If you’re a WordPress user who is even remotely concerned about security — and, honestly, as a citizen of the internet, security should always be on your mind — the past few months have likely been a little crazy for you. Over the course of 16 days, the WordPress core team put out both a major release (4.2) and three critical security releases.
And, as Andrew Nacin revealed at LoopConf in early May, WordPress 4.2 included a “secret” security fix. Months in the making, this clandestine fix was cleverly disguised as emoji support.
So, if you really want to get pedantic, that was technically four security releases in a little over two weeks’ time. However, it’s likely that all of these releases — with the exception of 4.2, of course — were applied to your site without you even noticing. Automatic updates FTW, right?
As I’ve said in the past, WordPress core is secure. That statement is as true today as it was two years ago. And since the release of WordPress 3.7 in October 2013 — which included the aforementioned automatic updater — the core team has done an extremely good job of keeping things that way.
For anyone who tends to be OCD about the little numbered dots in their dashboard, however, things have probably gotten a little overwhelming as of late.
According to the phenomenal WPScan Vulnerability Database, April and May 2015 saw the release of 139 non-core (that is, plugin and theme) exploits. And while the numbers were skewed by the large number of `add_query_arg()` and `remove_query_arg()` XSS fixes pushed out in April, that’s still an upward trend from previous months.
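For readers who maintain their own plugins, the shape of those April `add_query_arg()` and `remove_query_arg()` fixes is worth seeing side by side. The snippet below is an added illustration, not code from this post or from any of the affected plugins; it assumes it runs inside WordPress (where `add_query_arg()`, `esc_url()`, `esc_url_raw()`, `absint()` and `wp_safe_redirect()` are core functions), and the screen slug `example-plugin` and the `$paged` value are constructed for the example.

```php
<?php
// Added illustration, not code from the post. Assumes it runs inside
// WordPress; 'example-plugin' and $paged are constructed for the example.

/**
 * Vulnerable pattern (the shape of the plugins patched in April 2015).
 *
 * With no second argument, add_query_arg() builds the link from the
 * current request URI, so whatever is in the URL of the page being viewed
 * is reflected straight into the href attribute without escaping. The
 * same applies to remove_query_arg(), which wraps add_query_arg().
 */
function example_plugin_next_link_unsafe( $paged ) {
    $url = add_query_arg( array( 'page' => 'example-plugin', 'paged' => $paged + 1 ) );
    return '<a href="' . $url . '">Next</a>';
}

/**
 * Hardened form: escape the returned URL at the point of output.
 * esc_url() encodes or strips characters that could terminate the
 * attribute, and absint() keeps the page number numeric.
 */
function example_plugin_next_link( $paged ) {
    $url = add_query_arg( array( 'page' => 'example-plugin', 'paged' => absint( $paged ) + 1 ) );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

/**
 * Same rule in a non-HTML context: use esc_url_raw() (no entity encoding,
 * so the URL stays usable for a redirect) and wp_safe_redirect(), which
 * only follows targets on allowed hosts.
 */
function example_plugin_redirect_back( $paged ) {
    wp_safe_redirect( esc_url_raw( add_query_arg( 'paged', absint( $paged ) ) ) );
    exit;
}
```

Passing an explicit base URL as the second argument (for instance `admin_url( 'admin.php' )`) stops the function from reading the current request URI at all, but escaping at the point of output is still the rule that the WordPress developer documentation settled on, and it is the one-line change most of the April patches consisted of.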
But that’s actually okay. Every single vulnerability that’s found, and every single fix that’s released — be that to WordPress core, a plugin, or a theme — only continues to make things stronger.
As long as you keep things up to date, that is.
Staying on top of updates might be an easy task for someone who has a handful of sites. But what about people who maintain dozens of sites? Fortunately, tools like InfiniteWP, WP Remote, and ManageWP exist for this exact purpose. Some also possess additional features like backups and centralized single sign-on. If you’re one of the harried folks suffering from update fatigue, they’re all worth a look.
There’s also a great solution available for the ridiculously busy or incredibly lazy. As of a few months ago, the popular Jetpack plugin now possesses functionality that will allow you to put your site’s plugin updates on autopilot. I use it on a few of my personal installs and love knowing that they’re taken care of.
If you consider yourself the do-it-yourself type and want to have your hands on all parts of the upgrade process, the least you can do is know what’s happening on your sites. I suggest following the @WPVuln Twitter account to get updates on vulnerable plugins or installing Plugin Security Scanner. PSS leverages the aforementioned WPScan Vulnerability Database and sends nightly mails to site admins if any of their plugins are found to be exploitable.
No matter how you choose to engage potential security threats against your site, there’s literally something for folks from every skill and comfort level.
Do you have any favorite tricks that I might’ve missed? Disagree with my assessment of the state of WordPress security? I’d love to hear what you think in the comments!
Jason Cosper works as the Developer Advocate for WP Engine. He loves going full OCD over interesting problems and learning new things. In his spare time, Cosper enjoys hanging out with his wife and two very tiny dogs, grilling meats, sampling assorted whiskeys, writing cranky tweets about the Lakers and brewing coffee.
Masen Y says
Great tip regarding Jetpack enabling auto-updates of plugins. I didn’t know about that. One of the difficult things about doing updates, especially auto-updates of plugins, is that they sometimes break your site. When you manage more than a couple of sites, it’s hard to test every one of them each time an update happens, especially if you have the updates on automatic. Here’s an interesting tool that addresses that problem by comparing visual snapshots of your site on a regular basis and letting you know if it has visually changed in a significant way. http://www.wpboom.com.
Erik Emanuelli says
Great information, Jason!
For non-expert bloggers and coders, I suggest installing a WordPress plugin to make things easier.
I found the “Wordfence Security” plugin to be a free solution to secure blogs and make them faster.
Tested and happy with it!