In an interview with Smashing Magazine our CoFounder (now Head of Security Products at GoDaddy) Tony Perez was asked the following question.
What Makes WordPress Vulnerable?
“Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for a vulnerable website.” – Tony Perez
The most common threats to any CMS are associated with vulnerabilities that have been introduced by third-party modules, plugins, themes and extensions.
Making sure that your WordPress plugins and themes are being audited on a regular basis will improve your security posture, minimizing possible vulnerabilities and threats. Both plugins and themes can be used as a backdoor by hackers seeking to gain access to your website.
Outdated or poorly maintained plugins and themes are what every hacker is looking for: an opportunity to force entry. Malicious users run automated scripts (a.k.a. bots) to identify if there is a website vulnerability present. It has nothing to do with who you are, or how big your website is. If malicious actors find a vulnerability in one of your WordPress themes or plugins, you can bet that they will exploit them.
How to Perform a WordPress Plugin & Theme Audit
You can assess the security of your WordPress plugins and themes by measuring the following indicators:
Does the plugin or theme have a large install base?
This can help you determine the reputation of the developer. If the theme or plugin has a large user base, there is a better chance of it being supported by reliable resources.
Are there a lot of user reviews, and is the average rating high?
The assessment here is a common sense call. Try and read both good and bad reviews to get a grasp the average user experience.
Are the developers actively supporting their plugin and pushing updates or security patches?
Ensure that the developers are actively working on any plugins and themes that have been installed on your WordPress website. Check to see that patches are being regularly provided to usershappening. When was the plugin last updated? If it was over 6 months ago, you may want to consider an alternative plugin or theme that is being supported
Does the vendor list terms of service or privacy policy?
If they do, it’s a good sign that the plugin or theme is legitimate. You’ll want to carefully read over the terms of service, because they may include unwanted extras or “features” that were not advertised for the plugin or extension.
Does the vendor include a physical contact address in the ToS or a contact page?
It’s important to be able to reach the author/developer in case you need additional assistance or information. Having a physical address serves as a credibility indicator, and indicates that it may come from a reliable source.
Does the plugin have a support page?
Plugins and themes from the official WordPress repository include a support page where users can go to ask questions to the developer or report issues. It’s a good idea read up on what kind of issues people are reporting—and check to see how often the developer responds to (and patches) bugs or complaints.
Now that we have identified how to choose the safest possible plugin and theme for your WordPress website, let’s move on to how to secure your WordPress installation.
Have a WordPress Backup Solution
Every website should be backed up on a regular basis. Look for the following requirements in your backup solution
- Off-site: Backups should not be stored on your website’s server, but rather as a separate instance.
- Automatic: just as a precaution method for when memory fails.
- Reliable recovery: Maintain backups of your backups and test them to make sure they work.
If you would like to learn more about backups and other website security practices, our 10 Tips to Improve Your Website Security blog post is an excellent start.
Remove Outdated or Unused Plugins & Extensions
When it comes to website security, less is more. Remove unused third-party components and keep things tidy to reduce vulnerabilities.
You can think about your WordPress installation as your house: the more things you have, the more difficult it is to notice when something is out of place, or when an item goes missing.
To audit your website, use this quick checklist from our How to Perform a Website Audit article, along with the assessment points we just went over.
Ongoing Security Audit Checklist:
- Update
- Check software
- Check plugins
- Passwords
- Remove
- Inactive or unused plugins
- Outdated or unsafe extension
- Review
- User and account access – least privilege
- File permissions
- Security plugin settings
- Backup settings
- SSL Certificate
- Changes to files
Your website’s security should be top of mind at all times. Our free security plugin can help you audit your site and identify and protect against potential threats: Sucuri Security – Auditing, Malware Scanner and Security Hardening WordPress plugin.
How to Clean up a Hacked WordPress Website
If you believe your WordPress website has been compromised, you can follow the instructions from our how to remove a WordPress hack guide and webinar.
Conclusion
“For whatever reason, there is this perception among WordPress users that the hardest part of the job was paying someone to build the website and that once its built, that’s it, it’s done, no further action required. Maybe that was the case seven years ago, but not today.
WordPress’ ease of use is awesome, but I think it provides a false sense of assurances to end users and developers alike. I think, though, this perception is starting to change.” ~ Tony Perez
Change starts with you. Our team is always ready to chat if you have questions or doubts on how to better protect your assets and information.
If you are looking for managed website security, we have put together The Best Website Security Services 2019 page, to help you decide on a solution and choose a provider.
John Castro
Daniel Cid
Denis Sinegubko
Northon Torga
Rianna MacLeod
Luke Leal
Stephen Johnston
Pedro Peixoto
Allison Bondi