What Is the State of WordPress Security in 2015?

Is it safe to use WordPress? Has security improved over time or has it become worse?

The ongoing Ashley Madison meltdown and a series of high profile data breaches in 2014 have kept online security at the top of the worldwide news agenda in recent times.

With five security releases out the door already this year, we thought it high time to revisit the topic in the context of WordPress as we head towards 2016.

In this article we’ll cover the background of the recent 4.2.4 security release in particular, address the question of WordPress’ overall security, and point you in the direction of resources you can use to make your sites and servers safer.

Let’s start with the most recent security release.

Why Was the WordPress 4.2.4 Security Release Necessary?

2015 has been fairly hectic for the WordPress Security Team with the 4.2.4 release being the fifth security release this year alone – a significant uptick in activity compared to 2013 and 2014’s totals of three per year.

For those new to the WordPress release cycle, minor versions (or point releases) are reserved for addressing security vulnerabilities and fixing critical bugs. Basically, if you see a release with three numbers in it, it’s definitely time to update.

The specific vulnerabilities addressed in 4.2.4 were uncovered by a combination of members of the WordPress Security Team (hat-tip to Helen Hou-Sandí) and third-party developers.

Issues addressed included three cross-site scripting (XSS) vulnerabilities, a potential SQL injection point, and a side-channel attack source.

You can find a breakdown of the XSS vulnerability over at the Sucuri blog, and the SQL injection issue has been discussed in some detail online by its discoverer Netanel Rubin.
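To make the two vulnerability classes named above concrete, here is an added illustration (not part of the article, and not the code of the actual 4.2.4 fix or of any real plugin) of how SQL injection and reflected XSS typically appear in plugin code, each beside the WordPress-API form that closes the hole. The function names are hypothetical; `$wpdb->prepare()`, `sanitize_text_field()`, `wp_unslash()` and `esc_html()` are real WordPress functions.

```php
<?php
// Added example, not from the article or the WordPress project: the SQL injection
// and XSS patterns named in the text, as they usually surface in plugin code.
// Function names are hypothetical; the WordPress API calls are real.

// --- SQL injection: string-built query vs. $wpdb->prepare() ---
function example_get_post_by_slug_unsafe( $slug ) {
    global $wpdb;
    // $slug is interpolated straight into the SQL text, so the value controls the query.
    return $wpdb->get_row( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '$slug'" );
}

function example_get_post_by_slug_safe( $slug ) {
    global $wpdb;
    // prepare() escapes and quotes the value itself; %s is the string placeholder.
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s", $slug )
    );
}

// --- Reflected XSS: echoing request data vs. escaping for the output context ---
function example_search_notice_unsafe() {
    // Whatever arrives in ?q= is written into the page as markup.
    echo '<p>Results for ' . $_GET['q'] . '</p>';
}

function example_search_notice_safe() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // esc_html() for text nodes; use esc_attr() inside attributes and esc_url() for hrefs.
    echo '<p>Results for ' . esc_html( $q ) . '</p>';
}
```

When reviewing a plugin or theme (the article's own advice below), these are the two things to grep for first: SQL built with string concatenation instead of `$wdpb->prepare()`, and `echo` of `$_GET`/`$_POST`/`$_REQUEST` values without an `esc_*()` call.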

Sucuri security disclosure: keep a keen eye out for these!

The developers also managed to squeeze in fixes to shortcode bugs introduced in WordPress 4.2.3 which had previously caused some significant headaches for plugin developers.

There’s an excellent interview with Gary Pendergast of the WordPress Security Team over at WP Tavern where he and Jeff Chandler discuss many of the issues raised by previous security releases this year as well.

Where Does This Rank in Recent WordPress Security Scares?

The various recent issues uncovered on the 4.0 branch are undoubtedly serious and real. The 4.2.4 SQL injection door, in particular, has been categorized as critical.

But though the rate of vulnerabilities uncovered in 2015 has picked up, there has still been nothing unearthed in core to rival the impact of previous third-party problems such as the TimThumb debacle or the Pharma Hack.

And, while the run of security releases is certainly troubling, it’s a long way from being the sort of slapstick sequence that older WordPress users will remember with the 2.8 branch back in 2009.

The good news is that ever since WordPress 3.7’s introduction of automatic updates for security releases, a significant proportion of WordPress sites will already have picked up all of the recent fixes silently and smoothly in the background.

As confirmed by Gary Pendergast, even if you’re not running the very latest version of WordPress, the fixes in 4.2.4 have been automatically back-ported to all subsequent versions with automatic updates enabled.

Not every site owner will have enabled automatic updates of course. The biggest WordPress security risk remains running on older versions of the software, so you should update immediately if you have not already done so.

Should I Be Worried about WordPress Security in 2015?

Security should always be a concern for any responsible site owner, but – as evidenced by recent showstoppers such as Heartbleed, Winshock and the Apple XARA revelations – WordPress is no more at risk than any other high-profile software project.

Far from implying that there is a fundamental problem with the platform, this year’s run of security updates merely demonstrates how well the systems in place for core are working.

As one of the highest profile online targets for over a decade, WordPress has had solid security processes in place for years, along with a dedicated Security Team of 25 members composed of Automattic employees and third-party web security experts.

Nikolay Bachiyski: WordPress’ first official Security Czar

The recent appointment of Nikolay Bachiyski as WordPress’ first official Security Czar shows that efforts to harden the platform and improve communication around the topic of security are active and ongoing.

There’s a good interview with Nikolay over at VaultPress where he goes into more detail about aspects of his new role and his recent presentation on security principles at WordCamp Europe is also worth a look.

At its heart, WordPress is a fundamentally secure platform but site owners still need to follow the basics in hardening WordPress and pay particular attention to plugin and theme selection. Robert Abela has a great overview of the main current vulnerabilities in those departments over at WP White Security.
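Two of the points made so far, automatic security updates (since WordPress 3.7) and the hardening basics, both come down to a handful of lines in `wp-config.php`. The following is an added example, not the article's content and not a file shipped by the WordPress project; every constant in it is a documented WordPress setting, while the layout and comments are this example's own.

```php
<?php
// Added example, not from the article or the WordPress project: wp-config.php
// settings for automatic security updates and basic hardening. The constants
// are real WordPress settings (3.7+); place these lines above
// "/* That's all, stop editing! Happy blogging. */".

// ----- Automatic updates -----
// 'minor' (the default since 3.7) installs security and maintenance point
// releases such as 4.2.4 in the background. true also installs major releases;
// false switches core auto-updates off, which is the setting that leaves a site
// on a vulnerable point release indefinitely.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// false keeps the whole updater enabled. Deployment scripts sometimes set this
// to true and forget about it; that also blocks the security releases above.
define( 'AUTOMATIC_UPDATER_DISABLED', false );

// ----- Hardening basics -----
// Remove the theme/plugin file editor from wp-admin, so a compromised admin
// account cannot be turned into arbitrary PHP on the server via the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Serve the login form and dashboard over HTTPS only, so credentials and
// authentication cookies are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );

// If WP_DEBUG is ever left on, keep its output out of rendered pages; PHP
// notices leak file paths and version details to visitors.
define( 'WP_DEBUG_DISPLAY', false );
```

Two caveats worth checking on your own install: WordPress skips automatic updates entirely when it finds a version-control directory (`.git`, `.svn`, `.hg`, `.bzr`) in the install or one of its parent directories, and the update check runs through WP-Cron, so a site whose cron never fires will not update itself either. Plugin and theme auto-updates are controlled by the `auto_update_plugin` and `auto_update_theme` filters, which belong in a must-use plugin rather than `wp-config.php`, since the plugin API is not loaded when that file runs.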

How Secure is My Server?

Though WordPress remains a juicy target in its own right for attackers, the reality is that your install is only as secure as the server it sits on.

One of the many appealing points of the recent emergence of dedicated managed hosting offers for WordPress is their emphasis on security. Companies such as WP Engine are putting considerable resources into lifting the security burden from site owners and providing truly robust environments to build within.

At the opposite end of the scale, shared hosting providers have long been accused of being a weak link in the chain when it comes to WordPress security. While you’re highly unlikely to experience problems with any of the larger players in the space such as GoDaddy or Bluehost, lesser known names have been shown to be vulnerable over the years.

Perhaps the biggest risk point is in the middle though, where site owners attempt to take advantage of the power and affordability of Virtual Private Server (VPS) solutions without necessarily having the security chops to really lock down their servers.

If you do find yourself going down the VPS route, make sure you’re at least following the basic security steps suggested by providers such as Digital Ocean and Linode.

What are the Best Current WordPress Security Plugins?

Plugins are famously a fairly significant attack vector in their own right, and even high profile providers such as Yoast have run into difficulties over the years.

There are, however, a number of excellent security-related plugins available you can use to take some of the hard work out of hardening your site.

Sucuri have a superb, detailed examination of the security plugin landscape broken out into the categories of prevention, detection, auditing and utility that’s well worth some of your reading time. It’s a great starting point for getting your head around the many issues involved.

The following two plugins in particular are highly recommended:

Sucuri

Sucuri’s malware scanning and security hardening plugin is available for free and the company also offers a range of higher-end solutions for site owners.

iThemes Security

With over 600,000 active installs, iThemes Security has been one of the leading WordPress security plugins since 2008.

Where Can I Find out More about Security?

Online security is a huge and ever-shifting domain of knowledge, but there are a number of introductory resources we recommend to help keep you up to speed and sharpen your security skills:

  • WP Engine’s Security Best Practices: As one of the leading managed hosting solutions for WordPress, WP Engine know more than most about what it takes to run a tight ship. Their security white paper is an excellent introduction to current best practices.
  • Sucuri.net: In addition to making one of the best WordPress security plugins around, Sucuri also provide an absolute treasure trove of information on both their main site and blog. Posts such as How Did My WordPress Website Get Hacked? and 10 Tips to Improve Your Website Security are great jumping off points.
  • Security blogs: Online security is a subject that can quickly get baffling for the non-technically minded, but Bruce Schneier and Brian Krebs both cover serious topics in an accessible and engaging manner.
  • Online courses: Lynda.com offers a range of web security courses targeting all levels of expertise. For those looking to take things to the next level, the Coursera Computer Security course has you covered.

Conclusion

Though the recent spate of security updates has set some users’ nerves on edge, the reality is that WordPress has never been safer than it is today and is happily used by Fortune 500 companies and major news organizations.

That said, it is still your responsibility as a site owner to make sure you’re covering the basics:

  • Always update to the latest version.
  • Make sure you’ve reviewed the standard WordPress hardening advice.
  • Carefully review any third-party plugins or themes you use on your site.
  • Review your hosting provider’s security track record before signing up.
  • Use a security plugin to add an extra layer of protection to your site.

We’re curious to hear your thoughts on the recent run of security updates and whether there is a particular aspect of WordPress security you’d like to see us cover in more detail.

Get in touch in the comments below and share your thoughts!
