In an interview with Smashing Magazine, Sucuri Co-Founder Tony Perez was asked the following question.
What Makes WordPress Vulnerable?
“Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for a vulnerable website.” – Tony Perez
The most common threats to any CMS are associated with vulnerabilities that have been introduced by third-party modules, plugins, themes and extensions.
Making sure that your WordPress plugins and themes are being audited on a regular basis will improve your security posture, minimizing possible vulnerabilities and threats. Both plugins and themes can be used as a backdoor by hackers seeking to gain access to your website.
Outdated or poorly maintained plugins and themes are what every hacker is looking for: an opportunity to force entry. Malicious users run automated scripts (a.k.a. bots) to identify whether a vulnerability is present on a website. It has nothing to do with who you are or how big your website is. If malicious actors find a vulnerability in one of your WordPress themes or plugins, you can bet that they will exploit it.
How to Perform a WordPress Plugin & Theme Audit
You can assess the security of your WordPress plugins and themes by measuring the following indicators:
Does the plugin or theme have a large install base?
This can help you determine the reputation of the developer. If the theme or plugin has a large user base, there is a better chance of it being supported by reliable resources.
Are there a lot of user reviews, and is the average rating high?
The assessment here is a common sense call. Try to read both good and bad reviews to get a grasp of the average user experience.
Are the developers actively supporting their plugin and pushing updates or security patches?
Ensure that the developers are actively working on any plugins and themes installed on your WordPress website, and check that patches are being provided to users on a regular basis. When was the plugin last updated? If it was over 6 months ago, you may want to consider an alternative plugin or theme that is still being supported.
Does the developer provide terms of service (ToS)?
If they do, it’s a good sign that the plugin or theme is legitimate. You’ll want to carefully read over the terms of service, because they may include unwanted extras or “features” that were not advertised for the plugin or extension.
Does the vendor include a physical contact address in the ToS or a contact page?
It’s important to be able to reach the author/developer in case you need additional assistance or information. Having a physical address serves as a credibility indicator, and indicates that it may come from a reliable source.
Does the plugin have a support page?
Plugins and themes from the official WordPress repository include a support page where users can go to ask the developer questions or report issues. It’s a good idea to read up on what kind of issues people are reporting—and check to see how often the developer responds to (and patches) bugs or complaints.
Now that we have identified how to choose the safest possible plugin and theme for your WordPress website, let’s move on to how to secure your WordPress installation.
Have a WordPress Backup Solution
Every website should be backed up on a regular basis. Look for the following requirements in your backup solution:
- Off-site: Backups should not be stored on your website’s server, but rather as a separate instance.
- Automatic: scheduled backups are a safeguard for when human memory fails.
- Reliable recovery: Maintain backups of your backups and test them to make sure they work.
If you would like to learn more about backups and other website security practices, our 12 Best Practices for Maintaining and Securing Your Website blog post is an excellent start.
Remove Outdated or Unused Plugins & Extensions
When it comes to website security, less is more. Remove unused third-party components and keep things tidy to reduce vulnerabilities.
You can think about your WordPress installation as your house: the more things you have, the more difficult it is to notice when something is out of place, or when an item goes missing.
To audit your website, use this quick checklist from Sucuri’s How to Perform a Website Audit blog post, along with the assessment points we just went over.
Ongoing Security Audit Checklist:
- Check software
- Check plugins
- Inactive or unused plugins
- Outdated or unsafe extension
- User and account access – least privilege
- File permissions
- Security plugin settings
- Backup settings
- SSL Certificate
- Changes to files
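The assessment points above (install base, reviews, update cadence, support responsiveness) and the "inactive or unused plugins" and "outdated extension" items of the checklist can be turned into a repeatable report. The script below is an added example, not Sucuri's code: it assumes the field names returned by the wordpress.org plugin info API (`last_updated`, `active_installs`, `rating`, `num_ratings`, `support_threads`, `support_threads_resolved`), works on constructed sample data rather than live API calls, and every threshold except the 6-month rule from the text is an assumption.

```python
"""Audit installed WordPress plugins against the indicators above (added example,
not Sucuri's code). Field names follow the wordpress.org plugin info API; the
inventory, metadata and all thresholds except the 6-month rule are constructed."""
from datetime import date
AUDIT_DATE = date(2024, 6, 1)  # fixed "today" so the report is reproducible
MAX_AGE_DAYS = 183             # "over 6 months ago" from the text
MIN_ACTIVE_INSTALLS = 1000     # assumed floor for a "large install base"
MIN_RATING = 80                # assumed; wordpress.org ratings run 0-100
# Constructed local inventory (slug -> status) and constructed API-shaped metadata.
INSTALLED = {"example-seo": "active", "old-gallery": "active", "tiny-widget": "inactive"}
PLUGIN_INFO = {
    "example-seo": {"last_updated": "2024-05-02 9:15am GMT", "active_installs": 400000,
                    "rating": 94, "num_ratings": 2100, "support_threads": 40, "support_threads_resolved": 35},
    "old-gallery": {"last_updated": "2022-11-20 3:00pm GMT", "active_installs": 300,
                    "rating": 60, "num_ratings": 4, "support_threads": 10, "support_threads_resolved": 1},
    "tiny-widget": {"last_updated": "2024-04-10 1:10pm GMT", "active_installs": 5000,
                    "rating": 88, "num_ratings": 50, "support_threads": 0, "support_threads_resolved": 0},
}

def days_since_update(last_updated, today):
    """The API string starts with YYYY-MM-DD; the time-of-day tail is ignored."""
    return (today - date.fromisoformat(last_updated[:10])).days

def audit_plugin(info, status, today):
    """Return the findings for one plugin; an empty list means it passes every check."""
    findings = []
    if status != "active":
        findings.append("inactive: remove unused plugins")
    age = days_since_update(info["last_updated"], today)
    if age > MAX_AGE_DAYS:
        findings.append(f"last updated {age} days ago: consider an alternative")
    if info["active_installs"] < MIN_ACTIVE_INSTALLS:
        findings.append("small install base")
    if info["num_ratings"] == 0:
        findings.append("no user reviews")
    elif info["rating"] < MIN_RATING:
        findings.append(f"low average rating ({info['rating']}/100)")
    threads = info["support_threads"]
    if threads and info["support_threads_resolved"] * 2 < threads:
        findings.append("developer resolves fewer than half of support threads")
    return findings

def audit_site(installed, plugin_info, today):
    """Map every installed slug to its findings; slugs absent from the repository are flagged."""
    return {slug: audit_plugin(plugin_info[slug], status, today) if slug in plugin_info
            else ["not in the official repository: verify the vendor"]
            for slug, status in installed.items()}

if __name__ == "__main__":
    for slug, findings in audit_site(INSTALLED, PLUGIN_INFO, AUDIT_DATE).items():
        print(f"{slug}: {'OK' if not findings else '; '.join(findings)}")
```

Replace the constructed `INSTALLED` and `PLUGIN_INFO` maps with your site's plugin list and the API responses for each slug to run the same checks against a real installation.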
“For whatever reason, there is this perception among WordPress users that the hardest part of the job was paying someone to build the website and that once it’s built, that’s it, it’s done, no further action required. Maybe that was the case seven years ago, but not today.
WordPress’ ease of use is awesome, but I think it provides a false sense of assurances to end users and developers alike. I think, though, this perception is starting to change.” ~ Tony Perez
*This article includes content originally published on the Sucuri blog