WordPress is under attack. Literally.
You have no doubt heard about it — the latest WordPress security scare has been publicized everywhere from the BBC, to NBC, to Technorati. A giant botnet made up of “tens of thousands” of computers has attacked an enormous number of vulnerable WordPress websites.
This comes on the back of other worrying recent news (such as the major security vulnerability present in two popular caching plugins) and more historical events (such as the TimThumb saga). It would seem that WordPress has endured its fair share of high profile security scares over the past few years.
I recently spoke to an employee of a major hosting company and he explained that he had moved away from WordPress due to security concerns. That hit me for six — switching WordPress for an alternative Content Management System (CMS) like Drupal or Joomla seemed like a drastic step I would never even consider taking, and yet people are doing it.
With all of this going on, I knew the pertinent question had to be answered: Is WordPress safe? Should we entrust our websites (and for many of us, our livelihoods) with the world’s most popular CMS?
I decided to find out.
A Short History of Recent WordPress Security Breaches
I have already mentioned three security breaches above, of which two are arguably the most major in recent years.
TimThumb was a huge story when it first emerged in April 2011. It only took a security flaw within an image-resizing library present in many premium themes to expose literally hundreds of thousands of WordPress blogs to nefarious hackers. Fortunately, the WordPress community quickly jumped into action to patch the vulnerability. Here’s how Matt Mullenweg (WordPress founder) reported on the events:
…the incident brought out the best in the community. The core team sprang into action searching through the theme directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it. Mark Maunder, who originally discovered and broke down the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up. Forking is not usually ideal because it fragments the market for users but Mark soon connected with Ben Gillbanks, long-time WordPress community member, and they’ve teamed forces to release TimThumb 2.0.
Within days, anyone who updated their themes was safe again. Unfortunately, many people didn’t update and the security exploit continued to claim victims long thereafter.
But that wasn’t all. Just two months later WordPress.org enforced a password reset on all of its users in response to “suspicious commits [to the WordPress.org Plugins Repository] to several popular plugins…containing cleverly designed backdoors.” Again, the response was swift — the commits were rolled back, the plugins were updated and access to the repository was temporarily shut down as a precautionary measure.
Fast forward to present day and two recent breaches have brought scrutiny from many concerning WordPress’ security. The first was the now infamous brute force attack. Matt Mullenweg’s response to this outbreak alluded to scaremongering by companies that could benefit from fears regarding security, and proposed a very simple fix:
[The botnet attack] has turned into a news story (especially from companies that sell “solutions” to the problem).
Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password…and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.
Top web security firm Sucuri confirmed that the attack was predominantly targeting common usernames such as ‘admin,’ ‘test,’ and ‘administrator’ and obvious passwords such as ‘password,’ ‘123456,’ and ‘qwerty.’ Their conclusion was simple:
…by the shear [sic] fact of having a non-admin / administrator / root username you are automatically out of the running.
Furthermore, a strong username and password combination would be likely to protect you even further against these brute force attacks, as Mullenweg argued in his response to the furore.
So it is fair to say that WordPress has had its fair share of security scares over the years. So is it truly secure?
What Causes High Profile Security Exploits?
You may have noticed a pattern emerge amongst the above security exploits — each and every one was largely driven by the exploitation of known (or quickly exposed and patched) vulnerabilities. This leads us to a curious line of thinking, as explained by Dre Armeda, CEO and co-founder of Sucuri:
It’s not a WordPress problem if you’re not updating your software in general. This goes for themes, plugins, modules, templates — any of those fun things that enable you to extend any open source platform. Nearly 80% of actual infections across all platforms are due to some type of vulnerability in outdated software or access/password exploits.
Or to put it another way, if there is a freely available fix for an exploit, it is not the fault of your CMS if you do not implement it.
If we take a moment to consider high-profile WordPress security exploits in recent years, every single one has targeted known vulnerabilities that are easily fixed with a simple update. As soon as an update becomes available, the vulnerability essentially ceases to be a WordPress problem and instead becomes an end user responsibility. This reality is underlined by the experience of Michael VanDeMar — a guy who “de-hacks” and secures WordPress installations for a living (in fact, he wrote a popular guide on de-hacking WordPress):
I clean many [hacked] websites…and it has been a long time since I had to clean one due to an insecurity in the WordPress Core. Most of the time it’s either due to an insecure script (such as an older version of TimThumb), an insecure host, or someone whose FTP access has been intercepted by a local virus.
So the conclusion should be pretty apparent — the issue is less to do with security from the developer’s perspective and far more about the end user’s own security measures through website maintenance best practice. This applies not only to WordPress, but to all Content Management Systems.
The Real Question
Armeda feels that WordPress has unparalleled prowess in diagnosing and fixing security vulnerabilities. But how secure is WordPress compared to comparable Content Management Systems? How does it stack up against the likes of Joomla and Drupal? That is the pertinent question, because the security of any CMS must ultimately be judged by how well it stacks up against the competition.
VanDeMar had some interesting comments to make on the relative popularity of WordPress and how that affects our perception of security:
WordPress is in use ~3.5x more than Drupal and Joomla combined…Since an exploit found in WordPress means a much larger base of exploitable sites available, hackers will target WordPress more than the other two, which can lead to exploits in WordPress being discovered sooner, which in turn might leave the impression that it has more issues with hacking than the other two. I do not think this is the case currently.
Although there is a very real risk that WordPress will be subject to more attacks than less popular Content Management Systems, VanDeMar does not feel that WordPress is inherently less secure than other platforms for that fact. He also feels that WordPress is far more secure now than it has ever been:
Historically speaking, WordPress has had its share of insecure versions, of course, and while new issues are always being discovered I do not think that they are with the same frequency or severity that they were pre-2.9.2, which was released in February 2010.
VanDeMar’s sentiments are backed up by Armeda:
We haven’t seen a major vulnerability in WordPress since the pre-3.x days. There have been some minor security bugs and those have been fixed pretty quickly, but in terms of major security vulnerabilities, we haven’t seen one in quite a while.
But what about other Content Management Systems? The security of the Joomla platform is very much in question at the moment due to the discontinuation of support for 1.x versions. Sucuri are seeing a “heavy influx” of 1.x users who are potentially vulnerable to attack. Armeda’s thoughts are that the discontinuation of support puts many Joomla users “in an extremely poor security posture.” The issue here, as is becoming the common theme, is centered upon known security exploits and keeping your software up to date.
However, our own Predrag Cujanovic argues that Joomla updates are often hamstrung by “a complicated update process.” This leads to sites being “left behind” on old versions. One certainly cannot argue that WordPress has a complicated process — Armeda goes as far as to call it “the best one-click update feature in any web software I have seen.” In fact, he summed up WordPress’ prowess in terms of security to me perfectly:
When you look at the team and the effort behind the community that comprises WordPress, if you look at the processes that are in place to mitigate vulnerabilities when they are discovered and disclosed, all the way through getting that launch into a patch that’s going to hit over 17% of the internet, bar none I would say that in marriage the triad that makes up a successful project like [WordPress] (people, process and technology), hands down it takes the cake.
So if all platforms are of a reasonably comparable standard in terms of “base” security, the real impact comes in adjudging the speed with which emerging exploits are recognised and patched, and the ease with which those patches can be implemented by the end user. There seems little disagreement amongst security experts that WordPress rules the roost in that regard.
The Key to WordPress Security
During our chat, Armeda referred to what he named the “five key principles of website security” (whether you be operating WordPress or any other CMS):
- Update everything
- Delete any redundant extensions/files
- Create unique passwords
- Manage administrator access
- Take regular backups
In short, if you follow those principles, the likelihood of your site being hacked is reduced down to an absolute minimum.
Anecdotal and empirical evidence demonstrates that the WordPress core is secure and the WordPress team is unparalleled in its reaction to emerging exploits, which means that the weak link is us — the end user. If you want WordPress to be secure you must ultimately focus on your actions, which should revolve around the five key principles of website security named above.
If you would like an in-depth guide to taking the most important actions to secure your WordPress site, I recommend the following article I recently wrote: Everything You Need to Know About WordPress Security.
WordPress: As Good As It Gets?
There is no such thing as a 100% secure website, nor is there such a thing as a 100% secure Content Management System. Therefore, all we can do is work with the most secure software and take sensible precautions as our responsibility as a website administrator dictates.
If we keep our house in order by following the five principles of website security, you can rest assured that the WordPress team will keep up their end of the bargain in diligently spotting and patching emerging vulnerabilities. The experts will tell you that there is no one else out there doing a better job, and that’s all the proof I need to know that my websites are in safe hands.
WordPress can be as secure as any other CMS out there, but it is ultimately up to you to determine your site’s own security by ensuring that the development team’s hard work in keeping it safe is implemented by you in your administrator role. You are the key to effective security more than anything else.
Is WordPress secure? Yes. Are you keeping your website secure? Only you can answer that question.
Photo Credit: FutUndBeidl
bhuva keval
how secure is wordpress? A very common issue with most WordPress websites is Brute Force Attempts. This basically means that your wp-login page is bombarded with login requests with different username and password combinations, so that if you have a weak password, or a common username, the attackers can get control of your website.
Jeff
Hi,
what about wordpress.com? wordpress.com and wordpress.org, which one is safer?
Nemanja Aleksic
WordPress.com is like being in a police station: you’re very safe but you have to mind your manners, otherwise you’re going to get arrested.
WordPress.org gives you the complete freedom to do whatever you like, but you have to take care of yourself. Tom’s article was mostly about the latter.
Bill Catz
Regarding WordPress, have they bothered to get a Common Criteria EAL (Evaluation Assurance Level) certification? If not, why not. If so, what is the certified security level of the product.
WordPress and WordPress users are not the ones to certify their own product. That’s like asking a politician if they’re political. Lets get an outside certification authority to confirm what you say is true.
There is a whole lot more than passwords to secure a website — a LOT more. Protecting against SQL insertion, buffer overflows, URL redirects, cookie data security and other common attack methods would be just as important.
Andrew Mooers
Thanks for the wisdom, logic and how to protect, keep the platform up and running!
Tom Ewer
Thanks Andrew! Will do 🙂
Ron Masas
The real question is whether ManageWP secure?
Currently it is not.
Javier
Can you argue your comment, please?
Chris M.
I would also like to hear something more than just a blanket, faceless assertion. Maybe it will help ManageWP improve. Why keep it a secret?
Matt Cassarino
The brute force attack essentially brought down my servers due to high server load. So even though none of my sites were hacked (due to strong passwords) the servers were crashing all day long trying to handle all the requests to /wp-login.php.
The only solution that seemed to work well was having my hosting company set an apache level password for the WordPress login form across all sites. This was not ideal because when my clients wanted to login to their sites, they would see the apache login and call me wondering what was going on.
Suggestions for a better solution to protect /wp-login.php ??
Javier
I use Limit Login Attempts Plugin. You can also use Better WP Security for a stronger protection.
Tom Ewer
That doesn’t always work if the attacker is using multiple IPs. I would whitelist IPs (rather than blacklist). You may also want to check this out: http://www.smartpassiveincome.com/server-problems/.
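The thread above asks how to protect /wp-login.php without putting an Apache password prompt in front of every client, and Tom suggests whitelisting rather than blacklisting. As an added Python example that is not from the original article or its comments, the script below reads Apache combined-format access log lines (constructed sample data embedded inline) and reports the source addresses making repeated failed login POSTs inside a short window, while skipping an allowlist of trusted networks so they are never blocked; the function and parameter names are this example's own, not a ManageWP or WordPress API.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (ip, timestamp) for each failed POST to /wp-login.php.
    WordPress re-renders the login form with HTTP 200 on a bad password and
    answers a successful login with a 302 redirect, so 200 here means failure."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5), allowlist=()):
    """Return {ip: most failed attempts seen inside any `window`} for every source
    reaching `threshold`; addresses inside an `allowlist` network are never flagged."""
    nets = [ip_network(n) for n in allowlist]
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        if not any(ip_address(ip) in n for n in nets):
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _line(ip, ts, method, status):
    return f'{ip} - - [{ts} +0000] "{method} /wp-login.php HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"'

# Constructed sample (not real traffic): a scanner, a user who mistyped once, an allowlisted admin host.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"12/Apr/2013:10:00:{s:02d}", "POST", 200) for s in range(6)]
    + [_line("198.51.100.2", "12/Apr/2013:10:01:10", "GET", 200),
       _line("198.51.100.2", "12/Apr/2013:10:01:25", "POST", 200),
       _line("198.51.100.2", "12/Apr/2013:10:01:40", "POST", 302)]
    + [_line("192.0.2.10", f"12/Apr/2013:10:02:{s:02d}", "POST", 200) for s in range(8)]
)

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG, allowlist=["192.0.2.0/24"]).items():
        print(f"{ip}: {n} failed wp-login.php POSTs inside a 5 minute window")
```

The flagged addresses are what you would feed to a firewall or `Require not ip` rule, while the allowlist keeps your own office or VPN range from ever locking itself out, which is the failure mode a plain blacklist plugin has when attackers rotate IPs.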
overtone
Another argument that vulnerabilities are largely due to user:
If a cms is easy to use you’ll find more users with low programming skills and a smaller proportion of professionally hosted websites. Typo3 is often installed by professionals because it is too complicated for lay people.
Mahesh
One of the sites that I managed was under attack by brute force trying out different combinations other than user name admin too. However they were unsuccessful. The most important thing is as mentioned in the post is to update regularly. Here is a plugin that I used to update my WordPress site automatically. http://wordpress.org/extend/plugins/automatic-updater/
Nice post
Darnell Jackson
Good topic Tom,
Yeah I just backed up my domains thanks for the reminder.
I wonder if all these new attacks will be followed by some new security software and then ultimately even that won’t protect you like computers with anti-virus. It’s crazy it seems like the best defense is a good backup.
Tom Ewer
Hi Darnell,
Some basic security measures will have kept most sites secure against the recent brute force attacks so I wouldn’t get too carried away 😉
Having said that, you are absolutely correct — the best defence is a backup.
Cheers,
Tom
Keith Davis
Hi Tom / Chris
Well written and thoughtful piece with great input from Dre Armeda.
One of the things that has always confused me about the use of Admin as a username is that if you click on the name of the author at the top of a post it takes you to a URL that shows the author’s username.
If I click on Tom’s name I’m taken to…
https://managewp.com/author/tom-ewer
So I’m assuming that Tom’s username is tom-ewer.
Have I got that wrong?
Tom Ewer
You have 😉 You can set WordPress to display your name as something other than your username.
Furthermore, practically any username is better than “admin”. It’s not so much about people being able to discover what your username is; it’s about stopping automated programs from being able to attempt brute force login attempts by using common usernames.
Javier
I think Authors should not be Administrators, you have to use a secret administrator user and an author user for publishing content.
Am I wrong?
Mary
Chris, thank you! I knew it had to be something obvious that I just wasn’t seeing. Thanks again, and have a great week.
Chris M.
No problem! My pleasure.
You too, have a great week!
Mary
Thanks for this post. Once I create a new administrator, etc., how do I ascribe all the blog posts to the new “me”? I’m not seeing anything obvious. Thought you might be able to help. Thanks in advance.
Chris M.
Hey Mary!
I thought I would jump in here. Here’s one way to do it:
1.) Go to your ALL POSTS page in the WordPress Admin area.
2.) Click the checkbox next to TITLE. This will select all the posts in view.
3.) Then hit the dropdown box that currently says BULK ACTIONS.
4.) Select EDIT, and hit “Apply”.
Now you can edit just the AUTHOR for all of those selected posts. And voila, done! 🙂
~ Chris M.
Tom Ewer
Thanks for helping out Chris 🙂