Is WordPress Secure?

WordPress is under attack. Literally.

You have no doubt heard about it — the latest WordPress security scare has been publicized everywhere from the BBC, to NBC, to Technorati. A giant botnet made up of “tens of thousands” of computers has attacked an enormous number of vulnerable WordPress websites.

This comes on the back of other worrying recent news (such as the major security vulnerability present in two popular caching plugins) and more historical events (such as the TimThumb saga). It would seem that WordPress has endured its fair share of high profile security scares over the past few years.

I recently spoke to an employee of a major hosting company and he explained that he had moved away from WordPress due to security concerns. That hit me for six — switching WordPress for an alternative Content Management System (CMS) like Drupal or Joomla seemed like a drastic step I would never even consider taking, and yet people are doing it.

With all of this going on, I knew the pertinent question had to be answered: Is WordPress safe? Should we entrust our websites (and for many of us, our livelihoods) with the world’s most popular CMS?

I decided to find out.

A Short History of Recent WordPress Security Breaches

I have already mentioned three security breaches above, of which two are arguably the most major in recent years.

TimThumb was a huge story when it first emerged in April 2011. It only took a security flaw within an image-resizing library present in many premium themes to expose literally hundreds of thousands of WordPress blogs to nefarious hackers. Fortunately, the WordPress community quickly jumped into action to patch the vulnerability. Here’s how Matt Mullenweg (WordPress founder) reported on the events:

…the incident brought out the best in the community. The core team sprang into action searching through the theme directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it. Mark Maunder, who originally discovered and broke down the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up. Forking is not usually ideal because it fragments the market for users but Mark soon connected with Ben Gillbanks, long-time WordPress community member, and they’ve teamed forces to release TimThumb 2.0.

Within days, anyone who updated their themes were safe again. Unfortunately, many people didn’t update and the security exploit continued to claim victims long thereafter.

But that wasn’t all. Just two months later WordPress.org enforced a password reset on all of its users in response to “suspicious commits [to the WordPress.org Plugins Repository] to several popular plugins…containing cleverly designed backdoors.” Again, the response was swift — the commits were rolled back, the plugins were updated and and access to the repository was temporarily shut down as a precautionary measure.

Fast forward to present day and two recent breaches have brought scrutiny from many concerning WordPress’ security. The first was the now infamous brute force attack. Matt Mullenweg’s response to this outbreak alluded to scaremongering by companies that could benefit from fears regarding security, and proposed a very simple fix:

[The botnet attack] has turned into a news story (especially from companies that sell “solutions” to the problem).

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password…and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.

Top web security firm Sucuri confirmed that the attack was predominately targeting common usernames such as ‘admin,’ ‘test,’ and ‘administrator’ and obvious passwords such as ‘password,’ ‘123456,’ and ‘qwerty.’ Their conclusion was simple:

…by the shear [sic] fact of having a non-admin / administrator / root username you are automatically out of the running.

Furthermore, a strong username and password combination would be likely to protect you even further against these brute force attacks, as Mullenweg argued in his response to the furore.

So it is fair to say that WordPress has had its fair share of security scares over the years. So is it truly secure?

What Causes High Profile Security Exploits?

You may have noticed a pattern emerge amongst the above security exploits — each and every one was largely driven by the exploitation of known (or quickly exposed and patched) vulnerabilities. This leads us to a curious line of thinking, as explained by Dre Armeda, CEO and co-founder of Sucuri:

It’s not a WordPress problem if you’re not updating your software in general. This goes for themes, plugins, modules, templates — any of those fun things that enable you extend any open source platform. Nearly 80% of actual infections across all platforms are due to some type of vulnerability in outdated software or access/password exploits.

Or to put it another way, if there is a freely available fix for an exploit, it is not the fault of your CMS if you do not implement it.

If we take a moment to consider high-profile WordPress security exploits in recent years, every single one has targeted known vulnerabilities that are easily fixed with a simple update. As soon as an update becomes available, the vulnerability essentially ceases to be a WordPress problem and instead becomes an end user responsibility. This reality is underlined by the experience of Michael VanDeMar — a guy who “de-hacks” and secures WordPress installations for a living (in fact, he wrote a popular guide on de-hacking WordPress):

I clean many [hacked] websites…and it has been a long time since I had to clean one due to an insecurity in the WordPress Core. Most of the time it’s either due to an insecure script (such as an older version of TimThumb), an insecure host, or someone whose FTP access has been intercepted by a local virus.

So the conclusion should be pretty apparent — the issue is less to do with security from the developer’s perspective and far more about the end user’s own security measures through website maintenance best practice. This applies not only to WordPress, but to all Content Management Systems.

The Real Question

Armeda feels that WordPress has unparalleled prowess in diagnosing and fixing secuirty vulnerabilities. But how secure is WordPress compared to comparable Content Management Systems? How does it stack up against the likes of Joomla and Drupal? That is the pertinent question, because the security of any CMS must ultimately be judged by how well it stacks up against the competition.

VanDeMar had some interesting comments to make on the relative popularity of WordPress and how that affects our perception of security:

WordPress is in use ~3.5x more than Drupal and Joomla combined…Since an exploit found in WordPress means a much larger base of exploitable sites available, hackers will target WordPress more than the other two, which can lead to exploits in WordPress being discovered sooner, which is turn might leave the impression that it has more issues with hacking than the other two. I do not think this is the case currently.

Although there is a very real risk that WordPress will be subject to more attacks than less popular Content Management Systems, VarDeMar does not feel that WordPress is inherently less secure than other platforms for that fact. He also feels that WordPress is far more secure now than it has ever been:

Historically speaking, WordPress has had it’s share of insecure versions, of course, and while new issues are always being discovered I do not think that they are with the same frequency or severity that they were pre-2.9.2, which was released in February 2010.

VanDeMar’s sentiments are backed up by Armeda:

We haven’t seen a major vulnerability in WordPress since the pre-3.x days. There have been some minor security bugs and those have been fixed pretty quickly, but in terms of major security vulnerabilities, we haven’t seen one in quite a while.

But what about other Content Management Systems? The security of the Joomla platform is very much in question at the moment due to the discontinuation of support for 1.x versions. Sucuri are seeing a “heavy influx” of 1.x users who are potentially vulnerable to attack. Armeda’s thoughts are that the discontinuation of support puts many Joomla users “in an extremely poor security posture.” The issue here, as is becoming the common theme, is centered upon known security exploits and keeping your software up to date.

However, our own Predrag Cujanovic argues that Joomla updates are often hamstrung by “a complicated update process.” This leads to sites being “left behind” on old versions. One certainly cannot argue that WordPress has a complicated process — Armeda goes as far as to call it “the best one-click update feature in any web software I have seen.” In fact, he summed up WordPress’ prowess in terms of security to me perfectly:

When you look at the team and the effort behind the community that comprises WordPress, if you look at the processes that are in place to mitigate vulnerabilities when they are discovered and disclosed, all the way through getting that launch into a patch that’s going to hit over 17% of the internet, bar none I would say that in marriage the triad that makes up a successful project like [WordPress] (people, process and technology), hands down it takes the cake.

So if all platforms are of a reasonably comparable standard in terms of “base” security, the real impact comes in adjudging the speed with which emerging exploits are recognised and patched, and the ease with which those patches can be implemented by the end user. There seems little disagreement amongst security experts that WordPress rules the roost in that regard.

The Key to WordPress Security

During our chat, Armeda referred to what he named the “five key principles of website security” (whether you be operating WordPress or any other CMS):

1. Update everything
2. Delete any redundant extensions/files
3. Create unique passwords
4. Manage administrator access
5. Take regular backups

In short, if you follow those principles, the likelihood of your site being hacked is reduced down to an absolute minimum.

Anecdotal and empirical evidence demonstrates that the WordPress core is secure and the WordPress team is unparalleled in its reaction to emerging exploits, which means that the weak link is us — the end user. If you want WordPress to be secure you must ultimately focus on your actions, which should revolve around the five key principles of website security named above.

If you would like an in-depth guide to taking the most important actions to secure your WordPress site, I recommend the following article I recently wrote: Everything You Need to Know About WordPress Security.

WordPress: As Good As It Gets?

There is no such thing as a 100% secure website, nor is there such a thing as a 100% secure Content Management System. Therefore, all we can do is work with the most secure software and take sensible precautions as our responsibility as a website administrator dictates.

If we keep our house in order by following the five principles of website security, you can rest assured that the WordPress team will keep up their end of the bargain in diligently spotting and patching emerging vulnerabilities. The experts will tell you that there is no one else out there doing a better job, and that’s all the proof I need to know that my websites are in safe hands.

WordPress can be as secure as any other CMS out there, but it is ultimately up to you to determine your site’s own security by ensuring that the development team’s hard work in keeping it safe is implemented by you in your administrator role. You are the key to effective security more than anything else.

Is WordPress secure? Yes. Are you keeping your website secure? Only you can answer that question.

Photo Credit: FutUndBeidl