Is WordPress Secure?

Last updated on August 12th, 2014 by Robert Abela. Filed under WordPress Security Readings

In the past few weeks a number of critical vulnerabilities were discovered in WordPress itself and in a number of popular WordPress plugins such as MailPoet and Custom Contact Forms.  Such vulnerabilities and security issues left millions of WordPress websites and blogs vulnerable, and lead the WordPress community to question the state of security of WordPress, again!

WordPress Community Questions WordPress Security

Is WordPress secure? Is the code of WordPress secure? Is everyone giving enough attention to WordPress security? Are the WordPress plugins and core developers writing secure code? WordPress security has been a hot topic in the WordPress community and will always be, mainly because the unfortunately most of the community members do not understand security, or the lifecycle of software.

Therefore before we start pointing fingers and raising false alarms and claims at how insecure WordPress is, first we should spare a minute or two to get to know more about  the development and life cycle of software and vulnerabilities, which apply to all type of software and not just WordPress.

Does Non WordPress Software Have Vulnerabilities?

Software vulnerabilities are discovered and reported in any type of software on a daily basis. According to the Common Vulnerabilities and Exposures database (CVE), in 2013 7,393 vulnerabilities were reported. That averages to around 20 vulnerabilities a day. Vulnerabilities were reported in Apache web server, Drupal, Joomla and several other web and non-web based software.

In 2014 so far 5,880 vulnerabilities have been reported. That averages to around 26 vulnerabilities a day. It is important to note that these statistics only account to the reported and documented vulnerabilities, since many of them are never disclosed as explained later on in this article.

Is All Software Vulnerable?

The above statistics would lead anyone to question the state of the security of all software. Technically speaking yes, all type of software can be vulnerable to a specific vulnerability at any point in time. Why? The reasons can be many and as such there is no answer. If we knew the answer then there wouldn’t be any vulnerable software.

Though as the statistics highlight, it is not just WordPress, or WordPress plugins and themes that have vulnerabilities. Several other software has vulnerabilities, including some of the most stable, such as Apache. Though since WordPress is popular, and powers around 20% of the web then when vulnerabilities are discovered in WordPress the media makes a fuss about it and drives the community crazy.

What Happens When a Vulnerability is discovered?

When someone discovers a vulnerability in a particular software, he or she typically contacts the software vendor or developer and discloses all the details including a proof of concept. Once a patch or update is released and available to the public, the person who discovered the vulnerability publishes an advisory; a technical document which includes all the details about the vulnerability.

As always there are the exceptions to the rules. There have been cases were the vulnerability details were published before contacting the vendor, or before the vendor releases a fix. There have also been cases where the vulnerability is never disclosed and those who know about it exploit it in the wild.

How Can I Ensure My WordPress and Other Software Do not Have Vulnerabilities?

This is a very common question many people would ask and the security community has answered this over and over again. Always keep your software up to date; ensure you always run the latest and most secure version of the software you are using, be it WordPress, Apache, MySQL, FTP client and anything else.

What is a Zero Day Vulnerability?

Most probably you have heard the term zero day exploit, or zero day vulnerability. As the name implies, zero day exploits are attacks that exploit a previously unknown software vulnerability. For example as explained above, someone discovers a vulnerability and instead of disclosing its details to the developer so a patch is released, he or she exploits the vulnerability to hack into networks, websites etc.

Is there a way how to protect yourself from zero day vulnerabilities? Unfortunately there is not much one can do apart from limiting access to the vulnerable software until the developer releases a patch.

Is WordPress Secure?

As the statistics above highlight, software vulnerabilities are discovered on a daily basis in any type of software. The questions one should ask before using a particular software, is not just how secure the software is, but how many vulnerabilities have been discovered in the past for such software and how did the developer, or vendor react when such vulnerabilities were identified.

Was the developer proactive and issued fixes as soon as possible? Does the software in question has a bad security reputation, i.e. a lot of vulnerabilities have been reported or it only had a few?

WordPress is Secure

When you look at these statistics you will notice that WordPress developers have always addressed reported security issues on time and WordPress itself did not have a lot of vulnerabilities. There have been cases where plugin developers didn’t fix security issues reported in their plugins, or didn’t handle such reports correctly but overall things look very promising. If you do not want to be a victim of such plugins, follow the guide on how to choose the Best Plugin for your WordPress when choosing your next plugin.

The Weakest Link in WordPress Security

At this stage we can conclude that almost all the software you use might be vulnerable to a specific vulnerability some time or the other. Hence it is important to always run the latest version of the software you are using and to always install the latest security patches to ensure you run non vulnerable software.

Though unfortunately even though WordPress security professionals constantly preach about the importance of running the latest version of the software you are using, many WordPress websites and blogs still get hacked on a daily basis, and many more get hacked when such vulnerabilities are disclosed. Ever wondered why?

The answer is simple; WordPress users do not keep their WordPress, WordPress plugins and themes up to date. According to the statistics we published some time ago, more than 70% of WordPress sites are vulnerable to hacker attacks simply because they run an old and vulnerable version of WordPress. Therefore the problem is not WordPress as such, or the plugins, but most of the users.

And this answers the WordPress community dilemma; Is WordPress secure?

WordPress Hosting, Firewall and Backup

WP White Security is hosted on A2 Hosting, protected with BBQ:Block Bad Queries Firewall and backed up with BlogVault online WordPress backup service

2 comments

Tony Payne 10/08/2014

Excellent article Robert. The key as with every site is to make sure that you have good backups. WordPress is of course targeted because there are so many sites running it and the majority are unsecured. I learned my lesson the hard way, but now trust that my sites are better prepared to meet the hackers and to defeat them.

Robert Abela 11/08/2014

Hi Tony,

Thanks for the compliment. Yes backup is a very good safety net, though it is not enough. I mean you should not just depend on backups. There are many other things you can do to improve the security of your WordPress and you should do them to ensure that you will never need to restore the backup 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *