3. Install security plugins to audit changes.
  4. Secure your site with an SSL, preferably from a reliable trusted web security host.
    • This may be complicated to a basic user but a hosting company should be able to assist as well.
  5. Ensure web host requirements are up to date.
    • PHP
    • MySQL