WordPress security can be an intimidating subject to those who are new to WordPress and to running a website. However, with guidelines and standards such as the OWASP Top 10 list, businesses can easily get started with WordPress security.
This article explains what the OWASP Top 10 list is. It also explains how WordPress site administrators can have an OWASP Top 10 compliant WordPress website.
What is the OWASP Top 10 List?
The OWASP Top 10 is a list of the 10 most critical web application security risks. As such, it is not a compliance standard per se, but many organizations use it as a guideline. The Open Web Application Security Project (OWASP) published the first list in 2003, and it now releases an updated list every three years.
Which are the OWASP Top 10 vulnerabilities and security risks?
OWASP published the most recent OWASP Top 10 list in 2017. These are the security risks it lists:
- A1: Injection
- A2: Broken Authentication
- A3: Sensitive Data Exposure
- A4: XML External Entities
- A5: Broken Access Control
- A6: Security Misconfiguration
- A7: Cross-site Scripting (XSS)
- A8: Insecure Deserialization
- A9: Using Components with Known Vulnerabilities
- A10: Insufficient Logging & Monitoring
Applying OWASP Top 10 Security on your WordPress
This section explains what you need to do to ensure your WordPress website is not vulnerable to any of the OWASP Top 10 vulnerabilities and security flaws.
Addressing A1: Injection in WordPress
SQL injection is a technical application vulnerability, typically caused by a lack of sanitization of user input. By exploiting it, malicious hackers can gain access to the data in the WordPress database.
The WordPress core team typically fixes injection vulnerabilities within a few days, and the same applies to most WordPress plugin developers. This is why it is important to always use well-maintained plugins from responsive developers.
The only way to ensure your WordPress core, plugins and themes are not vulnerable to this type of vulnerability is to keep all your software up to date. Always install the security patches developers release.
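To show what "lack of sanitization" looks like in plugin code, here is an added example that is not from the article or any real plugin: a hypothetical shortcode that lists posts by an author ID taken from the query string, first with the injection flaw and then fixed with `$wpdb->prepare()`. The function names and the `author_posts` shortcode are assumptions.

```php
<?php
// Added example, not from the article. Hypothetical plugin code; the function and
// shortcode names are invented for illustration.

// BEFORE: the raw request value is concatenated into the SQL text, so a crafted
// value changes the meaning of the statement instead of being treated as data.
function myplugin_author_posts_vulnerable() {
    global $wpdb;
    $author = $_GET['author'];
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_author = $author AND post_status = 'publish'"
    );
}

// AFTER: coerce the input to the type the query expects (absint() yields a
// non-negative integer) and bind it through $wpdb->prepare(), which formats the
// value for the %d placeholder so it can only ever be a number.
function myplugin_author_posts_fixed() {
    global $wpdb;
    $author = isset( $_GET['author'] ) ? absint( $_GET['author'] ) : 0;
    if ( 0 === $author ) {
        return array();
    }
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_author = %d AND post_status = 'publish'",
            $author
        )
    );
}

// Render the list; esc_html() keeps the titles from becoming an output-escaping hole.
function myplugin_author_posts_shortcode() {
    $out = '<ul>';
    foreach ( myplugin_author_posts_fixed() as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'author_posts', 'myplugin_author_posts_shortcode' );
```

When reviewing a plugin you are about to install, a `$wpdb->query()` or `get_results()` call whose SQL is built with string concatenation of request data is exactly the pattern the fixed version replaces.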
Addressing A2: Broken Authentication in WordPress
This type of security flaw is also a technical vulnerability. Such vulnerabilities result from a broken design of the web application and a lack of planning. Attackers can exploit broken authentication issues to access sensitive data.
Only developers can address these issues. As long as you use the latest version of WordPress core and plugins, your website will not be prone to such vulnerabilities, assuming of course that you always use well-maintained plugins.
Since we are talking about authentication, it is worth reminding you to implement two-factor authentication on your WordPress website. If you are not sure which plugin to use, here is a list of some of the best two-factor authentication WordPress plugins.
Addressing A3: Sensitive Data Exposure in WordPress
Sensitive data exposure has become quite an issue. Data breaches feature in web security news almost daily. In fact, GDPR and other regulatory compliance requirements place a big emphasis on the need to properly handle and store sensitive and personal data.
According to GDPR, sensitive and personal data is any data related to an identifiable user. It could be your customers' names, their billing details and cardholder data in the case of an ecommerce website. In the case of financial services it could also be bank account details, or in healthcare, medical history. Note that even though an IP address can be classified as sensitive data, you can still keep a WordPress activity log, which allows you to keep track of everything that is happening on your websites.
To ensure your WordPress website is compliant, if you store sensitive data on it make sure that only the users who need to use that data have access to it, and of course, that the data is encrypted. Always use WordPress users and roles to manage users' privileges and access to sensitive data.
Should you store sensitive data on your WordPress website?
There is no definitive answer; it all depends on your setup and resources. Though small businesses would typically be better off storing data with a third-party provider.
For example, in the case of an e-commerce store it is much easier to use payment systems such as Stripe or PayPal to handle and store cardholder data, since they already have the infrastructure in place. Refer to our guide on e-commerce security for WordPress administrators for more information on how to keep and run a secure e-commerce site.
The same applies to customers' email addresses and newsletter lists. Ideally you should not store such data on your website. Use a third-party service such as Mailchimp to store the data on a more secure and reliable infrastructure, rather than on your WordPress website.
Addressing A4: XML External Entities (XXE) in WordPress
This is a technical software vulnerability that occurs when the application incorrectly handles XML files and data. An out-of-the-box WordPress install does not deal much with remote XML files, though you might use plugins that do.
To ensure your WordPress website is not vulnerable to this type of vulnerability, use the latest version of WordPress core, plugins and other software. Always use plugins that are maintained, and consider replacing any plugin you use that has not been updated in more than a year.
Addressing A5: Broken Access Control in WordPress
This is a technical application vulnerability that occurs when the application does not enforce the necessary restrictions on authenticated users. When attackers exploit such vulnerabilities they can access sensitive data.
Only developers can fix this type of issue. To ensure your website is not vulnerable, keep your WordPress core, plugins and any other software you use on your website up to date.
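As an added example (not from the article or any real plugin) of what "restrictions on authenticated users" means in WordPress terms, here is a hypothetical admin-ajax handler that deletes a post, first relying only on the fact that the caller is logged in, then fixed with a nonce check and a per-post capability check. The hook, function and script handle names are assumptions.

```php
<?php
// Added example, not from the article. Hypothetical plugin code; names are invented.

// BEFORE: a wp_ajax_* hook only guarantees the caller is logged in. Any authenticated
// user, even a Subscriber, could call this and delete any post ID: broken access control.
function myplugin_delete_post_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
// add_action( 'wp_ajax_myplugin_delete_post', 'myplugin_delete_post_vulnerable' ); // flawed wiring

// AFTER: verify the request was intended (nonce) and that this user may act on this
// specific object (capability check against the post ID).
function myplugin_delete_post_fixed() {
    check_ajax_referer( 'myplugin_delete_post', 'nonce' ); // dies on a missing/invalid nonce

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }
    // Object-level authorization: 'delete_post' is a meta capability resolved per post,
    // so an Author may delete their own posts but not someone else's.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_delete_post', 'myplugin_delete_post_fixed' );

// The nonce the fixed handler expects is handed to the browser with the admin script
// (assumes a script already registered under the handle 'myplugin-admin').
function myplugin_localize_delete_nonce() {
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_delete_post' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_localize_delete_nonce' );
```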
Addressing A6: Security Misconfiguration in WordPress Websites
Security misconfigurations are very common in WordPress websites. Unpatched software and exploitation of default settings are two of the most common causes of successful attacks on WordPress websites. In the last few years the WordPress core team has done a lot to help users address such issues. For example, WordPress no longer has a default admin username, which was the culprit in many WordPress hacks.
To ensure your WordPress website has no security misconfigurations, change all the defaults. This applies to WordPress, plugins and any other software and device you use. For example, if a plugin has a default set of credentials, does not password-protect sensitive data, or stores it in a default location, configure strong authentication and change the default paths. The same goes for any other software and device you use, including your home internet router, which typically ships with default credentials.
Addressing A7: Cross-site Scripting (XSS) in WordPress
Cross-site scripting, also known as XSS, is a technical application vulnerability, and most probably one of the most common. An XSS vulnerability occurs when untrusted data is not validated and escaped. When a malicious attacker exploits a cross-site scripting vulnerability they can steal logged-in users' cookies and impersonate them, or hijack their sessions.
The WordPress core team typically addresses reported XSS issues in core within just a few days. So to ensure your WordPress core, plugins and themes are not vulnerable to this type of vulnerability, always use the latest version of the software and always use maintained plugins.
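To make "validated and escaped" concrete, here is an added example that is not from the article or any real plugin: a hypothetical plugin setting (a promo link) that is echoed unescaped, then fixed by sanitizing on save and escaping on output with the WordPress function that matches each HTML context. The option, function and shortcode names are assumptions.

```php
<?php
// Added example, not from the article. Hypothetical plugin code; names are invented.

// BEFORE: the stored value is echoed unchanged. A label containing markup, or a URL
// with a script scheme, would execute in every visitor's browser: stored XSS.
function myplugin_promo_vulnerable() {
    $opt = (array) get_option( 'myplugin_promo', array() );
    echo '<a href="' . ( $opt['url'] ?? '' ) . '" title="' . ( $opt['label'] ?? '' ) . '">'
        . ( $opt['label'] ?? '' ) . '</a>';
}

// Validation on the way in: register_setting() runs this before the option is stored.
function myplugin_sanitize_promo( $input ) {
    $input = (array) $input;
    return array(
        'url'   => esc_url_raw( $input['url'] ?? '' ),           // drops disallowed schemes
        'label' => sanitize_text_field( $input['label'] ?? '' ), // strips tags and line breaks
    );
}
add_action( 'admin_init', function () {
    register_setting( 'myplugin', 'myplugin_promo', array(
        'type'              => 'array',
        'sanitize_callback' => 'myplugin_sanitize_promo',
    ) );
} );

// Escaping on the way out, chosen per context. Output is escaped even though input
// was sanitized: the option may have been written by other code (WP-CLI, another
// plugin), and escaping late is the check that actually protects the page.
function myplugin_promo_fixed() {
    $opt   = (array) get_option( 'myplugin_promo', array() );
    $label = $opt['label'] ?? '';
    printf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $opt['url'] ?? '' ), // URL context (href)
        esc_attr( $label ),           // attribute-value context
        esc_html( $label )            // text-node context
    );
}
add_shortcode( 'promo_link', function () {
    ob_start();
    myplugin_promo_fixed();
    return ob_get_clean();
} );
```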
Addressing A8: Insecure Deserialization in WordPress
Insecure deserialization is a technical application vulnerability. It can occur when the application uses serialized objects from untrusted sources without doing integrity checks.
The WordPress core team typically addresses this type of issue within a few days. So to ensure your WordPress core, plugins and themes are not vulnerable to this type of vulnerability, always use the latest version of the software.
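To illustrate "serialized objects from untrusted sources without integrity checks", here is an added example that is not from the article or any real plugin: a hypothetical plugin that keeps visitor preferences in a cookie, first by calling PHP's `unserialize()` on the cookie body, then fixed by switching to a data-only format (JSON) authenticated with an HMAC under the site's secret. The cookie and function names are assumptions.

```php
<?php
// Added example, not from the article. Hypothetical plugin code; names are invented.

// BEFORE: attacker-controlled bytes go straight into unserialize(). PHP will then
// instantiate any loaded class named in the payload and run its __wakeup()/__destruct()
// methods, which is the A8 flaw. (If PHP serialization is unavoidable, at least pass
// array( 'allowed_classes' => false ) as the second argument, available since PHP 7.0.)
function myplugin_read_prefs_vulnerable() {
    return isset( $_COOKIE['myplugin_prefs'] )
        ? unserialize( wp_unslash( $_COOKIE['myplugin_prefs'] ) )
        : array();
}

// AFTER: encode plain data as JSON and append an HMAC keyed with wp_salt(), so a
// forged or tampered cookie is rejected before anything is decoded.
// Call before any output is sent (for example on the 'init' hook).
function myplugin_write_prefs( array $prefs ) {
    $json = wp_json_encode( $prefs );
    $mac  = hash_hmac( 'sha256', $json, wp_salt( 'auth' ) );
    setcookie(
        'myplugin_prefs',
        base64_encode( $json ) . '.' . $mac,
        time() + DAY_IN_SECONDS,
        COOKIEPATH,
        COOKIE_DOMAIN,
        is_ssl(), // Secure flag when the site is served over HTTPS
        true      // HttpOnly: not readable from page scripts
    );
}

function myplugin_read_prefs_fixed() {
    if ( ! isset( $_COOKIE['myplugin_prefs'] ) ) {
        return array();
    }
    $parts = explode( '.', wp_unslash( $_COOKIE['myplugin_prefs'] ), 2 );
    if ( 2 !== count( $parts ) ) {
        return array();
    }
    $json = base64_decode( $parts[0], true );
    if ( false === $json ) {
        return array();
    }
    $expected = hash_hmac( 'sha256', $json, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $parts[1] ) ) {
        return array(); // integrity check failed: discard the cookie
    }
    $prefs = json_decode( $json, true ); // true: arrays only, never objects
    return is_array( $prefs ) ? $prefs : array();
}
```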
Addressing A9: Using Components with Known Vulnerabilities on a WordPress Website
Not using software and web applications that have known vulnerabilities might sound obvious, though unfortunately it isn't. The WordPress Foundation has been doing a lot in this regard: there are auto-updates for WordPress core, and the WordPress plugin review team tags plugins in the repository that have not been updated for a while as unsafe.
However, it is not always easy for businesses to use the latest and most secure version of a piece of software. Many use legacy software and web applications that are not compatible with the latest version of WordPress or of other plugins, so they have to run old and vulnerable versions of WordPress and plugins. In such cases, if possible, contact the developers to update the code.
To ensure your website is compliant, this goes without saying: always use the latest version of WordPress core and plugins. It is also important to deactivate and uninstall any unused plugins, scripts and themes from your website. For example, many site administrators do not delete the default WordPress themes and plugins. If you are not using them, delete them.
This applies to new software as well: when looking for a new plugin, always research it. Read our guide on how to choose a WordPress plugin for more information on what you should do when looking for a new WordPress plugin.
Addressing A10: Insufficient Logging & Monitoring on WordPress
Logging and monitoring are vital for the security of your WordPress website and multisite network. WordPress activity logs also help you better manage your website, identify suspicious behaviour before it becomes a problem, ensure user productivity and much more. Learn more about the benefits of keeping a WordPress activity log (audit log).
To ensure your WordPress website is compliant, install WP Security Audit Log, the most comprehensive WordPress activity log plugin. It keeps a record of everything that happens on your WordPress website and multisite network in an activity log. Refer to addressing insufficient logging with a WordPress activity log plugin for more detailed information on how to address this part of the OWASP Top 10 list.
Building an OWASP Compliant WordPress Website with OWASP Top 10
WordPress security can be complex, especially when dealing with large setups. Getting started and covering the basics, though, is not that difficult, as this article highlights. You can have an OWASP Top 10 compliant WordPress website by taking care of these basics:
- Use the latest version of the WordPress core, plugins and themes,
- Ensure you change all of the defaults in your WordPress core and plugins,
- Enforce strong password policies,
- Enable 2FA with a two-factor authentication WordPress plugin,
- Use WordPress users and roles appropriately,
- Keep a record of everything that happens on your website in a WordPress activity log.
Boost the security of your WordPress website by using this OWASP Top 10 list as a guide. Refer to the official OWASP Top 10 page for more detailed information.
Although it seems obscure, A8 is a big issue in WP. There was a great workshop on the subject at WCEU ’18 by https://2018.europe.wordcamp.org/speaker/robert-rowley/ . Basically, it’s a PHP issue http://php.net/manual/en/function.unserialize.php that is usually overlooked by plugin developers.
Thanks for sharing the links @Voja. You are right, it is indeed a big issue, but for non-developers and WordPress site admins there isn’t much they can do: as long as they keep their software up to date they should be covered, if the developer fixes all reported issues.
Thanks for the information, I didn’t know about OWASP. I always find new information in your posts. Thanks for sharing.
WordPress checks for proper authorization and permissions for any function level access requests prior to the action being executed. Access or visualization of administrative URLs, menus, and pages without proper authentication is tightly integrated with the authentication system to prevent access from unauthorized users.
Correct, WordPress addresses A5 very well.