WordPress is one of the most-known content management systems (CMS) out there. It’s the most popular platform to build websites and that might be partially due to the ease of use, allowance for beginners to build websites but also for advanced web developers.
WordPress has an impressive plugin repository of over 50,000+ plugins and 5,000+ themes listed in their library, public to anyone who wants to download it. The platform has grown to become a flexible, reliable and secure CMS, widely used by startups, e-commerce, photographers, designers, non-profit, and many other industries.
Here are some stunning facts published by CodeinWP:
- 32% of the internet is running on WordPress websites
- WordPress dominates the global CMS market with a total share between 50-60% of the entire market!
- Approximately 19.5 million websites run on the WordPress CMS
However, these impressive statistics naturally place WordPress projects at the top of the most-targeted websites by hackers. Security exploits, breaches, and newly discovered vulnerabilities are something that WordPress’ security team is constantly fighting against.
Although the security team is constantly patching out loopholes and vulnerabilities, WordPress users must also be aware and update their theme and plugins at all times.
In this article, I’ll shortly introduce the WordPress security whitepaper, a short explanation on how to stay safe and I’ll also talk about how WordPress has fundamentally improved its security over the years.
The WordPress whitepaper is free and available to anyone who wants to read it, the complete whitepaper can be found on WordPress’ website.
I’ll highlight some important sections of the whitepaper below:
- The WordPress security team consists of 50 experts, including lead developers and security researchers that collaborate with trusted other trusted security researchers and hosting companies.
- Since WordPress 3.7, users are enabled to activate automatic updates for all minor updates (which is incredibly important)
- The Open Web Application Security Project (OWASP) is an online community working round the clock to improve and fix web application security.
- The most common threats WordPress faces is SQL-injections and Cross-site scripting (XSS-scripting).
As you can imagine with the volume of users WordPress has, hackers tirelessly attack websites.
I can’t stress this too much, yet it’s often denied or underestimated. However, the most important weapon against potential attacks is to always stay up to date. Thus, preferably enable automatic updates for both themes and plugins. In addition, you should install a WordPress security plugin to keep your site secure.
Which brings us to the next section, where I’ll address 5 ways how WordPress has increased its security and what incidents caused WordPress’ response.
1. External User-Level Access Verification
Little over 10 years ago, when WordPress was at version 2.1.1., one of the WordPress servers suffered a massive breach. Hackers were able to exploit a vulnerability, which allowed them to modify the downloadable files.
The hackers obtained user-level access to one of the servers and used the ability to access the server to modify and inject the download files with malicious code. The malicious code the hackers injected into the WP server files allowed the hackers to execute remote PHP code.
Thus, most of the users who downloaded WordPress 2.1.1, in fact, downloaded a malicious version. WordPress was quick to respond and released an improved 2.1.2 version shortly after to fix the vulnerability.
WordPress improved its security here by implementing minutely external verification of the download package, which means that they’ll receive an update every minute when something out of places happens. In addition, they reset many passwords of accounts who had user-level access to the servers.
2. Legacy PHP4 and MySQL Code Removal
WordPress experienced serious issues when a security vector exploit was reported in 2009. The exploit allowed hackers to view and modify various plugin options. The same exploits lead to the discovery of an URL sanitation issue. Which allowed anyone familiar with a specific string of code to remove admin users to another site.
In response, the WordPress security team released several core updates, closing off security vector loopholes. In addition, the security team has put in a lot of effort to remove a significant amount of legacy PHP4 and MySQL code. Which was patched in WordPress 3.2.
Ever since 3.2, there have been very little major updates. Simply because the sanitation issues and the PHP and SQL code were updated and heavily improved.
3. Plugin Vulnerabilities Minimized
As mentioned before, WordPress is home to over 50,000+ plugins. Most of these plugins are developed and updated by third-parties. Although WordPress has a team working full time on reviewing plugins and checking for security vulnerabilities.
The online OWASP community is also involved in strengthening the core software against third-party plugins.
As stated on the security whitepaper page:
“WordPress’ internal access control and authentication system will protect against attempts to direct users to unwanted destinations or automatic redirects. This functionality is also made available to plugin developers via an API, wp_safe_redirect()16.”
Thus, the internal access and control authentication system has been updated and strengthened intensively and help plugin developers to build secure plugins.
When a plugin vulnerability is identified by a researcher or the security team. The plugin developer is contacted to collaborate to fix the issue and release an update to improve the security of the plugin.
In case the developer isn’t responding and the vulnerability is a serious threat. The plugin is removed from the public repository. If needed, the security team can update the code of the plugin and update it without the need of the plugin author.
4. SQL-injection & XSS-scripting Fixes
SQL-injection and XSS-scripting attacks are still one of the most popular techniques hackers use to infiltrate websites and inject malicious code.
The SQL-injections is used to send malicious code to a database, often enable the ability to send other executable code. XSS-scripting allows a hacker to execute malicious code in a website or visitor’s browser. If input fields on a website are unprotected. It’s relatively easy for a hacker to abuse these input fields, such as a name or telephone number field.
The WordPress security team fixed a significant amount of code to close off these vulnerabilities in WordPress 4.1.2, strengthening the core of the platform.
5. Swift Security Updates
The greatest improvement WordPress made throughout the years is the extremely quick responsiveness of the security team and the online community.
The number of incidents where the core files of WordPress were exploited is very low. Which tells us that the code is secure. However, maintaining security is an ongoing process that will never stop. Eventually, hackers will find new vulnerabilities.
The security team has proven time and time again that they’re very capable to respond swiftly, fix and patch out new vulnerabilities in no-time to minimize the damage. And as the platform grows. I’m pretty sure the security team will grow as well in order to maintain the status as a secure platform.
Here’s what you can do to improve the security of your WordPress site!
Marcel here from PixelPrivacy.com, Whether it be one of our in-depth guides or our expertly crafted “how-to” articles, I and the team are here to show you how to stay safe online. We believe everyone has the power to keep their data secure. No matter what your level of tech expertise is and we’re here show you how!
Latest posts by Editorial Staff (see all)
- 20 Most Asked WordPress Themes Questions & Answers - January 22, 2019
- The Top 5 Tips to Finding Products to Sell Online - December 21, 2018
- WordPress 2019: How to Shield Yourself from Cybersecurity Threats - December 5, 2018
Where Should We Send
Your WordPress Deals & Discounts?
Subscribe to Our Newsletter and Get Your First Deal Delivered Instant to Your Email Inbox.
Thank you for subscribing.
Something went wrong.