With headlines such as this frequently in the news, you could be forgiven for thinking that WordPress is a security nightmare. Does it deserve the bad press that it frequently receives? Should we be putting our trust, and sometimes our livelihoods, behind it?
The headline above, How to avoid being one of the “73%” of WordPress sites vulnerable to attack, would lead you to believe that there’s a 3 in 4 chance that you are going to be hacked. But once you open the article and read past the headline, it proves, to an extent, to be a bit of scaremongering.
In this case 73% of WordPress installations had the same potential security flaw. However, server-side protection, as provided by many hosts, prevented the potential flaw from becoming an actual security hole, and many less secure hosts were deploying fixes to improve their servers too.
“Millions of sites at risk” claims this site. With approaching 75,000,000 websites using WordPress, millions represents quite a low chance in some respects, but where did this bug come from? In this case it was from third-party add-ons – the themes and plugins that you can freely add to a WordPress blog to customise and improve upon it.
And this is what we need to remember when we are using WordPress. The core of the code is downloaded from WordPress itself, but we then install themes and plugins galore. Where are they coming from? I could publish a theme or a plugin today and you could be downloading it tomorrow. But why should you trust me?
According to the WordPress site there are 40,832 plugins with 1,070,638,954 total downloads at your fingertips. That’s a lot of plugins and even more downloads. These plugins can, and it is frequently their job to, change the behaviour of your installation. Some actively block admin logon attempts (e.g. Limit Login Attempts, which is approaching 1,000,000 installations and yet comes with a large warning that it hasn’t been updated for 2 years).
Presumably that’s because it doesn’t need to be changed. It was written, does what it needs to and that’s the end of the story. But we’re then subjected to a warning that we’re learning to ignore – on a security plugin!
In all fairness, WordPress do work hard themselves to patch security issues. As soon as they are found the team works hard to put out a fix, even if those fixes are less than a week apart (see April 21 & 27 above).
But, why is WordPress in need of so many security patches? The issue is exactly what WordPress is and the way that we use it. In simple terms, it is known as “Open Source” because the source code is shared and anyone can view the code.
With packages such as Microsoft Windows and Mac OS X all that you receive is the compiled code. There’s no way of looking through the code to see if the programmer has made any mistakes. Because WordPress distributes the raw source code, anyone can look through the code and check for omissions and errors that leave hackers ways into the site.
On top of this, we then let anyone and everyone write add-ons – “plugins” as they are known – without any possible way of security checking other than finding out too late that something is wrong.
Furthermore, we then distribute the same potentially insecure code to 75,000,000 websites. Half of these are self-hosted (not hosted at WordPress.com). That allows hackers to set up installations themselves to test on, and then they have a huge audience of websites to attack. And it only needs 1 hacker to successfully attack 1 website for it to be a successful attack.
What can we as WordPress users hope to do about it? First, we have to basically cross our fingers and hope ours is not the site attacked when a new vulnerability is found. If it is, then there’s not much we can do about it other than report it to WordPress. Backups should allow us to roll back the site to before the attack, but that’s about as far as we can go.
If we are not the unfortunate few then upgrading is essential. If WordPress have released a security fix then it needs applying ASAP. No excuses – if there’s a fix then someone knows how to hack into your version and you need to be off that version ASAP.
But it’s the themes and especially the plugins that leave us most exposed. Various publishers have recently found that their products have opened up security holes and been exposed. However, short of some form of policing of both of these I don’t think there is a way to fix this “hole”.
And policing theme and plugin writers, with over 40,000 active plugins alone, isn’t a small job. That’s just the number of plugins that you can download from WordPress. Many thousands more are available from other sources and we happily install and use them.
Keeping everything up to date (that’s WordPress, plugins and themes), deleting unused plugins and themes, using secure passwords and logon protection will all help us, but I don’t think they can ever 100% protect us on such a gigantic open source project.
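Turning that hygiene list into a routine check, as an added example that is not from the original post: the script audits a plugin inventory shaped like `wp plugin list --format=json` output (the sample below is constructed) and reports plugins with an update pending, plugins that are installed but inactive, and plugins that have not been maintained for two years. The `last_updated` field is an assumption, not a WP-CLI field; it stands for a date looked up separately from the plugin directory.

```python
import json
from datetime import date, timedelta

# Constructed sample, shaped like `wp plugin list --format=json` output.
# "last_updated" is NOT produced by WP-CLI; assume it was looked up from
# the plugin directory listing and merged in beforehand.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "3.1.1", "last_updated": "2015-04-01"},
    {"name": "limit-login-attempts", "status": "active", "update": "none",
     "version": "1.7.1", "last_updated": "2012-06-01"},
    {"name": "old-gallery", "status": "inactive", "update": "available",
     "version": "0.9", "last_updated": "2014-01-15"},
])

# Mirrors the directory's "not updated for 2 years" warning. A stale plugin
# is a prompt to check whether it is still maintained, not proof of a flaw.
STALE_AFTER = timedelta(days=2 * 365)


def audit_plugins(inventory_json, today_iso):
    """Return {plugin_name: [finding, ...]} for plugins that need attention."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for plugin in json.loads(inventory_json):
        issues = []
        if plugin.get("update") == "available":
            issues.append("update available: apply it now")
        if plugin.get("status") == "inactive":
            issues.append("inactive: delete it, unused code is still attack surface")
        last_updated = date.fromisoformat(plugin["last_updated"])
        if today - last_updated > STALE_AFTER:
            issues.append("unmaintained: no release in over two years")
        if issues:
            findings[plugin["name"]] = issues
    return findings


if __name__ == "__main__":
    # Date fixed so the constructed sample gives reproducible results.
    for name, issues in audit_plugins(SAMPLE_INVENTORY, "2015-05-01").items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The same check applies to themes via `wp theme list --format=json`, which has the same `name`, `status` and `update` columns.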
WordPress is constantly evolving, adding in new features and improvements. It moves with the times so that the dashboard looks modern and uses modern techniques. But changing code always means risk and one of those risks is security.
And I think all that we can do is to take backups and cross our fingers.