WordPress security update: go in hard or go home


There is no doubting that WordPress is popular, very popular. It is currently in use by around 25% of the top 10 million websites, which gives it a content management system market share of 59% and makes WordPress security very important.

That WordPress is also a magnet for hackers is beyond doubt. Any software with a market share of that scale is going to attract the attention of the bad guys.

But does this mean that WordPress is inherently insecure, and any site built on the platform a security risk? You might think so, what with the news this week that WordPress version 4.4.1 and earlier have been impacted by a newly discovered Server Side Request Forgery (SSRF) vulnerability and an Open Redirect one for good measure.

However, let’s stop right there before getting carried away: WordPress has put a ‘security and maintenance’ release out there already in the shape of 4.4.2 and is recommending everyone apply this immediately.

WordPress 4.4.2 not only addresses the two pressing security vulnerabilities already mentioned, but 17 other ‘bugs’ as well.

Obviously, it’s vital to apply these updates as they appear if you truly value your site’s security. The server side request forgery vulnerability would enable an attacker to access the local server where WordPress is installed, and the open redirection attack can be used by phishing perpetrators to send unknowing victims to a malicious site.


According to WordPress security experts, and developers of one of the most popular security plugins, a proof of concept exploit for these vulnerabilities is expected in the wild any time now. “This expectation is based on the fact that within 24 hours of the previous release on 6th January (release 4.4.1), someone had posted a proof of concept exploit to Twitter,” WordFence explains.

WordFence has also this week analysed an attack platform infecting WordPress that actually consists of a single meta script, just two lines long, that points to a pastebin source for downloading and execution.

Once installed, an astonishing 43 threat tools were made available to the attacker, once again downloaded from pastebin: tools for managing the file system, DoS’ing other systems, accessing the WordPress database through a SQL client, an FTP brute forcer and so on.

You can see a video of this attack platform in action here.

So, going back to our original question, doesn’t this just prove the point that WordPress is insecure? Not at all. What it proves is that WordPress is an attractive target, and a poorly configured, ill-protected installation provides easy pickings for the bad guys.

Harden your WordPress installation and it doesn’t have to be any more of a security risk than any other software or service you buy into.

And that’s where the real problems start. For many website operators WordPress is a fire-and-forget solution, and they forget to fire up the updates as a result. Not just core updates, not just security and maintenance updates, but also updates to all those plugins they have installed to make their sites user friendly and attractive.

WordPress security lesson 1: update everything, and quickly.

The threat opportunity window is such that as soon as an update is ready you can bet that the exploits will follow (if not already out there) in the wild. Running legacy plugins, or old platform cores, is asking for trouble.

The main reason people don’t update, other than apathy, is a fear of breaking something. This is understandable, when they have spent time and money creating a site that just works.

Truth be told, if a plugin doesn’t work with the latest and most secure version of WordPress then you should be looking for another one to replace it. Or just doing without. Ditto when it comes to ‘themes’ that break when the WordPress core gets a point upgrade.

WordPress security lesson 2: use as few plugins as possible.

Seriously, we have seen sites with literally hundreds of plugins installed. They are like some bizarre web-design version of Pokemon in that someone has to collect them all.

The more plugins you have, the bigger the attack surface you are creating. The more legacy plugins you have, ones the developer has not updated for months or years, the bigger that attack surface grows again.
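Lessons 1 and 2 both come down to knowing what is installed and how stale it is. The script below is an added example written for this article, not code from WordPress, WP-CLI or any plugin (WP-CLI's own `wp plugin list` gives you the same inventory on a live site). It reads the `Plugin Name:` and `Version:` header fields that every WordPress plugin carries in its main PHP file, compares each installed version against a table of latest versions, and flags plugins that are outdated or missing from that table altogether. The `LATEST_VERSIONS` table, the plugin names and the directory tree it scans are all constructed for the example; in practice the table would come from the wordpress.org update feed.

```python
"""Inventory installed WordPress plugins and flag the ones that need attention.
Added example for this article; it is not code from WordPress or any plugin."""
import re
import tempfile
from pathlib import Path

# Constructed stand-in for the wordpress.org update feed: slug -> latest version.
# These names and versions are made up for the example.
LATEST_VERSIONS = {
    "example-gallery": "3.2.0",
    "example-forms": "1.10.4",
}

# WordPress plugin headers are "Key: value" lines inside the main file's
# leading comment block, optionally prefixed with " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> dict:
    """Return the Plugin Name and Version fields found in a plugin file."""
    return {key: value for key, value in HEADER_RE.findall(php_source)}


def version_tuple(version: str) -> tuple:
    """Numeric comparison so 1.10.0 > 1.9.0 (plain string comparison gets this wrong)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def scan_plugins(plugins_dir: Path, latest: dict) -> list:
    """Return (slug, installed, latest, status) for each directory in wp-content/plugins."""
    report = []
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        header = {}
        for php_file in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php_file.read_text(errors="replace"))
            if "Plugin Name" in header:
                break  # the main plugin file is the one carrying the header
        slug = plugin_dir.name
        installed = header.get("Version")
        newest = latest.get(slug)
        if installed is None:
            status = "no-header"      # nothing recognisable as a plugin; investigate
        elif newest is None:
            status = "not-in-feed"    # unlisted or abandoned: lesson 2 says drop it
        elif version_tuple(installed) < version_tuple(newest):
            status = "outdated"       # lesson 1 says update it now
        else:
            status = "current"
        report.append((slug, installed, newest, status))
    return report


def build_demo_tree(root: Path) -> Path:
    """Write a constructed wp-content/plugins tree with three sample plugins."""
    plugins_dir = root / "wp-content" / "plugins"
    samples = {"example-gallery": "3.2.0", "example-forms": "1.9.2", "old-widget": "0.4"}
    for slug, version in samples.items():
        plugin_dir = plugins_dir / slug
        plugin_dir.mkdir(parents=True)
        (plugin_dir / f"{slug}.php").write_text(
            f"<?php\n/*\n * Plugin Name: {slug}\n * Version: {version}\n */\n"
        )
    return plugins_dir


def demo() -> list:
    """Run the scan against the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins(build_demo_tree(Path(tmp)), LATEST_VERSIONS)


if __name__ == "__main__":
    for slug, installed, newest, status in demo():
        print(f"{slug:20} installed={installed!s:8} latest={newest!s:8} {status}")
```

Two details matter here. Versions are compared as tuples of integers, because comparing them as strings would call 1.9.2 newer than 1.10.4. And a plugin that does not appear in the update feed at all gets its own status rather than being silently treated as current; that is exactly the legacy plugin lesson 2 tells you to remove.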

What you want to do is reduce the attack surface, and you can do that by applying lesson 3.

WordPress security lesson 3: lock it down.

Leaving your WordPress installation in the default directory isn’t a major crime as the bad guys will know how to find it easily enough anyway. Leaving your admin defaults as is, that’s a different kettle of sharks.

Not only should you change your logins, using something other than ‘admin’ as a username and creating a long and strong password, but we recommend applying two-factor authentication as well. Anything that makes the job of the bad guy that bit harder is worth investing some time and effort into.

2FA stops brute-forcing attempts from succeeding, and is relatively easy to configure via a general security plugin or a dedicated 2FA one.
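The other half of resisting brute forcing, and the "enforcing login attempt counts" feature lesson 4 asks for, is counting failed logins per source and refusing further attempts for a while once a threshold is passed. The block below is an added example for this article, not code from WordPress or any security plugin. It keeps a sliding window of failures per client IP, triggers a timed lockout at the fifth failure, and replays a few constructed auth-log lines through it. The log format, the usernames and the IP addresses (drawn from the documentation ranges) are all made up for the example; the thresholds are assumptions, not plugin defaults.

```python
"""Per-source failed-login counting with a lockout window.
Added example for this article, not code from WordPress or any security plugin."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginThrottle:
    """Lock a source out after max_failures failed logins inside `window`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.locked_until = {}              # source -> time the lockout expires

    def is_locked(self, source, now):
        until = self.locked_until.get(source)
        return until is not None and now < until

    def record(self, source, success, now):
        """Register one attempt; return 'locked', 'ok', 'failed' or 'lockout-triggered'."""
        if self.is_locked(source, now):
            return "locked"               # refuse without even checking the password
        if success:
            self.failures.pop(source, None)
            return "ok"
        recent = self.failures[source]
        while recent and now - recent[0] > self.window:
            recent.popleft()              # forget failures older than the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[source] = now + self.lockout
            self.failures.pop(source, None)
            return "lockout-triggered"    # a good moment to notify the site owner
        return "failed"


# Constructed auth-log lines (timestamp, client IP, username, outcome). The format
# is made up for the example and the IPs come from the documentation ranges.
SAMPLE_LOG = """\
2016-02-03T10:00:01 203.0.113.7 admin FAIL
2016-02-03T10:00:03 203.0.113.7 admin FAIL
2016-02-03T10:00:05 203.0.113.7 administrator FAIL
2016-02-03T10:00:06 203.0.113.7 admin FAIL
2016-02-03T10:00:08 203.0.113.7 admin FAIL
2016-02-03T10:00:09 203.0.113.7 admin FAIL
2016-02-03T10:00:40 198.51.100.2 editor FAIL
2016-02-03T10:00:45 198.51.100.2 editor OK
"""


def replay(log_text, throttle):
    """Feed each log line through the throttle; return (ip, user, decision) per line."""
    decisions = []
    for line in log_text.splitlines():
        stamp, ip, user, outcome = line.split()
        now = datetime.fromisoformat(stamp)
        decisions.append((ip, user, throttle.record(ip, outcome == "OK", now)))
    return decisions


if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG, LoginThrottle()):
        print(f"{ip:14} {user:14} {decision}")
```

Keying on the source address rather than the username is deliberate: a per-username counter lets anyone lock the real administrator out by guessing wrongly on purpose. Note also that the lockout answer is returned before any password check, so a locked source costs the server nothing.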

WordPress security lesson 4: install a security suite.

Lesson 4 can almost be merged with lesson 3, in that you should install a WordPress security suite by way of a plugin. There are a handful of market leaders that become apparent when you take a look at the reviews etc. Any of these will do, so base your decision on what features you need, what you can afford and what sits at the user level you are at.

The minimum feature set should include scanning for code changes and malware, notifying you of every admin login, enforcing login attempt counts, adding admin 2FA and warning of outdated installations.
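"Scanning for code changes" is the feature most worth understanding, because it is what catches a compromise after every other control has failed. The block below is an added example for this article, not code from any security plugin. It records a SHA-256 baseline of every file in the WordPress tree, compares a later snapshot against it, and separately flags PHP files that have appeared under wp-content/uploads, where only static media belongs. The site tree it builds and tampers with is constructed for the example; the baseline file location and the list of code suffixes are assumptions.

```python
"""Baseline-and-compare scan for code changes in a WordPress tree.
Added example for this article; not code from any security plugin."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: these suffixes are treated as executable code, and code has no
# business under wp-content/uploads.
CODE_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file's path (relative, forward slashes) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap: dict, path: Path) -> None:
    """Keep the baseline off the web server; on-box it can be edited along with the site."""
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files, plus code dropped into uploads."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = [p for p in added + modified
                  if p.startswith("wp-content/uploads/") and p.endswith(CODE_SUFFIXES)]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Build a constructed site tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(site), Path(store) / "baseline.json"
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        save_baseline(snapshot(root), baseline_file)
        # Simulated tampering of the kind the scan exists to catch (constructed).
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php'; // edited\n")
        (uploads / "cache.php").write_text("<?php // constructed: code dropped into uploads\n")
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10} {paths}")
```

A baseline is only as trustworthy as the copy you compare against, which is why `save_baseline` is meant to write somewhere the web server cannot reach; the scan should also be re-baselined immediately after every legitimate core, plugin or theme update, otherwise the noise from real updates buries the one change that matters.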

Of course, a word of warning: whenever you change anything to do with WordPress there is an opportunity to break something. So it’s best practice to keep regular backups of your site, and that means both the database and the whole installation. If anything goes wrong, you can quickly jump back to a working instance.

Don’t store your backup files on the same server that hosts your website and WordPress installation; that’s just adding to the attack magnetism. Use a suitably secured cloud service, or download and store offline.
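A backup you have never verified is a hope, not a backup. The block below is an added example for this article, not code from WordPress or any backup plugin. It bundles the site directory and a database dump into one archive, writes a checksum alongside it, and then verifies that the archive still hashes correctly and contains the pieces a restore needs (the dump, wp-config.php and wp-content). The site tree and dump are constructed for the example, and the `offsite` directory stands in for wherever the archive is copied off the server; producing the dump (for instance with WP-CLI's `wp db export` or mysqldump) and the actual off-server copy are left to the operator.

```python
"""Bundle the WordPress files and a database dump into one archive with a
checksum that can be verified before and after it leaves the server.
Added example for this article; not code from WordPress or any backup plugin."""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    # Site-sized archives fit in memory; stream in chunks for very large ones.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(site_dir: Path, db_dump: Path, dest_dir: Path) -> Path:
    """Archive the site tree plus the SQL dump, then write a sidecar SHA-256 file."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")          # wp-config.php, wp-content, etc.
        tar.add(db_dump, arcname="database.sql")   # dump produced separately
    checksum_file = archive.with_name(archive.name + ".sha256")
    checksum_file.write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> dict:
    """Re-hash the archive and confirm the pieces a restore needs are inside it."""
    expected = archive.with_name(archive.name + ".sha256").read_text().split()[0]
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return {
        "checksum_ok": sha256_of(archive) == expected,
        "has_database": "database.sql" in names,
        "has_config": "site/wp-config.php" in names,
        "has_content": any(n.startswith("site/wp-content/") for n in names),
    }


def demo() -> dict:
    """Constructed site tree and dump; `offsite` stands in for the off-server copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        site = base / "site"
        (site / "wp-content" / "themes").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (site / "wp-content" / "themes" / "style.css").write_text("/* theme */\n")
        dump = base / "database.sql"
        dump.write_text("-- constructed dump\nCREATE TABLE wp_options (option_id INT);\n")
        dest = base / "offsite"
        dest.mkdir()
        return verify_backup(make_backup(site, dump, dest))


if __name__ == "__main__":
    print(demo())
```

Run `verify_backup` again on the off-server copy after the transfer: a checksum that matches on the origin but not at the destination means the copy is useless, and you want to learn that on a quiet afternoon rather than in the middle of a restore.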

The clever money also creates a local server that clones the site and allows you to test plugins and updates away from the live one. There are plenty of tools out there that enable you to do this without too much technical know-how.

So, to summarise: harden your WordPress security by keeping your site updated, locking it down, monitoring it, logging it and backing it up.