I was hesitant to start developing in Wordpress because of all of the bad press it has gotten over the years regarding security issues. But as our business grew, more and more people came to us with existing Wordpress websites and it became clear that many small businesses use the platform and they wanted us to continue working on their existing sites, not starting from scratch.

We reluctantly began creating all of our sites in Wordpress, but we are very cautious about which plugins we put in a site. If a client comes to us and wants bells and whistles that do not add any value to the site we warn them of the security problems involved with adding 3rd party stuff. If they persist in wanting all of the stuff that requires numerous add-ons, we generally wish them well and move on.

We generally have no more then three plugins per install, and they are all time tested ones with thousands of downloads and lots of reviews.

Any site can be hacked, you just have to prepare for the worst and make regular backups.

Exactly TC. Outside of the hosting setup and the other ways to attack a server, WordPress alone is only as good as the sum of all the code used. This includes the plugins, themes, as well as the core. There are plenty of sketchy plugins out there and it only takes one with a vulnerability to provide a hacker with the opening they need.

I think its all about the plugins. I stay away from plugins written by kids/unknowns. I would rather pay a reputable company for a license to a product I know is vetted rather than use free plugins. The pharma hack for example was from a free plugin that claimed to do X but in the background was doing evil.

All right, I'll bite.

The more technology you run, the bigger your attack surface. That said, Wordpress security has improved so much over the years, that people who say "Wordpress isn't secure" and point to attacks that took place on version 2.x are basically the same as the people who claim Windows isn't secure because of attacks on Windows Millennium. That does NOT make Wordpress or Windows 8 impervious, but they are different animals from the previous version that were designed with almost no attention to security.

There's always a tug and pull - large user base and open source code means a lot of eyes on security issues, but it also means the creators of automated scripts will target the system. I think security via review is a better bet than secuiryt through obscurity.

WP is no less secure than a Drupal or Joomla or any CMS script out there

More or less true, but there are differences and they are significant.

In favor of Wordpress, it's a way smaller codebase than Drupal and so therefore a smaller attack surface.

On the other hand
- Wordpress allows direct editing of files on the server from the admin interface.

- All Drupal modules are under the same umbrella and the security team watches over all of them. Clearly, obscure modules don't get much review, but major third-party modules are treated much like core. I don't believe that Wordpress has anything similar. Also Drupal segregates security fixes from bug fixes, which helps people stay up to date on major security issues.

- By implication, this also means that the security team has the entire universe of Drupal modules on a single git repo, so when an exploit is discovered, they can grep for similar code in all modules and try to roll out fixes across the board.

- in a default install, Drupal automatically sends a nag email daily if there are security updates that should be applied to a site. Again, because there's a centralized clearinghouse for security issues, this is possible.

So while I think much of the Wordpress bad reputation is outdated, I wish that Wordpress would adopt a bit more of a Drupal-style plugin management and security overview. I think that would help a lot.

Some of the work I do has been in helping people learn to use WP and helping them correct some basic settings that can cause issues. I haven't been inside more than a few dozen WP installs that I did not do, but some of the stuff you find inside shows that uninformed users create many security problems for themselves, just because they don't know better. A username of admin with login of login123 is so obvious a place to start, but if you don't know any better, that looks just fine to you. The most recent WP update 3.7 addresses this one issue in a way that should help even the newbiest. If they ever update to 3.7, that is.

My point is that a good number of WP security issues are not due to WP, but user inflicted problems. They made it simple to use and people, some who don't even know how to create and save a .txt file, are using it.

I have never had a security problem with a properly installed WordPress Site. I believe it is a popular target because it is widely used, and often enough by unsophisticated users. I see hundreds of wp-login.php hacking attempts per month on plain old html sites, enough to see it as an automated shotgun approach that must sometimes work.

My point is that a good number of WP security issues are not due to WP, but user inflicted problems

Bingo! The code base is pretty solid but it can fall apart with one lousy plugin.

@ergo - While WordPress may not watch over every plugin as it grows there is an approval process. From the plugin submission page

Within some vaguely defined amount of time, your plugin will be manually reviewed. You may be emailed and asked to provide more information.

[wordpress.org...]

When WordPress sites are hacked it's often the case that hackers gained access by other means but target the WordPress site once on the server because so many sites use WordPress by default that it's just an easy target. This has happened to GoDaddy a couple of times in the last few years if my memory serves well/

I think people really need to evaluate everything on their server when they get hacked and not just blame it on WordPress although not keeping WordPress up to date, which many site owners don't do after the developer installs it, is a real problem.

Additionally, some developers that don't know how to properly make additions to WordPress sites make it impossible for the site owners to update without either breaking the site or losing the changes that were made, so the shoddy WordPress developers are also often to blame.

Is there any CMS that is totally secure?

For the past several months I've been using the Wordfence plugin--both the free and paid version. They provide security notices about unsafe plugins and give you a heads up on how to spot vulnerable plugins and what to do about it. I cannot praise Wordfence enough.

Best of all it notifies you when WordPress needs to be updated as well as the plugins.

There is one sure way to get hacked and that is not to keep everything up-to-date. As you probably already know bots are scouring the Internet looking for which version of a CMS that is installed and once vulnerabilities become known with a particular CMS they attack those sites.

I'm curious how, without server admin privileges, WP accomplishes this automated tweaking of the software one's server is running . . and how widespread this practice - of granting admin-type access privileges to alter server hosted software - is?

What spooks me more than the possibility of plugin/server conflict issues is the ability of the boys and girls at WP.org - or anyone else smart enough to gain (hack) access to the new WP update system system - to exploit it - "given admin access" to every install of WP. Seems like the opening of a backdoor to killing or reconfiguring (for good or evil) every install of WP.

"Knock, knock. Hello, this is the NSA. We're having a problem and we need to create a massive botnet to counter a cyber-attack that is threatening national security. May we borrow your WP network . . and the home PCs of everyone administering those WP sites . . and the PCs of everyone visiting those sites . .. ahem . . borrow them by uploading an "improvement" to the WP core that will enable us to take control of ALL those machines for awhile? Don't worry. We'll given them back . . cough . . cough."

#justsayin

Just how common is this practice and how do we know exactly how much more data/info/insight/access WP can glean from making this "improvement"?

I'm curious how, without server admin privileges, WP accomplishes this automated tweaking of the software one's server is running

That's easy, they use FTP to upload files with the permissions of the account owner, just like we do to manually tweak the server while it's running. So WP really doesn't have access to all your servers unless they stored and transmitted your FTP account info when you submit it, which it doesn't.

Plus, it's all source code, thousands of people look at it daily, we would know right away if some funny business was going on.

However, that would be a great exploit, to make a rogue plugin that started capturing the FTP user/pass when people try to update their site or install new plugins.

Thanks, something new to worry about :)

there is an approval process

Yes, but no oversight that I could see of a dedicated security team who, discovering an exploit in one plugin, will grep through the entire repo of plugins and find others with the same code (common).

Also no automated notices from the site itself except apparently with the Wordfence plugin. But such practices are not built into the community.

There's a fair bit that Wordpress as an organization could do to keep the community at large informed and more secure, but unfortunately I think they have never built in the infrastructure for it, so it's hard to roll it out now.

That's true ergo but is it really necessary? WordPress isn't a commercial product and is totally built and supported by a community. It is an example of a community dedicated to the development of tools that serve the community. I for one have never seen such a well organized and dedicated team of developers that have achieved such phenominal success - success measured by the volume of installs.

I agree the community approach doesn't have a rigorous review process but there's something to be said about self-evaluation and an unspoken community commitment to providing above bar plugins, themes, and services. It's not perfect but it's the only example of a decentralized community on the web where the community can be involved - or not - and can have a huge impact on the development cycle and what the end results are. Sure a plugin developer can fall behind or produce poor code but the community does review and comment - very verbosely at times - when something doesn't work. Again, it's not a perfect solution.

As for keeping the community at large informed. That's up to the community. There are several methods by which they can stay informed. By default WordPress installs include a feed from the WordPress blog on the dashboard. The core developers post their notes, meetings, and contribute to the blog about what they're working on as well as any issues they've uncovered.

[make.wordpress.org...]

Perhaps what's needed is an owners manual that explains responsibilities (users versus development community) on maintenance and upkeep as well as support. Buying into WordPress or any CMS means you're buying into the culture of that community as much as you are into the tool itself. It's a personal choice based on many factors. Some people choose based solely on convenience. Others may choose based on availability of support or because there is a rigorous security review process. I like the WordPress community approach. It suits me and my clients. I know what I need to do to keep my sites safe and secure and if a rogue plugin is uncovered it would likely be discovered and the community would act on it quickly. BTW - I've never heard of one in the 10 years I've been playing with WordPress - yea, I was messing with WP when it first came out.

Lorax,

You've nailed it. Years ago I was advised that when it comes to software follow the pack because there are a great number of users and problems are more quickly discovered. When a issue does surface there are more people to resolve the problem.

When a 12-year-old Canadian boy can break into secure U.S. government computers arguing about WordPress' security seems silly. If someone is worried about being hacked then I'd suggest using the WordFence plugin.

Of course anyone who doesn't backup their database is living in la-la land and needs to install DBmanager, which will send regular backups of their database.

Going the extra mile to backup your entire WordPress site is simple enough with Backup Buddy. It's also makes moving an entire site from one server to another a breeze.

I'm just saying that many other projects - say Linux and Apache - are "community" (i.e. open source with some corporate money behind them just like WP), but they are way more organized on security issues.

WP is a huge community and runs more sites than any other CMS - probably more than then next 10 put together. They have some massive sites running on WP as well.

I think they could and should step up the security game within the community. I think they're doing a good job of it on the software side of the WP core though.

Given how extensible something like wordpress is, and how popular it is, it's an inevitable target for hacking. Outside the top few CMS I imagine the rest aren't worth spending time on to exploit.

I'd agree that it being open source and transparent is definitely a good thing, and security seemingly is more of a WP issue purely because we hear about it more. I'd rather use code that's been scrutinised by both hackers and those who secure code rather than being blissfully unaware.

I've seen a number of exploits lately regarding a commercial and quite popular billing/account management package. They were simple SQL injections with grave outcomes (delete all data/take all customer data kind of thing)- things that simply wouldn't happen if the codebase of something this popular was open for public scrutiny.

Very interesting thread with lots of very good points made. But how about suggestions on how to protect WP? Besides avoiding dangerous plugins, is there any suggestions on what is the best way to protect WP?

Read my previous post cnvi.

I read about backup buddy but I am wondering what else can be done more proactive?

Absolutely get WordFence. If you want a regular backup of your database emailed to you, then get DBmanager.

FWIW, back in the day I had some arguments with Google that they should block certain queries that the hackers were using to find WordPress sites of specific versions after encountering some botnet scripts used to scrape Google SERPs for those terms.

For some reason the brain trust in Mtn. View didn't seem to understand that those sites weren't easy to find until someone started providing the results to queries like "Powered by WordPress x.y".

The bigger argument that finally persuaded them to take action at the time was that MSN was already blocking those search terms.

So while WordPress security is definitely an issue, I think a lot of responsibility also falls on the search engines to make sure they aren't just handing over easily compromised sites to any botnet querying for specific versions and crawling all the search results.

Limiting the number of responses to such queries is at a minimum the best compromise as there's no reason to allow anyone to harvest a list of thousands of sites to hack.

@cnvi

Here's the official "Hardening WordPress" article on their site: [codex.wordpress.org...]

>> but they are way more organized on security issues.

Okay. But please elaborate - in what way are they? Or more importantly, what concrete steps/actions should the WordPress development team take?

Use a good host - not a cheap host.

Keep WP up to date (a lot easier now; the latest version of WP updates itself - I have issues with that, but overall it's probably a good idea for most)

Use well known, well vetted plugins, and personally I don't use anything that hasn't been updated in the previous six months.

DON'T have any more administrators than you absolutely need - you wouldn't believe how many installs I work with where everyone in the company has admin access, and half of them aren't even working there anymore. Or they hired some kid to fix something, and left him in there. If you have to give someone admin access to work on something, revoke it when they're done.

Personally, I don't think the security plugins give you anymore real security than the above practices, and they can get in the way of other necessary functions (like cache) But if you feel you need it, g'ahead.

@webwork

As long as the files have execute permission they can call and run other files. Nothing nefarious about it in itself as this is common practice with applications. It's when a malicious script is uploaded to your server and executed that the troubles begin. That's why that first layer of security is all important as is subsequent monitoring of files and activity on the server.

I thought Wordpress was now built with backdoor access in mind. Much of the code 'calls home' for various reasons, without a way to shut it down. Secure from hackers? Moderately, but it's the 'good guys' you need to worry about more.

I don't like needing to modify core files to fully lock it down.

CNVI,

You might want to check out BulletProof Security Pro by ait-pro.com.

From what we have read and seen nothing really is secure. Just ask some of the banks, EDU's, Gov sites. If your targeted it will happen. The plugins are usually the gateway, the less of them you can do without the better you are as far as security.

I just had an htm site not really hacked but injected with code from an old file they had added for some reason or another.

Nothing is really secure you just want to make it harder for the hack, because the more time they have to spend getting in the less likely it will happen.

WP is targeted because it is so popular and so many old plugins still running that are very easy to get access to either the server or the site.

There are many angles for this and yes, there are proofs of Wordpress being insecure, or at least not as reliable as other tools IMHO (and in the opinion of others) specially if you like statistics.

Is Wordpress insecure? yes and no. From start many wordpress installs had problems due to several reasons: server security problems, file and folder permissions on shared servers and poor security planning from the user/admin perspective, etc but that's not WP's fault, this includes the plugin security flaws. And yes, on the other side there have been WP security problems related only to WP.

I know this is not a comparison to Drupal but it's difficult not to mention the report tool telling you about possible problems, file permissions, etc. But let's stay with the perspective of Wordpress having no full responsibility on the plugins made by others.

Keep your code up to date.Fail or win? Well it can be a serious problem. Of course keeping your code updated will free you from security concerns but there was a situation where Wordpress advised NOT TO update because the update had security problems. I believe there could me more situations like these one but I can only assure you about this one because I researched on it. That update allowed everyone of us to tear down any WP from the url browser input. So, not every update is secure and many world famous blogs went down during that week.

WP got some bad rep. It's easy to use, it works out of the box, etc. This made WP available to people with no security notions who later experienced problems with their webs. Suddenly there was a lot of noise on the web about WP security issues (Joomla had company then). This is in part what I mean "if you like statistics" because you can find lots of resources on the web regarding bad WP and Joomla installs, servers hacked, etc but not many go deep on why those installs failed.

Additional to that you can find lots of SEs about "broken WP" meaning people updated to a newer version and the web just stopped working.


Do I hate WP? nope. Do I used it? when I have to and there is no other alternative. Why I think of WP this way? I developed my own CMS and also work my bit on Drupal. The thing is I worked on a company managing lots of websites and there was a time when they wanted to switch everything to WP, I refused, I researched and Drupal server better. We were on diff kinds of servers and Drupal or my CMS never had security problems but WP did. I'm not saying Drupal sucks I'm just painting my picture of past experience but YES those security problems were fixed and the webs continued existing BUT after several months and also years it became evident the servers loaded with WP were a nightmare compared to the one with Drupal. Drupal showed better response on sites having intense traffic. Drupal scalates pretty well.

Sorry if I bored you, didn't mean to. Just saying WP has some issues on performance that altogether with the past security issues... well doesn't make WP the first tool of choice of many around.

But hey, I use it, it's a great tool, some refuse to call it a CMS but it's good. I just wouldn't sleep too well building critical webs on it.