Is WordPress Secure? [Wordfence]

I recently got a call from a friend I haven’t seen for a while asking me if I’d like to grab a coffee. He had a few questions about whether WordPress is secure. I’m always looking for an excuse to visit the hip Georgetown neighborhood just south of Seattle, so I jumped at the chance. Plus Chris is an all-round awesome guy who works for a well-known social media startup, so I wanted an update!

It turns out they were going to be launching a new website soon and were looking for a robust CMS. WordPress was the obvious choice, but they had grave concerns about security, since the company has a ton of visibility and could become a target for attack. It’s interesting when a good friend asks you a question like this because it makes you reevaluate your opinions and assumptions and make darn sure you’re providing advice that will set up this person that you care about for success.

Chris and I had a great chat, and I think it would be most helpful to distill my thinking on whether or not WordPress is secure into a FAQ format regarding the subject.

Is WordPress Secure?

The short answer is yes, but it does require a modest amount of work and education on the part of the site owner.

Keeping Core Up to Date

For WordPress to be secure, you must keep the core application up to date. The good news is that WordPress actually does much of this job automatically. If you have the default configuration, then when the core team releases a minor version of WordPress, it will upgrade to that new minor version automatically. Security fixes are released as minor versions.

So when a security fix is released, unless you’ve specifically configured your site to not update automatically, your site will update to the newest security fix and you will be protected from an emerging vulnerability.

To be clear, WordPress versions come with three numbers separated by dots. The current version is 4.9.4. The number to the far right is the minor version. So when that changes, your site will be automatically updated. When 4.9.5 is released, your site will automatically update. When 5.0.0 is released, it will not.
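The check below is an added example, not code from Wordfence or WordPress: it reads a wp-config.php, works out whether the default automatic core updates described above are still in effect, and applies the version rule from this section to a given release. AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE are real WordPress constants; the function names and the sample configs are constructed for illustration.

```python
import re

# Uncommented define( 'NAME', value ); lines in wp-config.php. Lines starting
# with // or # do not match; /* ... */ block comments are not handled.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""", re.MULTILINE)

def parse_defines(config_text):
    """Return {constant name: lower-cased value with quotes stripped}."""
    return {name: value.strip("'\"").lower()
            for name, value in DEFINE_RE.findall(config_text)}

def core_update_policy(defines):
    """'none', 'minor' or 'all'; 'minor' is the default the article describes."""
    if defines.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        return "none"
    value = defines.get("WP_AUTO_UPDATE_CORE", "minor")
    return {"false": "none", "minor": "minor", "true": "all"}.get(value, "unknown")

def version_tuple(version):
    """'4.9' -> (4, 9, 0): WordPress omits a trailing zero."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_minor_release(installed, released):
    """True when only the right-most number rises, e.g. 4.9.4 -> 4.9.5."""
    cur, new = version_tuple(installed), version_tuple(released)
    return cur[:2] == new[:2] and new[2] > cur[2]

def will_auto_update(config_text, installed, released):
    """Would this site pick up `released` without anyone logging in?"""
    policy = core_update_policy(parse_defines(config_text))
    if policy == "all":
        return version_tuple(released) > version_tuple(installed)
    if policy == "minor":
        return is_minor_release(installed, released)
    return False  # 'none' or an unrecognised value: treat as not protected

# Constructed sample configs (not from any real site).
DEFAULT_CONFIG = "define( 'DB_NAME', 'wp' );\n"
PINNED_CONFIG = ("define( 'DB_NAME', 'wp' );\n"
                 "// define( 'WP_AUTO_UPDATE_CORE', true );\n"
                 "define( 'AUTOMATIC_UPDATER_DISABLED', true );\n")

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("pinned", PINNED_CONFIG)):
        for target in ("4.9.5", "5.0.0"):
            print(label, "4.9.4 ->", target, will_auto_update(cfg, "4.9.4", target))
```

A site that reports False for the next security release has to be patched by hand, so it belongs on the list of sites to check when a fix ships.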

Keeping Plugins and Themes Up to Date

You will also need to keep your plugins up to date. This does not happen automatically, except in rare cases where the plugin author provides that functionality. Our security plugin updates automatically when we release a new version. Most plugins don’t. But again, we have some great news. In cases where there is a severe plugin vulnerability, the WordPress security team have the ability to force plugin security updates, and have done so in the past. They have never automatically updated a theme, but they have the ability to do that, too.

In general, though, minor vulnerabilities that a plugin author fixes are not updated on your site automatically. That is why keeping your plugins up to date is one of the most important things you need to do to keep your site secure.

Protecting Yourself During the Window of Vulnerability With a Firewall

When a vulnerability does occur in a plugin or theme, there is a lag time between the vulnerability discovery and when a fix is released. We refer to this as the “window of vulnerability”. To protect yourself during this time, you need a firewall that is being actively maintained by a security team and that includes real-time updates.

The Premium version of Wordfence does exactly that. Our team works proactively to discover new attacks and to release firewall rules as soon as a new vulnerability is discovered. This protects our customers during the window of vulnerability, while the vendor works to release a fixed version of their software.

[Figure: Zero Day Vulnerabilities Timeline]

Reducing Your Attack Surface

You will also need to work to reduce the number of things that can be attacked on your website. Think of your website as a giant dartboard, with a hacker throwing darts that simply have to hit the board. The more plugins you run, the more themes you have installed and the more web applications you run, the bigger the surface area that the attacker can hit. Reduce your attack surface by removing unused or unnecessary applications: you become a much smaller target, and your website will be much less work to maintain. You should also remove any unused accounts, especially administrator accounts, on your WordPress website.

Practicing Good Security Hygiene

Finally, you and the users of your website will need to practice good security hygiene. That means you should:

  • Use strong passwords that are not easily guessable. We recommend using a password manager like 1Password.
  • Enable two-factor authentication. (Wordfence Premium provides this.)
  • Make sure you have reliable backups of your website.

The Basics Are Actually Not That Much Work

If you have these basic ingredients for security in place, you will be starting from an excellent base security posture. To summarize, the items I have mentioned so far are:

  1. Keep WordPress core updated. This happens automatically most of the time.
  2. Keep your plugins, themes and other web applications up to date.
  3. Use a firewall that is updated in real time.
  4. Reduce your attack surface by removing unnecessary plugins, themes, web applications and user accounts.
  5. Practice good security hygiene by using strong passwords, enabling two-factor authentication and ensuring your backups are reliable.

This may sound like a lot, but it really is not. Once you have configured your WordPress site with a firewall, enabled two-factor authentication, removed any applications and plugins you don’t need, and set up strong passwords, the only thing you need to do regularly is update your website plugins when needed and occasionally verify your backups. In addition to this, I would suggest keeping abreast of WordPress security trends and any ‘big’ security news. This blog consistently covers big news and important threats in the WordPress security space, so subscribe to our mailing list and you’re all set.

What About the XYZ Alternative CMS? Isn’t That More Secure?

This question comes up a lot. I think the best way to illustrate my thinking on this is with a bell curve. Imagine a curve where the X axis is how evolved a software product is and the Y axis is the number of security incidents. I’ll provide names for each evolutionary stage.

Invention

On the far left, you have a brand new CMS or other software web application that is used by the one guy that wrote the software. Hackers aren’t interested in finding vulnerabilities in this software, because it will only enable them to hack a single site. Researchers aren’t looking at the code because securing a single website won’t bring them much recognition. Vulnerabilities aren’t going to get found by hackers or researchers, and won’t get exploited. The likelihood of this very early stage software getting hacked is low.

Discovery

As the new application gains popularity, it becomes a more interesting target, because a vulnerability enables an attacker to exploit more websites. The software is early stage, so there are no security processes, teams and vendors supporting the new CMS. You can’t buy a firewall for the product. Security researchers are focused on more popular products. Hackers are beginning to discover it is a target. At this point, the number of security incidents reported in this software is rising on a steep curve.

Growth

Once the new application hits a steep growth curve, hackers begin to take a major interest. There are now enough installations out there to make it very much worth their time. The new application is still not close to the most popular CMS in terms of usage and is still not receiving much attention from researchers, volunteer teams or vendors.

During this time, the new application is extremely vulnerable. Major incidents will occur in the evolution of the software. WordPress was in this phase from about 2007 to 2013, when we saw the Timthumb hack, auto-update was not yet available and security vendors were just beginning to emerge, including Wordfence which launched in 2012. The number of security incidents during this period puts the application on the map as a target and a product worth protecting.

Maturity

As a security community develops around the application, the frequency and severity of security incidents begin to drop. A community of passionate security researchers evolves around the product. Methodologies emerge for reporting and fixing vulnerabilities securely and confidentially so that hackers never have the opportunity to exploit them.

In the WordPress universe, we still see the occasional security issue like the large scale defacement campaigns that occurred early last year when a vulnerability appeared in WordPress core. But in the Mature phase, these incidents are short and sharp because the vulnerabilities are rapidly fixed by the competent security team that has evolved around the product and with the assistance of outside researchers and vendors.

Third party security products like Wordfence are able to mitigate the impact by preventing attacks. Where incidents do occur, incident response is available in the form of site cleaning services, to ensure rapid recovery.

Where WordPress Stands

WordPress is very much in the mature phase of its security evolution, and as it continues to evolve, the number of security incidents will continue to decline and stabilize. When choosing whether you want to use a newer or alternative CMS, consider which phase of the evolution the product is in and where it will be headed in the coming years.

 

 
