Is Wordpress secure now?
May 12, 2016 8:09 AM

I've read anecdotally that Wordpress is pretty flawed from a security standpoint, and I'm wondering if any of the issues in this article have been patched in the four years since it was published (there have been a lot of updates since then). And if so, what are the current concerns about WP security? Anything a site owner like me should be concerned about, or watching for?
posted by jbickers to Computers & Internet (22 answers total) 10 users marked this as a favorite
Something like 60% of the internet runs on WP, much of it ecommerce. What are your concerns?
posted by humboldt32 at 8:14 AM on May 12, 2016

Response by poster: The ones raised in the linked article. I'm wondering if any/all of them have been patched since it was written, and if WP is now considered more secure than a few years ago.
posted by jbickers at 8:30 AM on May 12, 2016

Wordpress is under constant development in response to security problems. An article from four years ago will be totally out of date.
posted by zadcat at 8:37 AM on May 12, 2016 [6 favorites]

I think it's considered to be very secure. You can install a security plug-in, and you can install automatic updates, to keep it as secure as possible.
posted by OCDan at 8:38 AM on May 12, 2016

Not sure why you're concerned about four-year-old WordPress security issues. That's like worrying about car problems on a 1999 Ford Escort when you own a model from today.

That said, there are always security concerns with WordPress. Hackers gonna hack! But if you follow best practices -- installing security plug-ins, not using default logins, etc. -- you can drastically reduce your risk. I agree with a previous commenter. What are your specific concerns? If we know your specific concerns, we can offer specific advice about how to cope with them. If you're only worried about the issues raised in the four-year-old article, well, you're probably okay.

(Note: I make my living off of WordPress sites and while some have been hacked in the past, none have been hacked recently.)
posted by jdroth at 8:44 AM on May 12, 2016 [6 favorites]

Wordpress is secure enough if you take reasonable precautions.
  • Set Wordpress to update automatically!!!! Most people that get hacked don't ever run updates.
  • Use a security plugin like WordFence.
  • DO NOT use the username 'admin', 'administrator', etc. Use long random passwords.
  • Use big popular Wordpress themes. Sometimes people build themes that do insecure or hard to update stuff.
  • Don't install plugins if you can help it. Plugins can introduce vulnerabilities and their code typically isn't as well maintained as WordPress itself.
  • Run daily backups. If something does go wrong then you can just revert to yesterday's backup.

posted by gregr at 8:47 AM on May 12, 2016 [11 favorites]

I recently worked for a web host (just left this past winter) and I currently do web design. Most of the sites I have made recently are based on WordPress.

All the WordPress site hacks that I have ever seen were because people had either a) weak passwords or b) they had ignored updating their version of WordPress or a plugin.

WordFence and other security plugins can be useful but strong passwords and staying up to date with version releases is still the most important thing, from what I can tell.

Also, be sure not to use anything (themes, plugins) that is not directly vetted by WordPress itself.
posted by jammy at 8:49 AM on May 12, 2016 [4 favorites]

So, the quick answer is that any major content management platform will contain undiscovered security issues, and that the Wordpress team has historically been pretty responsive to patching newly discovered security flaws. Wordpress is not currently considered particularly insecure.

Wordpress got a bad reputation for security many years ago because, in the distant past, it wasn't too easy to update, and so folks would leave an old version of Wordpress with unpatched security issues online (despite fixes having been released), leading to attacks on that site. The Wordpress folks made the update process a "one click" mechanism, but that still wasn't enough to get people to update as security updates were released. Starting in 2013, Wordpress started doing automatic background updates, and you hear a lot less about Wordpress security issues today.

Now, the article. Most of those "vulnerabilities" aren't actually security issues within the Wordpress package itself. Vulnerability #5, for example, is brute force password attacks, and the recommendation is that you use a strong password, and that there are plugins to strengthen the login process. That's a bit like saying your home is vulnerable because your house has a door, someone can stand at your door to try to get in via various mechanisms, and that you should use a strong lock. Good advice, but you wouldn't avoid buying a house because it has a door. None of the recommendations are bad, but they don't really point to specific deficiencies with Wordpress itself.
posted by eschatfische at 8:49 AM on May 12, 2016 [3 favorites]

There is security in the core code, which is a very high priority, and generally considered quite good (though there was a critical security patch just last week). And then there is security in set-up (which a lot of what that article you linked talks about). And then there is security in the WordPress ecosystem-- code that runs on/in tandem with WordPress but is maintained by third party developers.

The best way to have a secure WordPress system is to:
1.) Keep all code (core, plugins, and themes) up to date at all times. Old code is vulnerable code.
2.) Install only trusted plugins and themes-- pick ones that have trusted, established companies or expert programmers behind them. The biggest security holes in a standard WP installation are likely to be old, outdated, poorly written plugins.
3.) Harden your environment (as discussed in the article you linked).
4.) Install a good security plugin to help monitor your security and guide your environment-hardening efforts.
5.) Keep good backups, so that if your site is hacked on Tuesday, you can easily roll back to Monday's backup. If your site is hacked on Tuesday and you don't notice for two weeks, you can roll back to your last-known-good backup.
6.) Don't keep stuff on your server that shouldn't be there. This is only likely if you're being dumb, and storing personal information (SSN, credit card numbers, etc) that has no business being on your server.
7.) Find a good security consultant ahead of time so that if you need them when your site is hacked, they're already in your contact list.

Jinx, gregr.

In other words, every single person in this thread so far who does this professionally thinks that if you take relatively simple steps to stay safe, you're fine.
posted by instamatic at 8:50 AM on May 12, 2016 [4 favorites]

It can be secure but it can also be horribly insecure. Almost every client who has contacted me about their site being hacked, it's eventually traced to out of date wordpress installs or dodgy plugins for wordpress.

Personally, I'm not a fan. It markets itself as this really easy to use platform and anyone can set it up with their 5 minute install, you don't even need a real web designer or developer with all the free themes available but people like that don't bother installing the updates (the automatic updates thing was a huge step forward) and will install any random plugin they find.
posted by missmagenta at 8:54 AM on May 12, 2016 [1 favorite]

OK, I'm actually going to come back and reorder my list. If you're just running a small personal or business website on WordPress,
1.) Set up auto-updates for core code, plugins, and themes.
2.) Install Sucuri or WordFence plugins.
3.) If you have much/any money relying on your website, hire a consultant to do a review. Because (no offense) your understanding of WP security makes me think you would be more comfortable and safer with someone who knows what they're doing helping you out.
posted by instamatic at 8:57 AM on May 12, 2016 [1 favorite]

The core of Wordpress is most likely fairly secure at this point. I would not be surprised if at least one more major vulnerability in the core is discovered in the next year or two. Between the advances in software that does automated security analysis and the increase of talented eyes doing deep dives into popular software, there's been a bunch of nasty stuff found in CMSs as of late.

A lot of the risk now is from plug-ins that introduce vulnerabilities and configuration errors that users make (like setting the file permissions incorrectly) without realizing the security implications. Not running too many plug-ins, using ones that have a good security posture, and staying up to date with patches is the big thing to do. The last part is tricky for non-professional admins - I recommend people that just want a WordPress site but don't deal with computers all day just use a quality managed hosting provider that takes care of all the patching for their customers.

In general, software will never be "secure", at least with anything that accepts a wide range of inputs like a web server. It's a continuum, not a black or white state.
posted by Candleman at 8:57 AM on May 12, 2016

Several units at my job run separate WordPress installs. One of them recently did get hacked and it was because they weren't updating their plug-ins. Update your plug-ins! In light of what happened to them (we do always update our core install and plug-ins, but it's a good idea to review security practices anyway) we're looking into installing one of the many security plug-ins currently available.
posted by soren_lorensen at 9:01 AM on May 12, 2016

> out of date wordpress installs or dodgy plugins for wordpress
> Update your plug-ins!

These are the main issues. If you regularly update core + plug-ins, you should be fine. But if you have any doubt that you'll take care of these things, you should perhaps look elsewhere.
posted by beerbajay at 9:09 AM on May 12, 2016

Response by poster: Appreciate all of the input so far. But to the specific question: The five "vulnerabilities" listed in that article (SQL injection, whatever that is, default prefixes) ... are they still a concern? I understand that #5 is not specific to WP, but I'm wondering about the other four.
posted by jbickers at 9:23 AM on May 12, 2016

Vulnerability # 1: SQL Injection & URL Hacking.
There was an XSS patch issued last week.
Follow the recommendations for hardening your environment, install trusted plugins only.
SOLVED (enough; certainly as much as almost any custom environment that you tried to deploy instead)

Vulnerability # 2: Access to Sensitive Files.
Install a security plugin that will allow you to obscure sensitive files. Follow the instructions in the article to harden your environment.

Vulnerability # 3: Default Admin User Account.
Don't be dumb. Create a unique username for your admin. (I believe security plugins will also prompt you for this.)

Vulnerability # 4: Default Prefix for Database Tables
Don't be dumb. Give your WP database tables a different database prefix when you install them.

Vulnerability # 5: Brute-Force Login Attempts
Install a security plugin that will limit login attempts.

In general, these are not WP core code security issues. They are environmental setup issues, or plugin issues.

But what people are telling you is that the list you have posted is not a very useful way to determine the security of WP. If you think that it is a very useful list, and following it will give you a secure installation, please hire a security consultant for your site.
posted by instamatic at 9:36 AM on May 12, 2016 [4 favorites]
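
Added example, not part of the thread: a Python sketch of the check a login-limiting plugin performs for item #5, run over web-server access-log lines. The log lines are constructed, the threshold and window are illustrative, and it assumes a failed `wp-login.php` POST answers 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def sample_log():
    """Constructed access log (documentation IP ranges, made-up traffic)."""
    fmt = ('{ip} - - [12/May/2016:09:{m:02d}:{s:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" {st} 3120')
    # One client failing 8 times within 35 seconds.
    lines = [fmt.format(ip="203.0.113.7", m=0, s=s, st=200) for s in range(0, 40, 5)]
    # A user who mistypes twice, then logs in (302).
    lines += [fmt.format(ip="198.51.100.20", m=m, s=0, st=st)
              for m, st in [(1, 200), (2, 200), (3, 302)]]
    # Six failures spread over 50 minutes: never dense enough to trip the window.
    lines += [fmt.format(ip="192.0.2.44", m=m, s=0, st=200) for m in range(0, 60, 10)]
    return "\n".join(lines)

def flag_bruteforce(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return sorted IPs with more than max_failures failed logins inside one window."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: 200 on POST means the login form was shown again (failure).
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_bruteforce(sample_log()))
```

The function expects each client's lines in chronological order, which is how a web server writes them.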

Investigation into SQL injection vulnerabilities (about half a year ago):
Previously, I read a tweet about the SQL injection vulnerability found in the core function of WordPress. I was curious and tried to dig the code but only found that the author of the tweet exaggerated its severity. It is true that the application is prone to an injection vulnerability, which, however, can never be triggered by a low-privilege user like “Subscriber” as claimed by the author in his tweet.

This series of blog posts concerning this vulnerability found in WordPress currently consists of two parts: One is about how to write a post marked as trash by a user with Subscriber permissions by bypassing access restrictions, and the other is about how to exploit this SQL injection vulnerability.

Through analysis of this vulnerability, I realize that the token mechanism of WordPress is really effective, which can protect against not only CSRF but also other types of attacks.

The logic of GET/POST operations is determined by web code and tends to become chaotic, as is the case with the code of WordPress, especially when permission checks need to be performed.

The second-order injection is an issue frequently talked about. It happens because some systems trust recorded data unconditionally and finally even forget that certain entries were actually written by users.
(emphasis mine)
posted by instamatic at 9:47 AM on May 12, 2016 [2 favorites]

> The five "vulnerabilities" listed in that article (SQL injection, whatever that is, default prefixes) ... are they still a concern?

SQL injection will *always* be a concern. Every time new code is added or existing code is modified, it has to make sure it doesn't introduce SQL injection vulnerabilities if it deals with the database. And there may be clever ways to find it in existing code. It is not a matter of fixed or not fixed, it is a matter of constant vigilance on the part of developers.

That article isn't a terribly good one - the author didn't understand SQL injection and how to properly prevent it. The database prefix one was just kind of silly, as that's barely a speed bump to someone that knows what they're doing.

Again, if you want to have a secure Word Press site, outsource the administration to a company that does that for their customers.
posted by Candleman at 9:54 AM on May 12, 2016
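
Added example, not part of the thread: the second-order injection described in the quoted write-up above, next to the placeholder-based fix, shown in Python with an in-memory SQLite database. The `demo_users` and `demo_posts` tables and all rows are constructed and simplified; they are not the WordPress schema.

```python
import sqlite3

def make_db():
    """In-memory database with constructed rows (simplified, not the WordPress schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE demo_users (id INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE demo_posts (post_author TEXT, post_title TEXT, post_status TEXT);
        INSERT INTO demo_posts VALUES ('alice', 'Hello world', 'publish');
        INSERT INTO demo_posts VALUES ('alice', 'Unreleased pricing', 'draft');
    """)
    return conn

def register(conn, login):
    # The write uses a placeholder, so storing hostile text is harmless here.
    return conn.execute(
        "INSERT INTO demo_users (user_login) VALUES (?)", (login,)).lastrowid

def _login_for(conn, user_id):
    row = conn.execute(
        "SELECT user_login FROM demo_users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

def published_titles_unsafe(conn, user_id):
    # Second-order flaw: the value came out of the database, so it is treated
    # as trusted and concatenated into the SQL text.
    login = _login_for(conn, user_id)
    sql = ("SELECT post_title FROM demo_posts WHERE post_status = 'publish' "
           "AND post_author = '" + login + "' ORDER BY post_title")
    return [r[0] for r in conn.execute(sql)]

def published_titles_safe(conn, user_id):
    # Same query with the stored value bound as data, never parsed as SQL.
    login = _login_for(conn, user_id)
    sql = ("SELECT post_title FROM demo_posts WHERE post_status = 'publish' "
           "AND post_author = ? ORDER BY post_title")
    return [r[0] for r in conn.execute(sql, (login,))]

if __name__ == "__main__":
    db = make_db()
    uid = register(db, "x' OR '1'='1")   # constructed hostile login
    print("unsafe:", published_titles_unsafe(db, uid))
    print("safe:  ", published_titles_safe(db, uid))
```

The unsafe version returns another author's draft because the stored login rewrites the `WHERE` clause; the safe version returns nothing for that login.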

Unfortunately, the nature of web development (heck, of just using computers in general) is likely never going to be "set it and forget it"-- new vulnerabilities are constantly being found for old software, so you either need to stay vigilant or hire someone who is.

With that said, I'll Nth the suggestion of: auto updates, strong PWs, and limited plugins.
posted by gwint at 9:59 AM on May 12, 2016

There were a bunch of Wordpress hacks a few months ago. Like others have said, you can make it secure, but there are really no guarantees. I've moved to Squarespace (or similar services). It does enough of what I want without me having to worry about it.
posted by cnc at 11:04 AM on May 12, 2016 [1 favorite]

> The biggest security holes in a standard WP installation are likely to be old, outdated, poorly written plugins.

Or themes. Because themes can have as much going on as plugins, and are easier to forget about.

If you pay for WP themes or plugins -- particularly ones that are only obtainable from a members-only download area -- then you either need to keep paying for access to security releases or remove them when you stop paying for access. You also need to subscribe to their update emails, read them, and act on them.

I saw a lot of sites get dinged by an arbitrary-upload vulnerability in Gravity Forms, and though I think the developers provided patches outside their paywall, the fact that it was a paid plugin meant that it wasn't part of the standard auto-update process so sites remained unpatched for longer.
posted by holgate at 5:44 PM on May 12, 2016

Since the car analogy has reared its ugly head: Using wordpress is like choosing to use a very well-maintained steam locomotive rather than a modern electric car. Yes, it has a nice coal auto-feeder and a nice automatic throttle control to slow it down on the bends, and other modern conveniences that've been added on over the years, and there are all kinds of wonderful carriages you can hook up to it, but it's still running on coal and due to explode if you leave it unattended or tighten that screw the wrong way or derail when it hits a quarter left on the track.

It is many generations behind the current state of the art in writing maintainable, correct, secure software (which can, for example, completely eliminate SQL injection attacks). Its basic design leads to insecure webserver configurations -- files uploaded to the webserver should never be able to be run as programs, but since wordpress is PHP code that is installed inside the web root, the webserver has to be (mis)configured to allow that.

.. And it may turn out all you really needed to get around was a bicycle.
posted by joeyh at 9:22 PM on May 12, 2016
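
Added example, not part of the thread: a Python audit of a WordPress directory for the two file-level problems raised here, script files sitting under `wp-content/uploads` and permissions set too loosely. The extension list and the rule that `wp-config.php` should not be world-readable are assumptions of this sketch.

```python
import os
import stat
import sys

# Assumption: extensions a typical PHP handler might execute.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}

def audit_wordpress_tree(root):
    """Return sorted (issue, relative_path) findings for a WordPress directory."""
    findings = []
    uploads_prefix = os.path.join(root, "wp-content", "uploads") + os.sep
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets and other non-regular files
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            # Uploads hold user-supplied content; nothing there should be code.
            if path.startswith(uploads_prefix) and ext in SCRIPT_EXTS:
                findings.append(("script-in-uploads", rel))
            # Any local account could rewrite this file.
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            # wp-config.php carries the database credentials.
            if rel == "wp-config.php" and mode & stat.S_IROTH:
                findings.append(("config-world-readable", rel))
    return sorted(findings)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for issue, rel in audit_wordpress_tree(target):
        print(f"{issue:24} {rel}")
```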
