Another day, another hacking story; at least, that’s what it’s starting to feel like around here.
WordPress is no stranger to security issues. In fact, we’ve talked about them repeatedly in the past. The TimThumb Saga, caching plugin vulnerabilities, brute force attacks…the list goes on. Let’s not forget the Heartbleed issue, which extended way beyond WordPress and highlighted security vulnerabilities on the Internet as a whole.
And while security is always improving for WordPress, having yet another issue pop up today makes it abundantly clear that WordPress security still isn’t 100% under control. The issue isn’t WordPress Core though; the issue is with some of the people using WordPress.
But before I get into that, let’s briefly discuss what this latest hacking debacle entailed.
The MailPoet Plugin Hack
In late July, it was revealed that the MailPoet plugin – formerly Wysija Newsletter – had a serious security vulnerability that had the potential to allow an attacker to inject malware, spam, and a variety of other unsavory things into sites that had the plugin installed.
According to Daniel Cid, security researcher and CEO of Sucuri, the vulnerability had resulted in 50,000 websites being hacked. Basically, hackers used it to remotely install backdoors that target the plugin. These backdoors gave hackers free reign, allowing them to create an admin account and everything!
What made this even worse is the malware hackers were using can infect any site that shares a server with a hacked WordPress site. Yikes!
So, to put it plainly, the MailPoet plugin vulnerability was the way hackers were gaining access to websites; any website on the same server as the plugin, in fact. And malware doesn’t just infect; it breaks sites and overwrites files. (Hopefully these people had their files backed up.)
The most recent version of MailPoet has repaired this vulnerability, so if you run anything other than version 2.6.7, you need to update it right away.
Previously, Sucuri discovered other plugin-based vulnerabilities affecting WPtouch, All in One SEO Pack and Disqus Comment System.
All of this leads me to believe that plugin security is a problem, as I’m sure you agree. But talk about making WordPress look bad! What gets my ire up is that these security breaches are so easily prevented.
What’s the solution here? How do you prevent these backdoor entry, malware injecting, site breaking hacks from happening to you? I’ll break it down into the simplest terms I can muster.
Update Your Stuff!
That’s seriously all you need to do. At least in the aforementioned situations, MailPoet and otherwise, simply updating your plugins as soon as they became available would put you in the clear.
According to Sucuri, as much as 80% of vulnerabilities to WordPress are the result of using outdated software – that’s plugins and themes – and using ‘bad’ passwords.
An alarming number of people still use passwords like 123456, by the way, which makes my brain hurt.
So while WordPress gets all of this bad press for not being secure enough and seemingly letting hackers go hog wild over its installations, the truth of the matter is that WordPress users are often responsible for these issues.
When a new security update rolls out, notes are released regarding everything that was fixed from the previous version. This often includes security fixes. This means vulnerabilities to old versions become common knowledge. Can you say hacker field day?
Now, everything would be right as rain if everyone who’d installed this particular plugin updated it as soon as the new version became available, but that’s not what happens. People let their sites sit and don’t update things right away. Meanwhile, hackers get to work immediately on exploiting these now-public vulnerabilities. Which means the longer you wait to update your plugins or themes, the more you leave yourself wide open to an attack.
Seriously – it’s sort of your fault if it happens. And it’s certainly not WordPress’ fault, like so much of the mainstream news coverage likes to convey.
The truth, however, is that WordPress Core hasn’t seen very many security vulnerabilities since its pre-3.0 days. And when issues have been discovered, they’ve been taken care of right away. But again, it’s on the user to update to the latest version to limit their exposure.
Implementing Security Best Practices is Your Responsibility
Whether it’s updating your plugins in a timely manner or setting a password that isn’t password, it’s on you – the WordPress user–- to follow best practices regarding security. It is your responsibility to make sure your site is secure. Plain and simple.
The security “rules” aren’t all that complicated, but if you need a little reminding, here’s our best suggestions:
- Update as updates become available. We’ve discussed this at length already but it bears repeating: update everything on your site as updates become available. That means the core installation, security releases, plugins, and themes. Check your site for update notifications at least once a week to make sure everything is current.
- Listen to that boring old advice about passwords. I know, I know, it’s hard to remember passwords, especially when they have to contain upper and lowercase letters, numbers, and symbols. And it’s even more difficult when they need to be different on every site you have a login for. But just do it already, would you? You’ll thank me when you’re not scrambling to restore your site from a backup because it got wiped out by a hacker.
- Install two-step authentication. Why just stick with a password when you can install two-factor authentication? ManageWP offers this; we have an SMS Two Factor Authentication available in our Business Plan.
- Be selective in who has admin access. Don’t give any old person access to your site’s backend. And even those you’d like to contribute a guest post let’s say, choose their user role carefully. A writer doesn’t need to have full admin access.
- Get rid of plugins/themes you’re not using. Take a few minutes out of your day and uninstall everything you don’t need. Go do it now. I’ll wait. Not only will this make your site less vulnerable to security breaches, it’ll also speed it up. Win/win!
- Backup your site regularly. Failing to back up your site on a regular basis is like playing Russian roulette with your business. I’m going to assume here that you take pride in your website and what you’re offering to the world through it. So why wouldn’t you do everything in your power to protect it? Use a backup solution (ManageWP has that, too) that you can schedule to backup your site automatically. The less you have to think about it, the better.
Conclusion
Though the media loves to make each new security issue related to WordPress out to be the end of the world, the vast majority of the time, the problem has nothing to do with the CMS itself. In fact, it often doesn’t have a whole lot to do with plugins or themes, either. What it does have to do with is you – the user.
In the case of MailPoet and countless others, the vulnerability was only exposed to the public after it had been repaired in an update. Users’ failure to update their sites in a timely manner puts them at risk for all sorts of hacking-related problems. Yeah, it might take a few minutes of your time, but why take the risk when the fix is so simple?
What do you think about this whole MailPoet plugin thing? Where do you think the blame lies for all of these recent hacking incidents – other than the hackers, of course? We’d love to hear your thoughts below!
Image source: Sarah Deer
4mostip
Let me get this clear, please:
No matter how careful we are with current updates; strong and unique passwords; etc,
all those precautions count for NOTHING on a shared server hosting any other user employing a hackable WP plugin?
Which I imagine would describe 99%+ of ALL shared hosts.
Because, if this understanding is correct, the shared server industry is dead in the water!
Including their shared reseller offerings.
Is Cloud based VPS the only safe architecture remaining for the modest budget?
VPS is the route I chose after suffering a shared server hack.
But most WP users lack the skills and inclination to go up that kind of learning curve.
It was a severe challenge for me, and still throws up painful hurdles from time to time!
So Is a “newbie friendly”, “fully serviced” VPS model a viable way forward?
Possibly, but I fear it may prove too costly to provide at affordable price points.
Alternatively, should we encourage a new breed of hardened, “WP only”, shared hosting – where security is centrally provided (and enforced) for all plugins, themes, malware/spam protection, and access control.
WP performance is also an issue as WP can be a terrible resource hog with injudicious choices of theme and plugins.
Again, most users lack the expertise and inclination to address performance issues.
So maybe perfomance optimisation could also represent a revenue opportunity for “WP-only” shared hosts.
Steve1943
Zak Cagaros
Excellent point Nemanja, at the end of the day – it’s important to invest a little upfront if you’re serious about your website. But, what I would like to add is that users will always be lazy, I’m guilty of this myself at times, if you look at what hackers exploit it’s always the weakest link: the end user.
Darragh McCurragh
“… malware hackers were using can infect any site that shares a server with a hacked WordPress site …” So, what you are saying if I am on a shared service arrangement with my hoster (as many of us are) then another (!) client can affect the way I run my website by simply installing unsafe plugins and/or not updating regularly. As a matter of fact there are probably hundreds of thousands of sites where people bought a hosting package, started dabbling in blogging, e-commerce or affiliate marketing, then when it didn’t work out, lost interest and just let the site slip. But it is still there to be hacked by others. And now I hear that these people, who by virtue of not having any great investments to loose, are actually endangering my sites? Now even if this is a plugin issue, to me that sounds like WordPress CORE insofar as WP should not allow plugins to do what this one does, like any good operating system shouldn’t allow software to e.g. overwrite other software’s RAM “estate”
Nemanja Aleksic
You brought up a good point, Darragh. How much is it worth to have a secure site? It’s too easy to shift the blame on WordPress, hosting companies and other users, but we forget that we (along with other users on the shared server) opted for a free CMS hosted on the cheapest hosting package, so basically we get what we pay for.