It is true that WordPress enjoys an unfavourable reputation when it comes to security. Indeed, we have sat in meetings with clients and heard the throwaway comment “well, WordPress is an insecure platform, so we don’t use it.” But is this reputation warranted or even fair?
Common Security Issues
When we talk about security vulnerabilities, what do we mean? This refers to elements in the codebase or the infrastructure that it is hosted on that people can exploit in some manner to gain access to your build. In other words, they are backdoors that have been left unlocked for people who know how to open and walk through.
Some common security vulnerabilities that any system can face are:
- Brute Force Attacks
A trial and error method of entering multiple username and password combinations over and over until successful entry is gained. This is not particularly sophisticated and targets the login screen for WordPress.
- File Inclusion Exploits
This is when vulnerable code in the website is used to load files that would then allow attackers to access the website. This is usually done with script files that open up the server from within and most commonly is exploited through badly built forms (which don’t limit script injections).
- SQL Injections
This is when an attacker gains access to the SQL database that your WordPress install uses. This gives access to all the data in your website and also can allow them to inject new data themselves, including spam and malicious links.
- Cross-Site Scripting
This is short of ‘Malicious Software’ and is code that is used to gain unauthorised access to a website to gather sensitive data. This is the most common vulnerability and is often caused when Malware has inadvertently been injected in the websites codebase.
Open Source is open shop
WordPress has two main things going against it when it comes to security; one, it is the most used Content Management System (CMS) in the world and powers somewhere in the region of 25% of all websites; And two, it is an open source platform.
Why is being an open source platform a problem? Well inherently it isn’t. In fact, this is arguably why WordPress is such a powerful platform. Being open source means that anyone can create and contribute new code, new plugins and new themes to the WordPress universe. And that is where the problem lies. Because with WordPress hosting somewhere in the region of 700 million websites it attracts a huge amount of developers working on it and contributing, and trying to control and audit the quality of what they are contributing is next to impossible. This means that WordPress’s biggest value-add is also its biggest flaw.
But does this mass of contributors make it insecure? Of course not. What it does mean is that you have to be very careful about how you select the plugins and themes you use, because you need to be sure they are well built and by reputable people. But the reality is that WordPress itself is very secure as long as you follow best practices.
According to a report by wpscan.org in 2017, of the 3,972 known WordPress security vulnerabilities:
- 52% are from plugins
- 37% are from core WordPress
- 11% are from themes
That is 63% that are nothing to do with WordPress itself. And the 37% that are can easily be solved with reputable plugins.
And the flip side to having all those developers focussing on one platform is that all those developers are also available to try and fix these problems. This is why WordPress regularly has new releases. It has one of the largest bases of development and release of any platform in the world. And because it is open source, you have the ability to fix them yourself as well rather than waiting for a software house to release a new patch.
Popularity makes you a target
There is a reason why you don’t read about the transfer news of your local football team on the back pages of the national broadsheet. It simply doesn’t carry the kudos of a team like Manchester United, who have nearly 700 million fans worldwide (according to Forbes magazine). And the same applies to the world of websites. WordPress is responsible for approximately the same amount of websites as Manchester United has fans and that attracts a lot of attention.
We have an expression in the office that the ‘Eye of Sauron’ is on you when you’re under scrutiny. That is the situation that WordPress finds itself in. The likelihood that any website faces security problems from time to time is quite high. That is why we maintain them. So the likelihood that 700 million websites will face a security problem isn’t just high, it is absolutely certain. And that problem is exacerbated because they’re all running versions of the same platform. If a hacker finds a vulnerability in a WordPress site then he can instantly target a huge amount of other WordPress websites in the hope of exploiting the same vulnerability. And in a lot of cases he will succeed. It is simply a numbers game. And the important point is that this is no different to websites built on other platforms or that are completely bespoke. The only difference is that there are 700 million available targets in this case, rather than only a few.
To put it another way; if you take WordPress and look at it as if it is a custom CMS, written especially and exclusively for your website, then no one else uses it but you. In this situation you have got one of the most secure websites out there. It is very unlikely to ever be hacked because it isn’t ‘on the radar’ for hackers. Why? Because WordPress is a very solid CMS and, unless your website is on the hackers most wanted list, it would have no real value for a hacker as a stand alone website. And additionally, it would be very hard to hack because it wouldn’t have any publicly known vulnerabilities. Whereas WordPress is probably the most talked about and most publicised CMS in the world.
The same rules apply to your website generally. If you get a few thousand visitors a month then your website isn’t going to attract much attention to hackers. But if you’re a platform that attracts ten million viewers a month then that is a big audience for hackers to try and exploit. It would be like moths to a flame. Companies who have this level of web presence look at increasing security measures, not the underlying security vulnerabilities in their code. And the reality is that all code has vulnerabilities there to be found. That is why we always release upgrades and patches.
Vulnerabilities are a reality that we have to live with
The reality is that any code that is written will, at some point, expose vulnerabilities. That is why it simply isn’t good enough to create something and then leave it. Instead we update the code base, we apply new security patches to environments and we regularly test for vulnerabilities and fix any that are found. The world of online evolves, just as life does and diseases do in the natural world.
So, all software has vulnerabilities. So how does WordPress compare? WP White Security (https://www.wpwhitesecurity.com/crunching-the-numbers-vulnerabilities-is-wordpress-a-really-insecure-web-application/) did a piece of work in 2018 to look at popular platforms and the number of vulnerabilities that existing within them. The results are:
- Apache (the most widely used server management software in the world): 918
- Joomla! (a leading CMS): 639
- Drupal (another open source PHP based CMS, used by a lot of government and public sector websites: 996
- MySQL (a database type): 598
- WordPress: 963
- Google: 1,471
- phpMyAdmin (software that manages SQL databases over the web): 346
- cPanel (software to manage server setups): 115
What you can conclude from the numbers above are a number of things. Firstly, WordPress is in line with other very widely used CMS. But Apache and MySQL are not far behind and these are software used to manage the server and databases, which are far more of a vulnerability than a CMS would be. And even more interestingly, Google is still the number one and by a country mile. Why is this most interesting? Because Google’s products are used by people all over the world and yet they don’t have the reputation for being insecure, even though the numbers suggest differently. As Google is not open source, maybe this is why they don’t get the bad press that WordPress does every time a vulnerability is found, and although platforms like Drupal are commonly used by public sector projects which hold masses of highly confidential data, they also don’t get the same bad press as they simply aren’t as widely used.
Dispelling the myth
There is a myth that has developed around WordPress that it isn’t good enough for big brands. This is because of the reputation for being insecure, because it is open source (which in development circles can be dismissed through sheer snobbery) and because it isn’t robust enough for big websites. All of these are unfair but they are also untrue. And many very big brands use WordPress for their web platforms (https://www.wpbeginner.com/showcase/40-most-notable-big-name-brands-that-are-using-wordpress/):
- The New Yorker
- BBC America
- Bloomberg Professional
- Sony Music
- MTV News
- Microsoft News Centre
- The Walt Disney Company
- The New York Times Company
- Marks & Spencer for Business
- The Wall Street Journal Law Blog
- Reuters Blogs
- Mercedes Benz
- Harvard Gazette Online
These 17 examples are not small brands, and yet they have chosen to use WordPress as their platform. If it is good enough for them then it surely can’t be too bad.
Simple security measures
So what does make WordPress (and any other platform, for that matter) insecure and can we easily fix it?
- Weak passwords
Like all systems, if you use a poor password then you’re open to be hacked. As ‘password’ and ‘password1234’ were still the most commonly used passwords only a few years ago, it is hardly surprising that hacking is still so prevalent. This can be fixed by introducing additional password standards measures.
- Not changing the login URL
As standard, all WordPress sites have their backend logins at /wp-admin. We don’t use that. When we put a site live we move that so that hackers and automated scripts looking to exploit the sites can’t just brazenly walk up to the frontend and try to bash it in. They have to find the door first!
- Not adding further security
There are plenty of security plugins available from very reputable sources. We add in a number of these to make sure that we aren’t relying on just a username and password to get into the system. These additional layers of protection keep your site safe and avoid bots accessing the site easily.
- Not updating plugins
The most common problem with any website is neglect. Neglect of the code base, neglect of the server updates and, in the case WordPress, neglecting to update both the CMS and all of your plugins. What is the point in developers taking the time to fix all the issues if you don’t then apply them? Our support team routine maintains your website and makes sure that all plugins are up to date so that your site is secure.
- Using untrustworthy plugins and themes
This should really go without saying. It is the website version of telling your kids not to accept sweets from strangers. All plugins for WordPress have reviews available, so read them. And research the company first. If your brand is going to be represented by this supplier’s technology then make sure it is reputable. Do your due diligence. We only use reputable plugins and try to keep them to a minimum.
- Poor quality infrastructure
It isn’t good enough to just have a secure website. You must take your hosting seriously. Because hackers don’t just exploit your website, they can target the hosting platform instead as another way to get to your content and data. We use Amazon’s AWS cloud hosting solution and add in security monitoring to the environment to make sure only those who should be accessing the sites and database are.
What many people don’t appreciate when asserting that WordPress is insecure is that any CMS or website is prone to be hacked at one point or another. But in the case of WordPress, it is not that it stands out from the crowd as particularly insecure, it is merely that it is abnormally popular. And it is this popularity and exposure that is both its strength and its weakness.
The reality is that if WordPress sites are installed properly, on secure environments, are maintained properly and use reputable plugins and themes, then they are no more or less secure than any other site. But like all websites, if the above is not put in place then you are, quite naturally, opening up the door for hackers to walk right in and mess with your stuff.