WordPress sites are one of the most common targets for attack on the internet. They’re hacked more than any other type of site. If you, your friends, or someone you know has never had an experience of a WordPress site getting “hacked”, you’ve either been extremely lucky or have abnormally careful people surrounding you in your life.
In this post, I’ll be talking about the importance of WordPress security and why you should be protecting your WordPress sites.
Security matters because WordPress sites are online, are running literally hundreds of thousands of lines of code, and WordPress is a common enough platform that it’s going to be targeted by attackers. When Microsoft Windows was a relatively new and dominant platform with regular headlines about security issues, its defenders pointed out that the sheer number of attacks was a big reason. While Microsoft was making genuine security mistakes, it was also the case that many common security errors were simply exploited first on the Windows platform, because that is where the attackers were looking.
So too with WordPress. WordPress powers about 27% of the internet. That’s great, but it also means that if someone finds a fundamental security flaw that’s common on all WordPress sites, or even a big percentage, they can easily have thousands of servers mustered in a matter of hours. That’s why WordPress is such a big target, and why we must take WordPress security seriously. It’s important stuff.
“I Heard It’s Insecure…” Is WordPress Secure?
One of the most common reasons people start looking into the security of WordPress, and the best practices for WordPress security, is that they either doubt that WordPress is secure, or they hear from someone who insists it isn’t. As I mentioned above, there is a lot of FUD around WordPress security. There are tons of people selling you something — Squarespace, a WordPress security or hosting plan, a password manager, whatever — who try to exploit your ignorance rather than end it. (My goal is eliminating your ignorance, or at least minimizing it.)
The heart of answering this question comes down to defining your terms. WordPress is a vast ecosystem with a huge variety of habits of practice and different configuration. There are absolutely WordPress sites out there today that are insecure and which are likely to be hacked in the next 24 or 48 hours.
But if we mean “WordPress” as that core piece of software contained in a zip file that you downloaded from WordPress.org, I think it’s pretty completely secure. On any given day, there’s about a 0.00001% chance that an unpatched problem in that WordPress software is being attacked somewhere in the world.
WordPress now comes with built-in auto-update, and most hosts have the ability to make sure that your site gets patched if that fails. This is crucial, because WordPress 4.9.1 probably has a security problem that someone will find in the next months or years. But WordPress the organization is staying atop those newly discovered issues and making point releases like 4.9.2 or 4.9.20 that fix those sorts of issues.
WordPress the tool is secure if you stay up on the latest versions. And if you make sure your site’s on hosting you trust, with updates to trusted plugins installed, it’s completely secure. But when those things aren’t done, it’s absolutely possible that a given WordPress installation is insecure.
The Real Threat To WordPress: Botnets!
WordPress sites are, generally, not at risk because a single person somewhere is trying to do bad things to one of them. Quite the opposite, in fact. There is a possibility that you have a single person trying to breach your WordPress site, but unless you’ve recently angered your techno-wizard niece, you probably don’t need to worry about that.
The real thing that regularly threatens and harms WordPress sites is automated attacks by people trying to take over your site. People control these attacks, but they are carried out by computers. No person is trying to log in to your WordPress site themselves with various usernames and passwords.
Instead, they write programs to scan the internet for WordPress sites and try to log in to all the ones they find, or try to exploit known plugin vulnerabilities on all of them. When you understand that your threat model mostly consists of automated attacks on WordPress sites from non-human actors, a different set of security practices becomes important.
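Because these login attempts are automated, they leave a very recognizable pattern in your web server’s access log: one source address hammering `wp-login.php` (and often `xmlrpc.php`, which also accepts credentials) many times in a short window. The script below is an added example, not code from the original post; it parses a few constructed Apache-style log lines (using RFC 5737 documentation IPs) and flags addresses whose failed login attempts exceed a threshold. It assumes the common-log format and that WordPress answers a failed `wp-login.php` POST with a 200 (the form re-rendered with an error) and a successful one with a 302 redirect.

```python
import re
from collections import Counter

# Constructed sample access log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1543
203.0.113.7 - - [10/Jan/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1543
203.0.113.7 - - [10/Jan/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1543
203.0.113.7 - - [10/Jan/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [10/Jan/2018:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [10/Jan/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1543
198.51.100.23 - - [10/Jan/2018:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 8120
198.51.100.23 - - [10/Jan/2018:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [10/Jan/2018:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1543
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def count_login_attempts(log_text):
    """Count credential-guessing POSTs per source IP.

    A wp-login.php POST that redirects (302) is a real login and is not counted;
    xmlrpc.php always answers 200, so every POST to it counts as an attempt.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop query string, e.g. ?action=lostpassword
        if path == "/xmlrpc.php" or (path == "/wp-login.php" and rec["status"] != "302"):
            counts[rec["ip"]] += 1
    return counts

def flag_brute_force(log_text, threshold=5):
    """Return the sorted list of IPs at or above `threshold` failed attempts (threshold is an assumed value)."""
    return sorted(ip for ip, n in count_login_attempts(log_text).items() if n >= threshold)
```

Against the sample above, only 203.0.113.7 is flagged; the one-off 302 from 198.51.100.23 is a normal successful login and is ignored.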
Why WordPress Sites Get Hacked
So, we mostly need to worry about botnets, rather than single people. Why are botnets trying to take over your little WordPress site? After all, it’s just your website to…
- share pictures with friends
- sell your pet carriers online
- write for fun
Botnets don’t really care what your site is for. If you have an insecure WordPress site, they’ll take it over. And their motives differ. But the most commonly seen reasons that a WordPress site is taken over are things like:
- Forwarding traffic to their own site(s)
- Taking over your SEO rankings to send Google-juice to their pages
- Defacing for pride or political messaging
- Drive-by-downloads — making visitors to your site download malware, etc
- To back-door your site for later use
- To gain access to your site data — user lists, purchase history, etc
- Sending spam — if your WordPress site can send email, they can use that sending for their emails too
- To use your server resources (CPU mostly) to do useful computation, most likely mining crypto-coins like Bitcoin
Those are just the ones I could think of from a bit of thinking and research. It’s quite possible that a clever hacker has even more they’d add to the list.
What I hope the list makes clear is that your site’s relative obscurity isn’t protection. Sure, you may not have an interesting user list, but you do have a server which can be used to mine Dogecoins or to send spam, because every server has a CPU, and the vast majority of them can send email.
WordPress Security Relies On The Whole Stack, Not A Single Thing
Another important thing to realize about WordPress sites is that WordPress really sits atop a large variety of technologies, and the other parts of the stack can also have vulnerabilities. For example, WordPress runs atop PHP. Just as with WordPress, sometimes versions of PHP contain security vulnerabilities. If you’re updating regularly, they’re no big deal. If you aren’t, those PHP issues can compromise your WordPress site.
There’s also the possibility that something else in your WordPress site’s underlying security stack is misconfigured. This is different than being out of date, but has a similar effect. If you’re new to configuring web servers, you may make a change that seems to be necessary to get the thing working without realizing that it will have profound negative security implications. It’s more common than you’d hope, and is one of the big reasons I like to leave as much of the non-WordPress configuration to professionals.
I’m not saying that you can’t set up your own physical server yourself, or buy a cheap VPS and set it up with someone else’s configuration script. But it’s really important to trust the configuration you run WordPress atop, because if you configure WordPress correctly but MySQL incorrectly, very bad things can still happen.
Start Protecting Your WordPress Site
Making your WordPress site completely and forever safe is impossible via a single process. Instead, it’s a continually evolving and changing task. In the next 2 weeks, I’ll be talking about what you should and shouldn’t bother to do to protect your WordPress site.