WordPress: Victim or Maligned?
We often get questioned about WordPress security and whether or not WordPress is a true enterprise level content management system. We believe it is, that’s why we use WordPress as our go-to platform of choice when building many web applications for our customers.
WordPress is pretty much the most popular open-source platform on the Internet, and it therefore has issues; but that's no different from many other systems, it's really just the scale of the opportunity.
All installs are not created equal.
With many millions of installs, WordPress presents a huge number of opportunities for things to go wrong. The sheer weight of statistics means that there are bound to be many WordPress installs that have fallen behind the patch curve and are running with older versions of WordPress itself or one of the many thousands of plugins that are available. If you were wanting to find web servers to ‘attack’ then those running WordPress would seem to present you with the most opportunities for success.
All hosts are not created equal
As we are often told, security is a many-layered thing and it’s not just the application platform, i.e. WordPress that’s vulnerable. The host webserver runs an operating system and lives in a network; both of these things present further opportunities for vulnerabilities to creep in and for consequent compromise.
Oh The Plugins
One of WordPress's many strengths is the huge number of plugins that can be used to extend the functionality of the system. However, many of the most high profile attacks on WordPress servers have been the result of vulnerabilities in one or more of these plugins. Most recently, the most popular ecommerce plugin, WooCommerce, was found to be vulnerable to a SQL injection attack. WooThemes fixed the plugin within a matter of hours of the vulnerability being discovered.
Developers will be developers; they just want the thing to work and may not be aware of the security implications they introduce by coding only for the expected inputs. They should know how to prevent what are now well-understood standard risks such as SQL injection by using PDO, WPDB or another database layer that parameterises and escapes SQL for them. Beyond that, they should also adopt a truly defensive approach to code to ensure that unexpected inputs and results are handled safely.
Then There’s YOU!
With the best infrastructure things can still go wrong. Weak passwords, careless configurations and unmanaged changes to any system will inevitably lead to weaknesses and vulnerabilities creeping into the system that you run. It may seem a trivial change at the time, or it may start out to be a temporary change to overcome an urgent need from a fellow developer, but one day that unmanaged change will perhaps combine with something else that’ll create a vulnerability which can be exploited.
Reducing The Opportunity For Compromise.
- Platform As A Service: Use a specialist hosting provider that can provide WordPress as a fully managed Platform. We have teamed up with WP Engine to provide what we believe to be the most cost effective, highly secure and performant WordPress hosting service available.
- Manage Installs: Managing Installs means monitoring and patching everything very regularly. This overhead is significantly reduced by using WP Engine as all of the core WordPress infrastructure is automatically patched and the support systems such as staging, snapshot creation and backups make the whole process easy, safe and secure.
- Manage Change: Manage all changes of your install no matter how small. The change management process need not be complicated and if integrated with your code development and staging processes, this can be automated.
- Code in Defence: Code in defensive strategies and control the behaviour of the system and its users. Most importantly, test for the unexpected. There's little use in testing for all of the expected answers if you forget that real users are unpredictable.
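The two points above, using a parameterised database layer and coding defensively for unexpected input, are easiest to see side by side. The following is an added example written for this post, not code from WordPress, WooCommerce or WP Engine. It uses PDO with an in-memory SQLite database so it runs stand-alone; the `wp_orders` table, its rows and the hostile input are all constructed for the illustration, and the `$wpdb` usage at the end is shown in a comment as the equivalent inside a plugin.

```php
<?php
// Added example: the same customer lookup written the vulnerable way
// (string concatenation) and the safe way (bound parameter), plus an
// input check that rejects anything a customer name should never contain.
// PDO + SQLite in memory is used so the script runs without WordPress.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for a plugin's orders table.
$db->exec("CREATE TABLE wp_orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)");
$db->exec("INSERT INTO wp_orders (customer, total) VALUES ('alice', 12.50), ('bob', 99.00)");

// Vulnerable: the request value is pasted straight into the SQL text,
// so whatever the user typed becomes part of the query itself.
function orders_for_customer_unsafe(PDO $db, string $customer): array
{
    $sql = "SELECT id, customer, total FROM wp_orders WHERE customer = '" . $customer . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter and is only ever
// compared as data, never interpreted as SQL.
function orders_for_customer_safe(PDO $db, string $customer): array
{
    $stmt = $db->prepare("SELECT id, customer, total FROM wp_orders WHERE customer = :customer");
    $stmt->execute([':customer' => $customer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defensive input handling: decide up front what a customer name may look
// like and refuse everything else before it gets anywhere near the database.
function validate_customer_name(string $raw): ?string
{
    $trimmed = trim($raw);
    return preg_match('/^[a-z0-9_.-]{1,64}$/i', $trimmed) === 1 ? $trimmed : null;
}

// Constructed hostile input: a classic tautology instead of a name.
$input = "' OR '1'='1";

printf("unsafe query returned %d rows\n", count(orders_for_customer_unsafe($db, $input)));
printf("safe query returned %d rows\n", count(orders_for_customer_safe($db, $input)));

var_dump(validate_customer_name($input));
var_dump(validate_customer_name(' alice '));

// Inside a WordPress plugin the same idea uses the global $wpdb object
// (table name is hypothetical; %s is wpdb's string placeholder):
//   $rows = $wpdb->get_results(
//       $wpdb->prepare("SELECT id, total FROM {$wpdb->prefix}orders WHERE customer = %s", $customer)
//   );
```

Run with `php` on a build that has the `pdo_sqlite` extension. The concatenated query returns every order in the table, because the input turns the `WHERE` clause into one that is always true; the prepared query returns nothing, because the same string is compared literally against the `customer` column. The validator rejects the hostile input outright and normalises a real name, which is the "test for the unexpected" habit the list above asks for: parameterisation stops the injection, and input validation stops a whole class of surprises before they reach the query at all.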
Your Next Web Project
Come and talk to us about your next web project and about secure, enterprise quality WordPress hosting from WP Engine.