Introduction
WordPress is the most popular blog system on the Internet. On average, every third page uses this system to handle its content. However, many myths have accumulated around this tool over the years. Is WordPress secure? Does its use have any consequences?
Number of Errors
To answer the question posed in the title, let's try to trace the number of vulnerabilities found in the entire ecosystem. I will use the WPScan Vulnerability Database website, which aggregates all currently known vulnerabilities that relate to this system. On the home page, we can read that over 14,000 entries have been cataloged so far. A lot for just one script. Based on such data, we can get the false impression that using WordPress to build your brand on the Internet may not be the best idea. But what is the reality?
The vulnerabilities on this page are divided into 3 main categories. The first - vulnerabilities in WordPress itself, the so-called core engine of the site. Next - vulnerabilities in extensions (plugins), that is, additional functions that we install on our site to get extra options and possibilities. And last - vulnerabilities in themes, that is, the pieces of code responsible for the appearance of our site.
XSS
When considering security in these categories, the situation is quite different. It turns out that the last known core vulnerability comes from March 2019. It is described as an XSS attack using comments. In short, XSS allows malicious JS code to be executed within our domain. Only that, going into the details of this error, it turns out that several specific conditions must be met to exploit it. For someone to attack our site, we - as an administrator - must be logged in to the admin panel. Then - while logged in - we have to visit the malicious page, which then executes the malicious code. So it falls under a social engineering attack rather than a flaw in itself. Especially if comments are disabled on our site. And that is nothing unusual - especially on small business websites that look more like business cards with a price list and contact information than large information portals. Then the attacker would have to send us a link to an external site by some other method - for example, via email. What's more - we would have to open this link while being logged in to the site.
Code Execution
Well then, let's look at another error. This time from February. We see that this is Code Execution - that is, execution of code. Sounds ominous? And indeed - this is one of the worst types of vulnerabilities we can encounter because it allows the execution of arbitrary code on our site, which means that a potential attacker gains full control over our website. Only this time we are dealing with an authenticated vulnerability. For someone to attack our blog this time - he must have a user account on this website. Reading the description of this error, it turns out that in this case "the attacker must have the author's permissions". And this is a very rare situation. Why? WordPress has several built-in user groups as standard. Depending on which group we are assigned to - we obtain the appropriate rights to perform certain activities. An author is a person who can publish and manage their own entries. So this is a person whom the administrator trusts enough to allow them to add new content to the site. So we can assume that it will be difficult for an ordinary attacker to access such an account.
Yes, they can get a login and password using, at the very least, phishing - an attack in which we impersonate someone or something to gain unauthorized access. Only that phishing is not a vulnerability in WordPress, but a social engineering attack to which each of us is exposed.
So we have two vulnerabilities that look bad on paper - but in practice, they will be difficult to exploit. So it turns out that for more than half a year no new critical vulnerability has been published in the engine itself. So where does this tool's bad reputation come from?
Plugins
It's about extensions - plugins. These are additional pieces of code created by independent developers that drastically increase the capabilities of the system itself. I dare say that it is thanks to them that WordPress is so popular. Currently, there are over 55,000 add-ons in the plugin catalog. It is thanks to them that this system is not just a blog system. With a few clicks, it can become an online store, a photo gallery or a social platform. The key is the fact that anyone who has a bit of programming knowledge can contribute a new add-on that can then be run on any page. On the one hand, this is great news for users.
At the moment there is a good chance that even without programming knowledge we can create an extensive website using only ready-made solutions. Try to search the database yourself by entering keywords. Are you looking for a hair salon management system? No problem. You have a lot of photos and you want to sort them in the gallery. It's just a few clicks. Do you want to create an advanced survey for your users? It is already there. Finding the right look for your page is also a few clicks away. There are quite a few companies on the market that prepare templates for this particular system. For a few dollars, you can become the owner of a nice-looking website, where you only need to change the logo, add a few photos and that's it.
Who Creates Add-Ons?
But there is one catch. These extensions are not created by Automattic - the company responsible for WordPress development - but by users. This means that most of the code does not pass any quality control. Nobody checks these additional functionalities. Of course - users report on forums that something is wrong - but hardly anyone pays attention to the security of the code itself. This means that with each additional extension we install, our site becomes more and more exposed.
But of course, you should not be paranoid. Not all add-ons are bad. Especially since the most popular ones are developed and supported by companies that have turned their activities into their source of income.
Security
To sum up: the security of your site depends mainly on the number and quality of extensions you install on it. When choosing, it is worth considering the number of installations. Popular add-ons are usually updated more often. You can also check the bug history of an add-on. Remember that having had vulnerabilities in the past does not necessarily disqualify a given extension. Why? No application is 100% secure. Sooner or later someone will always find something that is not working properly, or new attack techniques will be invented. More important than the count is how quickly the developers respond to such an incident. If an error is patched quickly after being reported, it means that the company takes such matters seriously.
In such situations, with normal use of WordPress, we are usually safe. Most errors are found by security professionals. Before all the information about a given vulnerability is published, the developer is informed about it first and given an appropriate amount of time to react. In the case of WordPress - extensions can be updated automatically without our involvement. This means that we do not need to track vulnerability notification services. The developer will release the patch and it will install automatically on our server.
Additional Security
Okay, but readers of this blog are interested in security. What more can you do to increase the security of your site? The market's answer to this question is extensions whose sole purpose is to protect our site from attacks. There are at least a few of them. I don't want to favor any of them here. They all work more or less similarly and offer a similar set of tools. The choice is yours, dear readers, and depends on your personal preferences. The most popular are Wordfence Security, All In One WP Security, Sucuri Security and iThemes Security. I will now try to describe the most important functions that can be found in them, as well as explain why using them can positively affect your security.
Bruteforce
First of all - protection against brute force attacks. The script monitors how often a person tries to log in to the admin panel. If there are too many wrong attempts - access to login from the given IP address is blocked for some time.
This is especially important in slightly larger installations. While our own password can be long and complicated enough, what about the passwords of our colleagues? Are they also aware of these threats? A natural extension of this protection is a list of IP addresses that are blocked up front.
How are such lists created? Some of the extensions send statistical information to their developers' servers. There, this information is aggregated and processed. From a global perspective - if one IP address tries to log in to many different WordPress instances, then something is wrong. It's hard to believe that one person owns and supervises 100 different sites. Thanks to this, we proactively block access from potentially dangerous addresses.
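As an added example of the lockout logic described above (this is not code from the post or from any of the plugins it names), the following must-use plugin counts failed logins per source address in a WordPress transient and refuses authentication once a threshold is crossed. The threshold, window and block length are assumed values; the function and transient names are made up for the illustration.

```php
<?php
/**
 * Plugin Name: Example login lockout (added illustration, not the page's code)
 * Drop this file into wp-content/mu-plugins/ to activate it.
 */

// Assumed policy values (hypothetical; tune them for your site).
define('EXAMPLE_LOCKOUT_MAX_FAILURES', 5);                         // failures allowed per window
define('EXAMPLE_LOCKOUT_WINDOW',       15 * MINUTE_IN_SECONDS);    // how long failures are remembered
define('EXAMPLE_LOCKOUT_DURATION',     30 * MINUTE_IN_SECONDS);    // how long an address stays blocked

function example_lockout_client_ip(): string {
    // REMOTE_ADDR is the only address the client cannot simply forge. If the
    // site sits behind a reverse proxy, configure the proxy / real-IP module so
    // that REMOTE_ADDR already holds the real client address.
    return (string) ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

function example_lockout_key(string $ip): string {
    // Transient names have a length limit, so key on a hash of the address.
    return 'example_lockout_' . md5($ip);
}

// Count each failed login and lock the address once the threshold is reached.
add_action('wp_login_failed', function ($username): void {
    $ip    = example_lockout_client_ip();
    $key   = example_lockout_key($ip);
    $state = get_transient($key);
    if (!is_array($state)) {
        $state = ['failures' => 0, 'locked_until' => 0];
    }
    if ($state['locked_until'] > time()) {
        return;                                   // already locked; keep the fixed block length
    }
    $state['failures']++;
    if ($state['failures'] >= EXAMPLE_LOCKOUT_MAX_FAILURES) {
        $state['locked_until'] = time() + EXAMPLE_LOCKOUT_DURATION;
        // Leave an audit trail in the PHP error log for later investigation.
        error_log(sprintf('example_lockout: blocking %s after %d failed logins (last username: %s)',
            $ip, $state['failures'], (string) $username));
    }
    // The transient expires on its own, so stale counters clean themselves up.
    set_transient($key, $state, max(EXAMPLE_LOCKOUT_WINDOW, EXAMPLE_LOCKOUT_DURATION));
});

// Refuse authentication while the address is locked. Priority 30 runs after
// WordPress's own username/password checks (registered at priority 20).
add_filter('authenticate', function ($user, $username, $password) {
    $state = get_transient(example_lockout_key(example_lockout_client_ip()));
    if (is_array($state) && $state['locked_until'] > time()) {
        return new WP_Error('example_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter so ordinary typos do not accumulate.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(example_lockout_key(example_lockout_client_ip()));
}, 10, 2);
```

Because the counter lives in a transient, it is shared by every PHP worker on the server and survives across requests without a custom table; on sites with an object cache it lives there instead. The block is deliberately per address rather than per username, so a password-guessing run that cycles through many usernames is still throttled.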
2FA
Another option that I think should be built into a standard installation is two-factor authentication. So - in addition to the login and password, the user must provide an additional component. There are various options here. It can be an SMS code, a one-time code from a special application on the phone, or simply copying a key sent by email. Thanks to this - even if someone steals our password using a phishing attack - they will not be able to use it to log into our account.
Next - if we are the only authors of the blog and it so happens that our Internet provider gives us a permanent IP address - we can restrict access to the administrator panel to that specific address. Thanks to this, even if someone has our login details, they will not be able to use them. Of course - this has its drawbacks. We will then be able to edit the content only through that one particular Internet provider. Situations in which our IP address changes are also problematic.
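As an added example (not code from the post or from any of the plugins it names), here is a minimal time-based one-time code check of the "special application on the phone" kind, implemented as a must-use plugin for wp-login.php. It assumes a hypothetical user-meta key, example_totp_secret, that holds each user's base32 secret; enrolment (generating the secret and showing it as a QR code) is outside the snippet. The code arithmetic follows RFC 6238 (HMAC-SHA1, 30-second steps, six digits).

```php
<?php
/**
 * Plugin Name: Example TOTP second factor (added illustration, not the page's code)
 * Assumes a base32 secret per user in user meta under 'example_totp_secret'
 * (hypothetical key; the enrolment screen is not part of this example).
 */

function example_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $val = strpos($alphabet, $ch);
        if ($val === false) {
            return '';                                 // reject malformed secrets
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {                     // drop the trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP/TOTP value: HMAC-SHA1 over the 64-bit big-endian step counter, then
// RFC 4226 dynamic truncation to the requested number of digits.
function example_totp_code(string $secret, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $binary = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current 30-second step and one step either side to absorb clock drift.
function example_totp_verify(string $b32secret, string $submitted, ?int $now = null): bool {
    $secret = example_base32_decode($b32secret);
    if ($secret === '' || !preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    $step = intdiv($now ?? time(), 30);
    foreach ([-1, 0, 1] as $drift) {
        // hash_equals gives a constant-time comparison of the two strings.
        if (hash_equals(example_totp_code($secret, $step + $drift), $submitted)) {
            return true;
        }
    }
    return false;
}

// Add the code field to the standard login form.
add_action('login_form', function (): void {
    echo '<p><label for="example_totp">' . esc_html__('Authentication code') . '<br>'
       . '<input type="text" name="example_totp" id="example_totp" class="input" '
       . 'autocomplete="one-time-code" inputmode="numeric"></label></p>';
});

// After WordPress has verified the password (priority 20), also require the code.
add_filter('authenticate', function ($user, $username, $password) {
    if (!($user instanceof WP_User) || $username === '') {
        return $user;                 // password already rejected, or cookie-based re-auth
    }
    $secret = get_user_meta($user->ID, 'example_totp_secret', true);
    if (!is_string($secret) || $secret === '') {
        return $user;                 // user not enrolled (hypothetical rollout policy)
    }
    $code = isset($_POST['example_totp']) ? trim((string) wp_unslash($_POST['example_totp'])) : '';
    if (!example_totp_verify($secret, $code)) {
        return new WP_Error('example_totp_invalid', __('Invalid authentication code.'));
    }
    return $user;
}, 30, 3);
```

With the RFC 6238 reference secret 12345678901234567890 (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) and Unix time 59, example_totp_verify() returns true for the code 287082, the six-digit form of the standard's SHA-1 test vector. In a real deployment the secret should be stored encrypted or at least kept out of any export, and the ±1 step tolerance should be paired with the lockout above so the code cannot simply be guessed.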
Geolocation
Geolocation of users is an extension of this protection. If our website is in an XYZ country and we sell our products only in that language, it is unlikely that someone from ABC country will want to use our offer. This approach has its drawbacks. Firstly, People from XYZ country can also live outside XYZ country - then they will lose access to our content. Secondly - this will not stop advanced attackers, who can buy a server in XYZ country and direct attacks towards us.
By default, WordPress reveals the version number currently in use on our site in several places. This is potentially interesting information for attackers. If a new vulnerability appears for a specific version of WordPress, they will be able to look for potential targets using search engines, which index the version number we are using - so it's worth removing this information.
Next - the website is not only text but also graphic files. They are usually stored in a specially designed directory. In a properly configured WordPress installation, only these directories allow new files to be saved in them. Because of this, it is where malicious files most often end up when some vulnerability is exploited. The exploitation of such loopholes usually takes place in two stages. First, the attacker gains access to the system and then saves a new PHP file on it - the so-called backdoor. It then accepts commands from the attacker and executes them. Thanks to this - someone who has once gained access to our site does not have to use the vulnerability every time, but refers directly to the file uploaded earlier. If we block the execution of PHP files in the media directories - we will make criminals' lives significantly harder. They will still be able to put the malicious file on our server, but it will be of no use to them.
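One way to apply that block on Apache, as an added example that is not taken from the post or from any plugin it names: a per-directory configuration file placed at wp-content/uploads/.htaccess. It assumes Apache 2.4 syntax and that AllowOverride permits .htaccess files in that path.

```apache
# wp-content/uploads/.htaccess  (Apache 2.4; added example, not from the page)
# Refuse to serve any PHP-like file from the media directory. A backdoor
# dropped here can still be written to disk, but a request for it gets 403.
<FilesMatch "\.(php|phtml|php[3-8]|phps|phar)$">
    Require all denied
</FilesMatch>
```

Under nginx the equivalent is a location rule that returns 403 for \.php$ requests below /wp-content/uploads/, and it must appear before the generic PHP-FPM location so it takes precedence. Whichever server you run, test with a harmless text file renamed to .php after deploying the rule, and remember that the rule protects only the uploads tree, not other writable paths.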
File Editor
Vulnerabilities do not always lead directly to remote code execution on the attacked server. Sometimes you only get access to the administrator account. Only that in the case of WordPress this is synonymous with the ability to execute arbitrary code. Why? Because it has a built-in file editor. Thanks to it, we can modify any template or extension file from the web interface, without logging in via SSH or FTP. And because extensions are PHP files - if we can edit them - we can add any code to them. On the one hand, convenience - on the other, an additional entry point for attackers. Therefore, you can disable this option by defining the DISALLOW_FILE_EDIT constant as true in the wp-config.php file. Then it will no longer be possible to modify the files from the admin panel.
wp-login.php
Another option is to change the address of the wp-login.php file. If we want to log in - we use this address. So this is a kind of security through obscurity. We can change the name of this file to one known only to us. Then even if someone learns our login details - they will not know where to enter them. Another minor obstacle for attackers.
If your site is just a simple business card, consider turning off the registration and commenting options. As I said at the beginning - a lot of the vulnerabilities found require having an account on the site. If you turn off registration - the only people with accounts will be you and the persons you authorize. Therefore, the attack surface is reduced - because the attacker would first have to obtain an account some other way.
The server should be configured so that it does not display a listing of the files in a given directory. This prevents search engines from indexing files that ended up in the directory by mistake.
File Integrity
Some tools allow you to check the integrity of our installation. After installing them, they create an internal list of all files on our server along with their checksums. Then, at a defined interval, the whole procedure is repeated and the two lists are compared to see whether a file has been added, changed or deleted. Thanks to this - as a last resort - if an attacker gained access to our server - we can see what changes they made to it.
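As an added example of the procedure just described (not code from the post or from any of the plugins it names), the script below takes a SHA-256 baseline of a directory tree, stores it as JSON, and on the next run reports added, changed and deleted files. Function names, the command-line interface and the manifest format are all made up for the illustration.

```php
<?php
// Added example (not the page's or any plugin's code): a minimal file-integrity
// baseline and check. Usage:
//   php integrity.php baseline /var/www/html /var/lib/integrity/manifest.json
//   php integrity.php check    /var/www/html /var/lib/integrity/manifest.json

// Walk the tree and record the SHA-256 of every regular file, keyed by the
// path relative to $root so the manifest still applies if the site moves.
function example_build_manifest(string $root): array {
    $manifest = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen(rtrim($root, '/')) + 1);
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

// Compare two manifests and list what was added, changed or deleted.
function example_diff_manifests(array $old, array $new): array {
    $report = ['added' => [], 'changed' => [], 'deleted' => []];
    foreach ($new as $path => $hash) {
        if (!array_key_exists($path, $old)) {
            $report['added'][] = $path;
        } elseif (!hash_equals($old[$path], $hash)) {
            $report['changed'][] = $path;
        }
    }
    foreach (array_keys($old) as $path) {
        if (!array_key_exists($path, $new)) {
            $report['deleted'][] = $path;
        }
    }
    return $report;
}

function example_save_manifest(string $file, array $manifest): void {
    // Keep the manifest outside the web root and outside the tree being
    // checked: an attacker who can edit site files could otherwise rewrite
    // the baseline to hide the change.
    file_put_contents($file, json_encode($manifest, JSON_PRETTY_PRINT), LOCK_EX);
}

function example_load_manifest(string $file): array {
    $data = json_decode((string) file_get_contents($file), true);
    return is_array($data) ? $data : [];
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    [$mode, $root, $manifestFile] = array_pad(array_slice($argv, 1), 3, null);
    if ($mode === 'baseline' && $root !== null && $manifestFile !== null) {
        example_save_manifest($manifestFile, example_build_manifest($root));
        echo "baseline written to {$manifestFile}\n";
    } elseif ($mode === 'check' && $root !== null && $manifestFile !== null) {
        $report = example_diff_manifests(example_load_manifest($manifestFile),
                                         example_build_manifest($root));
        foreach ($report as $kind => $paths) {
            foreach ($paths as $p) {
                echo strtoupper($kind), "\t", $p, "\n";
            }
        }
        // A non-zero exit status lets cron or a monitoring job raise an alert.
        exit(array_sum(array_map('count', $report)) > 0 ? 1 : 0);
    } else {
        fwrite(STDERR, "usage: php integrity.php baseline|check <root> <manifest.json>\n");
        exit(2);
    }
}
```

Run the check from cron and re-baseline only after a deliberate update. Expect churn in wp-content/uploads and in cache directories; the useful signal is a changed or added .php file in core, themes or plugins, which is exactly the backdoor pattern described earlier.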
Stolen Templates
Finally, it's worth mentioning the "nulled" versions of extensions and templates. These are unauthorized copies of paid scripts that can be found for free on the Internet. However, I advise against using such files. First of all, it is illegal and unethical. What's more - we can never be sure whether additional malicious code has been slipped into the source of such a distribution.
XMLRPC
The last point on the list is disabling the XML-RPC protocol. It was created a long time ago, when constant Internet access was not as common as it is today. At that time, blog entries were written offline. Then, at the time of publication, the appropriate application sent a request to the server - creating a new entry. Nowadays, this option is used when we manage the site from a mobile app. However, if you do not use remote management - it should be turned off. Why? Because this protocol can be used in brute force attacks. Normally, to check whether a login and password pair is correct, one request must be sent to the server. If we want to check 100 such combinations - 100 requests are needed. And each of them takes time. XML-RPC, by contrast, allows many calls to be bundled into a single request, which makes such guessing far cheaper and harder to notice in the logs.
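The version-number, file-editor, registration and XML-RPC points above can all be applied from one small must-use plugin plus two wp-config.php constants. The block below is an added example, not code from the post or from any of the plugins it names; the file and closure names are made up, and the wp-config.php lines are shown as comments because they must be defined before WordPress loads.

```php
<?php
/**
 * Plugin Name: Example hardening switches (added illustration, not the page's code)
 * Place in wp-content/mu-plugins/. Nothing here needs activation.
 */

// 1. Stop advertising the WordPress version in the <head> generator tag, in
//    feeds, and in the ?ver= query string appended to core scripts and styles.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
$example_strip_ver = function ($src) {
    return is_string($src) ? remove_query_arg('ver', $src) : $src;
};
add_filter('style_loader_src',  $example_strip_ver);
add_filter('script_loader_src', $example_strip_ver);

// 2. Disable XML-RPC unless remote publishing is actually used. The filter
//    makes every method return a "disabled" fault; the init hook refuses the
//    request earlier still, and the header filter stops announcing the endpoint.
add_filter('xmlrpc_enabled', '__return_false');
add_action('init', function (): void {
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
        status_header(403);
        exit;
    }
});
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 3. Make sure open registration stays off even if someone flips the option
//    in Settings > General (the "Anyone can register" checkbox).
add_filter('pre_option_users_can_register', '__return_zero');

// 4. Constants that belong in wp-config.php, not in a plugin:
//    define('DISALLOW_FILE_EDIT', true);  // remove the built-in theme/plugin editor
//    define('DISALLOW_FILE_MODS', true);  // also block installs and updates from the admin UI
//    (DISALLOW_FILE_MODS disables update-from-dashboard too, so keep updates
//    flowing some other way, e.g. WP-CLI or deployment, before enabling it.)
```

Each switch is independent, so remove the ones you do not want; for a site that relies on the mobile app or Jetpack, drop section 2 and keep the rest.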
And that's all in this episode. And you, what methods of WordPress protection do you know and recommend? Let me know in the comments.
I referred to these websites while writing this post.
https://wpvulndb.com
https://automattic.com
Is WordPress Secure? What You Should Know? Reviewed by Vaishno Chaitanya on September 14, 2019
The most dire outcome imaginable is that updating WordPress could really break your site. premium wordpress blog themes