Notes and Observations on WordPress Security

WordPress security is a popular and difficult topic

WordPress security has become a popular topic as there have been a number of posts lately talking about just how secure WordPress is or is not. From what I’ve read so far just about all of them boil down to one of two things: 1.) the author has a stake in WordPress as part or all of his/her business so it’s secure and, 2.) my site got hacked so WordPress is not secure. Add to that a number of posts on how to improve WordPress security and the ever-growing number of security plugins in the WordPress.org plugins repository and it can all get pretty confusing. So who is right? Is WordPress secure or isn’t it?

Before I start the flame war a post like this is sure to become, let me point out that over the last 3 years of developing what has become one of the biggest security plugins in the WordPress.org repository I have found the answers to these questions tend to be quite a bit more complex than just the code on which WordPress runs. It is far easier to measure security based on the strengths or weaknesses of a single variable than it is to do so on the strengths and weaknesses of 100 variables. That aside, I do see some significant trends which contribute to both sides of the argument, and no matter what I or anyone else write, the only security that really matters is how secure your site is. If your site is compromised, no matter the reason, it is safe to say that a combination of both a vulnerability and a threat has made your site insecure.

Let’s start with the code

First of all let us, for the sake of this post, define the security of the code base as the ability or inability to use the code against itself. That is, can the code be executed or used in such a way that it would be considered an attack by the user who installed it.

The first argument often cited by both sides is the strength or weakness of the code on which WordPress is built. Frankly that code, at least the core of it before you change anything or add plugins or themes, is quite secure. Rarely ever do you hear about an attack against WordPress in which its own core code is used against itself. In addition when a vulnerability is found it is often patched with a minor version upgrade before it is widely exploited across the internet.

Given the lack of attacks against core I would say it is safe for us to assume WordPress core is quite secure. From personal experience I will add that a properly updated WordPress core is more secure than nearly any software available with such a large and diverse user base.

On the other side of this argument are two simple facts:

1.) Many users do not update their WordPress installations when a new version comes out

2.) Few sites using WordPress are using only WordPress core

In the simplest terms these seem like no-brainers but they’re actually rather significant to the argument about code security. To begin with, patching a vulnerability doesn’t erase its existence. Until the user installs the new version their code has a hole in it and all it takes is the right threat to make use of that hole. Second, while WordPress core receives an awful lot of scrutiny, plugins, and to a lesser extent themes, do not. There are no groups of talented developers poring over each and every plugin and theme fixing the errors when they arise. For some, even the single developer who is working on it might be doing so as a hobby or a learning experience, both of which can lead to problems. Put these together and although the current version of WordPress core might be locked up tighter than Fort Knox, the code actually powering many of the sites using it is probably not.

Now for the real “problem”

Yes, I realize that the above argument doesn’t sound too promising for WordPress security and in some ways it shouldn’t. The fact is however that WordPress is just a tool and like any tool is subject to misuse by its users. In other words users are the real source of vulnerabilities in WordPress.

Last month’s attack against the “admin” user was a prime example of this phenomenon. WordPress core has given people the ability to change the username from “admin” upon install for quite some time but an awful lot of folks don’t take advantage of it. Some don’t understand the effect it might have, for some a consultant or someone else just “gave it to them” without telling them they could change it, and still others might just have been too lazy. Once your site is attacked it doesn’t matter what the reason was. The user’s failure to change the admin username, whether for reasons within their own control or not, led to many sites being hacked. While last month’s attack was a large example of this, it is something that plays itself out time and time again in everything from failure to use one-click updates to installing bad plugins and themes and more (it is amazing how many passwords I get sent to me in everything from email to Facebook).

So for all the arguments about whether WordPress is secure or not I have found through experience and observation that the code base itself is not the problem on sites where users either don’t know any better or don’t care about the security of their site.

So what can be done about it?

The first and most important thing that can be done to improve the security of WordPress is education. The more people that are aware of the security of their site the better. I would go as far with this as to say I could write a plugin tomorrow that would do absolutely nothing but put a line of text in the WordPress dashboard that says “this site is secure”, and the sites that install it would indeed be significantly more secure than the average site.

Why? Because the user who installed the plugin is informed enough to look at the security of their site and try to improve it. On top of installing a security plugin they’ve probably changed the admin username, installed updates, and completed all of the other simple things that really make the biggest difference in protecting a WordPress site.

Second, as no one knows all the vulnerabilities present in their site nor can many site owners provide training to all of their users, security plugins really can help fill in the gaps that education cannot. Features such as brute force protection and others can provide a level of protection which might be just enough to keep the next opportunistic attack out. For example, I have yet to hear of a single person using Better WP Security who was compromised by the “admin” username attack even though some have admitted to me that they still use the “admin” username. Did the plugin protect them? Maybe, maybe not but at least 2 of these same users reported to me that they had seen an obscene number of lockouts of bots trying to brute-force their way into their sites.
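The brute-force protection mentioned above boils down to a small piece of bookkeeping: count failed logins per source address inside a monitoring window, lock the address out temporarily when the count crosses a threshold, and turn repeated lockouts into a permanent ban. The following is an added example of that logic, written for this post and not taken from Better WP Security or WordPress; it replays constructed login records (documentation-range IPs, made-up timestamps) through an assumed policy of 3 failures per hour, a 15-minute lockout and a permanent ban after the second lockout. The optional `reserved_usernames` setting, which locks a source out on its first attempt with a name such as “admin”, is also an assumption and is off by default.

```python
"""Brute-force lockout model for a login endpoint.

Added example (not Better WP Security code). It replays constructed
login-attempt records through a lockout policy: N failures inside a
monitoring window lock an IP out temporarily, and repeated lockouts
turn into a permanent ban. All threshold values are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 3           # failures inside the window before a lockout
    window_seconds: int = 3600      # how long a failure keeps counting (monitor time)
    lockout_seconds: int = 900      # length of a temporary lockout
    lockouts_before_ban: int = 2    # temporary lockouts before a permanent ban
    reserved_usernames: frozenset = frozenset()  # optional: lock out on first use


class LoginGuard:
    """Tracks failed logins per source IP and applies the policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the temporary lockout ends
        self.lockout_count = defaultdict(int)
        self.banned = set()
        self.events = []                     # (kind, ip, time) audit trail

    def is_blocked(self, ip: str, now: int) -> bool:
        return ip in self.banned or self.locked_until.get(ip, 0) > now

    def attempt(self, ip: str, username: str, ok: bool, now: int) -> str:
        """Process one login attempt; returns what the guard did with it."""
        if self.is_blocked(ip, now):
            # A locked-out client never reaches the password check.
            self.events.append(("rejected", ip, now))
            return "rejected"
        if ok:
            # A real login clears the failure history for this source.
            self.failures[ip].clear()
            return "allowed"
        recent = self.failures[ip]
        while recent and now - recent[0] > self.policy.window_seconds:
            recent.popleft()                 # drop failures outside the window
        recent.append(now)
        if username in self.policy.reserved_usernames:
            return self._lock(ip, now)
        if len(recent) >= self.policy.max_failures:
            return self._lock(ip, now)
        return "failed"

    def _lock(self, ip: str, now: int) -> str:
        self.lockout_count[ip] += 1
        self.failures[ip].clear()
        if self.lockout_count[ip] >= self.policy.lockouts_before_ban:
            self.banned.add(ip)
            self.events.append(("ban", ip, now))
            return "ban"
        self.locked_until[ip] = now + self.policy.lockout_seconds
        self.events.append(("lockout", ip, now))
        return "lockout"


def replay(log_lines, policy: LockoutPolicy) -> LoginGuard:
    """Feed 'timestamp ip username OK|FAIL' records (in time order) to a guard."""
    guard = LoginGuard(policy)
    for line in log_lines:
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        guard.attempt(ip, user, outcome == "OK", int(ts))
    return guard


# Constructed sample records (documentation-range IPs, Unix-style timestamps).
SAMPLE_LOG = """\
1000 203.0.113.7 admin FAIL
1005 203.0.113.7 admin FAIL
1010 203.0.113.7 admin FAIL
1015 203.0.113.7 admin FAIL
1300 198.51.100.2 editor FAIL
1400 198.51.100.2 editor OK
2000 203.0.113.7 admin FAIL
2005 203.0.113.7 admin FAIL
2010 203.0.113.7 admin FAIL
2015 203.0.113.7 admin FAIL
"""

if __name__ == "__main__":
    g = replay(SAMPLE_LOG.splitlines(), LockoutPolicy())
    for kind, ip, when in g.events:
        print(f"t={when:5d} {ip:14s} {kind}")
    print("banned:", sorted(g.banned))
```

Replaying the sample, the first source is locked out at its third failure, has its fourth attempt rejected without a password check, comes back after the lockout expires and is permanently banned at its second lockout; the second source has a single failure cleared by a successful login. Two design points worth noting: the failure window is pruned on every attempt so a slow, spread-out attempt stream does not accumulate forever, and a successful login resets the counter so a legitimate user who mistypes once is not carried toward a ban.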

Putting it all together it is fair to say that a good security plugin can go a long way to protect a site but nothing can overcome a user who fails to take their own security seriously or doesn’t know that they have a problem.

So is WordPress secure?

The simplest answer I can offer here is that WordPress is only as secure as you, the user, make it. If you ignore the potential of someone hacking your site then your site will probably be hacked. If however you educate yourself on what could happen and take some basic steps to prevent it you will most likely not fall victim to the majority of attacks that make the news in the WordPress community.

16 Replies to “Notes and Observations on WordPress Security”

  1. Chris,
You’re right, your WordPress site is only as secure as you the user make it. But, it’s also a two way street. Those that provide plugins and other advice need to stay on top of things. No user will be protected from a non-updated plugin or recycled out-of-date information. Nothing screws you up faster than following the wrong recommended steps. On the other hand, many people who don’t want to pay for a web designer have to realize WordPress is not a platform with plugins that you hook together and voila you’ve got a website an Internet business for free. For some people, just learning the details of the dashboard is overwhelming, let alone telling them they also need security and management tools. So, it’s a hard lesson to learn and many have to learn it the hard way. Everything needs to be protected as much as you can. Your home, your car, your credit cards, your social media sites and your websites.

    1. Thanks Joyce! You’re right on, it is a two-way street but many plugin devs and others who make their money on WordPress have an added incentive. So many posts talk about only the security of the code which does little for the average user. I believe in many cases it comes down to those who write about security need to step a little further into the shoes of their readers when explaining the topic. As for the rest, you’re right on there too especially, at least in the scope of this site, when it comes to your social media presence.

  2. “The fact is however that WordPress is just a tool and like any tool is subject to misuse by its users. In other words users are the real source of vulnerabilities in WordPress”

  3. Chris, I agree with you. I check all of my sites at least weekly for updates and keep everything current. I also think a mechanism to offer feature suggestions that is easier to use than the support page at WordPress is needed. There’s no feedback from you to let us know that you have even read the suggestions or what you think of them. Users who care about their sites want to provide you with ideas, suggestions and feedback. It’s one way we can contribute to the improvement of your work.

    An idea would be a members-only feature suggestion site where we can communicate more directly with you. It should NOT be used to request support as there are mechanisms for that purpose in place already. Access to the feature suggestion site would be earned by making a donation to the cause, no matter how small.

    A suggestion I would make, for example: I never, ever use ‘admin’, ‘webmaster’, ‘sysadmin’ or the default user account on any package I install on my websites. It’s the first choice for a hacker. Therefore, an obvious deterrent would be the ability to instantly and permanently ban any IP with a single attempt to use any of those user names; that would be another step to slow the inevitable onslaught. It would not be enabled by default, but would be a nice extra layer of protection and would help to keep the database from being filled with bad login attempts.

    I love your plugin and I know it’s a part-time activity for you. I recommend it to everyone I know because it works, plays nice with other plugins and is easier to understand than some of the other security plugins out there. I cannot thank you enough for the hours of aggravation you have saved me.

    1. Thanks!

      You’re right on the suggestions and I’m working on better options to contribute both in the plugin itself and through other avenues (watch my site later today for the first installment on this). I think the problem here is I frankly over-estimated the capabilities of the WordPress.org forum and found that once the plugin grew a little it is simply impossible to keep up there without making it a full-time job.

      As for the suggestion, I could see that as a future option but I could see points of abuse or confusion for some folks. It’s a fine line I walk here between usability and security and in the past, as is evident by many of the WordPress.org posts, I tend to stray a little too far from usability, so for now this is something I’m going to hold on.

  4. Users who don’t upgrade, use a firewall and otherwise try to make their site more secure are a big part of the problem; for example there are millions who are still using Java 6, even though Java 7 has been out for a while.

    1. Good point. If they’re using Mac though they might not realize Java 7 is available as Apple is still offering them 6 as their “official” package. That said, the application is only a single level in a rather complex stack.

  5. Yes, WP security should be the first thing to setup when a site is installed. There are a few tricks that will go even further in securing your site. Things like protecting wp-config, .htaccess, upload folders etc…

    I did work for someone last year and the site was hacked using the admin username and a couple of bad plugins.

    1. Ouch. That must’ve been fun as their employee (assuming you were the person who had to fix it).

      There is a lot that can be done, no doubt. Hopefully more folks will pick up on this in the future.

  6. I too, just recently spent many hours digging a client out of the deep hole that the automated admin hack created, directly the fault of some “Advertising Agency” he used who had limited understanding of open source and took ZERO steps to secure the WordPress install.

    Anyone who utilizes an open source solution like WordPress for their website without taking the necessary precautions to secure it, ESPECIALLY for business, deserves what they get, IMHO.

    I have been a big advocate for WordPress for years now, and it’s at the core of many of the sites I produce, but only with the help and understanding of your Better WP Security plugin have I been able to keep the kiddie scripters’ crawlers and the majority of the known “bad bots” at bay.

    Keep up the great work… BWPS is definitely the first plugin I install with any new WP implementation…

  7. Great post. I’ve only had my site up for a year, and only installed your plugin about two months ago. I had NO idea how many attacks I had going on. I agree that the core is probably safe, BUT I think WordPress should do a better job advertising plugins like yours. Until your plugin I used the admin ID (fortunately I had a pretty complex PW for it, but I bet most folks don’t). Maybe this isn’t the place for this, but what do you recommend for the consistent hourly 1 user name attack. I get an attack every 60 minutes where someone is using 1 or 2 id’s. it’s non stop.

    1. In my case, I am usually the only login. I know my credentials and any attempt to anything else is cause for instant lockout, as far as I’m concerned. So … I make the number of failed logins small (3) and the monitor time long (30-60 mins). I set repeated attempts to permanently ban to 2.

    2. I find the default settings sufficient for most sites however with that many attacks I would probably turn them up a bit (I rarely ever see lockouts for bad username/password on any of my sites).

  8. Thanks for the reply. I made some of the changes you suggested. On my site I usually get at least 1 attack every day from someone trying to login using admin or username. I can’t tell though if it’s the same person every day or someone diff though. Hmm, any chance you add the IP address of the person trying to login to the logs display? Or is this kept in a db somewhere I could check? If I could tell it’s the same person every day then I could block just that 1 IP?

    1. Sure, it’s kept in the “bwps_log” table in your database (putting them in the displayed logs resulted in information overload for some folks).