Let’s face it, WordPress is a big target for hackers. It’s used by a huge number of sites, powering > 20% of all websites by many estimates. Builtwith reports 20% of their sample of 1.7M sites use WordPress, including 11% of the top 10k sites. Any way you slice it — that’s a lot of sites, and that makes it an attractive target. Beyond just the volume though, WordPress and PHP have a reputation of being insecure. This isn’t totally fair, but it isn’t unwarranted either. While the number of WordPress vulnerabilities has been going down, the number of hacked sites doesn’t seem to be. Personally I have dealt with more hacked sites in 2014 than in any previous year. What’s going on? I wouldn’t want to see people stop using WordPress because of security concerns, but for most people that just want a basic site they can update easily, the idea that you have to spend so much time thinking about security doesn’t seem quite right either.
Recent Core Is Pretty Secure, but Not Enough Sites Are Updated.
WordPress core, i.e. the main product itself minus any plugins and themes, hasn’t had a lot of security issues in recent years. In the past year WordPress core has only had 1 “high” level vulnerability in the CVE vulnerability database for recent versions, with 0 public exploits.
At the time of writing this, WordPress 4.0.1 just came out with some important security updates, so it may seem to be an odd time to declare core to be secure — but despite this particular update containing significant fixes you should absolutely apply ASAP, these aren’t likely to be the kind of holes that will cause thousands of sites to end up hacked. If you are running WordPress 3.7 or newer with automatic core updates on, you wouldn’t even have had to worry about these fixes because your install will be automatically patched.
To prove that it is indeed getting better, I’ve used the list of core vulnerabilities from wpvulndb.com and plotted over time.
This is all vulnerabilities, not just the critical easily exploitable ones. Many vulnerabilities affect multiple releases so years that had more releases will naturally show more vulnerabilities, but since 2008 there have been 7-10 releases per year so that is not a major factor in the clear downward trend since 2011.
However many people aren’t on recent versions of WordPress, so old versions of core remain a way some people get hacked. According to WordPress.org stats, 53% of WordPress installs are still pre-3.7 (so no auto-updates possible), and only 15% are up-to-date on 4.0.
Let’s also not forget the really out-of-date sites. WordPress 3.0 came out in Jun 2010, yet the same Builtwith report from above shows 229,000 sites running a 2.x version of WordPress. That’s only 2.4% of the total, but every one of those sites that could be compromised is another site that could be part of a botnet attack, or a site that gets your site hacked because it was on the same shared server with weak system-level security.
Despite the number of vulnerabilities listed, I’ve never personally had to clean up after a site that was exploited via something in core WordPress. Certainly it happens, and if your site is running WP 2.x I would pretty much assume it’s been compromised, but even sites that are only relatively up-to-date seem to have limited issues in my experience.
The Larger WordPress “Ecosystem” Is Problematic!
My experiences with hacked WordPress sites revolve around sites being exploited in one of a few ways:
- Bad, un-updated plugins. Overall most plugins are safe, but install a few dozen plugins and don’t ever update them and it is a recipe for trouble for many sites.
- Themes with exploitable dependencies, themes with bundled bad plugins.
- Hosting issues.
- Shared hosts where sites were exploited via other sites on the server or system-level things (honestly most examples I’ve seen of this are due to other sites’ bad plugins getting PHP back-doors installed on the server somewhere else).
- Bad passwords.
- Brute-force attacking of accounts.
This seems to be in line with statistics I found trying to determine the most common attack types. WPTemplate.com published a widely-cited infographic claiming the following breakdown for the source of a hack: 41% hosting, 29% themes, 22% plugins, 8% passwords (I guess maybe core counts as hosting?). The exact percentages aren’t important, but it does back up what I’ve heard & seen anecdotally. For me almost all of the examples go back to bad plugins or PHP libraries in some way or another.
What to Do When Your Site Is Hacked?
If this is your business, hire someone to clean it up who knows what they are doing. Seriously. The people that hacked your site might have done any number of things that a quick cleanup or restore might not find. Maybe they have multiple admin accounts now, or dropped a PHP backdoor, or subtly edited your templates for use later.
If you don’t get the malware 100% out of your system, you’re just going to be cleaning it up again in another month. Unless you can see in the logs where you were compromised and how, you’ll never know whether you’re actually cleaned up or not.
Sucuri offers this service for $99/yr.
How Do We Keep Our Sites Safe For the Future? How Do We Make WordPress Safer to Use?
I seriously don’t like the concept of post-install “WordPress hardening”. The majority of sites will always run defaults, so if there are common things that can be done to harden an install, that should be in defaults as much as possible. Certainly some sites that are very high-profile will always require additional security work, but we’re not talking about those sites. We’re talking about the 99.99% of WordPress sites out there that are just regular ol’ websites.
Whether those sites get 10 visits/day or 10,000 visits/day, they are pretty much all being scanned on a regular basis looking for holes to exploit. So why would anyone want an “un-hardened” website?
So core WP itself is pretty secure now, and responsible security reporting along with auto-updates are a big improvement, but what I’d like to see in future WordPress versions is more of an attempt to be “hardened” out of the box as well as encourage an environment where plugins are less likely to cause major issues. It doesn’t feel like enough to have core be secure if everyone is running external plugins with who knows what security issues that don’t get auto-updated — or updated at all.
For example — common hardening advice includes restricting the wp-includes & uploads directory with an .htaccess file so PHP cannot be executed from within them, so why isn’t that built into core? That’s just one small thing, there are many others, just look at what plugins like Sucuri Security or iThemes Security do out of the box without causing issues in most cases. It’s the “most cases” that makes this a painful process, but without that effort sites will continue to get hacked in increasing numbers and WordPress’ reputation and community will certainly suffer.
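As an added illustration of the hardening step just mentioned (my example, not code from this post, from WordPress core, or from any particular plugin), here is what “PHP cannot be executed from uploads or wp-includes” looks like as .htaccess rules on an Apache host. The first file goes in wp-content/uploads/, the second fragment goes in the site-root .htaccess above the normal WordPress block. The assumptions are that Apache is the web server (either the 2.2 or the 2.4 syntax is picked up automatically), that mod_rewrite is available, and that this is a single-site install; the multisite caveat is noted in the comments.

```apache
# wp-content/uploads/.htaccess  (added example)
# Uploaded files should only ever be served, never run. Deny every request
# for a PHP-ish filename in this tree. There is deliberately no trailing "$"
# anchor: with an AddHandler-style PHP configuration Apache's mod_mime treats
# a name like shell.php.jpg as having both extensions, so it would still be
# handed to PHP. Matching ".php" anywhere in the name closes that gap.
<FilesMatch "\.(?i:php|php[3-7]|phtml|phar)">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Site-root .htaccess fragment (added example): place it ABOVE the standard
# "# BEGIN WordPress" block so it is evaluated first.
# wp-includes/ holds library code that is only ever loaded by other PHP files;
# a browser never needs to request those files directly, so a direct hit is
# almost always a scanner or an exploit attempt. These rules answer such
# requests with 403 while normal front-end requests (which go through
# index.php) are untouched.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Admin helper files that should never be a top-level request.
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Skip the next three rules for any request outside wp-includes/.
    RewriteRule !^wp-includes/ - [S=3]
    # Multisite caveat: on a multisite install ms-files.php is legitimately
    # requested directly, so drop this line there (at the cost of less cover).
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

To confirm the uploads rule actually took effect on your host, drop a harmless file such as uploads/test.php containing nothing but a comment, request it in a browser, and check that you get a 403 rather than a blank 200 page; then delete it. If the page still renders, the host is either not Apache or has AllowOverride turned off, and the same restriction has to be set in the server configuration instead.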
I would also love to see dashboards actually alerting users of vulnerabilities in installed themes & plugins. For example if wpvulndb.com project data was included directly in the dashboard alerting users of plugins that have known vulnerabilities, that might get users to update much more rapidly if they knew not just that it was “another day, another plugin upgrade…”, but something critical they really needed to do ASAP.
Some Actually Actionable Advice
So what should you do right now? Here’s some basic best-practices I try to follow:
#1 — Host somewhere managed, but have an offsite backup of your site.
Remember that 53% of sites that are pre-3.7? A lot of those installs are assuredly auto-installed WordPress from $5/mo. generic shared hosting providers. They might offer a one-click install from cPanel, and it all seems great until you realize it never gets updated and all the support they offer if you get hacked is to wipe your site out and start over. If you want hosting that is proactively keeping you up-to-date and is geared towards hosting & securing WordPress, you want a host that offers managed WordPress hosting, something like: WPEngine, Pagely, Siteground, or you know.. wordpress.com if you don’t need the customization. It doesn’t have to be expensive, but it might be a little more than you’re paying now… just think of it as time you’re saving when you don’t get hacked.
Try something like BackupBuddy to Dropbox to get your offsite backup. It’s important that the offsite backup be something reliable & easy to restore, because you know you aren’t going to be checking its validity in disaster recovery drills every month, right?
#2 — Use a security plugin. Turn on brute-force login protection & whitelist your own IP.
I don’t like that this is a requirement, but I feel it really is. I run iThemes Security Pro on the WordPress sites I host. There is also a free version. Even if you are on managed hosting you still should use a security plugin. Security plugins are a thorny issue: if you are careful and everything is set up correctly and you don’t make any mistakes then you don’t need one, but they are a good safety blanket for those of us that happen to make mistakes every once in a while.
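To make the “brute-force login protection & whitelist your own IP” point concrete, here is a small must-use plugin that does the core of what those security plugins do for login attempts. This is an added example, not code from this post or from iThemes Security; the threshold, the lockout window, the whitelist address (an RFC 5737 documentation address) and the file name are all assumptions you would adjust. It relies only on standard WordPress hooks and the transient API, so it runs on any 3.x/4.x install when saved as wp-content/mu-plugins/example-login-throttle.php.

```php
<?php
/*
Plugin Name: Example Login Throttle (added example)
Description: Counts failed logins per client IP and refuses further attempts
             for a while once a threshold is hit. Whitelisted IPs are exempt.
*/

// Assumed settings (illustrative values, not from the original post).
define( 'EXAMPLE_LOGIN_MAX_FAILURES', 5 );                 // failures before lockout
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );  // counting / lockout window
// Your own static IP(s): never throttled, so you cannot lock yourself out.
// 203.0.113.10 is a constructed placeholder from the documentation range.
$example_login_whitelist = array( '203.0.113.10' );

function example_login_client_ip() {
    // REMOTE_ADDR is the one address the client cannot simply forge. Behind a
    // reverse proxy you would instead read the proxy's forwarded header, and
    // only when the request really came from that proxy.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_login_transient_key( $ip ) {
    // Hash the IP so the option name stays short and safe regardless of IPv6.
    return 'example_login_fail_' . md5( $ip );
}

function example_login_is_whitelisted( $ip ) {
    global $example_login_whitelist;
    return in_array( $ip, $example_login_whitelist, true );
}

// 1. Every failed login WordPress reports bumps the counter for that IP.
//    The transient expiry doubles as the window: each new failure re-arms it.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = example_login_client_ip();
    if ( example_login_is_whitelisted( $ip ) ) {
        return;
    }
    $key   = example_login_transient_key( $ip );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW );
} );

// 2. Once the threshold is reached, refuse authentication for that IP.
//    Priority 30 runs after WordPress's own username/password check (20), so a
//    correct password no longer gets a locked-out address in; running earlier
//    would not work because the core check overwrites a WP_Error on success.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $ip = example_login_client_ip();
    if ( example_login_is_whitelisted( $ip ) ) {
        return $user;
    }
    $count = (int) get_transient( example_login_transient_key( $ip ) );
    if ( $count >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'example_too_many_failures',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// 3. A successful login from an address clears its counter.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_login_transient_key( example_login_client_ip() ) );
}, 10, 2 );
```

Two things worth knowing before relying on something like this: a locked-out address that keeps trying re-arms the window on every attempt, which is intended, and the counter lives in the options table (or the object cache, if one is configured), so it is shared across all PHP workers rather than per-process. A real security plugin adds what is missing here, namely a log you can look at, notifications, and lockouts keyed on the username as well as the address.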
#3 — Actually manage your user accounts. Don’t have a user named “admin”.
So after a couple of years you might end up with dozens of accounts, and who knows what those users put in for passwords! If you have a security plugin, then turn on enforcing strong passwords, delete your old unneeded accounts and force password resets on the accounts you are keeping. You don’t need to force password resets every month or anything annoying like that, but you need to clean out the people that might be using trivially guessable passwords or shared re-used passwords from other sites. Don’t let your users pick & keep terrible passwords! Even with decent brute-force login protection a trivial/re-used password still might get cracked.
#4 — Limit your plugins, delete what you don’t use.
Some of us just install plugins for every issue we run across in developing a site and never really look back. I know I’ve been guilty of this. Every new plugin is something that might introduce security issues, updating issues or incompatibility issues down the road. So think twice before installing that plugin: make sure you really need it, check out the reviews & don’t install stuff from sources you don’t know. Once you’re 100% done with a plugin, delete it. It might not be active in WordPress, but the files are still there on the server and could cause issues.
#5 — Update, update, update.
It’s kind of a pain, and it requires more intervention than we all would like, but better to spend the time proactively updating than cleaning up a big mess later. If you’ve got a lot of sites you’re managing, maybe try ManageWP? (read my review here)
There are a lot of great resources out there to get deeper into this subject; some sources for further reading:
Here’s hoping that in 2015 we spend more time working on our sites and less time cleaning up hacks!