Web Dandy Web Design Articles

WordPress Security — Issues & Vulnerabilities

Open to Exploits

WordPress, first released on May 27, 2003 by its founders Matt Mullenweg and Mike Little as a fork of b2/cafelog, is a content management system (CMS) based on PHP and MySQL and licensed under the GPLv2 (or later).

Over the years WordPress and its many plugins (written by a host of developers who are independent of WordPress) have been subject to a number of security issues, particularly in 2007, 2013 and 2015.

A May 2007 study revealed that 98% of the WordPress blogs in use were open to exploits because they were running unsupported and outdated versions of WordPress.

In June 2013, it was found that a number of the 50 most downloaded WordPress plugins were vulnerable to attacks such as SQL injection and XSS. A separate survey of e-commerce plugins showed that 7 out of 10 of them were vulnerable.

Then again in 2015, a large number of well-known WordPress plugins were shown to have blind SQL injection and Cross-site Scripting (XSS) vulnerabilities.

Keeping your WordPress Website Secure

So you may be asking: why use WordPress — is it safe?

Like all software, WordPress and its plugins can be vulnerable to attacks and hacking. Even companies like Microsoft and Apple have had (and will continue to have) software security issues that force them to issue security fixes, e.g. a Microsoft Windows vulnerability that could be exploited by a hacker to carry out remote code execution, and a flaw in Apple's OS X operating system that left users vulnerable to security breaches while browsing online.

Just like any other software, your WordPress website and plugins can be kept secure by being vigilant and updating promptly to the latest versions.

WordPress Security Planning

  1. Ensure WordPress and its plugins are kept up to date.
  2. Have a backup plan in place to allow you to "fall-back" to an earlier version of your site.
  3. Install a security plugin to safeguard your site and alert you when your site has been attacked or hacked.

WordPress security shouldn't be passive; it should be proactive.

You can install "automatic WordPress and plugin updaters", but these aren't recommended, as a plugin that isn't compatible with the latest WordPress version may break your site or stop some functionality from working correctly. It's therefore best to update and then test your site to ensure everything is working as expected after a WordPress or plugin update.

WordPress Maintenance

If you'd rather someone else maintains your site security we offer a WordPress management service which includes:

  • Updates: We will ensure that your site is updated each time WordPress releases a minor or major update after checking if it is compatible with your plugins (or straight away in the case of security updates). We will also monitor plugins and update these as they become compatible with the latest WordPress version (or straight away in the case of security updates).
  • Conflict Resolution: Where a WordPress core or plugin update causes the site to go down, or where a conflict arises, we will restore the site to its previous (fully working) version or disable the plugin causing the issue, and look to resolve the conflict before updating again.
  • Backups: We will take regular site backups.
  • Security: We will continuously monitor site security and let you know if any issues occur, including plugin security issues, e.g. a plugin being removed from the WordPress repository due to security concerns, or a plugin that is no longer being updated and could become a security risk.

Contact us to find out how we can help keep your WordPress website secure and give you peace of mind.