OWASP & WordPress – Improving WordPress Security With OWASP Top 10

Last updated on September 06th, 2018 by Robert Abela. Filed under WordPress Security Tutorials

WordPress security can be an intimidating subject for those who are new to WordPress, or to running a website at all. The good news is that well-known guidelines such as the OWASP Top 10 list give businesses a structured way to get started with WordPress security.


This article explains what the OWASP Top 10 list is and how WordPress website owners and administrators can use it to run an OWASP Top 10 compliant WordPress website.

What is the OWASP Top 10 List?

The OWASP Top 10 is a list of the ten most critical web application security risks, published by the Open Web Application Security Project (OWASP). It is not a compliance standard per se, but many organizations use it as a guideline. The first list was published in 2003, and an updated version is published every few years.

What are the OWASP Top 10 security risks?

The most recent OWASP Top 10 list was published in 2017. The security risks in it are:

A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-site Scripting (XSS)
A8: Insecure Deserialization
A9: Using components with known vulnerabilities
A10: Insufficient logging & monitoring

Applying OWASP Top 10 Security on your WordPress

This section explains what you need to do to address each of the OWASP Top 10 risks on your WordPress website.

Addressing A1: Injection in WordPress

Injection is a technical application vulnerability. SQL injection, the variant that matters most for WordPress, happens when untrusted input (a URL parameter, a form field, a cookie) is placed directly into a database query instead of being bound as a parameter or escaped. By exploiting it, malicious hackers can read or modify data in the WordPress database, including user accounts and password hashes.

When an injection vulnerability is identified in WordPress core, a fix is typically available within a few days. The same applies to WordPress plugins, which is why it is important to always use well maintained plugins from responsive developers.

As a site administrator, the most effective thing you can do against this type of vulnerability is to keep WordPress core, plugins and themes up to date and install all security patches as soon as they are released. If you write or commission plugin code, every query that includes user input should go through $wpdb->prepare() rather than string concatenation.
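The following is an added example, not code from the original article or from WP White Security, showing the same lookup written the unsafe way and the safe way. It assumes it runs inside WordPress (for example in a plugin file), so the global $wpdb object is available; the demo_orders table, its columns and the function names are hypothetical.

```php
<?php
// Added example (not from the article). Assumes WordPress is loaded, so
// $wpdb is the global database object. Table and column names are hypothetical.

// VULNERABLE: the request parameter is concatenated straight into the query.
// A request such as ?order_ref=x' OR '1'='1 returns every row in the table.
function demo_get_order_unsafe() {
    global $wpdb;
    $ref = isset( $_GET['order_ref'] ) ? $_GET['order_ref'] : '';
    $sql = "SELECT * FROM {$wpdb->prefix}demo_orders WHERE order_ref = '" . $ref . "'";
    return $wpdb->get_row( $sql );
}

// SAFE: the value is bound through $wpdb->prepare(), which escapes and quotes
// it for the %s placeholder, so quotes in the input cannot change the query
// structure. Only the value is variable, never the SQL text.
function demo_get_order_safe() {
    global $wpdb;
    $ref = isset( $_GET['order_ref'] ) ? sanitize_text_field( wp_unslash( $_GET['order_ref'] ) ) : '';
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_orders WHERE order_ref = %s",
        $ref
    );
    return $wpdb->get_row( $sql );
}

// Integers get %d. LIKE patterns must additionally go through esc_like(),
// otherwise '%' and '_' in the input act as wildcards even with prepare().
function demo_search_orders_by_customer( $customer_id, $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_orders WHERE customer_id = %d AND note LIKE %s",
        $customer_id,
        $like
    ) );
}
```

The sanitize_text_field() call in the safe version is input validation, not injection protection: the protection comes from prepare() binding the value, which works regardless of what the input contains.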

Addressing A2: Broken Authentication in WordPress

Similar to the above, these are technical vulnerabilities caused by weak or broken design of the application's login, session and password-handling logic, for example missing brute-force protection or a password reset flow that can be bypassed. Attackers exploit broken authentication to take over accounts and access sensitive data.

These types of issues can only be fixed by the developers of the affected code. As long as you use the latest version of WordPress core and of maintained plugins, your WordPress website should not be exposed to known issues of this kind.

Since we are talking about authentication, it is also worth reminding you to enforce strong passwords and implement two-factor authentication on your WordPress website. If you are not sure which plugin to use, here is a list of some of the best two-factor authentication WordPress plugins.

Addressing A3: Sensitive Data Exposure in WordPress

Sensitive data exposure has become quite an issue. Data breaches feature in web security news almost daily, and GDPR and other regulatory compliance requirements place a strong emphasis on the need to properly handle and store sensitive and personal data.

According to GDPR, personal data is any data relating to an identifiable person. It could be the names of your customers, their billing details and cardholder data in the case of an ecommerce website, bank account details in the case of financial services, or medical history in the case of healthcare. Note that even though an IP address can be classified as personal data, you can still keep a WordPress activity log, which allows you to keep track of everything that is happening on your websites, provided you have a lawful basis for keeping it and a defined retention period.

To ensure your WordPress website is compliant, if you store sensitive data on it make sure that only the users who need that data can access it, and that the data is encrypted at rest and in transit. Always use WordPress users, roles and capabilities to manage users' privileges and restrict access to sensitive data.

Should you store sensitive data on your WordPress website?

There is no definitive answer. It all depends on the setup and resources. Small businesses, though, are typically better off storing such data with a specialised third-party provider.

For example, in the case of an eCommerce store it is much easier to use payment services such as Stripe or PayPal to handle and store cardholder data: they already have the infrastructure and PCI DSS compliance in place, and the card numbers never touch your WordPress database. The same applies to email addresses and newsletter lists. Use a service such as Mailchimp so that the data is stored on their servers and not on your WordPress website.

Addressing A4: XML External Entities (XXE) in WordPress

This is a technical software vulnerability caused by unsafe processing of XML documents: a parser that resolves external entities lets whoever controls the XML read local files from the server or make it issue requests on their behalf. An out of the box WordPress install does little with XML from untrusted sources, though plugins that import feeds, sitemaps or other XML data might.

To ensure your WordPress website is not exposed to this type of vulnerability, use the latest version of WordPress core, plugins and other software. Always use plugins that are maintained, and consider replacing any plugin that has not been updated in more than a year.
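For plugin developers, the following is an added example, not code from the original article or from any WordPress project, of how to parse XML from an untrusted source without resolving entities. It is plain PHP and runs stand-alone; the XML document is constructed for the demo and carries the classic external-entity payload.

```php
<?php
// Added example (not from the article). Pure PHP, no WordPress needed.
// Constructed input: an import file that declares an external entity
// pointing at /etc/passwd, which a naive parser would expand into <title>.
$untrusted_xml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE import [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<import><title>&xxe;</title></import>
XML;

// Parse untrusted XML without resolving entities or touching the network.
// Returns the DOMDocument, or null when the document is rejected.
function demo_parse_xml_safely( string $xml ): ?DOMDocument {
    // Refuse any document that carries a DOCTYPE at all: the internal subset
    // is where external entities (and "billion laughs" expansions) are
    // declared, and a data import never needs one.
    if ( preg_match( '/<!DOCTYPE/i', $xml ) ) {
        return null;
    }
    // PHP < 8.0 (libxml < 2.9) still loads external entities by default;
    // PHP 8 disables that and deprecates the function, hence the guard.
    if ( PHP_VERSION_ID < 80000 ) {
        libxml_disable_entity_loader( true );
    }
    $prev = libxml_use_internal_errors( true );
    $doc  = new DOMDocument();
    // LIBXML_NONET forbids network access during the parse. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    $ok = $doc->loadXML( $xml, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    return $ok ? $doc : null;
}

$doc = demo_parse_xml_safely( $untrusted_xml );
echo $doc === null ? "rejected: DOCTYPE present\n" : "parsed\n";

// A document without a DOCTYPE parses normally.
$clean = demo_parse_xml_safely( '<import><title>Monthly report</title></import>' );
echo $clean->getElementsByTagName( 'title' )->item( 0 )->textContent, "\n";
```

Rejecting the DOCTYPE outright is the simplest defence: it removes the whole class of entity tricks rather than trying to enumerate them, and it is compatible with every PHP version a WordPress site is likely to run.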

Addressing A5: Broken Access Control in WordPress

This is a technical application vulnerability. It occurs when the application does not enforce the necessary restrictions on what an authenticated user is allowed to do, for example when a Subscriber can call an administrator-only action, or can view another customer's record simply by changing an ID in the URL. Attackers who exploit such vulnerabilities can access or modify data they should never be able to reach.

Since this is a technical vulnerability it can only be addressed by the software developers. To ensure your website is not exposed, keep WordPress core, plugins and any other software you use up to date, and review user roles regularly so that nobody holds more privileges than they need.
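The following is an added example, not code from the original article or from WP White Security, of what enforcing access control looks like in plugin code; it also shows the role and capability checks the Sensitive Data Exposure section above asks for. It assumes it runs inside WordPress as a plugin; the action name, option name and function names are hypothetical.

```php
<?php
// Added example (not from the article). Assumes WordPress is loaded.
// Action, option and function names are hypothetical.

// VULNERABLE: any logged-in user, even a Subscriber, can POST to
// admin-ajax.php?action=demo_export_customers_unsafe and receive the data,
// because wp_ajax_* only guarantees that *someone* is logged in.
add_action( 'wp_ajax_demo_export_customers_unsafe', function () {
    wp_send_json( get_option( 'demo_customer_records', array() ) );
} );

// SAFE: first verify the nonce (the request really came from our admin page,
// not from a CSRF link), then the capability (this user may actually do this).
add_action( 'wp_ajax_demo_export_customers', function () {
    check_ajax_referer( 'demo_export_customers', 'nonce' );   // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json( get_option( 'demo_customer_records', array() ) );
} );

// Per-object checks matter too: "logged in", or even "is an Editor", does not
// mean "may read *this* record". Rule here: the owning customer, or an admin.
function demo_user_may_view_order( int $viewer_id, array $order ): bool {
    if ( user_can( $viewer_id, 'manage_options' ) ) {
        return true;
    }
    return isset( $order['customer_user_id'] )
        && (int) $order['customer_user_id'] === $viewer_id;
}

// Where the nonce comes from: emit it into the admin page that issues the
// AJAX request, so the browser can send it back as the 'nonce' field.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'demoExport', array(
        'nonce' => wp_create_nonce( 'demo_export_customers' ),
    ) );
} );
```

The nonce and the capability check answer two different questions (was this request intended, and is this user allowed), so neither replaces the other.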

Addressing A6: Security Misconfiguration in WordPress Websites

Security misconfigurations are very common in WordPress websites. Most hacked WordPress websites are either unpatched or running some sort of default. In the last few years the WordPress core team has done a lot to help users address such issues. For example, WordPress no longer creates an administrator account named "admin" by default, a default that was the culprit of many WordPress hacks.

To ensure your WordPress website has no security misconfigurations, change all the defaults. This applies to WordPress, plugins and any other software and device you use. For example, if a plugin ships with default credentials, does not password-protect sensitive data, or stores it in a predictable default location, configure strong authentication and change the default paths. The same applies to the devices you use to manage your site, including your home router, which typically ships with default credentials.
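The following is an added example, not from the original article, of wp-config.php settings that replace WordPress defaults an attacker relies on, each shown next to the default it overrides. The table prefix value is a placeholder; the constants are WordPress's own.

```php
<?php
// Added example (not from the article): hardening lines for wp-config.php.
// The prefix value is a placeholder; everything else is a standard WP constant.

// Default: $table_prefix = 'wp_';
// Every install shares it, so injection tooling can guess wp_users and wp_options.
// Set it at install time; changing it later means renaming the tables as well.
$table_prefix = 'k7q3_';

// Default: the theme and plugin file editor is enabled in the dashboard.
// With it, a stolen administrator session can write PHP to disk from the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Default is off, but sites copied from a development environment often keep
// debugging on, which prints file paths and query fragments to every visitor.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

// Default: the login page and dashboard use whatever scheme the site URL uses.
// Force HTTPS for both so the authentication cookie never travels in clear text
// (requires a working TLS certificate on the site).
define( 'FORCE_SSL_ADMIN', true );

// Default in the sample config: AUTH_KEY and the other keys and salts are the
// literal string 'put your unique phrase here'. Known or shared salts make
// authentication cookies forgeable. Paste a fresh set generated at
// https://api.wordpress.org/secret-key/1.1/salt/ and never reuse another site's.
```

These lines belong above the "That's all, stop editing!" marker in wp-config.php, and the file itself should not be readable by other accounts on a shared server.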

Addressing A7: Cross-site Scripting (XSS) in WordPress

Cross-site Scripting, also known as XSS, is a technical application vulnerability. It is caused by outputting untrusted data into a page without validating and escaping it, which lets an attacker inject their own JavaScript. When a malicious attacker exploits a cross-site scripting vulnerability, that script runs in the browser of whoever views the page; against a logged-in user it can read session data and perform actions as that user, such as creating a new administrator account. Stored XSS in the WordPress dashboard is particularly dangerous because the victim is usually an administrator.

When a cross-site scripting vulnerability is identified in WordPress core or a plugin, a fix is typically available within a few days. So to ensure your WordPress core, plugins and themes are not exposed to this type of vulnerability, always use the latest version of the software and only use maintained plugins.
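For plugin and theme developers, the following is an added example, not code from the original article or from WP White Security, of a shortcode that is vulnerable to XSS next to the escaped version. It assumes it runs inside WordPress; the shortcode names and attribute are hypothetical.

```php
<?php
// Added example (not from the article). Assumes WordPress is loaded.
// Shortcode and attribute names are hypothetical.

// VULNERABLE: both values reach the page unescaped. A visit to
//   ?name=<script>alert(document.cookie)</script>
// runs the script for whoever loads the page, and a link attribute of
//   " onmouseover="...
// breaks out of the quoted href attribute.
add_shortcode( 'demo_greeting_unsafe', function ( $atts ) {
    $atts = shortcode_atts( array( 'link' => '' ), $atts );
    $name = isset( $_GET['name'] ) ? $_GET['name'] : 'visitor';
    return '<div class="greeting"><a href="' . $atts['link'] . '">Hello, ' . $name . '</a></div>';
} );

// SAFE: escape on output, using the function that matches the context.
//   esc_html()  for text between tags
//   esc_attr()  for values inside double-quoted attributes
//   esc_url()   for href/src, which also rejects javascript: URLs
add_shortcode( 'demo_greeting', function ( $atts ) {
    $atts = shortcode_atts( array( 'link' => '' ), $atts );
    $name = isset( $_GET['name'] ) ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) : 'visitor';
    return sprintf(
        '<div class="greeting"><a href="%s" title="%s">Hello, %s</a></div>',
        esc_url( $atts['link'] ),
        esc_attr( $name ),
        esc_html( $name )
    );
} );

// Content that legitimately contains markup (for example a user-written bio)
// goes through wp_kses_post(), which keeps the allowed tags and strips
// <script>, on* event handlers and similar.
function demo_render_bio( string $bio_html ): string {
    return '<div class="bio">' . wp_kses_post( $bio_html ) . '</div>';
}
```

Escaping is done at output time and per context: the same $name value is escaped differently for the title attribute and for the element text, and a value that is safe in one context is not automatically safe in another.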

Addressing A8: Insecure Deserialization in WordPress

Insecure Deserialization is a technical application vulnerability. It occurs when the application deserializes data from an untrusted source, such as a cookie or a request parameter, without first verifying its integrity. In PHP, calling unserialize() on attacker-controlled input can instantiate arbitrary classes and trigger their magic methods, which can lead to file manipulation or remote code execution.

When a vulnerability of this type is identified in WordPress core or a plugin, a fix is typically available within a few days. So to ensure your WordPress core, plugins and themes are not exposed to this type of vulnerability, always use the latest version of the software.
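The following is an added example, not code from the original article, that shows the PHP unserialize() problem also raised in the comments below: a class with a dangerous magic method, the constructed serialized string that reaches it, and two levels of defence. It is plain PHP and runs stand-alone; the class, the serialized payload and the secret are constructed for the demo.

```php
<?php
// Added example (not from the article). Pure PHP, runs stand-alone.
// A class that does something in a magic method is the "gadget" an attacker
// needs; the serialized string below is constructed to instantiate it.

class DemoCacheFile {
    public $path;
    public function __destruct() {
        // A real gadget might delete a file, write a web shell or run a
        // command. Here it only reports that attacker-chosen code ran.
        echo "destructor ran for {$this->path}\n";
    }
}

// Attacker-controlled input, e.g. the value of a cookie or a hidden form field.
$untrusted = 'O:13:"DemoCacheFile":1:{s:4:"path";s:16:"/var/www/wp.conf";}';

// VULNERABLE: unserialize() instantiates whatever class the string names,
// and PHP calls its __wakeup()/__destruct() as a side effect.
function demo_unserialize_unsafe( string $data ) {
    return unserialize( $data );
}

// SAFER: allowed_classes => false turns any object into __PHP_Incomplete_Class,
// whose magic methods are never invoked. The attacker still controls the
// values, so this is only step one.
function demo_unserialize_no_objects( string $data ) {
    return unserialize( $data, array( 'allowed_classes' => false ) );
}

// SAFE: never deserialize data you did not sign. Authenticate the blob with an
// HMAC under a server-side secret (placeholder below) and compare in constant
// time before unserialize() sees it at all.
const DEMO_SECRET = 'placeholder-replace-with-a-random-secret';

function demo_seal( $value ): string {
    $payload = serialize( $value );
    return hash_hmac( 'sha256', $payload, DEMO_SECRET ) . '.' . base64_encode( $payload );
}

function demo_open( string $sealed ) {
    $parts = explode( '.', $sealed, 2 );
    if ( count( $parts ) !== 2 ) {
        return null;
    }
    $payload = base64_decode( $parts[1], true );
    if ( $payload === false || ! hash_equals( hash_hmac( 'sha256', $payload, DEMO_SECRET ), $parts[0] ) ) {
        return null;   // tampered or forged: refuse without deserializing
    }
    return unserialize( $payload, array( 'allowed_classes' => false ) );
}

$obj = demo_unserialize_unsafe( $untrusted );   // a real DemoCacheFile object...
unset( $obj );                                   // ...whose destructor now runs

$inert = demo_unserialize_no_objects( $untrusted );
echo get_class( $inert ), "\n";                  // the incomplete-class placeholder

$sealed = demo_seal( array( 'user' => 42, 'role' => 'subscriber' ) );
var_dump( demo_open( $sealed )['role'] );        // the original value
var_dump( demo_open( $sealed . 'x' ) );          // signature mismatch, so null
```

If the data only ever needs to be a plain array or scalar, json_encode()/json_decode() avoids object instantiation altogether and is the better choice for anything that crosses a trust boundary.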

Addressing A9: Using Components with Known Vulnerabilities on a WordPress Website

Not using software and web applications that have known vulnerabilities might sound obvious. Unfortunately it isn't. The WordPress project has done a lot in this regard: WordPress core has automatic updates, and the plugins repository flags plugins that have not been updated for a while.

However, it is not always easy for businesses to run the latest and most secure version of a piece of software. Many use legacy software and web applications that are not compatible with the latest version of WordPress or of other plugins, so they are stuck on old and vulnerable versions of WordPress and plugins. In such cases, contact the developers and ask them to update the code; until that happens, treat the legacy component as a known risk and plan its replacement.

To ensure your website is compliant, this goes without saying: always use the latest version of WordPress core and plugins. It is also important to deactivate and uninstall any unused plugins, scripts and themes from your website, since an inactive plugin with a vulnerability is still code on your server. For example, many do not delete the default themes and plugins WordPress ships with. If you are not using them, delete them.

This applies to new software as well: when looking for a new plugin always research it. Read our guide on how to choose a WordPress plugin for more information on what you should do when looking for a new WordPress plugin.

Addressing A10: Insufficient Logging & Monitoring on WordPress

Logging and monitoring are vital for the security of your WordPress website or multisite network: without a record of who did what and when, a breach can go unnoticed for months and cannot be reconstructed afterwards. A WordPress activity log also helps you manage the website better, identify suspicious behaviour before it becomes a problem, keep track of user activity and much more. Learn more about the benefits of keeping a WordPress activity log (audit log).

The WordPress Activity Log


To ensure your WordPress website is compliant, install WP Security Audit Log, the most comprehensive WordPress activity log plugin. It keeps a record of everything that happens on your WordPress website or multisite network in an activity log. Refer to addressing insufficient logging with a WordPress activity log plugin for more detailed information on how to address this part of the OWASP Top 10 list.
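To make concrete what an activity log has to capture, the following is an added example, not code from the original article and not part of the plugin it recommends: a minimal log written with WordPress's own hooks. It assumes WordPress is loaded (for example as an mu-plugin); the log file location and function names are assumptions.

```php
<?php
// Added example (not from the article). Assumes WordPress is loaded.
// The log path is an assumption: in practice write outside the web root or
// to syslog, otherwise the log itself is readable over HTTP.

function demo_log_event( string $event, array $fields ): void {
    $fields = array_merge( array(
        'ts'    => gmdate( 'c' ),
        'ip'    => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        'user'  => get_current_user_id(),
        'event' => $event,
    ), $fields );
    // One JSON object per line: easy to grep and to ship to a SIEM.
    error_log( wp_json_encode( $fields ) . PHP_EOL, 3, WP_CONTENT_DIR . '/demo-activity.log' );
}

// Failed logins: the raw material for spotting brute-force attempts.
add_action( 'wp_login_failed', function ( $username ) {
    demo_log_event( 'login_failed', array( 'username' => $username ) );
} );

// Successful logins: paired with the above, a success after many failures
// from the same address is the signature of a guessed password.
add_action( 'wp_login', function ( $user_login, $user ) {
    demo_log_event( 'login_ok', array( 'username' => $user_login, 'user' => $user->ID ) );
}, 10, 2 );

// Privilege changes: a Subscriber quietly becoming an Administrator is one of
// the first things a compromise looks like.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    demo_log_event( 'role_changed', array(
        'target'    => $user_id,
        'new_role'  => $role,
        'old_roles' => $old_roles,
    ) );
}, 10, 3 );

// Plugin activation and deactivation: attackers install backdoors as plugins
// and switch security plugins off.
add_action( 'activated_plugin', function ( $plugin ) {
    demo_log_event( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    demo_log_event( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );
```

Whatever produces the log, the point of the A10 risk is the second half of its name: a log nobody reads or alerts on does not shorten the time to detection.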

Building an OWASP Compliant WordPress Website with OWASP Top 10

WordPress security can be complex, especially in large setups. Getting started and covering the basics, though, is not that difficult, as this article highlights. You can have an OWASP Top 10 compliant WordPress website by taking care of the basics covered above: keep WordPress core, plugins and themes up to date; use only maintained plugins and remove unused ones; change every default; restrict access with roles, capabilities and two-factor authentication; keep sensitive data out of WordPress where a specialised provider can hold it; and keep an activity log.

Boost the security of your WordPress website by using this OWASP Top 10 list as a guide. Refer to the official OWASP Top 10 page for more detailed information.


3 comments

Voja 22/08/2018

Although it seems obscure, A8 is a big issue in WP. There was a great workshop on the subject at WCEU '18 by https://2018.europe.wordcamp.org/speaker/robert-rowley/ . Basically, it's a PHP issue http://php.net/manual/en/function.unserialize.php that is usually overlooked by plugin developers.

Robert Abela 06/09/2018

Thanks for sharing the links @Voja. You are right, it is indeed a big issue, but for non-developers and WordPress site admins there isn't much they can do: as long as they keep their software up to date they should be covered, if the developer fixes all reported issues.

Nikita 07/09/2018

Thanks for the information, I didn't know about OWASP. I always find your posts full of new information. Thanks for sharing.
