Thoughts on WordPress Security

WordPress is actually the most used CMS platform, with over 60% of the market share. This means that, as a global average across the Internet, more than half of the websites powered by a CMS run WordPress. Congratulations Matt! While it is true that this software is great, my point is that this is also exactly why it will, again, be the favourite target in 2016.

You are next!

Lots of people still think that, since they do not manage critical websites, they will not be targeted by attackers. Reality is a bit different. Just as you need strong security features for your personal computer (antivirus software or a decent operating system), your website also deserves additional protection. The server is, and will always be, under attack, since it is part of the Internet. Viruses and malware do not care whether your name is John Doe or Facebook Events. Even if your site is not specifically a target, automated attacks collect user information (like password hashes or emails) and inject ads or malware. Most of the time, they will use the website as a stepping stone to spread and infect others.

Unfortunately, the threat is real. After a break-in, users' email accounts are cracked and malware exploits web browsers to infect people's personal computers. It is an endless loop, and that is why, if you face it manually, you will inevitably fail.

Since it is proven that attacks are now automated and propagate with less human control, we need to change our point of view. Webmasters are not able to, and should not try to, manage this threat alone. Security needs to be handled directly by hosters or specialised companies, in an automated and recurring way.

What's new? We all know problems occur with plugins.

WordPress's core is still fairly secure and, except for a yearly critical vulnerability, problems still occur with plugins. The bad news is, as you probably guessed, nobody uses only the core, since extensions are exactly what makes WordPress such great software. I was pleasantly surprised, during my last case, by how much WordPress has improved and simplified update management. I was able to clean, upgrade and push back online 21 infected websites really fast. Security tools are now mature and vulnerability databases are more organised and up to date. This is great, but most plugins have forgotten the rules of secure coding. Malware infections will probably happen again in the next few days if security is not (as said before) automated and delegated to a dedicated entity.

What are the options and how much does a security system really cost?

There are different ways to secure your platforms, depending on your current hosting plan, technical resources and how many WordPress installations you run. All options have pros and cons that need to be analysed carefully to match your case.

Regardless of your choice, the goal will be the same: "Constant vigilance and daily updates".

One solution consists of adding security modules (plugins) to your WordPress installation. Today, the leaders are WordFence, Sucuri and iThemes Security.

Most of them need a paid subscription to be fully functional, but they do offer a good basic feature set (scans, file integrity checks). Subscriptions cost about $15 / month / website and generally include proactive scans, advanced reporting and central management.

Adding modules to your WordPress might not be a good choice if you need high performance or do not want to manage security at this level. It all depends on your needs and business case. You might be able to advise your WordPress administrator to use them, but you cannot be sure they will.

As new modules and companies appear every month in the WordPress marketplace, if this is what you need, I would suggest doing the analysis of all the security modules at the very last moment.

You can also find your security partner in the cloud. Technically, you point your DNS records to this provider and it acts as a reverse proxy. The network traffic is inspected live: legitimate requests are forwarded to your WordPress, while attacks are rejected and suspicious IPs are blacklisted. Sucuri provides this service, along with black-box WordPress pentesting and anti-DDoS.

Depending on the business case, number of hosts and criticality, you will be asked to choose a plan. The average cost is $500 / year / website. This is a good option to secure a critical business, or if you host your own infrastructure and do not plan on investing in or managing Web Application Firewalls.

In some projects, you can look for a hosting company that offers fully managed services for WordPress and its security. They have tools to update the core and extensions in a very industrialised way. Web hosts that take a security perspective also protect WordPress with a dedicated Web Application Firewall, so that it is not exposed directly to the Web. A typical setup is built with NGINX and NAXSI. As an example, you can find some strong configurations at NBS SYSTEM. For a fully managed WordPress you can also check directly. Very few companies like to use it, as very few extensions are officially supported, but in some cases it can be very effective.
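To make the NGINX + NAXSI reverse-proxy setup above concrete, here is an added example of my own (not a configuration taken from NBS SYSTEM or any other provider): NGINX terminates client requests, scores them with the NAXSI core rules, and only forwards clean traffic to a WordPress backend that is never exposed directly. The upstream address, domain and trusted admin network are placeholders.

```nginx
# Added example: NGINX as a reverse proxy with the NAXSI WAF in front of
# WordPress. Upstream address, server_name and the admin network are
# placeholders; adjust them to your environment.
events { }

http {
    # NAXSI core rule set, shipped with the module.
    include /etc/nginx/naxsi_core.rules;

    upstream wordpress_backend {
        server 10.0.0.10:8080;   # placeholder: WordPress only reachable via the proxy
    }

    server {
        listen 80;
        server_name example.com;   # placeholder

        location / {
            SecRulesEnabled;               # enable NAXSI for this location
            # LearningMode;                # uncomment while tuning: log matches, do not block
            DeniedUrl "/RequestDenied";    # internal redirect for blocked requests

            # Block once the scores accumulated by the core rules reach these thresholds.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            proxy_pass http://wordpress_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Admin area: restrict to a trusted network on top of the WAF checks.
        location /wp-admin/ {
            allow 192.0.2.0/24;   # placeholder: management network
            deny all;
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            proxy_pass http://wordpress_backend;
            proxy_set_header Host $host;
        }

        # NAXSI redirects blocked requests here; answer 403 (the block is logged by NAXSI).
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

Run with LearningMode first and build whitelists from the logged false positives before switching to blocking, or legitimate WordPress editor traffic will be rejected.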

How can I help?

When working as a freelancer, my goal is to find the best available solution matching your expectations and your budget. In some projects, I can spend time building and hardening a custom configuration using Web Application Firewalls. In other cases, I will mainly focus on analysis and perhaps migrate your data to a serious web hosting company.

In any case, the key is constant vigilance.


I have been working as an IT engineer (mostly in the web hosting industry) for more than 15 years, with a specific interest in Linux internals, TCP/IP networks and software security. I have lived in Montreal (Canada) since 2013.
