WordPress is a Security Mess

By WordPress, I mean everything written for WP, not just the core software. Honestly, with a little configuration with security in mind, WP Core is rather solid (security-wise). However, I have a client that wanted a specific "feature" on their website, and they found and installed a seemingly good plugin to add the desired functionality. Only 3 days later their website had been compromised. We started fresh, installed everything again, and double-checked all the configurations. In just a day, it had been attacked and compromised again. How is this possible?

Is it the hosting configuration?

I am going to say no. We have a very strict permissions model, and our nginx configuration refuses to execute files anywhere under the wp-content folders. That stops an attacker from uploading a script and then browsing to it, which would otherwise give them the ability to run arbitrary code on your website. The site also runs as a tightly restricted user, chrooted into its home directory.

If a site is somehow compromised on this configuration, it is not able to infect other sites which are hosted on the same machine.

Determining the Security Hole.

I looked through all of the files for this website and catalogued the infected files, also saving them for a WP Shield project I am working on, which aims to detect and stop attacks on WordPress websites. But the real problem here is a poorly written plugin or theme. 😕

By using a random plugin which adds the client's needed feature, you could be incurring additional risk. Many of these plugins are written by a novice coder who is hoping to make money by churning out plugins. They create a plugin with potentially hundreds of PHP files, each of which might introduce several security holes. Usually these are introduced by allowing users to upload files outside of the standard wp-content/uploads location. Maybe they have a folder in the plugin's directory for tmp_uploads which is not covered by the nginx exclusion rules.
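An added illustration of the exclusion rule from the hosting section and of the gap just described: it contrasts a rule that only covers wp-content/uploads with one that refuses to execute PHP anywhere under wp-content. This is example configuration written for this article's point, not the author's or any host's actual config; the document root and the php-fpm socket path are assumptions.

```nginx
server {
    # listen, server_name and logging omitted; root is an assumed path
    root /var/www/example/public;
    index index.php;

    # Weak rule, shown for contrast: it covers only the standard upload
    # directory, so a plugin that writes into its own tmp_uploads/ folder
    # under wp-content/plugins/<plugin>/ is still served as executable PHP.
    # location ~* ^/wp-content/uploads/.*\.php(/|$) { deny all; }

    # Hardened rule: refuse to execute PHP anywhere under wp-content, which
    # covers uploads, plugins, themes and any ad-hoc directory a plugin makes.
    # The (/|$) also matches requests that append path info after the .php
    # name. Regex locations are tried in order, so this block must come
    # before the generic PHP handler below or the handler would win.
    location ~* ^/wp-content/.*\.(php|phtml|phar)(/|$) {
        deny all;
    }

    # Generic PHP handler for the remaining core entry points.
    location ~ \.php$ {
        try_files $uri =404;   # never hand a non-existent script to php-fpm
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Plugins that expect direct requests to their own PHP files will stop working under the hardened rule; that is the trade-off the hosting setup above accepts in return for no executable uploads.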

WordPress is so Popular, how can it be so bad?

The world 🌎 runs on WP (or so it might seem), and with this comes the attention of hackers. This is the same logic behind the seemingly insecure Windows OS. It may be that Windows is just as vulnerable as Mac OS X or Linux; each simply offers a different size of reward if it is hacked. WordPress is so popular that its popularity itself brings the attention of hackers.

How Do We FIX WordPress Security?

I tell each of my WordPress clients nearly the same thing. WordPress makes it cheaper to gain the features their business needs. This comes with the above mentioned security concerns. The only way to limit this is to use a security-hardened hosting provider and only plugins which are well written and have been tested for their security.

Any time my clients ask for some random plugin, I inform them of the potential risks, and I also recommend that they have the plugin audited for potential vulnerabilities, or I recommend a similar plugin which is developed by a reputable developer or team.

The Absolute Best Way To Decrease Risk Exposure!

The risk exposure comes from the combination of the ease of the hack, the potential reward, and the re-usability of the attack on additional companies. In many cases the attackers will create a bot which tries every known attack on the software you are running your website with. Here are some of my thoughts:

  • Entirely bespoke web software, while introducing potential security holes of its own, reduces the other variables in the attacker's decision to attack your site. This will reduce the potential of a hack by a bot, since your site likely does not contain the same vulnerabilities as the popular software.
  • When running a WordPress site, limit your risk by minimizing the plugins you have installed. Simply deactivating them does not give you the same security as completely removing them. If you must have plugins, try to keep them to well written, small code-size plugins, preferably written by reputable developers.
  • Try using more security-oriented web software. There are hundreds if not thousands of CMS systems, many of which are small targets due to their small user base.
  • Finally, running a native, compiled CMS (bespoke or not) increases your security by more than any other single factor. With this method, there can be absolutely no arbitrary code execution, since your site is compiled to native code and executed. To achieve this, I usually recommend website software custom made in Go (offering rapid development at a high level, with deployment and execution as machine code).

What should you do to reduce your risk?

While I can't give you advice here in this article that pertains to your unique needs and situation, I can say: do whatever you are able to, to reduce your risk exposure. This could be by utilizing any one of the ideas above, or simply by understanding what increases your risk. In the security industry I believe this is called reducing your threat vectors.

If you are interested in consulting for Information Technology, Digital Marketing, Systems Integrations, or Business Process Development and Business Systems, head over to my consulting website: https://lessdigital.co/