WordPress is, by far, the most popular way to build a website. That popularity has the unfortunate side effect of also making WordPress sites a juicy target for malicious actors all across the world. And that might have you wondering whether WordPress is secure enough to handle those attacks.
First – some bad news: Every year, hundreds of thousands of WordPress sites get hacked.
Sounds grim, right? Well…not really, because there’s also good news:
Hackers aren’t getting in through vulnerabilities in the latest WordPress core software. Rather, most sites get hacked through entirely preventable issues, like not keeping things updated or using insecure passwords.
As a result, answering the question of “is WordPress secure?” requires some nuance. To do that, we’re going to cover a few different angles:
Ok, you know that plenty of WordPress sites are getting hacked each year. But…how is it happening? Is it a global WordPress issue? Or does it come from those webmasters’ actions?
Here’s why most WordPress sites get hacked, according to the data that we have…
Here’s an unsurprising correlation from Sucuri’s 2017 Hacked Website Report. Of all the hacked WordPress sites Sucuri looked at, 39.3% were running out-of-date WordPress core software at the time of the incident.
So right away, you can see a pretty close relationship between getting hacked and using out-of-date software. However, this is definitely an improvement over 61% from 2016. 👏
According to the WPScan Vulnerability Database, ~74% of the known vulnerabilities they logged are in the WordPress core software. But here’s the kicker – the versions with the most vulnerabilities are all way back in WordPress 3.X:
But – unfortunately – only 62% of WordPress sites are running the latest version, which is why many sites are still unnecessarily vulnerable to those exploits:
Finally, you can see this connection once more with the major WordPress REST API vulnerability from February 2017 where hundreds of thousands of sites were defaced.
WordPress 4.7.1 contained multiple vulnerabilities that were eventually used to deface those sites. But…weeks before the vulnerabilities were exploited, WordPress 4.7.2 was released to fix all of those vulnerabilities.
Every site owner who had left automatic security updates enabled, or who had otherwise promptly updated to WordPress 4.7.2, was safe. Those who hadn’t applied the update weren’t.
Takeaway: The WordPress Security Team does a great job of quickly fixing issues in the WordPress core software. If you promptly apply all security updates, it’s highly unlikely that your site will experience any issues as a result of core vulnerabilities. But if you don’t, you take a risk once an exploit gets out into the wild.
One of the things people love about WordPress is the dizzying array of available plugins and themes. As of writing this, there are over 56,000 on the WordPress repository, and thousands of additional premium ones scattered across the web.
While all those options are great for extending your site, each extension is a new potential gateway for a malicious actor. And while most WordPress developers do a good job of following code standards and patching vulnerabilities as they become known, there are still a few potential issues:
So how big is the issue?
Well, in a survey from Wordfence of hacked website owners, over 60% of the website owners who knew how the hacker got in attributed it to a plugin or theme vulnerability.
Similarly, in Sucuri’s 2016 report, just 3 plugins accounted for over 15% of the hacked websites they looked at.
Here’s the kicker, though:
The vulnerabilities in those plugins had long since been patched – site owners just hadn’t updated the plugin to protect their site.
Takeaway: WordPress themes and plugins introduce a wildcard and can open your site to malicious actors. Much of this risk can be mitigated by following best practices, though. Keep your extensions updated and only install extensions from reputable sources.
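As an added illustration of the two takeaways above (promptly applying core security updates, and keeping plugins and themes updated), here is a must-use plugin that keeps WordPress’s background updater enabled, opts plugins and themes into automatic updates, and flags the weak configuration in the dashboard. It is not Kinsta’s or WordPress’s own code; the constants and filter names are WordPress’s, while the plugin name and the notice text are assumptions for this illustration.

```php
<?php
/**
 * Plugin Name: Keep security updates flowing (added example, not Kinsta's or WordPress's code)
 * Save as wp-content/mu-plugins/keep-updates-flowing.php so it loads on every request.
 */

// Weak setting: this constant in wp-config.php switches off the background updater
// entirely, including minor security releases (the 4.7.1 -> 4.7.2 kind).
// Do NOT set it; if you find it in wp-config.php, remove it:
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// Corrected setting for wp-config.php: keep automatic minor (security) core updates on.
// 'minor' is WordPress's default; 'true' would also auto-install major releases.
// define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Opt plugins and themes into background updates too, so a patched vulnerability
// is applied without waiting for someone to log in and click "Update".
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Keep the result email to the site admin enabled so failed updates are noticed.
add_filter( 'auto_core_update_send_email', '__return_true' );

// Show a dashboard error if the updater has been disabled by constant or filter,
// so the weak configuration is visible instead of silent.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_core' ) ) {
        return;
    }
    $disabled = ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
        || apply_filters( 'automatic_updater_disabled', false );
    if ( $disabled ) {
        echo '<div class="notice notice-error"><p>Automatic security updates are disabled '
           . 'on this site; core security fixes will not be applied until you update manually.'
           . '</p></div>';
    }
} );
```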
We also have to mention these GPL clubs you might see floating around the internet where you can get any premium WordPress plugin or theme for just a couple dollars. While WordPress is licensed under GPL, which is awesome and one reason we love it, buyer beware. These are sometimes also referred to as nulled plugins.
Buying plugins from GPL clubs means you’re trusting a third party to pass along the latest updates from the developer, and a lot of the time you won’t get support. Getting plugin updates directly from the developer is the safest route. Also, we are all about supporting developers and their hard work!
Ok, this one isn’t really WordPress’ fault. But a non-trivial percentage of hacks are from malicious actors getting their hands on WordPress login credentials, or the login credentials for webmasters’ hosting or FTP accounts.
In that same Wordfence survey, brute force attacks accounted for ~16% of hacked sites, with password theft, workstation, phishing, and FTP accounts all making a small, but noticeable, appearance.
Once a malicious actor gets the metaphorical key to the front door, it doesn’t matter how otherwise secure your WordPress site is.
WordPress actually does a great job mitigating this by automatically generating secure passwords, but it’s still up to users to keep those passwords safe and also use strong passwords for hosting and FTP.
Takeaway: Taking basic steps to keep account credentials secure can prevent malicious actors from walking right in. Use/enforce strong passwords for all WordPress accounts and limit login attempts to prevent brute force attacks (Kinsta hosting does this by default 👍).
For hosting accounts, use two-factor authentication if available and never store your FTP password in plaintext (like some FTP programs do).
If you have a choice between FTP and SFTP (SSH File Transfer Protocol), always use SFTP. This ensures that no clear text passwords or file data is ever transferred. We only support secure connections at Kinsta.
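One way to implement the “limit login attempts” control from the takeaway above, as an added example that is not Kinsta’s or WordPress’s own code: a must-use plugin that counts failed logins per client address in a transient and refuses further attempts for a cooling-off period. The plugin name, the two limit constants and the helper `login_limit_key()` are assumptions for this illustration; it also assumes `REMOTE_ADDR` is the real client address (behind a proxy, use a validated forwarded-for header instead).

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, not Kinsta's or WordPress's code)
 * Save as wp-content/mu-plugins/login-attempt-limiter.php.
 * Assumes REMOTE_ADDR is the real client address (no untrusted proxy in front).
 */

define( 'LOGIN_LIMIT_MAX_ATTEMPTS', 5 );                     // failures allowed per window
define( 'LOGIN_LIMIT_WINDOW', 15 * MINUTE_IN_SECONDS );      // lockout / counting window

// Hypothetical helper: one transient key per client address (hashed to keep it short).
function login_limit_key() {
    return 'login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failed login for this address; the counter expires after the window.
add_action( 'wp_login_failed', function () {
    $key   = login_limit_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LOGIN_LIMIT_WINDOW );
} );

// Refuse clients that have exhausted their attempts, even if they finally guess right.
// Priority 30 runs after WordPress's built-in username/password check (priority 20),
// which would otherwise overwrite an error returned earlier in the chain.
add_filter( 'authenticate', function ( $user, $username ) {
    $count = (int) get_transient( login_limit_key() );
    if ( $count >= LOGIN_LIMIT_MAX_ATTEMPTS ) {
        // Record the lockout in the PHP error log so it can be picked up for detection.
        error_log( sprintf( 'Login locked out for %s (user "%s") after %d failures',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $username, $count ) );
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.',
                LOGIN_LIMIT_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 2 );

// Clear the counter on a successful login so legitimate users are not penalised later.
add_action( 'wp_login', function () {
    delete_transient( login_limit_key() );
} );
```

Because the lockout itself fires `wp_login_failed`, each blocked attempt refreshes the window, so a client that keeps hammering the login form stays locked out until it stops.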
Recently, there have been some instances where hackers gain access to sites through a nasty trick called a supply chain attack. Essentially, the malicious actor would:
Wordfence has a deeper explanation if you’re interested. While these types of attacks are by no means widespread, they are harder to prevent because they result from doing something you should be doing (keeping a plugin updated).
With that being said, the WordPress.org team usually quickly spots these issues and removes the plugin from the directory.
Takeaway: This one can be hard to prevent because it’s a good thing to always update to the latest version. To help, security plugins like Wordfence can alert you when a plugin is removed from WordPress.org so that you quickly address it. And a good backup strategy can help you roll back without any permanent damage.
Beyond what’s happening on your WordPress site, your hosting environment and the technologies that you use make a difference, too. For example, despite PHP 7 offering many security enhancements over PHP 5, only ~33% of WordPress sites are using PHP 7 or higher.
PHP 5.6’s security support officially expires at the end of 2018. And earlier versions of PHP 5 haven’t had security support for years.
That means running on a hosting environment that uses PHP 5.6 or below will soon expose you to unpatched PHP security vulnerabilities.
Despite that fact, a whopping ~28% of WordPress websites are still using PHP versions under 5.6, which is a huge issue when you consider that recently we’ve seen record years for the number of discovered PHP vulnerabilities.
Beyond giving you access to the latest technologies, using secure WordPress hosting can also help you automatically mitigate many of the other potential security vulnerabilities with:
Takeaway: Using a secure hosting environment and recent versions of important technologies like PHP helps further ensure that your WordPress site stays safe.
Now you might be wondering, who’s responsible for combating all the issues above?
Officially, that responsibility falls to the WordPress Security Team (though individual contributors and developers from around the world also play a huge role in keeping WordPress secure).
The WordPress Security Team is “50 experts including lead developers and security researchers”. About half of these experts work at Automattic. Others work in web security, and the team also consults with security researchers and hosting companies.
If you’re interested in a detailed look at how the WordPress Security Team functions, you can watch Aaron Campbell’s 48-minute talk from WordCamp Europe 2017. But in general, the WordPress Security Team:
The WordPress Security Team follows a disclosure policy: once they have patched the bug and released the security fix, they publicly disclose the issue. (This is part of why so many sites were defaced in 2017: those sites still hadn’t applied the update even after the security team publicly disclosed the bug.)
What the WordPress Security Team does not do is check all the themes and plugins at WordPress.org. The themes and plugins at WordPress.org are manually reviewed by volunteers. But that review is not “a guarantee that they are free from security vulnerabilities”.
If you look at all the data and facts above, you’ll see this general trend:
While no content management system is 100% secure, WordPress has a quality security apparatus in place for the core software and most of the hacks are a direct result of webmasters not following basic security best practices.
If you do things like…
…then WordPress is secure and your site should remain hack-free both now and in the future. If you’re a Kinsta client, you also don’t need to worry. If, by some off chance, your site is hacked, we’ll fix it for free!