WordPress Core is Secure – Stop Telling People Otherwise

Jason Cosper 5.8.2013

The fourth post in our security series is an in-depth look at the history of the security of WordPress, written by Jason Cosper, the head WordPress Expert at WP Engine. Jason has led support teams for 10 years at places like DreamHost and now at WP Engine. He also has a strong background in information security, having grown up inside the Los Angeles hacker community.

It’s time to clear up the debate once and for all. Despite all the doubts (and some haters), WordPress core is without a doubt one of the most secure platforms you can choose to put a site on. Of course, a WordPress install is only as secure as the plugins it leverages — but that’s another post for another time.

Recently, there were even stories about a large botnet that was trying to “brute force” its way into WordPress sites, but wasn’t able to touch sites where site owners set strong passwords, were running the latest version of WordPress core, and were vigilant about security.

But, if you’re still skeptical, that’s ok. I’m going to make a case and change your mind.

Fair Criticism

During the summer of 2009, WordPress took some knocks in the web publishing community for a series of security vectors that were exploited. The internet realized WordPress could become huge, and aimed some criticism and blog posts in the hopes of making sure WordPress would be secure enough for the crowds of end-users it was attracting.

In many ways, the internet was saying,

“Hey there, WordPress, we know you’re ambitious, and we love you for that, but we gotta know your security is bulletproof for your end-users before you get too popular.”

WordPress core developers responded, and in the months that followed, collectively added patches and tightened up security across the board to make WordPress one of the most secure CMSs on the internet. That was four years ago. An eternity in terms of technological innovation.

The Summer of 2009

Within a span of a few weeks in 2009, the WordPress core team released a series of 4 security patches. The team was rapidly and systematically closing off remaining security vectors in WordPress core. And by the end of the summer, the WordPress codebase had begun to look like Fort Knox.

However, if you owned more than one WordPress site at the time, you had to update WordPress as often as a security patch was released. In total, six versions of WordPress were released, starting with 2.8.1 on July 9th, and ending with 2.8.6 the week before Thanksgiving. That’s a lot of updating.

Updating WordPress isn’t hard. But, new updates every few weeks can quickly become a pain. Each new security update means testing the update against plugins and themes before pushing it live. Then the next update meant doing that all over again. But software is only as secure as the latest version, so you have to update every time a version is released.

But, imagine having to do that every 2-3 weeks. For every site you own.

That might create some lingering emotion.

Fun like a root canal

In the span of just 34 days, four security updates were released for WordPress 2.8. This was before managed hosting or WordPress management tools made maintaining installs easy. No, each of the updates was done manually.

Honestly, this whole run of updates ranked between “standing in line at the DMV” and “having a root canal” on the fun scale.

And, not everyone was updating. And some of the out-of-date sites got hacked. I know, because that year I was doing a ton of the cleanup work from hacked sites that had been running old versions of WordPress. This is why we harp on the importance of keeping WordPress up to date, and why WP Engine automatically updates customer sites. Up-to-date software is secure. Out-of-date software is a target.

Hacking is newsworthy

WordPress installs were already ubiquitous in 2009, so this whole saga was fairly newsworthy to boot. A constant stream of bloggers posted about the security of WordPress that year. We got so used to seeing those blog posts that they remained in the internet’s collective memory.

Now, four years later, you can’t have a discussion about WordPress without someone chiming in to ask, “Wait, isn’t WordPress insecure?” Hacker News, I’m looking at you.

WordPress suddenly had a reputation, fair or not, for being a platform that always needed to be updated, and might not be secure.

In reality, by the end of 2009, WordPress had become secure enough for millions of end users to use it without problems, not to mention massive sites like The New York Times, and AllThingsD. WordPress’s popularity is even reflected in the growing trend of large organizations and the enterprise moving to WordPress in droves.

Shared Responsibility with WordPress Users

WordPress users must be responsible for their own security, maintain strong passwords, and keep plugins and themes up to date, as well as WordPress itself.

The user’s responsibility will never go away. Many users who understand the value of extensive security host with WP Engine because we add additional security layers, like forcing strong passwords, and performing routine security scans. We also back up our security with a guarantee.

Secure enough to be the most popular

I hate to go with the “most popular” argument, but it’s the final bit of evidence.

With 64 million installations and counting (17% of all sites are built with WordPress), the math is compelling. No other technology (Ruby on Rails, Python, etc.) even comes close to having as much adoption.

WordPress core is secure enough to support that massive user base, so it always puzzles me when brilliant developers are unaware how secure WordPress core has been for years.

At that scale, even the 0.1% security vectors should become downright common, and yet WordPress is doing nothing but grow without any major problems.

Looking at the evidence, it’s time to put the debate to rest. Maintaining security is an ongoing process, and constant vigilance is essential. But, the core team has done an amazing job to ensure the security of WordPress, and will continue to do so as the platform continues to grow.

But, we’ve reached a point in the history of the internet where WordPress has earned a reputation for its security. It’s time to act like it.

Comments

  1. Jim Walker says

    May 8, 2013 at 3:02 pm

    Interesting because I was just told by a security scanning company that WordPress was not secure and has a comment posting forgery exploit:

    This vulnerability allows an automatic script to be run in order to post spam/ads on a mass of WordPress sites without actually visiting them with a browser.

    Running the following code on a WordPress site’s wp-comments-post.php page will allow the comment to be posted automatically.

    Proof of concept:
    1. Edit spamcode.html and change the domain of the website on line 1 to your testing site. You can change the “value” field value to the desired contents.
    2. Run somepage.html from the same folder as spamcode.html
    3. Check for new comments on the test site admin panel.

    Reply
    • Josh Broton says

      May 9, 2013 at 9:19 am

      While the ability to spam sites is an annoyance to both users and admins, it’s far from an actual security vulnerability. This is more of a, “you should’ve installed Akismet on your site,” problem, and thus a bad admin vulnerability.

      A true security vulnerability in a site would give a hacker access to sensitive user information, redirect them to a phishing site, or steal the user’s sessions and thus gain access to ecommerce or banking sites as the user (these are just a few examples).

      To me it sounds like this security scanning company wants your money. A true security vulnerability can’t be solved with a spam filter or active admin.

      source: My Computer and Network Security/Computer Science Degrees

      Reply
      • p____h says

        May 10, 2013 at 11:08 am

        Nope, the “problem” described above is called Cross-Site Request Forgery and yes, CSRF is a vulnerability indeed.

        The stuff you can do when your website is vulnerable to CSRF depends on a lot of cases. I guess that here, “sending spam” is one of the answers to questions like “what can you do with a CSRF vuln. in this scenario”.

        AFAIR, the described vuln. (in wp-comments-post.php) has already been spotted and fixed (please google for the 3.3.1 version).

        Reply
  2. Jim Walker says

    May 8, 2013 at 3:02 pm

    Whether this is true or not I can’t confirm.

    Reply
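The thread above is about a comment endpoint that accepts any well-formed POST, which is the classic cross-site request forgery shape: a page on another site can auto-submit the form and the server cannot tell it apart from the site's own form. The following is an added example, not code from WordPress or from this page, showing the same endpoint twice: once trusting any POST, and once requiring a per-session token that only a form rendered by the site itself could carry (the synchronizer-token pattern; WordPress's own equivalent is its nonce API). `APP_SECRET`, `comment_nonce`, the `_comment_nonce` field and the session id are assumptions made for the example.

```php
<?php
// Added example (not WordPress code): a minimal comment endpoint with and
// without a CSRF token, to show why a forged cross-site POST is rejected
// once the form must carry a per-session token tied to a server-side secret.

// Hypothetical server-side secret; in a real deployment it comes from config.
const APP_SECRET = 'replace-with-a-long-random-secret';

// Token the legitimate form embeds: an HMAC over the action name and the
// visitor's session id, so a third-party page cannot compute it.
function comment_nonce(string $session_id, string $action = 'post_comment'): string {
    return hash_hmac('sha256', $action . '|' . $session_id, APP_SECRET);
}

function verify_comment_nonce(string $session_id, ?string $nonce, string $action = 'post_comment'): bool {
    if ($nonce === null) {
        return false;
    }
    // Constant-time comparison avoids leaking the expected value byte by byte.
    return hash_equals(comment_nonce($session_id, $action), $nonce);
}

// Vulnerable handler: trusts any POST that has the right field names.
function handle_comment_unprotected(array $post, array &$comments): string {
    if (empty($post['comment'])) {
        return 'rejected: empty comment';
    }
    $comments[] = $post['comment'];
    return 'accepted';
}

// Hardened handler: same endpoint, but the POST must carry the token that
// only a form rendered for this session could have included.
function handle_comment_protected(array $post, string $session_id, array &$comments): string {
    if (!verify_comment_nonce($session_id, $post['_comment_nonce'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (empty($post['comment'])) {
        return 'rejected: empty comment';
    }
    $comments[] = $post['comment'];
    return 'accepted';
}

// Constructed requests standing in for two browsers hitting the endpoint.
$session = 'sess-1234';                                               // constructed visitor session id
$forged  = ['author' => 'bot', 'comment' => 'Buy cheap things'];      // auto-submitted from a third-party page
$legit   = $forged + ['_comment_nonce' => comment_nonce($session)];   // form rendered by the site itself

$comments = [];
printf("unprotected, forged POST: %s\n", handle_comment_unprotected($forged, $comments));
printf("protected, forged POST:   %s\n", handle_comment_protected($forged, $session, $comments));
printf("protected, legit POST:    %s\n", handle_comment_protected($legit, $session, $comments));
printf("stored comments: %d\n", count($comments));
```

The token only helps if the forging page cannot read it, so it must never be exposed in a cross-origin-readable place; on modern browsers a `SameSite` cookie attribute on the session cookie is a worthwhile second layer, but the server-side check is the one that does not depend on the client.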
  3. Jaki Levy says

    May 8, 2013 at 3:08 pm

    Great post, Jason! Written like a true pro! One thing you didn’t touch on though, are plugins and themes. Recently, there was an exploit with a very popular social sharing plugin.

    However, as you clearly convey, this was not an issue with the software, but one of process. Sharing passwords, giving the wrong people access, and lack of best practices will always get you in trouble.

    Now that we’ve all established best practices, it’s time we all start taking responsibility for security – including non technical users. Thanks again for this straight forward post.

    Reply
  4. Ben Lobaugh says

    May 8, 2013 at 3:40 pm

    Great article! Thanks for the history. It is good to see how the WordPress community/team has been working hard to secure our installs.

    It is worth noting that nearly all compromised WordPress sites are due to poorly coded plugins or theme, and probably the biggest issue is due to users with insecure passwords.

    Reply
  5. Cliff Lin says

    May 8, 2013 at 4:02 pm

    I agree wholeheartedly. Hacking is not a WordPress problem. It’s an internet problem. All sites get hacked, and frankly I don’t think WordPress is any more insecure than other CMSs.

    Reply
  6. Harry says

    May 9, 2013 at 4:27 am

    I would never say that any software is secure. If you have the knowledge, you can hack everything.

    Reply
  7. wodny says

    May 9, 2013 at 6:38 am

    How is keeping wp-includes under the WP root directory secure?

    If it’s so secure, why is it recommended to do this:
    http://codex.wordpress.org/Hardening_WordPress#Securing_wp-includes
    ?

    Maybe the included library source code should be placed above the root accessible via the web server instead of this clockwork absurdity of matching file extensions?

    Reply
    • Otto says

      May 10, 2013 at 10:31 am

      No, the correct question is how exactly is having the wp-includes directory under the root *insecure*?

      Note that the codex is written by volunteers, it may not always have the latest and most up-to-date information. Additionally, that whole article about “Hardening” is written with the generally paranoid person in mind.

      It’s not particularly insecure to have wp-includes accessible. It’s also not particularly useful to have it accessible, but the only thing that directly accessing any of those files will get you is an error message or a blank screen.

      Reply
      • wodny says

        May 10, 2013 at 3:53 pm

        The blank page will appear until someday someone creates a lib file that has not only functions declared but also executed or has some side effects. It requires continuous control apart from the general code correctness. It would be much simpler to just separate it into an upper-level directory.

        You call it paranoid, I call it usual.

        Reply
  8. ash says

    May 9, 2013 at 9:30 am

    Yeah, the WP core is pretty secure now. Most times WP gets hacked it’s either because it wasn’t up to date with the latest security releases, plugins (and to be fair there are always plugin exploits… think there was a big one recently with WP Super Cache (which is so widely used!)) or the server was hacked through other means. Often on shared hosting with read/write file permissions… but the scripts that ‘hack’ it know to look for WP so infect the WP files with their js etc.

    Reply
  9. Alastair McDermott says

    May 9, 2013 at 1:17 pm

    The only issues are scale of adoption – it’s popular so it will be targeted – and user education – how to create strong passwords, identify poor quality plugins, and keep stuff updated.

    But those *are* pretty major issues, particularly the user responsibility.

    I like this post a lot because I feel it is up to us as WordPress advocates to (a) ensure that users understand their responsibilities, and (b) ensure that we do everything possible to make it easy for them to do so.

    Reply
  10. Radek Domanski says

    May 16, 2013 at 4:31 pm

    I don’t think WordPress is right to put all responsibility on the user only; they should try to promote security in WordPress and preventively enforce security principles by default. As this is not the case, they put their unaware users at serious risk.

    As an example, the widespread lack of SSL for the wp-admin login. So easy to intercept, taking into account that 17% of all websites are powered by WP.

    And a big fail imo: session management, and NO feasible way to clear a session. Once you authenticate, your cookie will always be accepted on the server side, even when you push the log out button. I wrote more about this issue on my blog: http://intothebug.com/insecurity-in-the-wordpress-session-management/

    @WPENGINE don’t you like my pov as you delete my comments?

    Reply
  11. Corey says

    May 30, 2013 at 10:43 pm

    Because we all know the most popular software option is always the best and most secure, right? 🙂

    That’s why I run the latest WordPress on the latest Windows Server.

    Reply
  12. Dan Smith says

    October 31, 2013 at 7:59 pm

    Great post! I can now sleep soundly at night.

    Still very surprised that people use some other CMSs when WordPress is so good on so many levels. I don’t think WordPress is as big in Australia as it seems to be overseas.

    Reply
  13. Janice says

    February 18, 2014 at 10:52 pm

    How do I know how secure my plug-ins are?

    Reply
    • Jason Cosper says

      February 19, 2014 at 1:17 pm

      As long as you download plugins from the WordPress plugin repository (or a reputable professional plugin developer) and keep them up to date, you should be okay.

      Outside of that, consider looking for WordPress plugins that haven’t been updated in over two years. An easy way to tell if a plugin hasn’t been recently updated is to install & activate the Plugin Last Updated plugin.

      Hope that helps, Janice!

      Reply
  14. Vikas says

    February 28, 2014 at 11:44 am

    WordPress is the most secure CMS indeed. Brute force attacks are always going to be there.

    Reply
    • Kirby Prickett says

      February 28, 2014 at 1:02 pm

      Thanks for your comment Vikas, we agree.
      – Kirby

      Reply
  15. lazer epilasyon says

    April 29, 2014 at 5:47 pm

    WordPress is the most secure CMS indeed. Brute force attacks are always going to be there.

    Reply
  16. Tim says

    April 27, 2015 at 3:12 am

    WordPress is a hacker’s dream. We have had two sites hacked and as they were hosted on the same server, it allowed them access to our main website. Avoid WordPress.org at all costs. Without plugins WP is useless, and that’s the problem. Just look at WordPress.com – it is much more secure but totally SUCKS without plugins. You can’t do anything with it.

    Reply
  17. Isaiah Bollinger says

    August 17, 2015 at 4:37 pm

    I agree, and it is even more true today than when you wrote this post. WordPress is very secure if you have the right things in place, such as ensuring you do not get brute forced via the admin panel by guessing passwords / user names.

    It’s time people realize WordPress is just as secure as any other platform if you actually take the time to keep your software up to date and use quality plugins.

    Reply
  18. être riche says

    March 21, 2017 at 10:08 am

    Unquestionably believe that which you stated. Your favourite
    justification seemed to be at the web the easiest thing to remember of.
    I say to you, I certainly get annoyed at the same time as people
    think about worries that they just don’t realize about.
    You managed to hit the nail upon the top and defined out the
    whole thing without having side-effects, people could take a signal.

    Will likely be again to get more. Thank you

    Reply
