How insecure is WordPress?

The internet can be a dangerous place. Data breaches in 2018 compromised the personal information of millions of people around the world. Every day, malicious bots and unscrupulous hackers are trying to break into everything that is connected to the internet, from your smart teddy bear to your Facebook account and, yes, your website. You might have heard that WordPress has security vulnerabilities, but what does that mean for those who use it, or are thinking about using it, in this dangerous internet environment?

How insecure is WordPress then?

Obviously that’s a pretty broad subject and there’s a lot to talk about, so we asked our resident System Administrator, Benjamin, about managed WordPress hosting and how we deal with security issues.

1. So is WordPress completely insecure?

Vulnerabilities are occasionally discovered, but with responsible disclosure they are patched and a security update is issued before the public ever even finds out (that’s why it is important to keep your sites updated, which we do).

WordPress being open source means its vulnerabilities can be more easily found and are more likely to be reported instead of exploited, when compared to black-box testing a closed-source system.

2. Are all WordPress plugins and themes safe to use?

A plugin or theme, being arbitrary code written by a 3rd party, can, unsurprisingly, contain security vulnerabilities. This is usually due to lack of developer knowledge.

To combat this it is a good idea to avoid bloating sites with excessive plugins and to try to stick to a curated and vetted list of public, open-source plugins which are actively maintained.

3. How can attacks be prevented? And if someone does get access to a site, what happens?

A first line of defence of any web application should be a Web Application Firewall (WAF) which will hopefully detect and block malicious behaviour before it can even reach the application.

If the attacker gets past the firewall, the next step is typically to modify the application files or add additional files to be executed. You can combat this by using a read-only filesystem, meaning any such attempt to modify or add files to the application is blocked at the operating system level.

In the places where it’s not possible to have a read-only filesystem (media uploads) you can explicitly deny any of those files from being run.

If, somehow, malicious code does make its way onto the system you need to be able to detect it. We do this by comparing known (safe) states of the filesystem with the current one, and any differences are immediately noticeable.

4. What about shared hosting? Are there any risks involved?

Shared hosting is great for reducing costs. However, as you’re on shared hardware or software, if a neighbour is compromised it can lead to you being compromised from an unexpected side channel.

At Ionata Digital we avoid this by hosting each site in isolation, with no shared hosting for any client websites.