Is WordPress Secure?

I recently got a call from a friend I haven’t seen for a while asking me if I’d like to grab a coffee. He had a few questions about whether WordPress is secure. I’m always looking for an excuse to visit the hip Georgetown neighborhood just south of Seattle, so I jumped at the chance. Plus Chris is an all-round awesome guy who works for a well-known social media startup, so I wanted an update!

It turns out they were going to be launching a new website soon and were looking for a robust CMS. WordPress was the obvious choice, but they had grave concerns about security, since the company has a ton of visibility and could become a target for attack. It’s interesting when a good friend asks you a question like this because it makes you reevaluate your opinions and assumptions and make darn sure you’re providing advice that will set up this person that you care about for success.

Chris and I had a great chat, and I think it would be most helpful to distill my thinking on whether or not WordPress is secure into a FAQ format regarding the subject.

Is WordPress Secure?

The short answer is yes, but it does require a modest amount of work and education on the part of the site owner.

Keeping Core Up to Date

For WordPress to be secure, you must keep the core application up to date. The good news is that WordPress actually does much of this job automatically. If you have the default configuration, then when the core team releases a minor version of WordPress, it will upgrade to that new minor version automatically. Security fixes are released as minor versions.

So when a security fix is released, unless you’ve specifically configured your site to not update automatically, your site will update to the newest security fix and you will be protected from an emerging vulnerability.

To be clear, WordPress versions come with three numbers separated by dots. The current version is 4.9.4. The number to the far right is the minor version, so when that changes, your site will be automatically updated. When 4.9.5 is released, your site will automatically update. When 5.0.0 is released, it will not.
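The auto-update rule above as an added example, not code from the post or from WordPress itself: a small Python model of the decision, assuming the same three values that the WP_AUTO_UPDATE_CORE constant in wp-config.php accepts (true, false, 'minor'); the function names are the author's own.

```python
"""Decide whether WordPress's default auto-updater would apply a release.

Added example, not Wordfence's or WordPress's code. It models the rule the
post describes: with the default configuration, core updates itself only
when the right-most number (the "minor" version, in the post's terminology)
changes, so 4.9.4 -> 4.9.5 is automatic and 4.9.4 -> 5.0.0 is not.
"""
from __future__ import annotations

from typing import Tuple, Union

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (or 'X.Y', which WordPress uses for .0 releases) into a tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a WordPress version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def auto_update_applies(current: str, candidate: str,
                        policy: Union[bool, str] = "minor") -> bool:
    """Return True if the candidate release would be installed automatically.

    policy mirrors the values WP_AUTO_UPDATE_CORE accepts in wp-config.php:
      "minor" (the default): only same-branch releases, e.g. 4.9.4 -> 4.9.5
      True:  any newer release, including 4.9.4 -> 5.0.0
      False: never update core automatically
    """
    cur, new = parse_version(current), parse_version(candidate)
    if new <= cur:
        return False            # same version or a downgrade is never applied
    if policy is False:
        return False
    if policy is True:
        return True
    if policy != "minor":
        raise ValueError(f"unknown policy {policy!r}")
    # Default behaviour: same major.minor branch, only the last number moved.
    return new[:2] == cur[:2]


def describe(current: str, candidate: str, policy: Union[bool, str] = "minor") -> str:
    """One-line summary a site owner could read in a status report."""
    verdict = "will" if auto_update_applies(current, candidate, policy) else "will NOT"
    return f"{current} -> {candidate}: site {verdict} update automatically (policy={policy!r})"


if __name__ == "__main__":
    for target in ("4.9.5", "5.0.0"):
        print(describe("4.9.4", target))
```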

Keeping Plugins and Themes Up to Date

You will also need to keep your plugins up to date. This does not happen automatically, except in rare cases where the plugin author provides that functionality. Our security plugin updates automatically when we release a new version. Most plugins don’t. But again, we have some great news. In cases where there is a severe plugin vulnerability, the WordPress security team has the ability to force plugin security updates, and has done so in the past. They have never automatically updated a theme, but they have the ability to do that, too.

In general, though, minor vulnerabilities that a plugin author fixes are not updated on your site automatically. That is why keeping your plugins up to date is one of the most important things you need to do to keep your site secure.

Protecting Yourself During the Window of Vulnerability With a Firewall

When a vulnerability does occur in a plugin or theme, there is a lag time between the vulnerability discovery and when a fix is released. We refer to this as the “window of vulnerability”. To protect yourself during this time, you need a firewall that is being actively maintained by a security team and that includes real-time updates.

The Premium version of Wordfence does exactly that. Our team works proactively to discover new attacks and to release firewall rules as soon as a new vulnerability is discovered. This protects our customers during the window of vulnerability, while the vendor works to release a fixed version of their software.

Zero Day Vulnerabilities Timeline

Reducing Your Attack Surface

You will also need to work to reduce the number of things that can be attacked on your website. Think of your website as a giant dartboard: a hacker throws darts that only have to hit the board somewhere. The more plugins you run, the more themes you have installed and the more web applications you run, the bigger the surface area the attacker can hit. Reduce your attack surface by removing unused or unnecessary applications, and you become a much smaller target; your website will also be much less work to maintain. You should also remove any unused accounts, especially administrator accounts, on your WordPress website.

Practicing Good Security Hygiene

Finally, you and the users of your website will need to practice good security hygiene. That means you should:

  • Use strong passwords that are not easily guessable. We recommend using a password manager like 1Password.
  • Enable two-factor authentication. (Wordfence Premium provides this.)
  • Make sure you have reliable backups of your website.

The Basics Are Actually Not That Much Work

If you have these basic ingredients for security in place, you will be starting from an excellent base security posture. To summarize, the items I have mentioned so far are:

  1. Keep WordPress core updated. This happens automatically most of the time.
  2. Keep your plugins, themes and other web applications up to date.
  3. Use a firewall that is updated in real time.
  4. Reduce your attack surface by removing unnecessary plugins, themes, web applications and user accounts.
  5. Practice good security hygiene by using strong passwords, enabling two-factor authentication and ensuring your backups are reliable.
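An added example (not Wordfence's code) that turns items 2 and 4 of this checklist into a repeatable check: it reads plugin and user inventories in the JSON shape that the WP-CLI commands `wp plugin list --format=json` and `wp user list --format=json` emit and reports what to update or remove. The inventory data below is constructed, and the allow-list of expected administrators is an assumption the site owner would supply.

```python
"""Audit a WordPress site inventory against the post's checklist.

Added example, not Wordfence's code. Input is the JSON shape produced by
`wp plugin list --format=json` (fields name/status/update/version) and
`wp user list --format=json` (fields user_login/roles). It reports the
items the post lists: plugins with pending updates (item 2), and
inactive-but-installed plugins and extra administrator accounts (item 4).
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import List

# Constructed sample output; no real site was queried.
PLUGINS_JSON = """[
 {"name": "wordfence", "status": "active", "update": "none", "version": "7.1.0"},
 {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.2"},
 {"name": "contact-form", "status": "active", "update": "available", "version": "4.8"},
 {"name": "hello", "status": "inactive", "update": "none", "version": "1.7"}
]"""
USERS_JSON = """[
 {"user_login": "mark", "roles": "administrator"},
 {"user_login": "editor1", "roles": "editor"},
 {"user_login": "olddev", "roles": "administrator"},
 {"user_login": "admin", "roles": "administrator"}
]"""


@dataclass
class Findings:
    inactive_plugins: List[str] = field(default_factory=list)  # remove: attack surface
    outdated_plugins: List[str] = field(default_factory=list)  # update: window of vulnerability
    extra_admins: List[str] = field(default_factory=list)      # review or remove accounts

    def is_clean(self) -> bool:
        return not (self.inactive_plugins or self.outdated_plugins or self.extra_admins)


def audit(plugins_json: str, users_json: str, expected_admins: List[str]) -> Findings:
    """Compare the inventory with the checklist; expected_admins is the owner's allow-list."""
    findings = Findings()
    for plugin in json.loads(plugins_json):
        name = plugin["name"]
        # Deactivated plugins still ship their files, so they still count as attack surface.
        if plugin["status"] != "active":
            findings.inactive_plugins.append(name)
        # Active or not, a pending update usually means a known fix is waiting.
        if plugin.get("update") == "available":
            findings.outdated_plugins.append(name)
    for user in json.loads(users_json):
        roles = user["roles"].split(",")  # WP-CLI joins multiple roles with commas
        if "administrator" in roles and user["user_login"] not in expected_admins:
            findings.extra_admins.append(user["user_login"])
    return findings


def render(findings: Findings) -> str:
    """Human-readable report keyed to the post's numbered checklist."""
    lines = []
    if findings.outdated_plugins:
        lines.append("2. Update: " + ", ".join(findings.outdated_plugins))
    if findings.inactive_plugins:
        lines.append("4. Remove unused plugins: " + ", ".join(findings.inactive_plugins))
    if findings.extra_admins:
        lines.append("4. Review admin accounts: " + ", ".join(findings.extra_admins))
    return "\n".join(lines) if lines else "No findings."


if __name__ == "__main__":
    print(render(audit(PLUGINS_JSON, USERS_JSON, expected_admins=["mark"])))
```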

This may sound like a lot, but it really is not. Once you have configured your WordPress site with a firewall, enabled two-factor authentication, removed any applications and plugins you don’t need, and set up strong passwords, the only thing you need to do regularly is update your website plugins when needed and occasionally verify your backups. In addition to this, I would suggest keeping abreast of WordPress security trends and any ‘big’ security news. This blog consistently covers big news and important threats in the WordPress security space, so subscribe to our mailing list and you’re all set.

What About the XYZ Alternative CMS? Isn’t That More Secure?

This question comes up a lot. I think the best way to illustrate my thinking on this is with a bell curve. Imagine a curve where the X axis is how evolved a software product is and the Y axis is the number of security incidents. I’ll provide names for each evolutionary stage.

Invention

On the far left, you have a brand new CMS or other software web application that is used by the one guy that wrote the software. Hackers aren’t interested in finding vulnerabilities in this software, because it will only enable them to hack a single site. Researchers aren’t looking at the code because securing a single website won’t bring them much recognition. Vulnerabilities aren’t going to get found by hackers or researchers, and won’t get exploited. The likelihood of this very early stage software getting hacked is low.

Discovery

As the new application gains popularity, it becomes a more interesting target, because a vulnerability enables an attacker to exploit more websites. The software is early stage, so there are no security processes, teams and vendors supporting the new CMS. You can’t buy a firewall for the product. Security researchers are focused on more popular products. Hackers are beginning to discover it is a target. At this point, the number of security incidents reported in this software is rising on a steep curve.

Growth

Once the new application hits a steep growth curve, hackers begin to take a major interest. There are now enough installations out there to make it very much worth their time. The new application is still not close to the most popular CMS in terms of usage and is still not receiving much attention from researchers, volunteer teams or vendors.

During this time, the new application is extremely vulnerable. Major incidents will occur in the evolution of the software. WordPress was in this phase from about 2007 to 2013: this is when we saw the Timthumb hack, auto-update was not yet available, and security vendors were just beginning to emerge, including Wordfence, which launched in 2012. The number of security incidents during this period puts the application on the map as a target and a product worth protecting.

Maturity

As a security community develops around the application, the frequency and severity of security incidents begin to drop. A community of passionate security researchers evolves around the product. Methodologies emerge for reporting and fixing vulnerabilities securely and confidentially so that hackers never have the opportunity to exploit them.

In the WordPress universe, we still see the occasional security issue like the large scale defacement campaigns that occurred early last year when a vulnerability appeared in WordPress core. But in the Mature phase, these incidents are short and sharp because the vulnerabilities are rapidly fixed by the competent security team that has evolved around the product and with the assistance of outside researchers and vendors.

Third party security products like Wordfence are able to mitigate the impact by preventing attacks. Where incidents do occur, incident response is available in the form of site cleaning services, to ensure rapid recovery.

Where WordPress Stands

WordPress is very much in the mature phase of its security evolution, and as it continues to evolve, the number of security incidents will continue to decline and stabilize. When choosing whether you want to use a newer or alternative CMS, consider which phase of the evolution the product is in and where it will be headed in the coming years.

Someone Suggested a Static Website. Isn’t That Unhackable?

An alternative approach that some are taking is to build a website that is completely static HTML and CSS with no PHP or other application components. This does not have an application that an attacker can exploit, and the website can be configured so that it doesn’t even have the ability to execute PHP, so that hackers can’t run their code.

In theory, this website is far more secure than a PHP application like WordPress. The problem is that, other than serving pictures and text, it won’t actually be able to do anything. No comments, forms, content management, e-commerce or any other application functionality. That makes this option unfeasible for most site owners.

It’s also worth pointing out that the web server itself is an application, and there have been many vulnerabilities in web servers like Apache and Nginx reported. Eliminating the application does not make a website immune from exploitation.

Is a Cloud CMS More Secure?

For many users, a cloud CMS may never be an option because they need 100% ownership and control of their website, intellectual property and data. But if you are considering partially or fully outsourcing your website to a cloud CMS, you should keep in mind that cloud services are not immune from security breaches either.

In October 2017 we saw the cloud comment service Disqus report a major security breach which exposed the data of 17.5 million users. In February of last year we saw cloud firewall provider Cloudflare experience a breach when their systems leaked sensitive user data.

Cloud services are attractive targets for attackers because they have everyone’s eggs in their one basket. Their developers are also human and are prone to err like the rest of us. Self-hosted WordPress as a CMS platform gives you the benefit of complete control of your own security, and a community of researchers, vendors and volunteers to help you secure your site.

Are WordPress Hosting Providers Secure?

Most WordPress hosting providers do a reasonably good job of securing their customers, but occasionally we encounter a host that has what we refer to as a ‘service vulnerability’. In these cases, no matter what the site owner does to secure their own site, their site remains vulnerable due to a flaw in the hosting provider’s security posture.

Our team has developed a service vulnerability disclosure policy. When we discover a service vulnerability, our team works confidentially with the hosting provider to fix the problem. Once the issue is fixed, we publish the details. So far we have worked with four hosting companies and have successfully helped them fix their underlying security issues in all cases. We wrote about three hosting providers with service vulnerabilities in February and published details on a fourth this week.

When selecting a WordPress hosting provider, choose a provider that is reputable, responsive to fixing security issues and provides you with clear answers to any questions you may have about security.

Whether you choose WordPress as your CMS or an alternative platform, you will need to host your website somewhere. Because WordPress represents a very large and attractive market for hosting providers, the best hosts in the world have focused on providing hosting for WordPress. This gives site owners plenty of options to choose from among the largest hosting companies in the world.

A Security Researcher Said WordPress Is a ‘Security Disaster’. Is This True?

Security researchers make a living by selling security products or consulting services. They also have egos. Our industry has had a contentious relationship with vendors who make software for as long as hackers and security researchers have been around. As an industry we are working to change that. For a view into someone leading this change, check out Facebook CSO Alex Stamos’s keynote address at Black Hat 2017.

Often vulnerability reports about WordPress core or plugin vulnerabilities are associated with hyperbole about the platform itself. WordPress is like any other application in that it occasionally has vulnerabilities. But as I discussed above, WordPress has entered a mature stage of its security evolution, and while vulnerabilities still occur, they are dealt with rapidly and in an organized and effective way.

Is WordPress Secure? That Depends on You.

WordPress can be a very secure, highly functional and well-supported platform that can serve you or your organization and scale for decades. But this requires that you follow the basic security steps I outlined above and that you stay abreast of the latest security developments.

If you run a WordPress site or are just beginning to embark on your WordPress journey, know that you have a massive community behind you, including our team, to help you secure your website for the long term. As always, I encourage you to share your WordPress security perspectives in the blog comments below.


Comments

31 Comments
  • Very nice post thanks

  • Hello,
    Just curious, if you have a plugin that is "Deactivated" but still in the plugins folder. Does that plugin still pose a potential security risk in the future?
    Thanks,
    Clint

    • It does because the files are accessible from the net. Timthumb is a great example of a deactivated plugin that would still have a vulnerable component - timthumb.php in this case.

  • Thanks for this article.

  • Excellent point of view on Wordpress security!

  • Thanks Mark. Good article that I will share with as many as possible. I ALWAYS read your posts.

  • As the owner of a small, self-hosted blog it's reassuring to have these security tips outlined so clearly and know I am doing everything I can to keep my website safe. Thanks Wordfence!

  • I used to lie awake at night wondering if my blog is as secure as it could be. I no longer worry about that because I have a pretty good security process worked out, including the awesome WordFence plugin.

    I've been using WordFence myself and recommending it on my blog for over two years now, and I've felt good about my blog's security ever since.

    I have VaultPress making daily backups of my blog just in case, but WordFence takes virtually all of the worry out of maintaining a busy blog.

  • Mark,

    I need clarity on the following:

    "It’s also worth pointing out that the web server itself is an application, and there have been many vulnerabilities in web servers like Apache and Nginx reported. Eliminating the application server does not make a website immune from exploitation."

    You reference "application" and "application server" in your post and I think that is somewhat confusing. In a traditional LAMP setup, you have the base OS installed on the server (Linux), you have Apache or Nginx, MySQL, and PHP. The web server in this case sits on the Linux server, and I'm assuming when you say application you're referring to the PHP piece, correct? Is PHP essentially the CMS that sits on the web server, or in your comment is PHP separate from the CMS as its own application that is required to run the CMS?

    • That was a typo. I corrected it to say 'application' and not 'application server'. Thanks.

  • This is a great post, and provides good balanced input (IMO) for the small, but attentive, user. If I were running a commercial business.... I don't know. In the past 24 hours, the Wordfence network has blocked from 1.2 million to 1 million attacks. The hacker threat is a daunting threat on any network of blogs, and WordPress has been a regular target, unfortunately. If I knew five years ago what I know now, I am not even sure if I would have invested in any blog. From a business perspective, there becomes an issue with cost/benefit analysis. Is it worth the investment? For a business, if they believe yes, I would consider Cloud CMS, but then you also have to pay for that, which is about $800/month for biz-level. For businesses that can't afford it, then they need to have a serious discussion as to whether they really have the resources to manage a blog. It should not have to be a part-time job for a business staffer, but it could be. Thank goodness for Wordfence for all of us using WordPress blogs for smaller blog efforts and resources, and we have the time to concentrate on it (PT of course). Since there are a "lot" of us on WordPress, there is a good user base. But knowing some commercial businesses the way I do, I would be surprised if they really had the resources to focus on brute force attacks on blog, etc., but then again there are many, many thousands more of us, then there are of such corporate customers.

  • Completely agree with Rick Rouse here. Wordfence makes a tremendous difference to WordPress bloggers. Honestly, without Wordfence I am 99 percent certain I would have shut down my blog 2 years ago. Today, if Wordfence ever stopped, I would shut down my blog that same day.

  • I own two companies with a major investment in WordPress. One builds and hosts WordPress websites and the other provides maintenance services. I will admit that it has crossed my mind lately to consider a new CMS due to how many security events I deal with for my sites and clients. After reading this, I'm completely secure in my WordPress investment. I now know how to respond when people express concern about WordPress security. Thanks for "putting this down on paper" Mark!

  • Do you know about (and have an opinion about) "easyupdates"? which has recently been bought by updraft. I am running this on all my sites and seems to be keeping the plugin and themes etc up to date with not quite so much effort on my part.

    • No we do not.

  • Yes, websites can be prevented from running php.
    However, I'm sure WordFence has cleaned up a number of sites where there was a js hack.
    Is it possible to stop js from running? Well, you can on the client side (though hardly anything will work.)

    I am not sure how server side js enters into this equation or the fact that a while back Mullenweg said js was WordPress's future.

    Would love some feedback about these questions.

    Thanks!

  • Great post, thanks so much.

  • I personally go even further. For example Wordpress does NOT run as the same user that owns the files. That means the web server can't write changes to the code itself as it is permission locked.

    Second I update Wordpress via SVN that way no FTP access or again files owned by same user as running the files is allowed. This again prevents unauthorized code changes.

    I deploy a custom BASH script to auto update all plugins via cronjobs. This again means less code running and only the owner of the actual files can update them.

    Finally all files are sync daily into a backup ZFS pool so I can see and rollback ANY changes period. The backup server is not the same server, OS, or even in the same datacenter as the source nodes. Also source nodes are not allowed to contact the backup server as it is one way via firewall rules, user permissions, and SSH keys.

    • Thanks Jeremy. Sounds like a custom setup. This works for some, but many admins don't like to lose the ability to update via the WP UI. These file permissions would remove that ability.

  • WordPress is most definitely NOT secure. Knowing what I know now after having Wordfence installed for about 2 years, I will NEVER recommend WordPress to another client.

    Quote:
    Is WordPress Secure?
    The short answer is yes, but it does require a modest amount of work and education on the part of the site owner.

    That means the answer to the question, for the average user, is NO. It's secure only AFTER you get hacked (typically within 60 minutes to 48 hours after installation), do hours of cleanup and homework, and install and configure third-party protection plugin(s). There is no way that your regular, everyday users, especially first time users, are even going to think about doing that stuff, let alone actually perform the actions. Experienced or highly technical users will. But the vast majority of people who install aren't. Should they know more and do their research first? Yeah, sure. Will they? Nope. And therefore WordPress is NOT secure. WordFENCE is secure. WordPRESS is NOT.

    • Hi Max,

      This actually applies to any application, OS or system. Getting secure and staying secure requires some work and some learning.

      Mark.

  • Thank you for sharing your insights, as always. Nicely done and much appreciated!

  • Thanks for all your good advice!

    I use Xubuntu and everybody says if you use Linux you don't need to care about security problems.

    And when I try to find some protection, I don't find any interesting program for that.

    Do you think, like many others, that I don't need to protect my computer if I use an updated Ubuntu (Xubuntu)?

  • Good point! --> Security researchers make a living by selling security products or consulting services. They also have egos.

  • Thanks for the info, the post is information rich and helpful.

  • Thanks for the post, Mark. I especially liked the part where you explained how software is evolving. I couldn't agree more with your assessments and this is certainly an article that I'll send people to every once in a while from now on. :-)

  • Good article, and I found your CMS "evolutionary" graph very interesting.

    The only small quibble is your comments about static sites... "The problem is that, other than serving pictures and text, it won’t actually be able to do anything." In fact, static sites can do a whole lot, when you combine them with third-party providers like Formspree and Disqus. And add in static site generators and services like Netlify that handle the whole hosting, DNS, SSL, GitHub, and SSG rendering process, and they are becoming a very attractive option compared to the traditional CMS. Not for more complex sites of course, but my first approach is always to consider whether a static site can do the job.

  • Great article. Thorough and objective. Really appreciate this summary.

    The thing about password protectors, such as 1Password, is that they, too, have been hacked. My own feeling is that I stand a better chance of securing my online activity by using several passwords, than by putting all of my eggs, however unique, into one basket.

    I'd like to see an article by WordFence about this. No one seems to talk about it.

  • Bruce, as to password managers I can vouch for two services:
    - Last Pass (proprietary software), has most awesome functionality and encryption so even if the cloud is hacked your data is encrypted. LastPass was hacked in the past and it wasn't a big deal for the users; LastPass also handled it well, so all in all, the service checked out as robust in the face of issues. LastPass also has nice features such as checking if a password is secure enough, how long ago it was changed, it can trigger mass password changes on many sites, report if a service you store the password for was hacked so you need to change passwords, etc.
    - Bitwarden (open source software), a newcomer on the scene with almost equal functionality as LastPass but being open software, it's even more trustworthy. Some small features are missing, some additional, great features are present (that are not on LastPass) so in overall that's the only solution that is equal to LastPass currently. Also data is encrypted before sending to cloud. It's easy to move whole password data from LastPass to Bitwarden.

    All other password managers are primitive and rudimentary in comparison to those two. Once you start using either of them, you can't go back to using lesser ones.

  • I would add that the hosting policies and practices of the CMS creators also matter as to whether a CMS is secure. This includes the CMS code repository and the plugin/theme repository. If the source code of the CMS itself or the plugins become compromised at source, there is little that the CMS user can do until the compromise is discovered.

    The Wordfence blog and the company behind it has done a great job of exposing these kinds of problems with plugins being sold to malicious buyers and the buyer injecting malicious code into plugins which get installed onto thousands of websites without the website owners being aware that anything is wrong.

    Wordpress.org owners, in my opinion, dropped the ball on this by not taking greater care in curating who has access to the plugin repository. Since several plugins I used were taken over and compromised, I lost faith in Wordpress as a secure platform. I don't know if this issue has been resolved at Wordpress.org yet.

    Although the perspective of code ownership is somewhat different, Drupal.org seems to have a much more robust policy over module ownership and contribution which ensures problems like the above are much less likely to happen.

    How has Wordpress.org changed to reduce the likelihood of malicious actors taking over ownership of plugin repository code to push it out to Wordpress users?

    Thanks.

  • Regarding reliable password managers, I would like to add Roboform to the list. It didn't use to make the grade, but the 8.0 edition finally cuts the mustard.