As WordPress continues to dominate the website development market, understanding its security is crucial. While the modular build system has attracted both veterans and beginners to its service, the variations in website customisation levels have made the question “Is it secure?” a nuanced one, with answers that vary on a website-by-website basis.
Factors such as a user’s knowledge of cybersecurity, the website’s level of hardening, the number and types of add-ons used, and the site’s purpose all contribute to the answer.
Unless a user is experienced in web development or chooses to pay for third-party management services, the responsibility of maintaining a good security posture falls entirely on them.
Assessing your chance of becoming victimized by a cyber attack is critical. As the world’s leading content management system, used to build over 810,000,000 websites, WordPress has become an attractive target for malicious attackers.
In this article, we will examine the elements of a WordPress website, its security concerns, and the risk mitigation techniques and hardening methods you can use to improve your security.
Related: Hardening the Web Server of Your WordPress Website
The Core of the WordPress Platform
The “Core” of WordPress refers to the backbone of the content management system. It includes the files that provide the underlying framework, default features and administration interface. WordPress installations use PHP as the server-side scripting language and MySQL as the Database Management System (DBMS).
To put it simply, WordPress Core is the default installation that is downloaded from WordPress.org.
The root directory that includes the files and folders of Core is structured in the following manner:
- license.txt
- readme.html
- wp-activate.php
- wp-admin/
- wp-blog-header.php
- wp-comments-post.php
- wp-config-sample.php
- wp-content/
- wp-cron.php
- wp-includes/
- wp-links-opml.php
- wp-load.php
- wp-login.php
- wp-mail.php
- wp-settings.php
- wp-signup.php
- wp-trackback.php
- xmlrpc.php
How Secure is WordPress Core?
Professional developers and guest committers, many of whom work for Automattic (the parent company of WordPress) or are associated with WordPress, maintain the Core. As WordPress is open source, anyone is free to contribute to the development release cycle, but commit access is limited, and any new contributions go through a thorough review process.
Because the Core is maintained so professionally, it is rarely exploitable. According to statistics analyzed by WPScan – vulnerabilities that can be attributed to the Core only represent 2% of the 54,205 tracked. However, it’s crucial to update to the latest version as soon as it is released, since the maintenance team is continuously addressing and fixing newly discovered bugs and security vulnerabilities.
From version 3.7 onwards, WordPress automatically installs minor updates, which are reserved for security and maintenance fixes, but you will need to update to major versions manually.
Configuring Core Defaults to Increase Security
WordPress Core comes with default configurations and behaviours. Plugin installation or manual configuration is required to change them. It is not recommended to alter the Core files. If you do, your changes will be overwritten whenever WordPress is updated.
Default mechanisms and settings that are cause for concern, along with their remedies, include:
Usernames cannot be changed by default (but there is a workaround). When choosing a username, avoid common defaults, such as “admin”. As the username is one half of the credential pair, using well-known usernames can be a security risk.
In order to change your username, create a new user with the desired username and administrator permissions, using a different email address than the one used by your current account. Afterwards, log in to the newly created account and delete the old account. Be sure to select “Attribute all content to: [NEW-USERNAME]” when asked: “What should be done with content owned by this user?”
When users register an account, WordPress displays a meter indicating the strength of the password, but password strength is not enforced. To enforce password strength requirements on your users, you can use a security plugin such as Password Policy Manager.
WordPress allows unlimited login attempts. This leaves your website vulnerable to unauthorised access, as threat actors can use brute-force attacks to guess valid account credentials. To implement rate-limiting protections, you’ll need to install and configure a plugin to rate-limit login requests, such as Limit Login Attempts Reloaded.
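The plugins named above implement rate limiting for you. As an added example that is not part of the original article or of any of those plugins, the following must-use plugin shows the mechanism itself: failed logins are counted per client address in a transient, and once the limit is reached the authenticate filter refuses the request regardless of whether the credentials are correct. The limit, the window, the function names and the use of REMOTE_ADDR as the client identifier are all assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Rate Limiter (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/example-login-limit.php so it loads before
 * ordinary plugins. Limit, window and helper names are assumptions.
 */

const EXAMPLE_LOGIN_MAX_ATTEMPTS = 5;                     // failures allowed per window
const EXAMPLE_LOGIN_WINDOW       = 15 * MINUTE_IN_SECONDS; // lockout length

// Build the transient key from the client address. REMOTE_ADDR is the only value
// the client cannot forge; if a proxy or CDN sits in front of the server, have the
// web server rewrite REMOTE_ADDR from the proxy header rather than trusting
// X-Forwarded-For here.
function example_login_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_login_fail_' . md5( $ip );
}

// Record one failure. wp_login_failed fires for every rejected credential pair,
// including attempts refused by the limiter below, so a locked-out client that
// keeps trying extends its own lockout.
function example_login_record_failure( $username ) {
    $key   = example_login_transient_key();
    $count = (int) get_transient( $key ); // false (unset) casts to 0
    set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW );
}
add_action( 'wp_login_failed', 'example_login_record_failure' );

// Refuse authentication once the limit is reached. Priority 30 runs after the
// built-in username/password checks (priority 20), which would otherwise replace
// our error with their own result; the client therefore always gets the same
// generic error while locked out, whether or not the password was right.
function example_login_enforce_limit( $user, $username, $password ) {
    $count = (int) get_transient( example_login_transient_key() );
    if ( $count >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_login_enforce_limit', 30, 3 );

// Reset the counter for the address after a successful login.
function example_login_clear_on_success( $user_login, $user ) {
    delete_transient( example_login_transient_key() );
}
add_action( 'wp_login', 'example_login_clear_on_success', 10, 2 );
```

Because the counter is keyed by address, a single attacker rotating through many addresses is not stopped by this alone; that is one reason the article goes on to recommend CAPTCHAs and multi-factor authentication as well.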
The default login page is typically reachable through four endpoints: /wp-login.php, /wp-admin, /admin or /login. Unless changed, these locations are well known, so a malicious actor does not even need to guess where the login portal is. To change the URL of the login form page, use a plugin such as WPS Hide Login.
The /wp-admin path, which contains the files and scripts necessary to run the admin dashboard, is accessible to anyone. Access to this directory is password-protected only if you explicitly configure HTTP Basic authentication, after which the server answers unauthenticated requests with 401. Three methods to implement this include:
- Use a plugin such as Password Protected.
- Create and upload a .htaccess and .htpasswd file to the /wp-admin directory. Be sure to change the AuthUserFile path accordingly, replace every instance of [USERNAME] with your actual username and provide a hashed password (generated with the htpasswd utility, for example) in place of [HASHED-PASS]. Note that /wp-admin/admin-ajax.php is also requested by visitors’ browsers on the public side of many themes and plugins, so test the front end after enabling this.
The access rules in the .htaccess file to use are:
AuthName "Admins Only"
AuthUserFile /home/user/public_html/example.com/wp-admin/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
require user [USERNAME]
Supply your credentials to the .htpasswd file, one user per line with no space around the colon:
[USERNAME]:[HASHED-PASS]
- Edit the privacy settings for the /wp-admin directory in cPanel provided by your hosting provider.
Authenticated users are not automatically logged out. The browser window associated with the session must be closed, or the logged-in user must explicitly log out. This presents a security issue in a shared local environment, as an authorised user could leave their device unattended. You can use a plugin such as the Inactive Logout plugin to automatically terminate the sessions of idle users.
There is no default option to implement multi-factor authentication or CAPTCHAs. These security measures can greatly reduce the risk of unauthorized user access.
- To add an extra layer of security for yourself and your users, install and activate a plugin such as WP 2FA.
- To add CAPTCHA checks to forms and logins, plugins such as CAPTCHA 4WP can be used. CAPTCHA will also serve as a defence against brute-force attacks.
WordPress will display hints after unsuccessful login attempts. Supplying a registered username or email address with an incorrect password will display the error message: “The password you entered for the username is incorrect. Lost your password?”. These hints can be used by a malicious attacker in order to enumerate valid usernames.
- To disable these hints, select +Add Snippet and Add Your Custom Code (New Snippet) in the WPCode plugin and supply the following code block to the functions.php file:
// Return the same generic message for every login error, so the response no longer reveals whether the username exists.
function no_wordpress_errors(){
return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
Registered users can also be enumerated via /author/[NAME], /?author=[NUMERICAL ID], /wp-sitemap.xml, /wp-json/wp/v2/users and /wp-json/oembed/1.0/embed?url=[AUTHOR POST URL]. If accessible, these endpoints can also be brute forced. To thwart this user enumeration method, you can use the Stop User Enumeration plugin.
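The three defaults just discussed (idle sessions that never end, login error hints, and the user enumeration endpoints) can all be changed from one small must-use plugin without installing anything. The following is an added example, not code from the article or from the Stop User Enumeration or Inactive Logout plugins; function names, the generic error text and the cookie lifetimes are assumptions.

```php
<?php
/**
 * Plugin Name: Example Enumeration and Session Hardening (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/example-enumeration.php. Function names,
 * message text and the session lifetimes below are assumptions.
 */

// 1. One generic login error, so a wrong username and a wrong password are
//    indistinguishable to the client.
function example_generic_login_error( $error ) {
    return __( 'Login failed. Check your credentials and try again.' );
}
add_filter( 'login_errors', 'example_generic_login_error' );

// 2a. Remove the REST routes that list users for anonymous requests. Logged-in
//     sessions keep them because the block editor relies on them.
function example_remove_user_rest_routes( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_remove_user_rest_routes' );

// 2b. Leave the user list out of /wp-sitemap.xml.
function example_drop_users_sitemap( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}
add_filter( 'wp_sitemaps_add_provider', 'example_drop_users_sitemap', 10, 2 );

// 2c. Refuse ?author=N lookups on the front end. WordPress would otherwise
//     redirect them to /author/<login-name>/, mapping a guessable number to a
//     username. Author archives reached by name keep working, and the admin
//     screens still accept ?author= for filtering post lists.
function example_block_author_id_lookup() {
    if ( is_admin() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'init', 'example_block_author_id_lookup' );

// 3. Shorten the authentication cookie lifetime. WordPress defaults to 2 days, or
//    14 days with "Remember Me". This is an absolute lifetime, not an idle timeout:
//    a session is cut off after this long whether or not it was in use, so an
//    unattended browser still stays logged in until then. A true inactivity
//    logout needs a plugin such as Inactive Logout.
function example_session_lifetime( $expiration, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}
add_filter( 'auth_cookie_expiration', 'example_session_lifetime', 10, 3 );
```

The oEmbed endpoint listed above is not covered here because its response is built from post data; the author name it exposes is the same one shown on the post itself.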
By default, the same login page is used for both website owners and registered users. Unless you create a separate login page, users’ accounts registered by those who visit your website will use the same one as you do to access the admin panel. To create separate registration and login pages for your user base, use a plugin such as Theme My Login.
When your server cannot locate an index file such as index.php or index.html to use as a landing page, it will automatically display an index page listing the contents of the whole directory. This disclosure of files and subdirectories could expose sensitive information. To check whether directory browsing is enabled, visit the /wp-includes directory in your browser. If you receive a 403 Forbidden or similar message, then directory browsing is already disabled.
- To disable directory browsing, add the following access rule to the very bottom of the root .htaccess file:
Options -Indexes
- You can also simply create a blank index.php or index.html file.
The directory that stores all the files uploaded through the media uploader, /wp-content/uploads, is publicly accessible. This means that any sensitive files accidentally uploaded to this directory could be viewed by anyone.
- To prevent access to this directory, disable directory browsing, password-protect the directory or create a new .htaccess file in the directory with the following rule. Note that this last rule blocks every file under /wp-content/uploads, including the images and other media your pages legitimately serve to visitors, so use it only if the directory is not meant to serve public files:
deny from all
WordPress keeps certain directories writable so that you and other authorized users can upload files to your website. A writable directory is also where a malicious upload, such as a backdoor script or other malware, would land, so preventing PHP execution in the directories that never need to run PHP protects you even if an upload gets through.
- Create or add to the .htaccess files within the /wp-includes and /wp-content/uploads directories. Test the site afterwards, since some older multisite installations serve uploads through wp-includes/ms-files.php and would need an exception. The rule setting will be:
<Files *.php>
deny from all
</Files>
XML-RPC is enabled by default. This protocol, used for Remote Procedure Calls (RPC) over the Hypertext Transfer Protocol (HTTP) with an Extensible Markup Language (XML) data format, can be exploited to overload the server or to bypass login rate limiting, since multiple login attempts can be combined in a single request. Disabling it also disables any client that depends on it, such as the WordPress mobile apps and Jetpack, so confirm nothing on your site needs it first.
- Use the Disable XML-RPC built-in code snippet provided by the WPCode plugin.
- To disable XML-RPC manually, add the following rule to the root .htaccess file (on Apache 2.4 without mod_access_compat, replace the two deny lines with Require all denied):
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
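The .htaccess rule above stops requests at the web server, before PHP runs, which is the cheapest place to do it. On hosts that do not honour .htaccess (nginx, some managed platforms) the same result can be reached from WordPress itself. The following must-use plugin is an added example, not code from the article or from WPCode; the function names are assumptions.

```php
<?php
/**
 * Plugin Name: Example XML-RPC Restrictions (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/example-xmlrpc.php. Function names are assumptions.
 */

// 1. Refuse every XML-RPC method that requires a login. The xmlrpc_enabled filter
//    is checked at the top of the server's login routine, so such calls fail with
//    fault 405 "XML-RPC services are disabled on this site" before any password is
//    compared. system.multicall still exists, but each of the login attempts it
//    bundles now fails the same way, which removes the rate-limit bypass.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Pingbacks are unauthenticated, so step 1 does not cover them. Remove the
//    pingback methods from the method table as well; a caller then gets
//    "requested method not found" instead of making this site fetch a URL on
//    its behalf.
function example_xmlrpc_remove_pingback( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_xmlrpc_remove_pingback' );

// 3. Stop advertising the endpoint in the X-Pingback response header that
//    WordPress adds to single posts with pings open.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );
```

After activating it, a POST to /xmlrpc.php with a wp.getUsersBlogs call should return the 405 fault without the server ever looking up the supplied username; that is the behaviour to confirm in your own testing.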
The default database prefix is wp_. This consistency makes it predictable for attackers who are attempting to target your site’s database tables in SQL injection attacks.
- While this is considered security through obscurity and is not a sufficient security measure, changing the prefix is still recommended. To change the prefix, edit the $table_prefix variable string value in the root wp-config.php file:
$table_prefix = '[VALUE]';
By default, the wp-admin dashboard includes a built-in editor that lets administrators change theme and plugin files directly. If a malicious attacker were to gain access to your admin area, they could use this editor to plant code.
- To disable the file editing feature, select +Add Snippet and Add Your Custom Code (New Snippet) in the WPCode plugin and supply the following code block to the functions.php file:
define( 'DISALLOW_FILE_EDIT', true );
Even with the editor disabled, an attacker with admin access could still upload a file through a plugin, so you need to configure the wp-config.php file again by adding:
define( 'DISALLOW_FILE_MODS', true);
WARNING: Disallowing file modifications in this way removes the Add New button for plugins and themes from the dashboard, along with any notifications of outdated plugins.
However, you can still update plugins with WP-CLI:
php wp-cli.phar plugin update --all
php wp-cli.phar plugin update [PLUGIN-NAME]
By default, the WordPress version number of your installation is public. Malicious attackers often target known security vulnerabilities in specific software versions. By hiding your version number, you make it slightly more difficult for an attacker to enumerate which version you are using.
- To remove the version number from both the header file and RSS feeds, use the WPCode Remove WordPress Version Number built-in code snippet provided by the WPCode plugin.
While an experienced developer may have a solid understanding of the security implications of default configurations and more secure alternatives, an average user might not be aware of these details.
How Secure are Themes?
Themes style the frontend design and appearance of your website. The layout, colours, fonts, spacing and other visual aspects of your website are all elements that can be changed with a theme.
Even though there are currently over 12,000 themes available in the official WordPress theme directory – the percentage of vulnerabilities that can be linked to their usage only amounts to 4%.
That’s not to say that WordPress themes can’t get vulnerabilities; they can, and they do, but the most likely way that your WordPress instance will get hacked is through insecure plugins, not themes.
How Secure are Plugins?
Plugins are additional modular components used to customize your website to suit your specific needs. They can be thought of like applications on a smartphone: plugins (applications) provide functionality that is not included in the Core installation (the phone’s OS).
There are around 60,000 plugins available to download from the official WordPress plugin directory. Even though submissions to the directory go through a manual code review, plugins are responsible for the vast majority of vulnerabilities: 95% of all tracked vulnerabilities are associated with them.
Straying Away from the Core
Each plugin and theme added to your project is a potential source of vulnerability. Therefore, every installation increases your attack surface.
Related: Reducing the WordPress Attack Surface
As WordPress is largely community driven – themes and plugins may be made by amateur developers that do not follow best security practices. Even plugins that enhance security can be insecure.
You can download plugins and themes from multiple sources, including the official WordPress directory, third-party marketplaces, developer websites and hosting providers. However, it is important to only use reputable sources as plugins can be malicious in nature.
Supply Chain Attacks
Just like phone apps, plugins are distributed as standalone packages. These packages contain files and folders that make up the plugin. These may import third-party components to function properly. When a component, such as a package, relies on another in this way, it is known as a dependency.
Supply chain attacks exploit these dependency packages to sabotage software, injecting them with malware. Because packages rely on each other, these attacks can have a massive reach, affecting millions of users.
Supply chain attacks are carried out in various ways. Package maintainer accounts may be taken over by malicious attackers via compromised credentials or expired domains in what are known as package hijacking attacks. Package installations may also source illegitimate packages in a dependency confusion attack. Other supply chain attack vectors include trojans, typosquatting and masquerading.
Repo jacking is also a type of supply chain attack, but it applies to dependencies sourced from version control systems such as GitHub rather than registries.
When a premium paid plugin or theme is pirated, the copy is known as a nulled add-on. Using one, even when it is free, can create significant security vulnerabilities. In addition to being illegal to use, nulled copies may have been tampered with by malicious actors and contain malware, and security updates released for the official product never reach them.
If any of your plugins are directly or indirectly affected by a supply chain attack or you are using a null version – you are vulnerable to compromise.
While ultimately, becoming victimized by a supply chain attack can be reduced to a matter of chance – there are actions you can still take to mitigate your risk:
Stay up-to-date with the latest versions of plugins and themes. When a new version is available, an alert will be displayed in your WordPress admin menu and the corresponding add-on will be highlighted. To enable automatic updates:
- Navigate to the Appearance screen in your admin dashboard and select Enable auto-updates. This must be done on a theme by theme basis.
- Navigate to the Plugins screen. Each plugin installed will be displayed in a table. In the Automatic Updates column – select Enable auto-updates for each plugin. For convenience, you can select multiple items by checking their associated checkboxes, then use the Bulk actions dropdown menu.
Only incorporate plugins and themes that are known and reliable. Before adding any to your website, verify their source and maintainer/s. Popular ones, while not immune to attack, are more likely to be inspected and reported on because more eyes are on them. Read the reviews and check the active installation count to gauge how many other users trust and use them.
Actively research any plugins and themes you use. Community discussions, reported issues and index searches can provide valuable insight into the current state of an add-on.
Carefully review the spelling and formatting of plugin and theme names included in your project against official documentation. This will reduce the chance of falling victim to a typosquatting attack.
View the release history of the plugin or theme to ensure it is actively maintained by trustworthy entities. Those developed by large organizations with good standing are more likely to be secure. Check the version numbers of WordPress, PHP and what version they have been tested up to. If it is not being actively maintained by a trusted author – seek out an alternative.
Remove any plugins or themes that are no longer required for your website to function properly. These may include ones that were only used for development and are not necessary in a production environment. This will reduce the attack surface of your project.
Be suspicious of any obfuscated or minified code. Malware can be injected using only a few lines of code. Even if it has no ill intent, it can add unnecessary complexity, making it challenging to maintain and audit.
Managed WordPress Hosting
There are third-party management services for your WordPress site. There are numerous advantages to subscribing to a WordPress specific managed hosting provider – the servers are configured to operate at optimal speeds, an in-depth security program is included, backups are performed regularly and updates are automatically installed.
While these can ease the total burden of security responsibility, it does not mean you can become complacent. You are still responsible for configuration settings and plugin and theme management.
Security Best Practices: File and Database Management
A File Transfer Protocol (FTP) client, Secure Shell (SSH) client or a cPanel provided by a hosting provider are used in order to access WordPress core files or upload files to your site.
Although it varies by host, the phpMyAdmin client is likely the interface you will use to interact with your MySQL database.
Insecure use of these tools can be dangerous, as they provide direct access to your website’s file system.
Some key security practices to follow when using these clients are:
- Ensure that you use strong, unique passwords for your client accounts. Strong passwords should include a mix of characters. Avoid using commonly used passwords or reusing a password from a different account.
- Regular FTP transmits data, including your credentials, unencrypted. Use SFTP or SSH instead.
- Keep your client installations up to date with the latest patches and updates.
- Limit the number of people with access to your client accounts. This is a form of access control. Additionally, maintain and monitor access logs to view who accesses what and when.
Securing the Language
Just as with other WordPress components, it is equally important to use the latest version of PHP. If your site is running an outdated version of PHP, it could be compromised by any unpatched vulnerabilities that were fixed in newer releases.
To check what version of PHP your website is using, view your Site Health Info tab by selecting the Tools sidebar menu option. Extending the Server section will show your current PHP version.
Site Health may also display a notification recommending that you update to a newer PHP version.
To avoid issues when updating your PHP version, the following steps should be taken beforehand:
- Create a backup of your website. If anything goes wrong, you can revert to the backup of the functioning snapshot.
- Update WordPress, themes and plugins to ensure compatibility. Then use the PHP Compatibility Checker plugin. If this plugin flags any issues, notify the theme or plugin developer.
Once these proactive steps are completed, the exact steps to update your PHP installation on your server vary by hosting company.
Host-specific instructions can be found here.
Adding Perimeter Defense
Firewalls act as a first line of defence against attacks. They can protect against attacks such as Cross-Site Scripting (XSS) and SQL Injections (SQLi).
A Web Application Firewall (WAF) inspects incoming HTTP traffic. This type of firewall can be conceptualized as a security guard. A WAF examines requests before they reach your hosting server (DNS level) or once they reach your server but before most WordPress scripts are loaded (Application level).
Related: Protecting WordPress with Open Source Web Application Firewall ModSecurity
A WAF will deny or permit requests based on predefined rules that inspect for suspicious or malicious payloads in request lines, headers and body data. Based on the inspection, it will decide whether the requests are to be passed on to the host server for processing.
There are many WAF plugins available for WordPress. A list of reputable ones can be found here.
Activity Log and Tracking Plugins
These types of plugins track user activity and record events in logs – such as user logins/sessions, changes made to files/themes/posts/pages, file downloads, membership requests as well as all other actions made by visitors to your site.
Maintaining an activity tracking log establishes a system of checks and balances. If issues arise, it becomes straightforward to identify what went wrong, who was responsible and how to address the problem.
A list of reputable plugins that include tracking and activity logs can be found here.
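To make concrete what such a plugin records, here is an added example (not code from the article or from any of the plugins it refers to) of a minimal activity log: a must-use plugin that appends one JSON line per security-relevant event, including logins, plugin and theme changes, new users, role changes and updates. The log path constant, the function names and the event names are assumptions.

```php
<?php
/**
 * Plugin Name: Example Activity Log (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/example-activity-log.php. Define
 * EXAMPLE_ACTIVITY_LOG in wp-config.php with a path outside the web root so
 * the log itself is not downloadable; without it, events go to PHP's error_log.
 * All names here are assumptions.
 */

function example_activity_write( $event, array $data = array() ) {
    $record = array(
        'time'  => gmdate( 'c' ),
        'event' => $event,
        'ip'    => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null,
        'actor' => get_current_user_id(), // 0 for anonymous requests
        'data'  => $data,
    );
    $line = wp_json_encode( $record ) . PHP_EOL;
    if ( defined( 'EXAMPLE_ACTIVITY_LOG' ) ) {
        error_log( $line, 3, EXAMPLE_ACTIVITY_LOG ); // type 3 = append to the given file
    } else {
        error_log( rtrim( $line ) );
    }
}

add_action( 'wp_login', function ( $user_login, $user ) {
    example_activity_write( 'login_success', array( 'user' => $user_login, 'roles' => $user->roles ) );
}, 10, 2 );

add_action( 'wp_login_failed', function ( $username ) {
    // Record the attempted name, never the password.
    example_activity_write( 'login_failed', array( 'user' => $username ) );
} );

add_action( 'activated_plugin', function ( $plugin ) {
    example_activity_write( 'plugin_activated', array( 'plugin' => $plugin ) );
} );

add_action( 'deactivated_plugin', function ( $plugin ) {
    example_activity_write( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );

add_action( 'switch_theme', function ( $new_name ) {
    example_activity_write( 'theme_switched', array( 'theme' => $new_name ) );
} );

add_action( 'user_register', function ( $user_id ) {
    example_activity_write( 'user_created', array( 'user_id' => $user_id ) );
} );

add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    // Privilege changes are the events most worth alerting on: a new administrator
    // appearing without a matching change request is a classic compromise sign.
    example_activity_write( 'role_changed', array( 'user_id' => $user_id, 'new' => $role, 'old' => $old_roles ) );
}, 10, 3 );

add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    // $hook_extra names the action (install/update) and type (plugin/theme/core).
    example_activity_write( 'update_installed', $hook_extra );
}, 10, 2 );
```

One JSON object per line keeps the file easy to ship to a log collector or grep through; a burst of login_failed records from one address followed by a login_success and a role_changed event is exactly the sequence an activity log exists to surface.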
WordPress Vulnerability Scanners
A vulnerability scanning tool will analyze a WordPress site for security weaknesses. Outdated plugins, themes, files, insecure configurations and exposed sensitive information are all checked for. Our team at WPSec has integrated our custom technology into the WPScanner base.
To this day a total of 9,669,051 scans across 96,445 sites have been performed using our tool.
Our tool provides:
- Instant In-Depth Scans: Conduct immediate, detailed scans of your WordPress website to receive real-time feedback, enabling you to quickly take action to secure your site.
- Automated Scanning Schedule: Set up daily, weekly, or monthly scans to monitor your site’s security health continuously. Automated scheduling ensures you won’t forget to initiate a scan manually, freeing you to focus on other important tasks like managing your business.
- Intuitive Dashboard: Access a user-friendly dashboard that visually represents scan results across multiple hosts. This centralized interface lets you track and resolve issues efficiently from one place.
- Real-Time Notifications: Receive instant alerts via email or WebHooks when issues are detected. Immediate notifications allow you to address and mitigate threats quickly, minimizing the time your site remains vulnerable.
- Advanced Reporting: Generate detailed reports with clear breakdowns of findings and actionable solutions. Each report provides you with a comprehensive plan to address and fix identified vulnerabilities effectively.
Online Stores are a More Attractive Target
According to a report by Astra Security, small businesses account for 43% of cyberattacks annually. On average, small- to medium-sized businesses lose $25,000 due to cyberattacks.
Owners of online stores are responsible for handling financial transactions and safeguarding Personally Identifiable Information (PII), such as customers’ names, addresses, and credit card details.
Small e-commerce businesses’ websites are especially attractive to malicious attackers because they often lack the resources to implement robust security measures. Some owners may even mistakenly believe that the small size of their operation makes them less likely to be targeted.
Given the vast number of online stores today, implementing even a few basic security measures can deter hackers who might otherwise find an easier target to exploit.
In addition to adhering to all the security practices discussed so far, if the purpose of your WordPress website is to facilitate sales of a product or service – there are extra precautions to take:
- Validate user-supplied data. Injection attacks are frequently used by cybercriminals to exploit vulnerabilities by inserting characters that manipulate systems into performing actions such as running database queries or executing malicious code. These attacks often target fields that handle user data, such as forms. Validating data ensures that submissions adhere to a specific format, preventing harmful inputs. Fortunately, the form-creating plugin Formidable Forms can provide validation.
- Use secure payment gateways. Examples of payment gateways include PayPal and Stripe. Use well-known, reputable payment gateways to protect the financial security of both you and your customers.
- Prevent fraudulent transactions and card attacks. Extension plugins to WooCommerce, such as the Anti Fraud plugin, will automatically block or prevent potentially fraudulent transactions. This plugin also includes powerful prevention customization options and an analytics dashboard.
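If you write any form handling of your own rather than relying on a forms plugin, the "validate user-supplied data" point above comes down to three habits: check a nonce, validate every field against the format you expect, and bind database values as parameters. The following handler is an added example, not code from the article or from Formidable Forms or WooCommerce; the table, field names, action name and limits are assumptions, and the table (columns id, name, email, quantity, created) must exist before use.

```php
<?php
/**
 * Plugin Name: Example Validated Form Handler (added example, not from the article)
 *
 * Handles a front-end enquiry form posted to admin-post.php?action=example_enquiry.
 * Table, field names and limits are assumptions.
 */

// Validate and normalise the submitted fields. Returns the clean values on
// success, or a WP_Error that lists every problem found.
function example_validate_enquiry( array $input ) {
    $errors = new WP_Error();
    $clean  = array();

    $name = isset( $input['name'] ) ? sanitize_text_field( wp_unslash( $input['name'] ) ) : '';
    if ( '' === $name || mb_strlen( $name ) > 100 ) {
        $errors->add( 'name', 'Name is required and must be at most 100 characters.' );
    }
    $clean['name'] = $name;

    $email = isset( $input['email'] ) ? sanitize_email( wp_unslash( $input['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        $errors->add( 'email', 'A valid email address is required.' );
    }
    $clean['email'] = $email;

    // Numeric field: require a plain positive integer rather than casting, so that
    // "5; DROP TABLE ..." and "5.0" are both refused instead of silently becoming 5.
    $qty = isset( $input['quantity'] ) ? (string) $input['quantity'] : '';
    if ( ! preg_match( '/^[1-9]\d{0,3}$/', $qty ) ) {
        $errors->add( 'quantity', 'Quantity must be a whole number between 1 and 9999.' );
    }
    $clean['quantity'] = (int) $qty;

    return $errors->has_errors() ? $errors : $clean;
}

// Store the enquiry. $wpdb->prepare() binds the values, so quotes or SQL in the
// input cannot change the statement; the table name uses $wpdb->prefix so a
// changed table prefix (see the $table_prefix setting above) still works.
function example_store_enquiry( array $clean ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_enquiries';
    $wpdb->query(
        $wpdb->prepare(
            "INSERT INTO {$table} (name, email, quantity, created) VALUES (%s, %s, %d, %s)",
            $clean['name'],
            $clean['email'],
            $clean['quantity'],
            current_time( 'mysql', true )
        )
    );
    return (int) $wpdb->insert_id;
}

// Request handler. The nonce ties the submission to a form this site rendered,
// which blocks cross-site request forgery from another origin.
function example_handle_enquiry() {
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_enquiry' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }
    $result = example_validate_enquiry( $_POST );
    if ( is_wp_error( $result ) ) {
        // esc_html() so the rejected input is never echoed back as markup (XSS).
        wp_die( esc_html( implode( ' ', $result->get_error_messages() ) ), 'Invalid input', array( 'response' => 400 ) );
    }
    example_store_enquiry( $result );
    wp_safe_redirect( add_query_arg( 'enquiry', 'sent', home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_nopriv_example_enquiry', 'example_handle_enquiry' ); // visitors
add_action( 'admin_post_example_enquiry', 'example_handle_enquiry' );        // logged-in users
```

The matching form needs a hidden action field with the value example_enquiry and a call to wp_nonce_field( 'example_enquiry', 'example_nonce' ) so the handler's nonce check can pass.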
Further Reading
- Best Practices for Securing Your WordPress Site
- 17 Actionable WordPress Security Practices
- How to Protect Your WordPress Site Against Hackers
- How to Scan Your WordPress Instances for Security Issues
- Security in WordPress Plugin Development
Conclusion
Maintaining the security of a WordPress site involves a multifaceted approach and an understanding of areas that can be improved. While WordPress Core has proven itself as a secure framework, vulnerabilities can arise from the extensions added onto it. Customizing the Core installation or integrating numerous plugins and themes can expand your attack surface.
A user with a thorough understanding of security best practices is better equipped to implement measures such as regular updates, proper configuration and vigilant monitoring.
So, “Is WordPress secure?”
It depends.
Take control of your WordPress security today. Run a free security scan with WPSec and identify vulnerabilities before attackers do.