As with any question about security at scale, the answer to this one is nuanced. What is “secure enough”? What does “WordPress” mean? Core? Plugins and themes as well? Hosting?
In this post, we’ll break down the security questions around the major attack vectors involved when using WordPress as a tool on the web.
What are Attack Vectors?
An attack vector is a route by which software can be attacked. Let’s use an apartment as an analogy. If someone wants to break in, how could they do it? One attack vector would be your windows. How old are they? Do they have good latches? Another could be bribing the door attendant at street level to let an intruder in. Those are two very different methods of breaking in, and if you only defend against one, the others remain open.
Attack vectors for software tend to be things like guessing common usernames and passwords, or probing the server and application for known vulnerabilities. Let’s take a look at how WordPress is attacked.
Common WordPress Attack Vectors
When people say “WordPress” they often mean WordPress core itself. WordPress core is an open source content management system built by a worldwide community and managed at WordPress.org. Roughly 43% of the web runs WordPress in some form. Fortunately, of the components discussed here, core is the hardest target: in practice, most WordPress compromises come through plugins, themes, stolen credentials, and hosting rather than through core itself.
Public Standard Practices
The Security page on WordPress.org details the standard security practices that WordPress core follows in the development, storage, and release of its software. Since it’s an open source project, the standards and practices are public, and anyone can read the code, reproduce the checks, and verify that the development team does what it says.
Furthermore, a bug bounty program rewards researchers for hunting for bugs and reporting them through the proper channel. Since the WordPress source is freely available, it’s easy for security researchers to look for problems. One long-standing advantage of open source is that more eyes on the code find flaws sooner, and WordPress core has largely borne that out. This leads to the kind of reliability that enterprise companies need.
Core Security Flaw Mitigation
Finding security vulnerabilities quickly is no help at all if they’re not also fixed promptly and properly. Fortunately, WordPress Core has a team dedicated to security. You can read their policies and processes on the HackerOne page, but the process generally goes something like this:
- Issues are reported through HackerOne.
- It’s then triaged to assess whether it is a valid issue or not.
- If valid, the security team members volunteer to work on writing a patch, do testing, etc. It’s done on GitHub.
- At the time of a security release, the release lead at that time coordinates patches, backports, commits on Trac etc.
Of course, this intense scrutiny and rapid patching is only valuable if the site is actually running the patched version. Automatic background updates keep WordPress on the latest release without anyone logging in to click “update.” Introduced in WordPress 3.7 (October 24, 2013), this feature lets the core team push security and minor releases to every modern install that hasn’t specifically turned it off.
This means the core team doesn’t have to hope that 43% of the web takes immediate action when a fix ships: the fix is applied by default, so individual sites are safer and the web as a whole is safer.
Conversely, automatic updates are often out of place in an enterprise environment, where updates are carefully reviewed, tested, and rolled out through a formal change-management process. So while automatic updates keep the world at large secure, they can be turned off so that an established deployment process is used instead. If you do turn them off, you take on the obligation to apply security releases yourself, ideally the same day they are published, because the details of a fix become public the moment it ships.
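As an added example (not code from the post, and not WordPress’s own), here is one way to express that middle ground: keep core’s security and minor releases automatic, but hold major core releases, themes, and all but an allowlist of plugins for your own pipeline. It assumes a hypothetical must-use plugin file at wp-content/mu-plugins/update-policy.php and a hypothetical allowlist; the constants and filters it uses are WordPress core’s.

```php
<?php
/**
 * Plugin Name: Update Policy (illustrative example)
 * Description: Keep core security/minor auto-updates; gate everything else behind your release process.
 *
 * Drop this in wp-content/mu-plugins/ (hypothetical location). mu-plugins load before
 * regular plugins and cannot be deactivated from the dashboard, so the policy sticks.
 */

// The blunt instruments live in wp-config.php instead, if you prefer them:
//   define( 'WP_AUTO_UPDATE_CORE', 'minor' );     // 'minor' = security + minor releases (core default)
//   define( 'AUTOMATIC_UPDATER_DISABLED', true ); // the big switch: nothing updates itself
//   define( 'DISALLOW_FILE_MODS', true );         // also blocks dashboard installs/edits of plugins and themes

// Assumption for this example: only these plugin slugs may auto-update.
const UPDATE_POLICY_PLUGIN_ALLOWLIST = [ 'akismet' ];

// Core: allow minor (x.y.z) releases, which is where security fixes ship; hold major (x.y) ones.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins: only the allowlist auto-updates; everything else waits for a reviewed deploy.
// $item is the update-API object for the plugin; its ->slug is the WordPress.org slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return isset( $item->slug ) && in_array( $item->slug, UPDATE_POLICY_PLUGIN_ALLOWLIST, true );
}, 10, 2 );

// Themes: never auto-update (custom themes are deployed from version control).
add_filter( 'auto_update_theme', '__return_false' );

// Caveat: core silently disables ALL background updates when it finds a .git/.svn/.hg
// checkout at or above the install root. If your deploys are git-based but you still
// want security releases applied automatically, override that detection explicitly.
add_filter( 'automatic_updates_is_vcs_checkout', '__return_false' );
```

Whatever you choose, verify it after deploy: the Site Health screen (Tools → Site Health) reports whether background updates are working and, if not, which constant, filter, or file-permission problem is blocking them.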
Third Party WordPress Code
The plugins and themes system in WordPress is both its superpower and its most vulnerable point. Plugins and themes allow WordPress to be almost infinitely flexible, all things to all people. They also allow bad actors to slip malicious code into your site, and, far more often, allow well-meaning but unreviewed code to introduce ordinary bugs that attackers later find. Let’s take a look at the issues here and how to mitigate them.
Where you get your code is important. Do you write it yourself? Do you buy it? Do you use free plugins?
The largest repository of WordPress plugins and themes is on WordPress.org, and these are free. The review team on WordPress.org does a good job of checking for security issues, but really only when the code is first submitted; later versions are not re-reviewed by hand. So while a plugin may have no malicious intent, if it sits there unmaintained for months or years (which is common), a previously unknown flaw may be discovered and exploited with nobody left to fix it. Helpfully, the plugin page on WordPress.org shows when it was last updated and which core version it was tested against, so you can tell when a plugin hasn’t been cared for.
Similarly, you may purchase a commercial plugin. Not all software shops are the same quality, and you can’t assume that just because you paid money for it there are no security issues, or that the original vendor is going to go back and keep reviewing that code for issues.
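The “last updated” and “tested up to” signals are exposed by the WordPress.org plugin-information API, so the staleness check can be automated across an install. The script below is an added example, not code from the post or from WordPress.org: the JSON it consumes is a constructed sample shaped like that API’s response (real field names, made-up plugins), and the thresholds are this example’s own policy.

```php
<?php
// Flag WordPress.org plugins that look unmaintained, from the plugin-information API response.
// Added example, not code from the post or from WordPress.org. The JSON samples below are
// CONSTRUCTED, shaped like the response of
//   https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>
// (real fields 'slug', 'version', 'last_updated', 'tested'); fetch live data with
// wp_remote_get() or curl. The thresholds are this example's own policy.

const STALE_AFTER_DAYS    = 365; // no release in a year: nobody is likely watching for reports
const MAX_VERSIONS_BEHIND = 3;   // "Tested up to" more than 3 core releases behind current core

/** Number of core releases between two "major.minor" strings (WP minor numbers never reach 10). */
function core_releases_between( string $older, string $newer ): int {
    [ $omaj, $omin ] = array_map( 'intval', array_pad( explode( '.', $older ), 2, 0 ) );
    [ $nmaj, $nmin ] = array_map( 'intval', array_pad( explode( '.', $newer ), 2, 0 ) );
    return ( $nmaj - $omaj ) * 10 + ( $nmin - $omin );
}

/**
 * @param string $info_json  raw API response for one plugin
 * @param string $current_wp current core version, e.g. "6.5"
 * @param int    $now        unix timestamp to measure age against
 * @return array{slug:string, stale:bool, reasons:string[]}
 */
function plugin_staleness( string $info_json, string $current_wp, int $now ): array {
    $info = json_decode( $info_json, true );
    if ( ! is_array( $info ) || empty( $info['slug'] ) ) {
        return [ 'slug' => '?', 'stale' => true, 'reasons' => [ 'unreadable API response' ] ];
    }
    $reasons = [];

    // last_updated is a string like "2021-03-09 7:58pm GMT"; strtotime() parses that form.
    $updated = isset( $info['last_updated'] ) ? strtotime( $info['last_updated'] ) : false;
    if ( false === $updated ) {
        $reasons[] = 'no parseable last_updated';
    } elseif ( $now - $updated > STALE_AFTER_DAYS * 86400 ) {
        $reasons[] = sprintf( 'last release %d days ago', intdiv( $now - $updated, 86400 ) );
    }

    // "tested" is the highest core version the author claims to have tested against.
    $tested = (string) ( $info['tested'] ?? '' );
    if ( '' === $tested ) {
        $reasons[] = 'no "tested up to" version declared';
    } elseif ( core_releases_between( $tested, $current_wp ) > MAX_VERSIONS_BEHIND ) {
        $reasons[] = sprintf( 'tested up to %s, current core is %s', $tested, $current_wp );
    }

    return [ 'slug' => $info['slug'], 'stale' => ! empty( $reasons ), 'reasons' => $reasons ];
}

// Constructed samples: one maintained plugin, one that has not seen a release in years.
$samples = [
    '{"slug":"example-maintained","version":"4.2.1","last_updated":"2024-04-02 9:10am GMT","tested":"6.5"}',
    '{"slug":"example-abandoned","version":"1.0.3","last_updated":"2019-06-14 3:22pm GMT","tested":"5.2"}',
];
$now = strtotime( '2024-05-01 00:00 GMT' ); // fixed "today" so the output is reproducible

foreach ( $samples as $json ) {
    $r = plugin_staleness( $json, '6.5', $now );
    printf( "%-20s %s %s\n", $r['slug'], $r['stale'] ? 'STALE:' : 'ok', implode( '; ', $r['reasons'] ) );
}
```

Run over the slugs from your own plugin list (for example `wp plugin list --format=json` on a WP-CLI host), this turns “check the plugin page now and then” into a check that can run on every deploy. A recent release date is a necessary signal, not a sufficient one: it says someone is still there to take a report, not that the code is sound.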
Writing your own code can take the most time, but also is far more likely to get you exactly what you need, and gives you the deepest control over things like security.
Having an expert to help decide which code is secure and when to write code from scratch is vital.
Mitigating Third Party Code Security Vulnerabilities
The simplest approach is to do your own security audits. If you don’t have qualified analysts on staff, there are many companies that can be hired to run them. If the code you’re auditing is open source and you’re using it at no financial cost, working with the original author and releasing the results of the audit can be a great way to give back; report any actual vulnerabilities to the author privately first and publish only once a fix is available.
Much of this work can be automated. PHP_CodeSniffer (PHPCS) with the WordPress Coding Standards ruleset includes security sniffs for the most common plugin defects (unescaped output, unsanitized input, unprepared SQL, missing nonce checks), and it can be scripted to run on every code change and send alerts when needed. The Tide project is another example of automated code auditing. Static checks like these catch the common classes of bug; they do not find logic flaws such as a missing capability check on an action that should be restricted, so they complement a human review rather than replace it.
Another option is to only use code that was written by people inside your organization. The built-in plugin and theme mechanisms can be leveraged by your own developers to create custom work. The code still needs the same review; it just happens inside your organization, on your own schedule.
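To make concrete what the automated audit catches, here is a constructed plugin handler in the shape such code commonly takes, with the defects the WordPress Coding Standards security sniffs flag, beside the version that passes them. This is an added example, not code from the post, from PHPCS, or from any real plugin; it assumes a hypothetical custom table `{$wpdb->prefix}widgets`.

```php
<?php
// Added example, not code from the post, from PHPCS or from any real plugin. A constructed
// search/delete handler with the defects that the WordPress Coding Standards security sniffs
// (WordPress.Security.*, WordPress.DB.PreparedSQL) flag, beside the version that passes them.
// Assumes a hypothetical custom table {$wpdb->prefix}widgets with columns id and name.

// --- BEFORE: what an unreviewed plugin frequently looks like ---------------------------
function widget_search_unsafe() {
    global $wpdb;
    $q = $_GET['q'];                                          // ValidatedSanitizedInput: raw input
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}widgets WHERE name LIKE '%$q%'" // PreparedSQL: injection
    );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->name . '</li>';                   // EscapeOutput: stored XSS
    }
    if ( isset( $_POST['delete'] ) ) {                        // NonceVerification: CSRF, no capability check
        $wpdb->query( "DELETE FROM {$wpdb->prefix}widgets WHERE id = " . $_POST['delete'] );
    }
}

// --- AFTER: the same feature written to pass the sniffs --------------------------------
function widget_search_safe() {
    global $wpdb;

    // 1. Unslash, then sanitize every piece of user input at the point it is read.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // 2. Parameterize SQL; escape LIKE wildcards so a "%" in the input cannot widen the match.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}widgets WHERE name LIKE %s",
            '%' . $wpdb->esc_like( $q ) . '%'
        )
    );

    // 3. Escape at output, for the context the value lands in (HTML body here).
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->name ) . '</li>';
    }

    // 4. State-changing requests need a capability check AND a nonce tied to the action.
    if ( isset( $_POST['delete'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.' ), 403 );
        }
        check_admin_referer( 'widget_delete' ); // dies unless _wpnonce was made by wp_nonce_field( 'widget_delete' )
        $wpdb->query(
            $wpdb->prepare( "DELETE FROM {$wpdb->prefix}widgets WHERE id = %d", absint( $_POST['delete'] ) )
        );
    }
}
```

Running `phpcs --standard=WordPress` over the first function reports each of the four marked lines; the second passes. Note that the sniffs cannot tell you whether `manage_options` is the right capability for this action, which is the kind of question the human review is for.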
User behavior isn’t really a WordPress security issue, but WordPress can help mitigate it. You’ll never prevent people from writing their password on a sticky note, or using open wifi in a coffee shop. There are, however, plugins that can help guide people toward better behavior: plugins that require two-factor authentication, require password resets every 30 days, enforce HTTPS on all assets, and apply a wide variety of other common security practices.
On the hosting side, all the normal server security standards should be followed. Depending on security requirements (military, government, coffee shop, etc.), you may need proof of a security audit, or perhaps even be required to do your own hosting and provide that proof of security yourself.
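As an added example of the “enforce a password reset every 30 days” behavior (not code from the post or from any published plugin), the following must-use plugin records when each password was set and refuses logins once it is too old. The user-meta key is this example’s own; the hooks and helpers it calls are WordPress core’s.

```php
<?php
/**
 * Plugin Name: Password Age Policy (illustrative example)
 * Description: Refuses login once a password is older than 30 days.
 *
 * Added example, not code from the post or from any published plugin. The meta key below is
 * hypothetical; the hooks (user_register, after_password_reset, profile_update, authenticate)
 * and helpers are WordPress core's.
 */

const PWD_POLICY_MAX_AGE_DAYS = 30;
const PWD_POLICY_META_KEY     = '_pwd_changed_at'; // hypothetical user-meta key (assumption)

/** Record "password set now" for a user. */
function pwd_policy_stamp( int $user_id ): void {
    update_user_meta( $user_id, PWD_POLICY_META_KEY, time() );
}

// Stamp on every path core uses to set a password: registration, the reset form, profile edits.
add_action( 'user_register', 'pwd_policy_stamp' );
add_action( 'after_password_reset', function ( $user ) {
    pwd_policy_stamp( (int) $user->ID );
} );
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $fresh = get_userdata( $user_id );
    if ( $fresh && $fresh->user_pass !== $old_user_data->user_pass ) { // hash changed => new password
        pwd_policy_stamp( (int) $user_id );
    }
}, 10, 2 );

/** Pure policy check, kept free of WordPress calls so it can be unit-tested on its own. */
function pwd_policy_is_expired( $changed_at, int $now, int $max_age_days ): bool {
    if ( ! is_numeric( $changed_at ) ) {
        return false; // no record yet; the caller starts the clock instead
    }
    return ( $now - (int) $changed_at ) > $max_age_days * 86400;
}

// Priority 50: after core's username/password (20) and cookie (30) checks have produced a WP_User.
add_filter( 'authenticate', function ( $user ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // an earlier check failed (null or WP_Error); pass it through untouched
    }
    $changed_at = get_user_meta( $user->ID, PWD_POLICY_META_KEY, true );
    if ( '' === $changed_at ) {
        pwd_policy_stamp( (int) $user->ID ); // pre-existing user: the 30-day clock starts today
        return $user;
    }
    if ( pwd_policy_is_expired( $changed_at, time(), PWD_POLICY_MAX_AGE_DAYS ) ) {
        return new WP_Error(
            'password_expired',
            sprintf( esc_html__( 'Your password is more than %d days old.' ), PWD_POLICY_MAX_AGE_DAYS )
            . ' <a href="' . esc_url( wp_lostpassword_url() ) . '">' . esc_html__( 'Reset it here.' ) . '</a>'
        );
    }
    return $user;
}, 50 );
```

Two caveats a practitioner would want: code that writes `user_pass` directly (a raw `wp_set_password()` call, a SQL update) fires none of the hooks above, so the stamp is only as complete as the paths you hook; and REST or XML-RPC logins with application passwords do not pass through the interactive reset flow, so decide explicitly whether the policy should block them too. Two-factor authentication is a larger undertaking and is best taken from a maintained plugin rather than written from scratch.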
WordPress VIP, a premier, enterprise level WordPress hosting company, runs code security audits on every bit of code that gets into production, after the development agency has done their own audits.
Additional Security Tools
A Web Application Firewall is typically delivered as a third party service that sits in front of your site as a reverse proxy. Visitors resolve your hostname to the provider’s network, the provider inspects each request against its rules and drops the ones that look like attacks, and only what survives is forwarded to your server; static content is often served from the provider’s cache without touching your server at all. This covers not only attempts to break in but attempts to overwhelm your server with a Distributed Denial of Service attack. Two caveats: a request that doesn’t match any rule still reaches your server, so the WAF reduces exposure rather than eliminating it; and the protection only holds if your server accepts web traffic solely from the provider’s addresses, otherwise an attacker who learns the origin IP simply bypasses the WAF. Cloudflare and Sucuri are two well-known examples of this kind of service.
At the end of the day, WordPress core is very secure, and if you follow best practices, you can greatly reduce the chance of introducing security vulnerabilities through the code and configuration around it. Having an experienced agency like Camber Creative work on your site can help ensure that proper security standards and protocols are followed and regular audits are conducted to make sure that future vulnerabilities are caught and mitigated quickly.