Resources: What you need to know about WordPress Security
WordPress is the world’s leading web content management system, serving as the foundation of over 60 million websites and counting.1 Its ease of use and flexibility, combined with an ever-growing community of content publishers, marketers, developers and more, make WordPress a popular choice for individuals, hobbyists, professionals and large organizations alike. However, due to the platform’s popularity and low barrier of entry, WordPress is often perceived as being insecure and more vulnerable to hacking attempts when compared to other platforms. By following a series of checklists and best practices for securing WordPress, it can be made to suit and scale to any project, from personal blogs to business-critical applications.
WordPress is a free and open-source web content management system (CMS), first released in May 2003. Used by nearly half (48%) of all CMS-based websites worldwide, WordPress is the most popular CMS among many open- and closed-source (free and paid) alternatives.2
WordPress is recognized and respected for its simplicity and flexibility for programmers and non-programmers alike. For many users, from individual bloggers to multidisciplinary teams of skilled business professionals, WordPress provides an intuitive foundation that is “simple to learn but difficult to master” upon which websites of dramatically varying levels of complexity and functionality can be built. Originally conceived as a blogging platform for hobbyists, WordPress is used today by some of the world’s biggest companies, from legacy brands such as General Motors and The New York Times to up-and-comers like BoingBoing and Mashable.3
WordPress is backed by a large community which participates in the evolution and improvement of the platform by releasing themes and plugins4 – modules which change the appearance and functionality of the platform. In fact, WordPress’ blogging capabilities are entirely optional; the platform can be used as the foundation for e-commerce websites, intranets and extranets, event management, registration portals, and much more. Although WordPress made a lingering first impression as a tool for amateur bloggers, Entrepreneur’s 25 Reasons Your Business Should Switch to WordPress makes a great case for the platform in a commercial setting.
Despite its acclaim, WordPress is not without its share of detractors. One often-criticized aspect of the platform is its security (or lack thereof). This topic has been covered by countless articles and reports, many of which contain useful statistics and cautionary tales, but we need to question the validity of these stats and stories. This whitepaper aims to address the truths and misconceptions about WordPress security and what can be done to solve these issues.
The myth that WordPress is insecure is most likely one you’ve heard before. The popularity and ubiquity of WordPress naturally means that since so many individuals and organizations rely on the platform, its reliability and security is a newsworthy topic.
In 2013, EnableSecurity, an information technology security consultancy,5 conducted a study revealing that at the time, 70% of over 40,000 of the most popular WordPress websites were vulnerable to hacking attempts. These results were published in a report by WP White Security,6 a notable WordPress security consultancy and blog, and became a popular source of information that was used to demonstrate how seemingly insecure WordPress was.
Before making conclusions, consider that the study’s figure of 70% likely included websites which were
- created and maintained by users with little or no knowledge of WordPress security best practices
- hosted in environments that did not provide adequate security or fail-safes
- neglected or abandoned and did not receive updates to address security vulnerabilities
In fact, the study is careful to point out that 30% of the 40,000 websites surveyed were using an outdated version of WordPress, a version that contained five known security vulnerabilities, while less than 20% of websites surveyed had applied the update to address those vulnerabilities. Other websites were using even older versions of WordPress dating back several years, and some were even using unofficial versions of WordPress that were not recognized or supported by the community at large.
The study concluded that at the time, 73.2% of the most popular WordPress installations were vulnerable to hacking attempts and that these susceptibilities were largely due to the sites’ owners not being aware of the importance of keeping their WordPress versions updated as fixes for previous versions’ vulnerabilities were introduced.
Properly securing a WordPress website requires a working, current knowledge of the tools available to address the platform’s potential vulnerabilities, a suitable hosting environment, and regularly scheduled maintenance to ensure that the site and its security measures do not become obsolete.
WordPress Vulnerabilities and How to Address Them
There are many potential ways in which an ill-prepared WordPress website can become compromised. Several of these methods are common among all out-of-the-box WordPress installations, so taking even basic precautions when creating a new WordPress-based website will go a long way in preventing these methods from being exploited.
User Accounts, Passwords and Permissions
By default, all WordPress websites come with a single administrator account—‘admin’ for short. The administrator account has permission to access and change all aspects of a WordPress website, so it’s vitally important that this account does not fall into the wrong hands.
Best Practice: Replace the ‘admin’ account with an account that uses a different name and ID (a unique value assigned to the account in the site’s database) so that attackers cannot rely on this default account to access the site.
Just like your computer or smartphone, weak or easy-to-guess passwords create an opportunity for unauthorized users to gain access to another person’s account, and remain an important security concern for businesses despite the ubiquity of password-based technologies for consumers. A study conducted in 2014 about computer users’ passwords and their efficacy revealed that, among 10 million unique passwords, the top five most common passwords were:7
Best Practice: Enforce strong passwords for all users consisting of upper- and lowercase letters, numbers, and symbols. Password expiration policies and two-factor authentication may also be used to increase security.
Websites belonging to smaller organizations may be managed by just one or two people at a time. In larger organizations, it’s not uncommon for many individuals to be granted varying levels of access depending on their roles and responsibilities within the organization.
Best Practice: Limit the number of unique user accounts that may be used to access a WordPress website and restrict the permissions granted to those accounts. Access logs and version control may also be used to audit users’ actions throughout the site.
Critical URLs and Database Structure
Along with its default ‘admin’ account, WordPress typically makes use of a standard series of URLs (web addresses) that attackers can rely upon to gain unauthorized access to a website. One example of this is the address at which the WordPress login form is located: /wp-admin and /wp-login.php.
Best Practice: Disable these default methods of logging into WordPress and replace them with an address that’s less common. For example, a bakery’s website might use the address /bakery-administration instead.
WordPress stores almost all of the important information about your website in a database, and the format in which it stores this information is similarly common among all new installations of the platform. Attackers may become discouraged when they’re unable to find that information because it’s not located in the place they expect.
Best Practice: Prefix your WordPress database’s tables with a random string. For example, wp_users might become 89x7gm_users. Since this table’s name no longer conforms to WordPress’s default naming convention, the chances of an attacker identifying where your users’ information is stored is greatly reduced.
Theme and Plugin Selection
WordPress’ selection of themes and plugins is a deciding factor in the platform’s popularity, and also one of the reasons for its perceived insecurity.
With just a few clicks, a WordPress administrator can give their site a complete makeover with a new theme, and add new features by installing one or more plugins. Themes and plugins are widely available from a number of different sources on the internet—freely and for profit—so understanding how to choose from these sources is essential.
The importance of theme and plugin selection is highlighted by the fact that almost 70% of WordPress vulnerabilities are caused by poorly-developed themes and plugins.8 However, with a bit of research and due diligence, you can avoid such issues and choose from only the finest, reputable sources available.
There are a number of plugins that are considered essential for basic WordPress security:
- iThemes Security can change WordPress’s default login address and enforce strong passwords for your users—two of our best practices mentioned earlier—and offers many additional features for securing and auditing access to your website’s files and database.
- BackupBuddy allows you to create complete backups of your website or schedule them to occur on a regular basis. These backups can be archived and easily transferred from one server to another.
Best Practice: Only install themes and plugins that are well reviewed and supported by their developer(s). A paid theme or plugin is not necessarily the safest choice; likewise, a free theme or plugin is not always a disaster waiting to happen. Assess themes and plugins on a case-by-case basis and try to install as few as possible. A site with too many superfluous features is guaranteed to perform slower and be more prone to error than a site using only the bare essentials.
Where a WordPress site is hosted is just as important—if not more important—than how it’s been developed. There are many options available for hosting a WordPress website, ranging from free services that meet WordPress’ bare minimum requirements to automated cloud distribution solutions managed by large teams of professional server administrators—and everything in between.
Whether you are a small business with a simple virtual storefront or a large corporation whose clients send and request sensitive information to and from your website on a daily basis, there are several important features to look for when selecting a hosting environment for your WordPress website:
- Automated updates and backups ensure that your server’s software and core libraries remain up-to-date and secure, and provide snapshots of your website’s files and database which you can restore in the event that your website is compromised.
- Intrusion and Denial of Service (DoS) protection hardens points of access to the website’s server and mitigate Denial of Service attacks, also known as flooding—a technique used by attackers to overload a website with requests in order to slow or disable it.
- SSL certificates encrypt communication between websites and their users and are essential when sensitive information is involved. The addresses of websites that use SSL certificates begin with ‘https://’ instead of ‘http://’, and combined with information made available in the user’s browser about the certificate’s authenticity, let users know that their visit to the website and any information they share with it are being treated securely.
- Distributed hosting is necessary for critical or high-traffic websites. Synchronized copies of your website are made and stored on several different servers in various geographic regions, allowing users in these other regions faster access to your server. Users may automatically connect to another region’s server in the event that theirs is compromised.
Best Practice: Choose reliable, well-reviewed hosting providers that offer automated management and security and other features deemed critical to your website or application. Virtualized cloud hosting environments such as Pantheon specialize in WordPress hosting and offer these features and many more.9
Routine Evaluation and Maintenance
Once a WordPress website has been developed and hosted with a suitable provider, it is essential to regularly assess the state of the website and determine what needs to be done to keep it secure. Despite the precautions taken by many hosting providers to discourage server-level methods of intrusion, very few providers bear the responsibility of individually monitoring the websites they host for vulnerabilities and ensuring that the sites’ WordPress and plugin versions are kept up-to-date.
Some questions you might ask yourself when evaluating the security of your existing WordPress website include:
- “Am I using the latest version of WordPress?” As we identified earlier, the leading cause of WordPress insecurity is allowing sites’ versions to become obsolete without replacing them. Fortunately, updating WordPress is a painless task that can be done in a matter of minutes from within the WordPress Dashboard.
- “Am I using the latest versions of any plugins installed on the site?” If not, it’s time to update them. Like updating WordPress itself, this task can be performed within the WordPress Dashboard without affecting your site’s operation in the meantime. However, depending on what kind of plugins your site uses and where they were downloaded or purchased from, it’s always a good idea to first understand how and why the authors are updating their plugins. The release notes that are included with most plugins’ updates will identify features that have been added, changed or removed, security vulnerabilities that have been addressed, and more.
- “Have my site’s user requirements changed?” For instance, has your organization undergone staffing changes or delegated existing responsibilities to other team members? If so, consider how the site’s user accounts and permissions may need to be revised to ensure that access is granted only to those who need it most.
- “Is the site experiencing any challenges or problems that were not obvious before?” As a site grows and becomes more popular, you may need to address issues such as spam comments and form submissions and—if your site is particularly busy—load balancing traffic by employing distributed hosting techniques.
Best Practice: Schedule regular evaluations of your WordPress website to monitor its performance and security and to identify any steps you can take to improve those items ahead of the next evaluation. Working closely with your site’s developers to understand how frequently to perform these assessments and what to look for is a good strategy.