December 6, 2019

Is WordPress Safe? A look at WordPress Security Vulnerabilities

Historically, WordPress has been one of the most frequently attacked content management systems.

For starters, there was the TimThumb vulnerability that came to light in 2011. It allowed attackers to upload PHP files to a website through TimThumb, a simple image-resizing script used by thousands of websites.

More recently, January 2017 saw a flood of attackers exploiting the REST API vulnerability in a race to deface as many websites as possible.

Also worth mentioning: the Panama Papers leak, which was possibly caused by a vulnerability in a simple slider plugin.

Which really begs the question, 

Is WordPress safe?

Well, let’s talk about the stats. 

This chart from Sucuri’s 2018 Hacker Report depicts which CMS a website was using when it got infected. WordPress came out on top with a whopping 90%! Magento was a distant second at 4.6%.

So it isn’t surprising that people are wary of using WordPress. 90% is a lot!

but, wait…

Let’s factor this into the equation – WordPress is one of the most popular CMSs by far. 

According to W3Techs’ content management report, WordPress holds 61.9% of the market share, which is leaps and bounds ahead of Magento’s 1.5% and Joomla’s 4.7%.

So you see, it makes sense for the number of compromised WordPress websites to be higher. It doesn’t necessarily mean that WordPress itself is not safe. 

In fact, let’s take a look at a different statistic.

Here the pool was cut down to include only infected websites running the most recent version of their CMS. Essentially, it eliminates websites that got infected simply because they were using an outdated version.

As you can see, the WordPress share drops sharply to 36.7%, while Magento and Joomla go way up.

This implies that the WordPress security team rolls out fixes for bugs quite frequently and vigilantly. In fact, according to the WPScan Vulnerability Database, a lot of the security vulnerabilities arise from the plugins and themes you use with WordPress rather than from core. Take a look at this chart below:

So, to answer the big question – Yes, WordPress is pretty secure.

Yes, more WordPress websites are hacked than any other, and it comes with a few security issues. But the truth is, most successful hacks occur because of human errors.

This includes not updating WordPress regularly and using untrustworthy plugins or themes. Most of these can be avoided by being proactive.

Let’s take a look at common security issues with WordPress, and how you could prevent them.

What makes WordPress Vulnerable?

A. WordPress core vulnerabilities

Problem: Bugs and vulnerabilities in WordPress core due to it being an open-source platform.
Solution: Update WordPress regularly to keep up with all security patches & updates.

WordPress is an open-source platform. This means that anyone can contribute to building WordPress core functionalities, which in turn makes WordPress more vulnerable than website builders like Wix. It opens the door to brute-force attacks, SQL injections, cross-site scripting and more.

Over the years, WordPress has grown as a CMS and as a community. Owing to this, the security team at WordPress has also stepped up their game, with a little help from WordPress citizens who help report bugs and other issues. 

Epitrove tip: You can also be a good Samaritan and report any bugs you find at [email protected]

Once a security vulnerability comes to light, the team immediately works to fix it. An update is rolled out before the vulnerability is disclosed to the community. This gives site owners a chance to get ahead of the people looking to use it as a weapon of mass destruction.

The easiest, most fool-proof way to avoid security issues because of core vulnerabilities is to keep your WordPress installation updated. 

B. Plugins and themes vulnerabilities

Problem: Security risks due to using unmaintained plugins and themes.
Solution: Use only actively maintained plugins and update all plugins & themes regularly.

WordPress core has its issues, but at least it is heavily policed. More threats come from plugins and themes you install, ironically enough, to improve your WordPress site.  

Using plugins and themes that are not frequently updated or maintained, or have been abandoned, is one major way you put your website at risk. Even just using themes and plugins that are unpopular or don’t have many installs is not advisable. These plugins don’t get priority attention from security teams, and bugs go unnoticed.

Plugins, more than themes, are often exploited by attackers. Plugin code is more complicated and more prone to loopholes, whereas theme code is mostly presentation code. However, both are an easy place for attackers to house malware, hide backdoors and other such threats.

So, it is essential to make sure all plugins and themes are updated and to use ones that have an active team working on them.

You can easily keep an eye on what needs to be improved using the Site Health tool. It was rolled out with WordPress 5.2 and shows you which plugins need updating, critical issues, and recommended improvements. 

C. Vulnerabilities via Shared Hosting

Problem: Your site is only as protected as the least secure site on that server.
Solution: Get dedicated hosting, get a security plugin with a server-side scanner.

Shared hosting is where multiple websites share one web server. This is usually an economical choice for many beginner websites. But the downside is that you can’t ensure everyone would be as security-conscious as you.

Once one of the websites is compromised, a hacker can use it to get access to other websites on the same server. This is called cross-site contamination. 

Once they have access, they can steal database credentials from wp-config.php, create malicious admin accounts, post spam, and whatnot.

The most obvious answer to this is to get a dedicated hosting server, but that might not be feasible for some. Your next option is to hire someone to patch-up and harden your website and beef up your security.

A good alternative here is to use a security plugin. Sucuri comes with a server-side scanner that keeps an eye out for malware, spam, brute-force attacks, DDoS attacks and more.

D. PHP code vulnerabilities

Problem: Attacks like SQLi and XSS due to bugs or backdoors in the PHP code.
Solution: Keep everything updated, use a security plugin, set strong permissions for important PHP files.

PHP code makes up your WordPress website, your themes and your plugins. Bugs in the code due to an oversight by the developer, or lax checking of user inputs, make you vulnerable to all kinds of attacks. 

SQL injection happens when input from a user is passed into a database query without being checked, so the database ends up executing SQL the user wrote rather than SQL you wrote. It’s quite a serious security issue, as it can give the attacker complete access to your website’s data.

Cross-site scripting is when malicious script is injected into a page and runs in visitors’ browsers, where it can be used to steal cookies, credentials and other private information.
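A hypothetical plugin search handler, added here as an example (it is not code from the original post or from WordPress), showing the SQL injection and cross-site scripting patterns just described beside their fixes. It assumes a loaded WordPress environment (the global $wpdb object, sanitize_text_field() and esc_html()); the epi_* function names are made up.

```php
<?php
// Added example, not code from the original post. A hypothetical plugin
// search handler (names epi_* are made up) assuming WordPress is loaded:
// the global $wpdb object, sanitize_text_field() and esc_html() exist.

// VULNERABLE: the search term is pasted straight into the SQL text and then
// echoed into the page unescaped.
function epi_search_vulnerable( $term ) {
    global $wpdb;
    // SQL injection: a quote in $term ends the string literal and lets the
    // caller append their own SQL, which the database then executes.
    $rows = $wpdb->get_results(
        "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%'"
    );
    // Cross-site scripting: $term is reflected into HTML as-is, so a <script>
    // tag inside it would run in every visitor's browser.
    echo '<p>Results for ' . $term . '</p>';
    return $rows;
}

// HARDENED: the value reaches the database as a bound parameter and is
// escaped at the exact point where it is written into HTML.
function epi_search_hardened( $term ) {
    global $wpdb;
    $term = sanitize_text_field( $term );           // strip tags, control chars
    $like = '%' . $wpdb->esc_like( $term ) . '%';   // keep % and _ literal
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE %s",
            $like
        )
    );
    // esc_html() turns < > " & ' into entities, so the term can only ever be
    // displayed as text, never interpreted as markup.
    echo '<p>Results for ' . esc_html( $term ) . '</p>';
    return $rows;
}
```

Note that sanitize_text_field() alone would not have fixed either bug: the query needs prepare() and the output needs esc_html(), because each sink has its own syntax to escape for.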

Other vulnerabilities include remote file inclusion or execution and authentication bypass. Take a look at this chart of common vulnerabilities and their frequency:

You can see that Cross-site scripting and SQLi top the list.

Keeping everything updated is the first line of defense. In fact, WordPress 5.2.3 shipped seven fixes for cross-site scripting vulnerabilities. In addition to that, getting a good security plugin for your website is advisable.

E. File Permissions based vulnerabilities

Problem: Incorrect file permissions might give access to unauthorized parties.
Solution: Change the default file permissions and strictly restrict access to important files.

File and folder permissions are an often overlooked but important part of WordPress security.

These permissions define how much access a user or group has to a file or folder: whether they have no access, can only read it, or can read, write and execute it.

Not setting these permissions correctly can give unauthorized parties access to your files. They could then go on to plant malware on your website, steal data, or alter site settings.

Hackers also often look for temporary files or old, unmaintained applications that could provide a doorway into your website.

Modification of files like wp-config.php, index.php and functions.php can cause serious security issues. It gives hackers the ability to open malicious backdoors, giving them access to all the files on that web server.

Avoid this by making sure you change the default permissions that have been set. Ensure that access to all important files is strictly restricted.
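A small command-line audit script, added here as an example (not code from the original post or from WordPress), that walks an install and flags the permission problems this section warns about. The function name epi_audit_permissions is made up; it assumes you run it as the site’s own user and pass the install directory as the first argument.

```php
<?php
// Added example, not code from the original post. A CLI audit script
// (function name epi_audit_permissions is made up) that walks a WordPress
// install and reports risky permissions. Usage: php audit.php /path/to/wp

function epi_audit_permissions( $root ) {
    $findings = array();
    // Files whose modification the post singles out as especially dangerous.
    $sensitive = array( 'wp-config.php', 'index.php', 'functions.php' );
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST   // include directories too
    );
    foreach ( $iter as $path => $info ) {
        $mode = $info->getPerms() & 0777;
        $name = $info->getFilename();
        // World-writable: any account on the server (other tenants of a
        // shared host included) could plant code here.
        if ( $mode & 0002 ) {
            $findings[] = sprintf( '%s: world-writable (%04o)', $path, $mode );
        }
        // Sensitive files should not be writable by the group either.
        if ( in_array( $name, $sensitive, true ) && ( $mode & 0020 ) ) {
            $findings[] = sprintf( '%s: group-writable (%04o)', $path, $mode );
        }
        // wp-config.php holds the database credentials; nobody outside the
        // owner (and, if needed, the web server's group) should read it.
        if ( 'wp-config.php' === $name && ( $mode & 0004 ) ) {
            $findings[] = sprintf( '%s: world-readable (%04o)', $path, $mode );
        }
    }
    return $findings;
}

$root     = isset( $argv[1] ) ? $argv[1] : getcwd();   // assumption: default to cwd
$findings = epi_audit_permissions( $root );
if ( empty( $findings ) ) {
    echo "No permission problems found under {$root}\n";
    exit( 0 );
}
echo implode( "\n", $findings ), "\n";
exit( 1 );   // non-zero exit so a cron job or CI step can notice
```

A common baseline to apply before re-running the audit is 755 for directories, 644 for files, and a tighter mode such as 600 or 440 for wp-config.php.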

Last Word

WordPress has had its fair share of scandals and security issues. But the fact is, it still remains one of the most widely used and competent content management systems out there. If you’re concerned about the security of your WordPress website there are always simple tips you could follow yourself.

If you need a more robust solution to lock down your website you can invest in a security plugin.

Keep in mind that no CMS is 100% attack-proof. Even the most thorough security plugins don’t prevent hacking completely.  All we can do from our end is be vigilant and try to make our sites as secure as possible!

What is the biggest security threat your website faced and how did you solve it? Any suggestions about improving WordPress site security? Let us know in the comments below!


How do I secure WordPress?

Some simple steps you can take to secure WordPress include choosing reliable hosting, enabling 2-factor authentication, and securing the wp-config.php file. Be sure to check out the full list of security tips.


How can a website be hacked?

A website can be hacked using brute-force attacks, DDoS attacks, SQL injections, cross-site scripting and other similar methods used to get past your site’s security.


Which security plugin should I use?

Wordfence, Sucuri and iThemes Security are all good security plugins you can try out. Here’s the complete list of security plugins you can check out.


Disclosure: Some of the links in this blog post might be affiliate links. When you purchase through a link on our website, we receive a small commission, at no added cost to you, which helps us run Epitrove and keep producing great content. This does not influence our recommendations; we only recommend products we work with or love. Thank you for your support!

Lavanya Deshmukh

Computer Engineer, food enthusiast and die-hard Harry Potter fan that now writes content full time for Epitrove
