This is my first blog in an ongoing “It’s Not Rocket Science” series featuring articles on Information security.
"Security is not an absolute, it's a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It's about employing the appropriate security controls that best help address the risks and threats as they pertain to your website."—codex.wordpress.org
As of March 20, 2017, WordPress powers 27.7 percent of the web; it has a content management system (CMS) market share close to 60 percent, including over 49,000 different plugins with 1,609,901,724 total downloads. According to a 2016 Wordfence survey, 61.5 percent of 1,032 respondents (site owners) were oblivious about how their site was compromised. For the remaining 38.5 percent of respondents (who were able to pinpoint the attack origin), the incident traced back to plugins, brute force, core hacks, themes and hosting services. Two of the top risks involved plugin vulnerabilities (55.9 percent) and brute force attacks (16.1 percent), together representing 70 percent of all known entry points. Querying Google for the term "WordPress” kicks back about 1,850,000,000 results (in less than one second). This simple Google search query returns over six million results:
Search headlines like those listed below tend to embrace simplicity and ease:
- How to Start a Blog (to Make Money or Otherwise) in 2017
- How to Start a WordPress Blog The RIGHT WAY (Step by Step)
- How to Launch a Self-Hosted WordPress Blog in 20 Minutes or Less
- How to Build Your Own Business Website with WordPress
- Revealed: 19 Things to Know Before You Start a Blog
- 5 Steps to Take to Start Your Small Business Blog Today
- How to Start a Blog in 2017 - Easy to Use Free Guide for Beginners
- How to start a blog in WordPress (in less time than it takes to have a pizza delivered!)
What’s the problem with the above search results? It’s replete with generic advice about how to launch a self-hosted blog, inviting an entirely clueless population of WordPress novices to launch a WordPress site devoid of security. Kindergarten level at best. For a small business or startup, the first two pages of Google search results would make one think you could launch a WordPress site in siesta mode while slurping a few glasses of Sazerac.
WordPress security is not rocket science
Though securing and hardening a self-hosted WordPress site is not rocket science, this particular CMS is novice-unfriendly and can quickly become highly toxic on the digital highway. Though WordPress is truly an amazing CMS, it has also opened a pandora’s box for amateur and inexperienced admins to mismanage and invite bad actors to stumble in via a back door. A novice (naive) WordPress admin is equivalent to handing a commercial pilot her license when she’s reached 50 hours of flying time. A novice admin lacks backend and database experience, as well as strong security knowledge. I am not talking down to the novice WordPress admin, either. I’m just saying: if you are going to launch and administer a self-hosted blog, you need to know how to maintain, harden and secure it first. If you are the type of WordPress administrator who would settle down comfortably and fly with the 50-hour-flying-time commercial pilot, please don’t launch any self-hosted WordPress sites. I would consider your lack of judgment as equally pernicious to the bad actors who contribute to our threat landscape today.
A little history
Now that I’ve moved away from my novice [podium] WordPress admin mini-rant, let’s back up in time to 2012. I’m thinking to myself: “Do I really want to put this out there again?” Possibly. But I’m already embarrassed. Humiliated, too. I’ve got this vision [of my readers] in my mind, watching me and scoffing “Wow! A twice-hacked WordPress expert.” Let’s dive in. I wrote a blog post about security mistakes that self-hosted WordPress blogs make—mentioning the sackcloth and ashes cringeworthy fact that I had previously been victim to two WordPress hacks.
My First WordPress Hack
In 2009, I was on a managed VPS where all administrative and maintenance tasks were deployed via my hosting provider. Unknown to me, it was a hosting company that was rather lax with updates. I wrote about the severity of my first hack at Antonin Januska's blog:
"It was a major hack where all WordPress index pages was injected with malicious code that redirected vulnerable visitors to malware-infected domains. All WordPress sites on my VPS was affected with malicious iframes, so that any visitor to my website (who had operating system or browser vulnerabilities) became infected. Many plugin files was also injected with bootstrap code. I also found modified file permissions (0777 -chmod) for the themes and plugins directory. It was such a flopping mess that it could make a grown woman cry. [sic]"
Yes, pity party me. I was lamenting an area of WordPress security that I had never considered a threat. Why? Because my blog was managed by my hosting provider....
My Second WordPress Hack
The second hack was quite the facepalm for me. I was hacked via an automated theme script injection. I lamented at Januska's blog:
"I set myself up for this exploit because I forgot to disable the backend editor (after I edited my theme). This oversight resulted in a .404 defacement that was recorded at Zone-H."
Well beyond toddlerhood
Ironically, I was no squalling infant to WordPress, having been with the CMS since the advent of nl2br on steroids [highly intelligent line breaks]. My first database experience was with Oracle and MySQL (back in the 90s) when I developed my first love for databases. This was at a time when I was also learning programming languages and found Cobol to be entirely unimpressive. The only reason I did not lean toward a career move in the realm of database security was due to limitations in the field (my perception at the time) in my ongoing security endeavors.
In this blog post, we covered how easy it is for any novice to set up a self-hosted Wordpress site by simply searching Google for instructions. We learned that in setting up Wordpress, the majority of sites (returning search results on the first few pages) lacked information on how to harden and secure Wordpress. You learned about my sackcloth and ashes twice-hacked woes (keep it quiet), and we also covered a little history. In the next part of this series, I will share with you what to look for in a webhost provider, how to secure and harden WordPress, and some often overlooked items during this process. If you would like to comment or add your thoughts about this blog post, feel free to hit me up on Twitter with the hashtag #TekTripW.
About the Author: Bev Robb is a freelance writer/editor/social media manager and "thought leader" for information security. Previously, she wrote security articles for Dell Powermore and was the Fortscale Security Technology Editor and Publication Manager for Norse Corporation. She can be found on Twitter and LinkedIn. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.