WordPress Security Part 1: Plugins

Welcome to the first instalment of what will be a 4-part miniseries of posts focussing on one of the most important factors for many-a-blogger – WordPress security. In Part 1, we will be giving a general overview of the world of WordPress security, identify what the risks are, and then focus our attention specifically on the vulnerability of plugins. In Part 2, we will be taking a close look at malware detection and what you do to defend against attacks. Part 3 will be an extended step-by-step tutorial explaining how to secure WordPress. And finally in Part 4 we will give you a detailed list of the top 10 security plugins that you can add to the backend of your site. We hope you enjoy this series.

Despite the fact that WordPress is a very popular blogging and website platform that is used by literally millions of people and businesses all around the world, at the end of the day it is still just a system like any other, and therefore vulnerable to the same amount attacks as everything else. There can be an assumption – especially for businesses who pay to use WordPress to build and host their website – that because it is so large, then the risk is minimal. This just simply isn’t the case.

WordPress does of course take its security very seriously, but it is still up to each account holder to take some extra security precautions to ensure that their site is protected as much as possible.

What Does ‘Security’ Really Mean?

An absolutely 100% secure system is pretty much impossible – or at least impossible to maintain indefinitely. Servers can be made secure up to a point, and are of course in place to protect the integrity, privacy and availability of the resources that the server administrator has under control.

Web hosts will also endeavour to try and keep your site as protected as possible, and should offer you reliable backup and recovery, the most recent and most stable versions of server software, and should be ready and willing to discuss all of your security concerns going forward.

So, to answer the question in the above heading – what does security really mean? – when it comes to WordPress (and the internet in general for that matter), ‘security’ refers to an ongoing process whereby the account holder and web host are constantly in a game of trying to keep up with and stay ahead of any new threats as they emerge. Put simply, you cannot just build a website or blog on WordPress and sit back and hope for the best. You need to be proactively maintaining the security on your account and making sure that your web host is doing the same also.

Identifying The Risks

Access

Who has access to the backend of your WordPress account? You need to make sure that your passwords are protected so as reduce the risk of a malicious person gaining access.

Sources

When building your site on WordPress you will almost inevitably resort to using a theme at some point or another – even if you’re hiring a developer to add to the code to customize your site from time to time, even they will normally start out with a theme. So, only source your themes (or plugins, for that matter – see below) from trusted sources of great repute.

Containment

If your system does ever become compromised, then you want any damage that is caused to be as limited in its reach as possible, and you should therefore configure your system from the outset to ensure this.

Vulnerabilities on your computer

Even if WordPress itself could guarantee absolute 100% secure protection, this will only ever be as good as the computers on which you use to access the system. Your computers must be just as amply secured as your WordPress site, and you should also never browse any untrusted websites whilst online.

WordPress Vulnerabilities

One of the most important things that you can do on WordPress is to make sure that you keep up to date with the latest version of the software. Just as with any modern software package, WordPress is constantly being updated in order that any new security issues that arise are addressed, and you must remember that older versions of WordPress are not maintained with security updates. So, keep up with the latest versions to ensure that you’re always protected.

Server Vulnerabilities

Web servers are as susceptible to vulnerabilities as any other element. The easiest way around this is to use a trusted and reputable web host who is contracted to take care of running a secure and stable server and the software that is on it.

If you’re using a shared server, then if any other website that’s on the same server becomes compromised then yours is potentially vulnerable as well. This is where it is absolutely imperative that you are in constant contact with your web host to make sure that they are taking all the necessary precautions to protect you against such an eventuality.

Network Vulnerabilities

You should ensure that the network on WordPress server side and the client network side are both completely trusted. Your web host should of course be making sure that everything is being done to secure their network from attackers, but you need to make sure that you’re doing the same. Your firewall rules on your home router should be updated regularly, and you should take the utmost care when working from other networks. You may, for instance, find yourself working in a coffee shop one day on your lunch break. This will not be a trusted network, and so you never enter or send passwords or any other sensitive data when connected to a network of this nature, as it is liable to be intercepted.

Plugins

On top of all of the above vulnerabilities to WordPress, one of the most important ones is of course plugins, and we are going to dedicate the remainder of this post focussing on these.

Plugins are favoured by many WordPress users who are trying to make their site stand out from the crowd with a few nifty bells and whistles. You will probably be using one or two already – you might even be using a security plugin (watch out for Part 4 of this series where we’ll be detailing the top 10 very best security plugins for WordPress) – but, just as with everything else that you do online, you need to be fully aware of the potential vulnerabilities of any plugin that you choose to use, especially if it comes from a third party.

Revslider

Revslider, also known as Slider Revolution, is one of the most popular WordPress plugins that allows users to create customisable slide displays on their websites. Quite often, Revslider comes as part of the package when you buy a WordPress theme, though you can of course purchase Revslider as a standalone plugin for any WordPress site that you want.

If you are using Revslider, then it is imperative that you check right away that the version that you have installed is above 4.2. Several vulnerabilities of older versions of Revslider have recently become apparent, which could potentially allow remote attackers to upload files to your WordPress site, run shell commands, or download files that wouldn’t normally be accessible online.

If you find yourself in the position of having an older version of Revslider, then you must update it immediately. You can actually enable automatic updates so that you never have to worry about this, so that will be your best bet. However, if Revslider came as part of your theme’s package, then you will have to update the WordPress theme itself to one that includes a more recent version of the Revslider plugin.

WPTouch (et al.)

In May last year, security company Sucuri discovered a series of holes in 4 very popular WordPress plugins – WPTouch, Disqus, All In One SEO Pack, and MailPoet Newsletters.

Combined, these plugins have been downloaded nearly 20 million times – and if you’re running any of them then you need to update them to latest versions without delay.

All of the vulnerabilities have since been patched in each new version of the respective plugins, so updating them is considered a safe way to secure them.

If you do nothing, then you are leaving the door open for an attacker to use your website to send out SPAM, send out phishing lures, as a malware host, infect other sites if you’re on a shared server, and much more besides.

Update, Update, Update!!

No plugin is ever completely invulnerable to attack. The developers know this as much as you do, and that is why they constantly release new updates to try and stay ahead of the game. And you need to make sure that you are updating your plugins to the latest versions as soon as they are released.

This is just the beginning of your effective WordPress security – by no means is it the end. Defending WordPress is an ongoing endeavour, and one that involves maintaining your awareness of any new threats as well as your own network environment. Plugins are just the tip of the iceberg, but by keeping them updated you will be utilising the developer’s efforts to stay ahead of any new threats that may arise. Look out next week for Part 2 of this series where we will be delving into the world of WordPress malware and what you can do to defend against it.