WordPress is a great Content Management System: it is easy to use and maintain, and there is an ocean of plugins and themes from developers worldwide. What started out as a very simple blogging platform is now much more.
In the early versions, vulnerabilities were found much more often than they are today, and some of them were really bad. Take this one, for example:
“WordPress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/.”
This nasty vulnerability was found back in 2009.
Today, however, far fewer vulnerabilities are found in the core, and WordPress takes security seriously. Despite that, plenty of outdated WordPress installations remain in the wild: according to WP White Security, in 2014 over 70% of all WordPress installations were vulnerable. The core is relatively secure, but every theme and plugin you add is more third-party code running with the same privileges as the core, so the risk of your site becoming vulnerable grows with each one.
Nothing is ever 100% secure, and that applies to WordPress too. There are, however, easy fixes that make your site a harder target.
- Don’t use admin, or any variant of it, as the username on any account; it is the first name a brute-force attack will try
- Set a strong password, and enforce a password policy if you have multiple users
- Don’t use the default ‘wp_’ table prefix; choose something less obvious. This only blunts automated SQL injection attacks that hardcode table names such as wp_users, so treat it as a minor extra rather than a defence in itself
- Avoid publishing posts from the administrator account; use a separate author or editor account for day-to-day work, so the administrator’s username is not exposed on every post and author page
- Enable two-factor authentication for every user
- And again: keep everything updated, core, themes and plugins alike
- This may be obvious to most people, but download WordPress only from the official site, WordPress.org! Copies hosted elsewhere may have been modified
- Keep an eye on vulnerabilities by using a security monitoring tool like Detectify
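As a worked example added here (it is not part of the original post, nor a Detectify tool), the script below checks files exported from a site, wp-config.php, the user list and wp-includes/version.php, against the checklist items that can be verified offline: admin-style usernames, the default table prefix, a weak database password, and a core version behind the latest release. The sample inputs are constructed, and the latest-version string passed to `audit()` is an assumption you would replace with the current release from WordPress.org. Two-factor authentication and the download source cannot be checked this way.

```python
import re

# Constructed sample inputs, standing in for files copied off a real site.
SAMPLE_WP_CONFIG = r"""<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'password');
$table_prefix = 'wp_';
"""
SAMPLE_USERS = ["admin", "editor_jane", "wp-admin", "Administrator", "bob"]
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.1';\n"

# Usernames attackers try first: admin, administrator, wpadmin, admin1, ...
ADMIN_PATTERN = re.compile(r"^(wp[-_]?)?admin(istrator)?[-_]?\d*$", re.IGNORECASE)
# Small deny-list; a real policy would check against a much larger breach list.
COMMON_PASSWORDS = {"password", "123456", "admin", "wordpress", "letmein", "qwerty"}
MIN_PASSWORD_LENGTH = 12


def parse_defines(php_source):
    """Return {NAME: value} for simple define('NAME', 'value') statements."""
    return dict(re.findall(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)", php_source))


def table_prefix(php_source):
    """Return the $table_prefix value, or None if it is not set."""
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", php_source)
    return m.group(1) if m else None


def is_admin_variant(username):
    """True for admin, Administrator, wp-admin, admin1 and similar names."""
    return bool(ADMIN_PATTERN.match(username))


def is_weak_password(password):
    """Too short or on the common-password list."""
    return len(password) < MIN_PASSWORD_LENGTH or password.lower() in COMMON_PASSWORDS


def version_tuple(version):
    """'4.1' -> (4, 1), so that '4.10' sorts after '4.9' unlike string comparison."""
    return tuple(int(part) for part in version.split("."))


def installed_version(version_php):
    """Extract $wp_version from wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return m.group(1) if m else None


def audit(wp_config, users, version_php, latest_version):
    """Return a list of checklist violations; an empty list means nothing was found."""
    findings = []
    if table_prefix(wp_config) in (None, "wp_"):
        findings.append("table prefix is the default 'wp_'")
    for user in users:
        if is_admin_variant(user):
            findings.append(f"account '{user}' uses an admin-style username")
    if is_weak_password(parse_defines(wp_config).get("DB_PASSWORD", "")):
        findings.append("DB_PASSWORD is shorter than 12 characters or a common password")
    current = installed_version(version_php)
    if current is None or version_tuple(current) < version_tuple(latest_version):
        findings.append(f"WordPress {current} is behind the latest release {latest_version}")
    return findings


if __name__ == "__main__":
    # "4.1.1" is an assumed latest release; in practice take it from WordPress.org.
    for finding in audit(SAMPLE_WP_CONFIG, SAMPLE_USERS, SAMPLE_VERSION_PHP, "4.1.1"):
        print("FAIL:", finding)
```

Run against the constructed sample it reports six failures (the default prefix, three admin-style accounts, the weak database password and the outdated core); against a site with a random prefix, a long database password, no admin-style accounts and a current core it reports nothing.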
Remember, it is not just the WordPress CMS you need to keep secure and updated; don’t forget the web server, the FTP server (or better, SFTP, since plain FTP sends credentials in cleartext), the database, file permissions, and so on.
Author: Anders Raldin