Expert Tips to Keep WordPress Safe
The most widely used content management system on the Web relies heavily on plug-ins and add-on software — and that requires rigorous security measures at every level.
What’s the best way to secure a WordPress website? The answer varies depending on whether you’re talking about sites hosted on WordPress.com (the hosting provider) or those running on the WordPress content management system (CMS), hosted on a different server. Either way, it’s a question that matters greatly given the huge presence WordPress has on the Web.
According to survey site W3Techs, WordPress powers more than 38% of the top 10 million sites on the Web. When any single product is used by more than one-third of the Web, its security is important. And given WordPress’s structure, in which so much functionality comes through plug-in and add-on software, the details of that security are likely to be found in best practices rather than hard prescriptions.
In looking at the question of WordPress security, we chose to look at the broad WordPress installed base rather than those hosted on WordPress.com.
WordPress security begins with a secure hosting provider. Each hosting provider will deliver its own set of features and add-in services, and WordPress administrators should understand what can be provided and how those hosting-provided services support or collide with separate, customer-added security features. As an example, Cloudflare presents a number of content delivery network (CDN), DNS, and anti-DDoS services to its customers in both free and paid versions, but it does so through a proxy mechanism, which means hosting-provided DNS and DDoS services are not compatible with it.
“Organizations need to take application security more seriously, starting with protection for well-known problems like the OWASP Top 10,” says Timothy Chiu, vice president of marketing at K2 Cyber Security.
WordPress itself calls attention to the OWASP Top 10 and its response to those vulnerabilities in its white paper on WordPress security.
“It’s critical to keep up with patches. Even if WordPress is up-to-date, some of the common plug-ins may be vulnerable and will require immediate patching as [their revised code becomes] available,” says Ryan Smith, vice president of marketing at SaltStack. “Some plug-ins don’t automatically update with plug-in managers and still need to be manually updated.”
In addition to the version of any updates, their provenance is something WordPress developers and enterprise security teams should keep in mind, says Ameet Naik, security evangelist at PerimeterX.
“Though updating the plug-in with the latest version is important, it does not guarantee the integrity of the third-party code,” he says.
Adds Leo Pate, application security consultant at nVisium: “Any plug-ins or templates used within WordPress should be from reputable sources and be kept up to date.”
What to Keep In Mind
The factors teams should take into account regarding those plug-ins and templates include when the plug-in was last updated, comments and reviews of the plug-in from developers and users, and how many times the plug-in has been downloaded, Pate says.
Another factor many WordPress administrators say should be considered is how large the support group for the plug-in happens to be. Because WordPress is written in four very popular languages — HTML, CSS, PHP, and JavaScript — many plug-ins are the work of individual developers. While these are not inherently dangerous, some administrators caution that vulnerabilities can take longer to discover and remediate when a single developer is maintaining the codebase.
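To turn the vetting factors above (when the plug-in was last updated, how many reviews it has, how often it has been downloaded) together with the earlier points about pending updates and the integrity of third-party code into a repeatable check, here is an added example script. It is not code from the article, from WordPress, or from any of the quoted vendors. It assumes an inventory in the shape `wp plugin list --format=json` prints (name, status, update, version) joined with the `last_updated`, `downloaded`, `rating` and `num_ratings` fields the WordPress.org plugin-information API returns; every value below is constructed for the demo, the `last_updated` dates are normalised to ISO form, and the thresholds are illustrative rather than recommendations.

```python
"""Audit a WordPress plug-in inventory for update, freshness and integrity risks.

Added example, not from the article. Inputs are CONSTRUCTED inline:
  * an inventory joining `wp plugin list --format=json` fields with
    WordPress.org plugin-information fields (field names real, values invented);
  * a {relative_path: sha256} manifest checked against files on disk
    (a throwaway directory is built for the demo).
"""
import hashlib
import json
import os
import tempfile
from datetime import date, datetime

STALE_DAYS = 365        # illustrative: no release in a year -> possibly unmaintained
MIN_RATINGS = 10        # illustrative: too few reviews to judge community trust
MIN_DOWNLOADS = 10_000  # illustrative: small user base, bugs surface slowly
DEMO_TODAY = date(2024, 6, 1)  # fixed date so the demo is reproducible

# Constructed sample inventory (values invented for the demo).
INVENTORY_JSON = """[
  {"name": "good-forms", "status": "active", "update": "none", "version": "3.2.1",
   "last_updated": "2024-05-01", "downloaded": 2500000, "rating": 92, "num_ratings": 480},
  {"name": "old-gallery", "status": "active", "update": "available", "version": "1.0.4",
   "last_updated": "2021-02-11", "downloaded": 5300, "rating": 70, "num_ratings": 3},
  {"name": "unused-seo", "status": "inactive", "update": "none", "version": "2.0.0",
   "last_updated": "2024-03-20", "downloaded": 900000, "rating": 88, "num_ratings": 120}
]"""


def audit_plugin(p, today):
    """Return a list of findings for one plug-in (empty list means no concerns)."""
    findings = []
    if p["update"] == "available":
        findings.append("update available: patch it (may need a manual update)")
    last = datetime.strptime(p["last_updated"], "%Y-%m-%d").date()
    if (today - last).days > STALE_DAYS:
        findings.append(f"not updated since {last}: possibly unmaintained")
    if p["num_ratings"] < MIN_RATINGS:
        findings.append(f"only {p['num_ratings']} ratings: little community review")
    if p["downloaded"] < MIN_DOWNLOADS:
        findings.append(f"only {p['downloaded']} downloads: small user base")
    if p["status"] == "inactive":
        findings.append("installed but inactive: remove it, inactive code is still on disk")
    return findings


def audit_inventory(inventory_json, today):
    """Map plug-in name -> findings for the whole inventory."""
    return {p["name"]: audit_plugin(p, today) for p in json.loads(inventory_json)}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(plugin_dir, manifest):
    """Compare files under plugin_dir with a {relpath: sha256} manifest.
    Returns (modified, missing, unexpected), each a sorted list of paths."""
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        path = os.path.join(plugin_dir, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_of(path) != expected:
            modified.append(rel)
    for root, _dirs, files in os.walk(plugin_dir):
        for fn in files:
            rel = os.path.relpath(os.path.join(root, fn), plugin_dir)
            if rel not in manifest:
                unexpected.append(rel)  # file the vendor never shipped
    return sorted(modified), sorted(missing), sorted(unexpected)


def demo_checksums():
    """Build a throwaway plug-in directory, tamper with it, then verify it."""
    tmp = tempfile.mkdtemp()
    files = {"plugin.php": b"<?php // original\n", "readme.txt": b"readme\n"}
    manifest = {}
    for rel, data in files.items():
        with open(os.path.join(tmp, rel), "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    # Simulate an unauthorised edit and an injected file.
    with open(os.path.join(tmp, "plugin.php"), "ab") as f:
        f.write(b"// injected\n")
    with open(os.path.join(tmp, "extra.php"), "wb") as f:
        f.write(b"<?php // not in manifest\n")
    return verify_checksums(tmp, manifest)


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY_JSON, DEMO_TODAY).items():
        print(name, findings or ["ok"])
    print("checksum result (modified, missing, unexpected):", demo_checksums())
```

In practice the manifest comes from the vendor's release artefact rather than from the live directory, so that a file altered after installation shows up as modified instead of being silently re-baselined; the `unexpected` list is the one that catches files a plug-in never shipped.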
It’s critical for organizations to look at their WordPress environments holistically and apply rigorous security measures at every level, Pate adds.
In addition to keeping software up to date, “don’t run the WordPress server’s services as administrative users, default user credentials should be changed on the WordPress instance as well as the database credentials, and make sure the server only allows connections over TLSv1.2 or TLSv1.3,” he advises. “The ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency.”
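Pate's TLS advice (only TLSv1.2 and TLSv1.3, ciphers that give forward secrecy) expressed as an nginx server block, shown here as an added example rather than configuration from the article or from the WordPress project; the commented-out lines at the top show the weak form being replaced. The hostname, certificate paths and PHP-FPM socket are placeholders. Certificate transparency is not an nginx setting: it is satisfied when the issuing CA embeds signed certificate timestamps in the certificate, which a public CT log search confirms after issuance. Running the PHP-FPM pool as an unprivileged user is set with the `user`/`group` directives in the pool configuration, not in this block.

```nginx
# Weak form (replaced below): legacy protocol versions and a cipher list that
# still admits static RSA key exchange, which has no forward secrecy.
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers HIGH:!aNULL:!MD5;

server {
    listen 443 ssl;
    server_name example.com;                                 # placeholder

    ssl_certificate     /etc/ssl/certs/example.com.pem;     # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;   # placeholder path

    # Only TLS 1.2 and 1.3 are offered.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites restricted to ECDHE (ephemeral key exchange, so a later
    # key compromise does not expose recorded sessions). TLS 1.3 suites are
    # always forward-secret and are not selected through ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Session resumption without long-lived ticket keys, which would otherwise
    # undo forward secrecy for resumed sessions.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    root /var/www/wordpress;                                 # placeholder path
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;             # placeholder socket
    }
}
```

After reloading, the quickest check is to confirm that a client forced to TLS 1.0 or 1.1 is refused and that the negotiated suite for a TLS 1.2 client begins with ECDHE.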
WordPress administrators in online forums write of the importance of choosing security-focused plug-ins to help defend a WordPress installation. Common choices for plug-ins include Sucuri and Wordfence. Sucuri, available in both free and paid versions, provides malware scanning, configuration file hardening, and core integrity checks in the free version, and integrates with DNS-level firewall and DDoS protection services in paid versions. Wordfence, also in free and paid versions, provides malware scanning, login attempt limiting, and a web-application firewall (WAF) to WordPress installations.
Many other security plug-ins are available, many of which focus on a single issue, such as protecting authentication certificates, thwarting brute-force attacks by limiting the number of login attempts, or continuously checking the version and status of other plug-ins. Unfortunately, this breadth means installing and deploying security plug-ins can be as complex in concept and practice as deploying any other WordPress plug-in.
Chiu stresses that basic security processes are as critical for WordPress installations as for any other piece of enterprise software.
“The simplest thing any organization can do to help reduce vulnerabilities is to keep their code up-to-date and patched,” he says. “It’s important to ensure you’re only enabling and using the plug-ins you really need for your site, while ensuring you have full security for your site, including edge security, runtime application security, and server security.”
Article resource: https://www.darkreading.com/cyber-risk/expert-tips-to-keep-wordpress-safe