How Secure Is WordPress

WordPress security: its greatest strength is also its greatest weakness

How secure is WordPress? Not particularly, because it comes with a number of serious weaknesses. And because more than 40 percent of the internet currently runs on WordPress, it is a popular target for attacks. The good news is that the most important weaknesses are easy to eliminate.

The beauty of WordPress is that anyone can use it. All you really need is an internet connection and you can get started. The security of WordPress is a completely different story. Perhaps precisely because it is so easy to use, not everyone stops to think about how secure WordPress actually is out of the box.

In any case, WordPress tends to be very insecure because of its great strengths: its incredible range of functions and its diverse designs. The modular structure offers plenty of points of attack, and of course attackers exploit them. They do so automatically, around the clock, 365 days a year.

But don't worry: these built-in weaknesses in WordPress are very easy to eliminate. And, to begin with, without any additional security plugin.

Of course, I'm not trying to talk you out of using your security plugin. It may even be very useful in some circumstances. But securing your WordPress website doesn't end with installing a plugin. And before you get into shadow-boxing matches with pseudo-threats, it makes more sense to first compensate for the fundamental weaknesses of WordPress.

In detail, today it is about:

  • the admin area and why it is so vulnerable
  • the weaknesses of the modular structure of WordPress
  • the role of WordPress hosting in the basic security of your website

"But my website isn't interesting enough"

Make no mistake: this assumption is simply wrong. Every WordPress website is a valuable target. For example, as a spam slinger, part of a botnet or an advertising platform for phishing websites.

And in case of doubt, it doesn't matter how small, new or little visited your website is. After all, you and your business are the ones who suffer in the end anyway. It can happen that your newsletter is classified as spam, users are warned against visiting your website and your Google ranking suffers because your website is on a blacklist.

What I'm trying to say is that WordPress websites are an easy target simply because of their popularity and prevalence. Regardless of their content and purpose.


The WP admin area is particularly vulnerable

The login page is accessible via the suffix "wp-admin" by default. This is why it is a particularly frequent target of attacks, especially so-called brute force attacks. These attacks are among the most common hacks against WordPress websites because they are easy to automate. A brute force attack simply tries to guess the correct combination of user name and password. So if the password is weak or the login area is not protected, one of two things can happen: the brute force attack succeeds and someone else logs into your WordPress, or the massive number of login attempts paralyzes your website.

Wordfence, the well-known manufacturer of the security plugin of the same name, recorded an average of 34 million brute force attacks every day in March 2017 alone. In comparison, so-called "complex attacks", i.e. attacks that exploit specific security vulnerabilities, are at a level of 3.8 million attacks per day.

Figure: Statistics on the brute force attacks counted by Wordfence in March 2017. The March report from Wordfence shows that the plugin manufacturer recorded an average of around 34 million brute force attacks per day, with a particularly high number in the middle of the month.

However, as Wordfence naturally only counts attacks that have been blocked by its own software, the number of unreported cases is even higher.

But the good news is: Although the attack on the WP admin area is very easy and can be automated quickly, the protective measures against it are very simple. To secure your WP admin area, you can put up protective walls in three places:

  1. At the WordPress level, through strong passwords
  2. At login itself, by limiting the number of login attempts
  3. Before login, through a blacklist

1) The old chestnut: strong passwords

Brute force attacks are very stupid attacks. They are basically just guessing. That's why a strong password alone can be enough to stop them in their tracks. So let's keep it short: a strong password is mandatory. This means letters, numbers and special characters, as well as upper and lower case. And, of course, two-factor authentication is also a good idea.

TIP: Password managers not only make it easy to create secure passwords, but also to manage them. Apple computers, for example, offer a convenient way to manage your passwords offline with the "Keychain Management" program. All you have to do is remember a master password (which should of course be as complex as possible). Cloud-based password management programs such as 1Password, LastPass or X-Key Pass also work in the same way.

2) Limit the number of logins

You can see it impressively in the figures from Wordfence: Brute force attacks are the most common attacks on WordPress websites. The likelihood of your website falling victim to such an attack is therefore very high. And to prevent the high number of login attempts from putting unnecessary strain on your website, you have the option of limiting them.

For example, an IP is blocked for a certain period of time after three failed attempts. If the same IP then reaches the limit again, the blocking period increases with each repeat. This very quickly limits the number of possible attempts to such an extent that the attack becomes useless.

Depending on how low the blocking threshold is set, this procedure can also protect against an attack with changing IPs. The easiest way to implement this protection for your login area is via plugins. For example, you can use WP Limit Login Attempts, Login Lockdown or one of the major security plugins such as Sucuri, Wordfence or All in One WP Security. The websites hosted by Raidboxes are already equipped with brute force protection on the server side. An additional plugin is therefore not necessary here.
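An escalating per-IP lockout of the kind described above, written here as an added example (not code from Raidboxes, WordPress core or any of the plugins named). It assumes a policy of three failures within an hour, a first lockout of 15 minutes that doubles on each further lockout, and uses WordPress transients together with the `authenticate`, `wp_login_failed` and `wp_login` hooks.

```php
<?php
// Added example, not code from Raidboxes or any plugin: escalating per-IP login lockout.
// Assumed policy: 3 failures within an hour lock the IP for 15 minutes; each further lockout doubles.
const EXAMPLE_MAX_FAILURES   = 3;
const EXAMPLE_FAILURE_WINDOW = 3600; // one hour, in seconds
const EXAMPLE_BASE_LOCKOUT   = 900;  // 15 minutes, in seconds

// REMOTE_ADDR is the TCP peer. Behind a trusted reverse proxy it must be replaced by the
// proxy's forwarded-for header, otherwise every visitor shares the proxy's address.
function example_lockout_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return $prefix . md5( $ip );
}

function example_ip_is_locked() {
    return false !== get_transient( example_lockout_key( 'ex_lock_' ) );
}

// Priority 30 runs after core's own authenticate callbacks (priority 20), so a locked IP is
// refused even when the submitted password happens to be correct.
add_filter( 'authenticate', function ( $user ) {
    if ( example_ip_is_locked() ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 1 );

// Count failures per IP; at the limit, lock the IP and remember how many lockouts it has had.
add_action( 'wp_login_failed', function () {
    if ( example_ip_is_locked() ) {
        return; // attempts rejected by the lockout itself must not extend it
    }
    $fail_key = example_lockout_key( 'ex_fail_' );
    $failures = (int) get_transient( $fail_key ) + 1; // get_transient() returns false when unset
    if ( $failures < EXAMPLE_MAX_FAILURES ) {
        set_transient( $fail_key, $failures, EXAMPLE_FAILURE_WINDOW );
        return;
    }
    $level_key = example_lockout_key( 'ex_level_' );
    $level     = (int) get_transient( $level_key );          // previous lockouts of this IP
    $duration  = EXAMPLE_BASE_LOCKOUT * ( 2 ** $level );     // 15 min, 30 min, 1 h, 2 h, ...
    set_transient( example_lockout_key( 'ex_lock_' ), time() + $duration, $duration );
    set_transient( $level_key, $level + 1, 86400 );          // escalation is forgotten after a day
    delete_transient( $fail_key );
} );

// A successful login clears the failure counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key( 'ex_fail_' ) );
} );
```

Dropped into a small must-use plugin, this counts and locks per IP only; an attacker rotating through many addresses is limited only by the low threshold, which is exactly the trade-off the paragraph above describes.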

3) Blacklisting

Security companies such as Sucuri or Wordfence spend a large part of their working time analyzing attacks, and they publish these analyses at regular intervals. One of the most important aspects in these reports is regularly the origin of an attacking IP, because a disproportionate share of attacks comes from servers located in certain countries.

Blacklisting the corresponding IPs therefore makes perfect sense. Especially if the region is not relevant to your target group. This allows you to effectively repel attacks before they reach your website.

You can either create such blacklists yourself by implementing them at server level, or you can use a security plugin with a corresponding function.
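A WordPress-level blacklist of the kind described here, added as an example (not code from Raidboxes or any plugin): it refuses the login page to any address in a hand-maintained list of IPv4 ranges via the `login_init` hook, which fires before any credentials are processed. The ranges are constructed placeholders from the RFC 5737 documentation blocks, the CIDR arithmetic assumes 64-bit PHP, and behind a reverse proxy REMOTE_ADDR must be replaced by the proxy's forwarded-for header.

```php
<?php
// Added example, not code from Raidboxes or any plugin: deny wp-login.php to blacklisted IPv4 ranges.
// Constructed placeholder ranges (RFC 5737 documentation addresses), not real attacker networks.
const EXAMPLE_IP_BLACKLIST = array(
    '198.51.100.0/24',
    '203.0.113.0/24',
    '192.0.2.44',        // a bare address is treated as /32
);

// True if $ip lies inside $cidr. IPv4 only; assumes 64-bit PHP so ip2long() is non-negative.
function example_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        $cidr .= '/32';
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $bits        = (int) $bits;
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long || $bits < 0 || $bits > 32 ) {
        return false; // unparsable input never matches, so a typo in the list cannot block everyone
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function example_ip_is_blacklisted( $ip ) {
    foreach ( EXAMPLE_IP_BLACKLIST as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// login_init fires on every request to wp-login.php, before WordPress looks at any credentials,
// so a blacklisted client never reaches the password check and never costs a database lookup.
add_action( 'login_init', function () {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( example_ip_is_blacklisted( $ip ) ) {
        wp_die( 'Access to the login page is not permitted from your network.', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

Blocking at the web server or firewall, as the paragraph above suggests, is cheaper still because PHP is never started for the request; the list format and the range check are the same either way.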

Outdated WordPress

WordPress is a modular system. It consists of the core, i.e. the core software, the plugins and the themes. One of the biggest dangers for WordPress installations is that many WordPress websites do not receive regular updates.

There are many different reasons for this. These range from incompatibilities with plugins and themes to lack of knowledge or lack of time for an update.

The consequences of delayed core updates were impressively demonstrated in February 2017: a security vulnerability was discovered in WordPress version 4.7.1 and there were calls to update to version 4.7.2 as quickly as possible.

Within a very short space of time, the news provoked mass attacks on WordPress websites (as the vulnerability was not yet known before the official announcement). The manufacturers of the corresponding security software also provided figures on this: within just a few days, a total of one and a half to two million websites had been hacked. The vulnerability had previously been discovered by a Wordfence employee.

If you remember that more than 43 percent of the entire internet currently runs on WordPress, you can get a pretty good idea of what could happen if such a vulnerability were to go unnoticed. It is therefore advisable to automate WordPress core updates or have them automated.

Incidentally, this mainly applies to minor updates, i.e. three-part version numbers such as 4.7.4. These are the so-called "security and maintenance releases" and should always be installed as quickly as possible. For major version jumps, e.g. from 4.7 to 4.8, the situation is slightly different: here, the focus of the update is on new functions and general improvements.

Outdated plugins and themes

What applies to the WordPress core naturally also applies to plugins and themes: outdated plugin versions almost always contain security vulnerabilities, and avoidable ones at that.

The German Federal Office for Information Security (BSI) takes a similar view in its security study on content management systems. The BSI data relates to the period from 2010 to 2012: 80 percent of the officially reported vulnerabilities can be traced back to extensions, i.e. in most cases to plugins.

A search for exploits using ExploitsDatabase revealed over 250 exploits for WordPress. The majority of exploits for WordPress plugins have been entered here.

- BSI (2013): "Security study on content management systems (CMS)"

In practice, plugins are a preferred point of attack. And with more than 50,000 extensions in the official WordPress plugin directory, they are also a very productive one. The starting point for such attacks is gaps in the plugin code.

It is important to understand here: there will always be gaps like this. There is no such thing as a 100 percent secure system. And a lack of updates for a plugin or theme does not automatically mean that it is insecure, even though the update frequency is a good indicator of the quality of a manufacturer's support. It could just as well be that no security vulnerabilities have been discovered to date.

However, if any are discovered, the plugin provider will (hopefully) also provide an update that closes the gap. If they do not, attacks such as SQL injection or cross-site scripting (XSS) become possible. The former involves manipulating your website's database: for example, new admin accounts can be created, and your website can then be infected with malicious code or converted into a spam slinger.

XSS attacks are basically about placing JavaScript on your website. Among other things, forms can be injected into your website to steal user data, completely inconspicuously, over an SSL-encrypted connection and in a trusted environment.

And because plugins and themes offer so many points of attack, you should always pay attention to the number of plugins and make sure that you don't leave them deactivated, but actually uninstall them when you no longer need them.

Shared hosting

WordPress comes with these disadvantages as standard. However, since your website has to get online somehow, WordPress hosting is also an important security aspect. As the security of WordPress and WordPress hosting is a very complex and multifaceted topic, I would like to focus on the major disadvantage of shared hosting at this point. Again, this doesn't mean that I want to talk you out of shared hosting. It makes a lot of sense, especially from a price perspective. But shared hosting has a decisive disadvantage that you should be aware of.

With shared hosting, several websites are hosted on one and the same server. The websites also share the same IP address. This means that the status and behavior of one website can also negatively affect all other websites on the server. This effect is called the bad neighbor effect and relates to spamming, for example: if one website on your server causes the IP to be blacklisted, this can also affect your own site.

It can also lead to an overuse of resources, for example if one of the websites on the server is caught up in a DDoS attack or is affected by a massive attack. The stability of your own service is therefore always dependent to a certain extent on the security of the other websites on your server.

A virtual or dedicated server therefore makes perfect sense for professionally operated WordPress websites. Of course, the security concepts of hosters also include backup solutions, firewalls and malware scanners, but we will discuss these in more detail elsewhere.

Conclusion

WordPress is insecure. This is due to its modular structure. Its greatest strength can therefore become its greatest weakness. The good news is that you can get around this inherent weakness very easily. In principle, all you need to do is protect your admin account, use a strong password and keep everything updated.

Of course, these measures do not turn your website into Fort Knox. But they are the cornerstone of your security concept, because if you ignore them, that undermines all other security measures. And these are the aspects you can influence yourself. This is precisely why it is so important that you are always aware of them.
