Common WordPress Security Issues & How to Secure Your Site
Last night I was invited to speak at the Boulder WordPress meetup. My friend Angela drew a big crowd, and they listened intently to me talking a little too long about WordPress security vulnerabilities and what you can do to protect your WordPress site. That talk, like this article, is focused on protecting WordPress users and site owners from common security problems. I have a whole other course about what WordPress developers should do to keep WordPress secure. This article will intentionally simplify complex technical details, which often just cloud the story of security from a WordPress site owner's perspective. There are far too many complex acronyms in WordPress security conversations for them to make sense easily to most non-developers.
But without further ado, our structure here will be to first outline common WordPress security issues, and then offer the most important and easiest steps that give you the most benefit when it comes to WordPress security. As WordPress Security with Confidence explores at length, there are lots of other, harder, and less valuable things you can do. But for most people, the four WordPress security issues we outline and the five WordPress security tips we cover will be more than you need. Let’s get to it!
The Overarching Issue: Leaving Your Site Easy for Botnet Attacks
One of the ideas that brings the most clarity to WordPress security issues is what security people call a threat model. Your threat model is the set of factors in the world that could contribute to a future compromise of your WordPress site. For example, a WordPress site run for the President of the USA has a very different threat model than your candle shop or dentist office. While the President’s WordPress site would face the same biggest threat as you, it’d also have lots of others to consider. Most importantly: political and financial opponents, both foreign and domestic, who would love to give the US President a political blemish by showing that he (or she) is bad at cybersecurity.
Because most of us aren’t the president of any country (although “Hello” to Mr/Ms President), we should focus our WordPress security concerns on one major threat: botnets. Most WordPress security issues are simply problems when and if it’s possible for a botnet to successfully exploit it. Because other than your vindictive cousin you beat at dodge-ball in 2001 (drop the grudge, Donny!), by far the biggest threat to you is the marauding horde of security-exploit-wielding bots trying to take over sites. Botnets on their own are a source of hours of interesting speculation and complication, but just understand them as a puppet of one or many bad actors who want to take over as many WordPress sites as they can to do amorphous bad things with them.
Bots’ Favorite WordPress Security Vulnerability: Out of Date Code
By far the most common and likely cause of compromise of a WordPress site is out-of-date code. As with all evolving software, security vulnerabilities in WordPress (and in its plugins and themes) have to be treated as a permanent, recurring part of the ecosystem. Humans write software, humans make mistakes, and therefore all software will contain (security) mistakes from time to time. Fighting that reality is a great way to drive yourself bananas, but not a great way to live. Instead, accept and understand that the most common WordPress security issue will always be that some old version of WordPress, one of your plugins, or your theme contained a security vulnerability.
It’s worth saying that you can count on WordPress vulnerabilities getting patched once they’re known. Aaron Campbell, head of the WordPress security team, explained how that process works in the interview I did with him for WordPress Security with Confidence. But if you don’t update WordPress, you don’t get the benefit of the patch. Instead, you face the real downside of WordPress being open-source software: the fix is public the moment it ships, so attackers can read the patch, work out exactly what the bug was, and write an exploit for it. Every site still running the old version is then a known, documented target, and the bots start scanning for those sites soon after the release.
WP Security Issue #2: Poor WordPress Login Security
The next most common way that a WordPress site is compromised? You used a bad password. “Bad password” is hard to quantify very specifically. But one of the most common and easy attacks that threaten the security of a WordPress site is what’s called a “brute force” or “password guessing” attack. This is where a computer is simply set to try to log in to your WordPress site, guessing passwords until it finds yours. In practice the bots don’t try every possible combination; they work down lists of the most common passwords and of credentials leaked from other sites. There are ways to slow such attacks down, but if your password is “ilikebeer” or “kittens,” one of those guesses will land sooner or later no matter what else you do.
There are different counter-measures you can take, but brute-force and other password attacks are a really common cause of compromise. Understanding that bad passwords are a very serious WordPress security issue is an important first step.
Security Issue #3: Hosting Environment Insecurity
This is a combination of a couple of different WordPress security issues. But they’re related. You might compromise the security of your WordPress hosting environment because of oversight or neglect. Even the absolute best WordPress hosting can’t do anything if you make mistakes like:
- You run other insecure tools (or outdated WordPress installations) in the same hosting account. An outdated copy of WordPress sitting in a subfolder or subdomain of your WordPress site can be used to compromise all of them, because they share the same account and file permissions. So can a tool like Interconnect IT’s Search Replace DB, which is super useful for a developer, but which gives anyone who finds its URL read and write access to your database if it’s left sitting around.
- You run an outdated version of PHP, MySQL, or some other tool that WordPress depends on, one with known, unpatched vulnerabilities. Especially because WordPress continues to support versions of PHP that no longer receive security patches (at the time of writing, all the way back to PHP 5.2), this can be a source of compromise. Most hosting dashboards let you choose the PHP version; choose one that is still supported.
These are the two biggest issues. It also can happen (but is rare and mostly a distant memory) that your host has configured things insecurely, and a compromise of your account can come from someone else on your shared web server. That hasn’t happened on a large host for quite a number of years. But if you’re on “Joe’s Cheap Backyard Web Hosting,” I might be a little concerned about that possibility.
Security Issue #4: Other Ways to Your WordPress Site
There are many diverse and interesting ways into your WordPress site that don’t fit neatly into the categories above. These methods of compromise (which I’ve kind of lazily combined 🙃) include:
- A plugin, theme, or WordPress vulnerability for which no patch has yet been released (a “zero-day”) being used against your site.
- Your site being compromised because your hosting account was taken over through a bad FTP password or a compromise of your WP hosting dashboard.
- Your WordPress security being compromised by someone who works for or with you and wanted to take your site out.
- A previously trustworthy WordPress plugin being compromised intentionally by a new maintainer. (A “supply chain” attack, which is still uncommon but a real threat.)
Each of these represents a real threat, but one that is far less common as a cause of compromise than those listed above.
WordPress Security Tips: How to Secure your WordPress site
Secure your WP, Step #1. Update, Update, Update
Just as our #1 WordPress security issue was that you don’t keep everything up-to-date, the best thing you can do as a site owner to keep your WordPress website secure is simply to keep everything up-to-date. In the WordPress ecosystem there isn’t always a clear delineation between “security fix” and “new feature” releases. If there were, I could change this to “always get the latest security releases.” WordPress “core” does work this way: the point releases (4.9.1, 4.9.2, and so on, at the time of writing) are maintenance and security fixes that add no new features. It’s less common for plugins and themes to maintain separate security-only releases, so you’ll find it easier to “just update everything all the time.”
There are many ways to do this. WordPress core has updated itself for minor (security and maintenance) releases by default since version 3.7 in 2013. I highly recommend you leave that feature on. And if you’re comfortable with it, I love letting plugins auto-update as well. Here’s a Quick Guide about how I do that:
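One way to turn all of that on without touching the dashboard is a small must-use plugin. The file below is an added example (it is not code from this article or from WordPress itself); it only uses WordPress’s own update filters, and the plugin slug in the hold-out list is a made-up placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update everything (added example)
 * Description: Opt core, plugins, themes and translations into background updates.
 *
 * Save as wp-content/mu-plugins/auto-update-everything.php. Files in
 * mu-plugins load on every request and cannot be deactivated from the dashboard,
 * so an attacker (or a well-meaning colleague) can't quietly switch this off.
 */

// Core: minor releases already auto-update by default; this also opts in to
// major releases. It is the filter equivalent of
//   define( 'WP_AUTO_UPDATE_CORE', true );
// in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes and translations: always update.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

/**
 * Plugins: update everything except an explicit hold-out list.
 *
 * WordPress calls this once per plugin with the update object; $item->slug is
 * the plugin's directory name. 'example-customized-plugin' is a placeholder
 * for a plugin you have modified locally and therefore want to update by hand.
 */
function aue_auto_update_plugin( $update, $item ) {
    $update_by_hand = array( 'example-customized-plugin' );

    if ( isset( $item->slug ) && in_array( $item->slug, $update_by_hand, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_plugin', 'aue_auto_update_plugin', 10, 2 );
```

Two checks worth doing after installing it: none of this runs if wp-config.php defines `AUTOMATIC_UPDATER_DISABLED` or `DISALLOW_FILE_MODS` as true, and background updates only fire when WP-Cron runs (either from page views or from a real cron job hitting wp-cron.php), so look at Dashboard → Updates a day later and confirm that nothing is still pending. Auto-updating everything trades a small risk of a broken site for a large reduction in exposure; step #4 below (backups) is what makes that trade safe.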
Securing WP Step #2: Good Login Security
Again, our #2 WordPress security issue yields our #2 WordPress security tip: have a good login security system. Technically, you can strengthen your WordPress login security in a number of ways. In descending order of importance:
- Have a good login password for your WordPress account. Ideally your WordPress site password is long, unique, and random. Using “i AM in l0v3 with Kittehs!!!!!1” is a pretty good password, if you don’t also use it on Twitter, Instagram, CandleStore, and CoolPictures4Free. (Length and uniqueness matter far more than clever character substitutions.) Password managers are a big help here.
- Consider 2-Factor Authentication. 2FA doesn’t replace a good password, but using a time-based code on your phone, or even an emailed code, makes your WordPress login a lot more secure, because a guessed or leaked password on its own is no longer enough. If you’re already very comfortable with 2FA, adding your WordPress site to the things you access that way is an obvious win.
- Consider other login security challenges. Whether it’s a CAPTCHA on your login form, a limit on failed login attempts, or locking down your admin so it only works from certain IPs (too much of a hassle IMHO, but a big security win), there are a lot of other options. I think all of them are beneficial, but less important than a good password and, if possible, 2FA.
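As an illustration of the “ways to slow such attacks down” from issue #2, here is a minimal plugin that locks an IP address out after repeated failed logins. It is an added example, not code from this article or from WordPress; the limits (5 failures, 15 minutes) and the `slt_` names are arbitrary choices, and it relies only on hooks that exist in WordPress core (`authenticate`, `wp_login_failed`, `wp_login`, and the transient functions).

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 * Description: Locks an IP address out of wp-login.php and XML-RPC logins after
 *              repeated failures. Save as wp-content/mu-plugins/login-throttle.php.
 */

// Arbitrary limits for the example: 5 failures inside a 15-minute window lock
// the address out. Each failure renews the window, so a bot that keeps
// hammering stays locked out until it stops for 15 minutes.
define( 'SLT_MAX_FAILURES', 5 );
define( 'SLT_WINDOW', 15 * MINUTE_IN_SECONDS );

/**
 * The TCP peer address. Behind a CDN or reverse proxy every visitor shares the
 * proxy's address, so there you would read the header the proxy sets instead,
 * and only trust that header on requests that really came from the proxy.
 */
function slt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function slt_key( $ip ) {
    return 'slt_fail_' . md5( $ip );
}

/** Failed attempts recorded for this address in the current window. */
function slt_failures( $ip ) {
    return (int) get_transient( slt_key( $ip ) );
}

/**
 * Count every failed login. Transients live in the options table (or the
 * object cache), so the count is shared by all PHP workers and expires on its own.
 * Note that WordPress also fires this for our own 'slt_locked_out' error,
 * which is what keeps renewing the window while the bot keeps trying.
 */
function slt_record_failure( $username ) {
    $ip = slt_client_ip();
    set_transient( slt_key( $ip ), slt_failures( $ip ) + 1, SLT_WINDOW );
}
add_action( 'wp_login_failed', 'slt_record_failure' );

/**
 * Refuse locked-out addresses at priority 5, before WordPress's own
 * username/password handlers run at priority 20. Those handlers pass an
 * existing WP_Error straight through, so the password is never checked and the
 * attacker learns nothing from the response, not even whether the user exists.
 */
function slt_check_lockout( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // cookie re-validation, not a password attempt
    }
    if ( slt_failures( slt_client_ip() ) >= SLT_MAX_FAILURES ) {
        return new WP_Error(
            'slt_locked_out',
            'Too many failed login attempts from your address. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'slt_check_lockout', 5, 3 );

/** A successful login clears the counter for that address. */
function slt_clear_failures( $user_login, $user ) {
    delete_transient( slt_key( slt_client_ip() ) );
}
add_action( 'wp_login', 'slt_clear_failures', 10, 2 );
```

Because XML-RPC logins go through the same `authenticate` filter, this covers `xmlrpc.php` as well as the login form. The caveats are the reason this sits at #3 and not #1: a botnet spreads its guesses across thousands of addresses, so a per-IP limit is a speed bump rather than a wall, and an office or campus behind one shared address can lock itself out by mistyping a few times. A long unique password and 2FA are what actually close the door.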
Securing WP Step #3: Principle of Least Access
This is related to tip #2, but: don’t share your WordPress login credentials with anyone. Whether they want to make a guest post, do some plugin development, or anything else, it’s generally better to give Sarah or John their own username and password for WordPress. Even more, if you give them an account, make sure it has just the access it needs.
A compromised password does far more damage on an “Administrator” account than on a “Subscriber” account: an Administrator can install plugins and edit theme files, which amounts to running arbitrary code on your server, while a Subscriber can do little more than read. So if John is just writing a guest post for you, make his account a “Contributor.” Sure, if Sarah’s going to do some plugin development for you she’ll probably need an “Administrator” account, but you still shouldn’t give John those rights.
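The hard part of least access on a site that has been around for a while is finding out who already has Administrator rights. The script below is an added example, not code from this article or from WordPress: it lists every administrator and, optionally, demotes the ones not on a keep-list to Contributor. It uses only core user functions; the username `sarah` in the keep-list is a placeholder.

```php
<?php
/**
 * Added example: audit (and optionally trim) the Administrator role.
 *
 * Run from the site's root directory with WP-CLI, which loads WordPress for you:
 *   wp eval-file audit-admins.php
 */

/** Print and return every account holding the Administrator role. */
function aa_list_admins() {
    $admins = get_users( array( 'role' => 'administrator' ) );
    foreach ( $admins as $user ) {
        // Administrators hold 'install_plugins' and 'edit_themes', i.e. the
        // ability to run arbitrary PHP on the server. That is why this list
        // should be as short as possible.
        printf(
            "%-20s %-30s registered %s  can install plugins: %s\n",
            $user->user_login,
            $user->user_email,
            $user->user_registered,
            user_can( $user, 'install_plugins' ) ? 'yes' : 'no'
        );
    }
    return $admins;
}

/**
 * Demote every administrator whose login is not in $keep_as_admin.
 * With $dry_run = true it only reports what it would change.
 * Returns the logins that were (or would be) demoted.
 */
function aa_demote_extra_admins( array $keep_as_admin, $dry_run = true ) {
    $changed = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( in_array( $user->user_login, $keep_as_admin, true ) ) {
            continue;
        }
        $changed[] = $user->user_login;
        if ( ! $dry_run ) {
            // set_role() replaces all of the user's roles. A Contributor can
            // write posts but cannot publish them, upload files, or touch
            // plugins and themes; that is the right level for a guest author.
            $user->set_role( 'contributor' );
        }
    }
    return $changed;
}

echo "Administrators:\n";
aa_list_admins();

// Placeholder keep-list: only 'sarah' should stay an Administrator.
$extra = aa_demote_extra_admins( array( 'sarah' ), true );
echo "\nWould demote to Contributor: " . ( $extra ? implode( ', ', $extra ) : '(none)' ) . "\n";
```

Run it with the dry run first, check that your own account is on the keep-list, and only then flip the second argument to `false`. Accounts that turn out to belong to people who no longer work with you are better deleted than demoted (WordPress lets you reassign their posts when you delete them).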
Securing WP Step #4: Backup for “Time Security”
I used to think that backups were a tangential topic to “WordPress security” writ large. And indeed, no backup will prevent a botnet or other attacker from exploiting your WordPress site’s security vulnerabilities.
But what a backup (or 300) does do for you is give you what I’d call time security. What I mean is that if you were compromised on Saturday and noticed it Tuesday, your backup from a week ago can still be used to put your site right. Without a backup, you’re left trying to clean up what can be a complex and difficult infestation that you might not even understand. Two caveats: keep copies somewhere other than the web server itself (an attacker who has the server can delete or tamper with backups stored there), and after restoring, update everything and change your passwords, or the same hole simply gets used again. So keep backups!
Securing WP Step #5: Install a WordPress Security Plugin
The best WordPress security plugins are far too complex a topic for this short post. I’ve got a website and an article that should help. (I should definitely merge those two things, but that’s a task for another day.) In short, if you read this article you’ll have a better sense of the kinds of features and powers of WordPress security plugins.
My general advice about security plugins: they’re useful, but no substitute for being vigilant about WordPress security. That’s why they’re not #1 on this list of security tips, nor should they be.
No Security Tips will Address ALL WordPress Security Issues
In conclusion, a note of caution. This is a list of my absolutely best opinion of what security threats exist for your WordPress site and what you can do about them. But WordPress security is an evolving topic, and your threat model needs to evolve with the times. If and when quantum computers crack most encryption technologies, we’ll have much more serious threats than those enumerated above. On our WordPress sites, and all across the internet. So the last and most important WordPress security tip: stay involved, stay informed, and stay looking at your WordPress site. Best of luck!