Don't Blame Wordpress
Is WordPress secure? The short answer is yes, but if you don’t use the latest version of WordPress you will always be vulnerable. The good practice principle of using the current version is valid for any software you run on your computer. Don’t blame WordPress. As succinctly encapsulated in a WSJ.com article headline, “What’s a company’s biggest security risk? You.”
Let’s take a look at why WordPress security has been questioned and put it into perspective.
The Panama Papers
The Panama Papers are a leaked set of 11.5 million confidential documents providing detailed information about more than 214,000 offshore companies and showing how wealthy individuals, including public officials, hid their assets from public scrutiny. Mossack Fonseca was the company responsible for creating the offshore accounts. In 2015, the uproar recorded in the news about the Panama Papers rivalled that of the AshleyMadison.com hack.
Experts speculated that outdated Outlook login and web portal software, together with emails sent out unencrypted, were responsible. Forbes.com reported that Mossack Fonseca’s online portal, used by customers to access sensitive data, was most likely running a three-year-old version of Drupal with at least 25 known vulnerabilities.
Forbes.com also discovered that some parts of the site from which the documents were leaked may have been running WordPress with an out of date version of Revolution Slider, a plugin that had suffered from vulnerabilities in the past.
The main reaction in the cyber security industry was incredulity at the, let’s be frank, stupidity of not keeping software updated.
Software of all kinds is in a constant state of flux. If you’re running a Windows machine at home (unless your updates are set to run in the background), you’ll notice that you’re having to update Windows nearly every day and most of the time you’re installing security patches. The same goes for your browser and the anti-virus software you run.
Putting WordPress security into perspective
- Size matters: WordPress is huge. It runs over 20% of the websites on the internet, and a giant’s activities don’t go unnoticed, so it’s in the news a lot. In reality, WordPress suffers a relatively small number of attacks when its size and those of its competitors are taken into consideration. WordPress is a natural target for hackers precisely because of its size – a successful attack is far more satisfying than infiltrating GirlGuides.com. On the other side of the coin, WordPress has a large number of resources to counter attacks.
- Support: Open source software is written, supported and upgraded by thousands of geeks around the world voluntarily because they believe in its value. It is constantly evolving in a collaborative environment, so there’s less of the inbred approach of in-house development. Developers are constantly challenged by colleagues around the world to thwart hacking attempts, coming up with innovative solutions from the brightest and most committed software engineers in the world.
- Human error: Research has shown that data losses and security breaches are often due to human error, e.g. following fake links, not safeguarding passwords, not doing backups, not updating software.
- Themes and plugins: At the core of most so-called WordPress vulnerabilities are plugins, often written by third parties. Sometimes third parties have a nefarious reason for giving away attractive themes and plugins: they’re infected with malware. Don’t blame WordPress.
- Phishing: Phishers will go to extraordinary lengths to gather information about a company and its employees, acquiring the most seemingly innocuous data, like an email address, and creating havoc with that information. Employees who don’t understand the implications of social media hacking may inadvertently open themselves up to cyber criminals when they click on malicious links on social media. Don’t blame WordPress.
- Core updates: Content management systems like WP, Drupal and Joomla need to be updated at the core, as well as their modules and plugins. Shocking statistics from wpwhitesecurity.com research in 2014 showed that of more than 30,000 installations of different WordPress versions, only 12,000 were running versions without known vulnerabilities. Don’t blame WordPress.
Note: WordPress has an auto-update mechanism which allows WordPress websites to update automatically when there is a new security patch. And there is a mechanism to show updates for themes and plugins, so there’s no excuse! Don’t blame WordPress.
Some tips for keeping WordPress secure
- Change your passwords often, and use long passwords with letters and numbers.
- Keep your software up to date.
- Don’t install themes and plugins from sources you don’t know.
- Delete plugins you aren’t using.
- If you have an SSL certificate, connect to your WordPress admin login using HTTPS.
- Consider two-factor authentication.
- Don’t use “Admin” for your administrator login (this is the first login name hackers try to crack).
- Back up your site regularly. Your host is not responsible for 3rd party software you install.
- Protect your WordPress site using .htaccess, an access configuration file that controls access to the directory in which it is placed and all its sub-directories.
- Install a plugin to monitor your WordPress core files and traffic (and don’t forget to read the logs).
- Change the database prefix from "wp" to anything else (hackers know what the default prefix is).
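Several of the tips above (HTTPS for the admin login, keeping the core updated, changing the database prefix, limiting what a stolen admin account can do) are one-line settings in wp-config.php. The fragment below is an added example, not code from the original post or from the WordPress project; it assumes a standard WordPress install on a host with a valid TLS certificate, and the database credentials, table prefix and salt values in it are constructed placeholders to be replaced with your own.

```php
<?php
// Added example: wp-config.php hardening fragment applying several of the tips above.
// Not from the original post; placeholder values are marked and must be replaced.

// Database settings (constructed placeholders; use your own values).
define( 'DB_NAME',     'wordpress_db' );
define( 'DB_USER',     'wp_user' );
define( 'DB_PASSWORD', 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );
define( 'DB_COLLATE',  '' );

// Tip: change the database prefix. The default is "wp_", which is what automated
// attack tooling assumes. Set the prefix BEFORE installing; changing it on a live
// site means renaming every table and the prefixed rows in the options/usermeta tables.
$table_prefix = 'k7x2q_';   // constructed example prefix

// Tip: connect to the admin area over HTTPS. With a certificate in place, this
// forces wp-login.php and /wp-admin/ onto https:// so the password and the
// authentication cookie are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );

// Tip: keep the core up to date. WordPress installs minor/security releases
// automatically by default; true also enables automatic major releases.
define( 'WP_AUTO_UPDATE_CORE', true );

// Tip: reduce what a compromised administrator account can do. The dashboard's
// built-in theme/plugin file editor lets any admin write PHP to disk; disable it.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter variant for hosts that deploy code through a build process: also blocks
// installing or updating themes and plugins from the dashboard. Caveat: it disables
// the automatic updater entirely, so only use it if updates happen another way.
// define( 'DISALLOW_FILE_MODS', true );

// Unique keys and salts: generate a fresh set per site, for example from
// https://api.wordpress.org/secret-key/1.1/salt/ . Replacing them invalidates every
// existing login session, which is also a useful step after a suspected compromise.
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

// Never show PHP errors to visitors on a production site; they leak paths and
// table names. Keep errors in the server log instead.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

// Absolute path to the WordPress directory, then boot WordPress. The constants
// above must be defined before this line for WordPress to honour them.
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

These constants only take effect if they appear above the `require_once ABSPATH . 'wp-settings.php';` line. Because wp-config.php holds the database password and salts, it is also the first file to shield with the .htaccess rules mentioned above so that it can never be served directly, and it should be excluded from any publicly readable backup.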
If someone guarantees you 100% security and you believe them, either you or they are incredibly gullible. No site is 100% secure, but following the best practices outlined here will repel the worst attacks and give you the advantage of being prepared. It’s a cliché, but prevention is better than cure.
Remember that website security needs to be approached holistically.
Our strategy includes:
- Web Application Firewall
- Support for the latest PHP and MySQL versions
- Intrusion detection system
- Account isolation