A client recently contacted me regarding some WordPress specific security concerns that stemmed from a recently read article at entrepreneur.com titled ‘3 Hidden Security Risks for WordPress Users‘. The 3 concerns are 1. WordPress is susceptible to attacks and URL hacking 2. Free WordPress themes frequently contain security exploits 3. WordPress’s default login process can be easily hacked.
I will not dispute any points as they are valid WordPress security concerns, however I think that any good developer will not only be aware of these risks but can help secure your system from these and other specific threats.
First an over all statement, which I know is a stale point but still very important; There is no such thing as a 100% ‘secure’ Website. Hackers and/or ‘security experts’ are always one step ahead of the masses. The masses are only able to patch and protect themselves against known threats. This is why keeping any system up to date in regards to security patches and software versions is vital.
Now to address these 3 points:
1)WordPress is susceptible to attacks and URL hacking
Yes it is, however so is any public facing Website which utilizes a SQL database and is not programed to security standards. ‘URL hacking’ is technically known as ‘SQL injection’. This is basically where a hacker or bot (automated attack) adds a string of text to the URL/Web address that includes database commands. These commands are the same that a programmer would use to modify the database and database contents themselves. These commands include the ‘injection’ of malicious code into the Website content, deleting data or modifying the database so that it becomes unusable.
There is protection in place within WordPress or any other Web application or CMS (or at least their should be) to keep these malicious strings from having any effect on the database. As a part of standard development programmers should be validating and sanitizing all database queries. The WordPress core for example reamins fairly secure from this kind of threat and any related exploits are typically patched very quickly (the importance of keeping your software up to date).
2 )Free WordPress themes frequently contain security exploits
I think the word ‘frequently’ is very strong here though I admit I don’t know the numbers. There have been known exploits to be written into WordPress themes. To help protect yourself from such a threat, buy from sources you trust, read theme reviews and utilize both desktop security software and WordPress security plugins to scan for issues within theme files. Your developer should have sources that they have used and trust.
3) WordPress’s default login process can be easily hacked.
The key word here is ‘default’, meaning the out of the box setup prior to a developer hardening the process for you. The biggest issue is that WordPress (and other popular CMS’s) have a standard login URL. Identifying a WordPress site is typically very easy and once you know that it is WordPress you can typically access the login screen by going to the standard adress. From here brute force / alphabet attacks can made against the site. From here it depends on how secure your password and username are to how fast access can be gained. To combat against this it is possible for your developer to change the URL of your login screen. They should also never use the username ‘admin’ and the password should be as secure as possible (please see my post on password security). In addition there are some great security plugins that limit the number of tries any one IP address can have before it is locked out amongst other security hardening measures.
This article seems to attack WordPress, though the same arguments could be made for just about any other popular CMS and they are not specific WordPress security issues. A good developer will include security as part of their standard build process and will help secure your site against these and the thousands of other known security issues facing dynamic Websites. Some WordPress security best practices are to use a security hardening plugin, strong passwords, known/well used and maintained plugins and themes.