It’s only fair to mention WordPress security risks in the first post to anyone who uses or intends to use it. WordPress security issues are unfortunately more common than one would like. Just try searching for them on Google and you’ll be surprised at the number of results.
It’s a good platform and it’s open source. That means hundreds if not thousands of programmers “chip in” with their code… and any hacker or PHP developer can read it. Apart from that, anyone can publish a plugin, and apart from the community there’s really no one checking it security-wise.
Let’s keep it short and sweet since it’s the first post; we’ll cover many more related subjects in the near future.
Top security risks for WordPress:
- getting your site pwned/hacked/defaced or simply taken off-line,
- getting your customers’ data stolen and sold on the Darknet or some other shady place,
- using a plugin or plugins with undiscovered vulnerabilities that make any of the above or below possible; it’s even worse if you use one with publicly known issues, which is why you need to use a WordPress security scanner (see WpScan below),
- a lot of the time you might get nasty popups, but watch out… not when you’re logged in as admin and not from your usual or home IP; smart WordPress malware will try to prevent the admin from noticing its effects,
- you can get a miner installed on your server through one of many bugs; it will slow down your site,
- another risk is getting your site encrypted by ransomware
Most of the above apply to non-WordPress sites as well, but in the case of a WP site these happen much more often than with a not-so-popular or custom CMS.
Here’s another list to help you down the road.
WordPress security best practices:
- Keep your WordPress and plugins updated,
- Keep multiple backups of your database from different points in time; they can help you go back to a healthy state in case you detect an infection or intrusion late,
- scan your installation using WordPress malware & security scanners (e.g. my favourite one, which is totally free: WpScan),
- WpScan is connected to the live exploit database at ExploitDb – just make sure your plugins don’t pop up there, and if they do, update them, or replace them if their creators haven’t made a fix,
- you can keep a git repository; it’s a source control tool, but it will show you each and every change in any file, which is lovely. If you can’t for any reason, at least use a WP security plugin that shows the changes in your files,
- secure uploads and make sure your installation has the right permissions; watch out with “throwing” chmod 777 around (it allows writes for everyone), and also forbid PHP file execution in your wp-content/uploads folder in case someone manages to upload a nasty thing.
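To make the list above concrete, here is a small POSIX-sh toolkit added as an example (it is not code from the original post, nor an official WordPress tool). It covers the timestamped database backups, the file-change detection you would otherwise get from git, the world-writable permission check, and the “no PHP execution under uploads” rule. It assumes a standard WordPress tree at the path you pass in, a wp-config.php with single-quoted define('KEY', 'value') lines as in wp-config-sample.php, and sha256sum and mysqldump on PATH; the function names and the baseline.sha256 file name are this example’s own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: a POSIX-sh toolkit for the
# best-practice list above (timestamped DB backups, file-change detection as a
# git substitute, permission checks, no PHP execution under uploads).
# Assumptions: a standard WordPress tree at the path you pass in, a wp-config.php
# using single-quoted define('KEY', 'value') lines as in wp-config-sample.php,
# and sha256sum / mysqldump on PATH. Function names are this example's own.
set -eu

# Read one define('KEY', 'value') from wp-config.php (old and spaced forms).
wp_config_get() {
    sed -n "s/^define( *'$2', *'\([^']*\)'.*/\1/p" "$1/wp-config.php" | head -n 1
}

# Timestamped, gzipped dump so several points in time can sit side by side.
# The password travels via the environment, so it never shows up in `ps`.
wp_db_backup() {
    mkdir -p "$2"
    MYSQL_PWD=$(wp_config_get "$1" DB_PASSWORD) \
    mysqldump --single-transaction \
        -h "$(wp_config_get "$1" DB_HOST)" -u "$(wp_config_get "$1" DB_USER)" \
        "$(wp_config_get "$1" DB_NAME)" | gzip > "$2/db-$(date +%Y%m%d-%H%M%S).sql.gz"
}

# Baseline: sorted SHA-256 of every file. Keep it outside the web root and
# refresh it only after updates you made yourself.
wp_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k 2 > "$2"
}

# Compare the tree with a baseline: prints "added/modified/removed <path>" and
# returns 1 if anything differs, 0 if untouched. Media you uploaded shows up as
# "added"; a .php file under wp-content/uploads should never.
wp_changed() {
    now=$(mktemp)
    wp_baseline "$1" "$now"
    # sha256sum lines are "<64 hex>  <path>", so the path starts at column 67.
    report=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
                            { cur[substr($0, 67)]  = $1 }
        END {
            for (p in cur)
                if (!(p in base)) print "added    " p
                else if (base[p] != cur[p]) print "modified " p
            for (p in base)
                if (!(p in cur)) print "removed  " p
        }' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    if [ -n "$report" ]; then printf '%s\n' "$report"; return 1; fi
    return 0
}

# Permissions: list anything world-writable (the chmod 777 habit), and reset
# to the usual 755 for directories / 644 for files. Tighten wp-config.php
# further (e.g. 640) by hand afterwards.
wp_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | LC_ALL=C sort
}
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Refuse to execute PHP-like files under uploads (Apache 2.4 syntax; the host
# must allow .htaccess via AllowOverride). nginx ignores .htaccess: put
#   location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
# ABOVE the generic "location ~ \.php$" block in the server config instead.
wp_harden_uploads() {
    mkdir -p "$1/wp-content/uploads"
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Usage: sh wpsec.sh /var/www/html /var/backups/wp
# First run stores the baseline in the backup dir; later runs report changes.
if [ $# -ge 2 ]; then
    wp_harden_uploads "$1"
    wp_db_backup "$1" "$2"
    if [ -f "$2/baseline.sha256" ]; then
        wp_changed "$1" "$2/baseline.sha256" || echo "review the changes above"
    else
        wp_baseline "$1" "$2/baseline.sha256"
    fi
    wp_world_writable "$1"
fi
```

Run it from cron with the web root and a backup directory that the web server user cannot write to; if an intruder can edit files, they can edit a baseline that sits inside the web root just as easily. A “modified” line for a core file, or any .php appearing as “added” under wp-content/uploads, is exactly the signal the git-or-security-plugin advice above is meant to give you.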
That’s it for the first batch of WordPress security tips. As mentioned before, there are many other ways to keep your installation secure, but keeping it up to date and not allowing exploitable plugins is definitely the first step.
The most popular ways to get your WordPress blog hacked…
1. Malware Attacks
We live in the dangerous times of automated scanners. If your website is easily identified by so-called footprints (e.g. “powered by WordPress”), you can count on some software finding your blog sooner or later. If that’s the case and your installation is not up to date, you’re an easy target. Don’t believe it? Leave an experimental installation on an older version and see what happens after a couple of months, but do it on separate hosting! 🙂
2. Injection Attacks
This includes OS command injection, SQL injection, XSS and others. The basic idea is that the attacker uses an unsecured form field or an endpoint in your API to inject either code or shell commands. The latter can be quite dangerous as it can lead to further penetration of your system. Malware can attack through such injections performed in an automated manner.
3. Noob Attacks
If you’re not updating your plugins or theme, you’re in danger of script-kiddie attacks. Lots of newbies are constantly checking out sites like WPVULNDB or ExploitDB and then just googling the footprints in order to find WP owners still running those plugins or themes.
Here are holes in WordPress itself if your version is 5.0 or lower (which is pretty recent):
- Authenticated File Deletion – i.e. any NON-admin user can delete any file as long as they are logged in. That sucks, doesn’t it? Especially if you’re running 4.9.2 🙂
- Easy Authenticated Post Type Bypass – any authenticated user, of any level, can create a custom post type and show it on your blog. Not funny.
- Custom PHP Object Injection – any contributor is able to inject their own PHP objects using post meta data (custom fields etc.); if that’s the case, it means they can inject password hijackers for other users or anything else they want.
- Stored Authenticated Cross-Site Scripting – sounds complicated? It’s not. It just means that any user can edit other users’ comments… including injecting them with custom scripts (e.g. key-loggers).
- Plugin XSS – same as above, but if the bad guy uses a specific URL they might inject your plugins with some nasty code. We won’t give you details, though, as some things are best kept simple.
- WP User Activation Screen – if your WP is misconfigured and allows search engines to index it, your passwords and emails are in danger of being harvested by automated bots.
- Good Old File Upload Hack – the MIME type of every file defines what it actually is. Researchers discovered that if you’re running on Apache (no worries if you’re an NGINX fan like me 🙂) hackers can actually craft a special file which your server will think is an image, but in reality it might be a piece of evil code!
So above you have 7 really good reasons to update your WordPress version to 5.0.2, and again, these holes get public with every update, so keep an eye on your installation and make sure you’re up to date with… updates!