There’s no such thing as kicking back and relaxing when it comes to managing a WordPress site. Even after you’ve put in all that hard work to build it, there’s much more that has to be done in order to maintain it. The rules around SEO are always changing, so those elements have to be reconfigured regularly. Performance is something that always has the potential to falter, so you have to keep a close eye on it.
There’s also the WordPress security patch piece.
Security… transcends the WordPress application. It’s as much about securing and hardening your local environment, online behaviors and internal processes, as it is physically tuning and configuring your installation. Security is comprised of three domains: People, Process, and Technology.
That’s something you can’t afford to forget about. Because, when all is said and done, hardening the WordPress content management system isn’t enough. Nor is it enough to focus solely on the fortification aspect of security. WordPress security patches, for example, are something every developer should be prepared to handle, but can quickly become an afterthought in the hubbub of everything else happening around security.
To secure your WordPress site and keep tabs on WordPress security patches, you have to look at it from every angle. So, in the following guide, we’re going to expand on the following:
- Every type of security threat you should be prepared for
- Is WordPress safe enough to use? The facts…
- Secure your WordPress site with prevention, detection, review, and action
- How to handle WordPress security patches
From general WordPress security concerns to full-fledged vulnerabilities and issues to understanding WordPress security patches, this guide will help you prepare your clients’ websites for anything.
Every Type of Security Threat You Should Be Prepared For
Sometimes websites contain highly valuable data that hackers want to get their hands on. There are other times when websites are simply appealing because they can be used as a vessel through which hackers can harm other websites and users.
That’s why you and your clients should never feel like a smaller or newer website is any less likely to fall victim to an attack than the Equifaxes of the world. It can happen to anyone and at any time. And knowing what WordPress security patches actually do will come in handy here. But more on that later.
Who Is Responsible for Your WordPress Security Concerns?
As I write this at 7:52 p.m. on a Tuesday, Internet Live Stats reports the following number of websites have been attacked today:
But who is carrying out these attacks? It’s not like there are tens of thousands of hackers who are capable of executing these attacks on the tens or maybe even thousands of websites hit every single day. Right?
In some cases, there are actual humans behind these threats. And, if that’s the case, they likely have a specific mission they’re on. To steal your customers’ information. To gain access to your company’s financials. To launch ransomware and actively pursue payment from you in exchange for the stolen website.
But just as web developers can automate many of their tasks in order to get more done in a shorter amount of time and with less effort, so too can hackers.
As such, hackers power bots to troll the web. It’s their job to look for vulnerabilities to break through or to launch a seemingly endless supply of repeated attacks until they do finally make their way inside through sheer brute force. Either way, these are automated programs that hackers send to do their bidding and to maximize the return on their efforts.
Sadly, it’s not really the “who” of the matter that you should concern yourselves with. WordPress security issues happen as a result of faulty code that enables anyone–hackers or bots–to break into a website. And that’s why WordPress security patches are so important.
What you do need to be concerned with right now, however, is the “how” of it.
How Can Hackers Get into Your WordPress Site?
To the layperson, “spam” and “malware” may be the easiest ways to describe a WordPress security breach. As a developer, you understand that hackers get much more creative than that.
Because of the variety of ways in which they attack or infect a website and the location through which they’re able to get inside, there are over a dozen types of WordPress threats you should be aware of.
Your MySQL database is one of the server technologies that enables a WordPress site to process data efficiently. However, if certain input elements (like on a contact or search form) aren’t coded correctly or protected, a hacker could easily enter a malicious SQL query and retrieve, edit, or delete data stored in the database.
Similar to a SQL injection, cross-site scripting takes place when a hacker enters malicious code into the frontend of a WordPress site. The goal here instead is to execute a command that forces incoming visitors to encounter malicious content. That could be a defaced web page, a redirect to a phishing page, and so on.
Hackers can remotely take control of entire websites (known as a cross-site request forgery) as well as web servers (known as a server-side request forgery). When this happens, visitors that come in contact with the “forgery” are tricked into sharing private information through a legitimate website but with a malicious entity.
Call this a copycat infection, if you will. In phishing, hackers leverage the trust consumers have in either a website or another well-known company to steal information from them. Essentially, they inject a page onto a website (or replace a site entirely) with something that looks both familiar and reputable. It also happens to contain a form of some sorts to collect login information, credit card data, and so on.
Remote File Inclusion
Every WordPress website you come into contact with will have at least one theme and one plugin connected to it. And the chances that other external scripts run on the site are pretty good too (think of social media feeds, Google Analytics scripts, etc.). All hackers need is access to a vulnerable script to gain backdoor entry and upload malware to the website.
In the case of a file upload vulnerability, this could be as simple as soliciting visitors to upload their content (e.g. photos, articles, etc.) through a contact form on your site. Allow this form and its submissions to go unchecked, and you could unwittingly allow a file containing malicious code to infect your server.
There is a lot of information saved behind the scenes of a WordPress website, which is why hackers love to get their hands on the site directory. ℹ️ A path or directory, traversal is one in which a hacker manipulates “../” sequences to get access to a WordPress site’s directory outside the root. #WordPress Click To Tweet
Malware is a blanket term that is used to describe a number of infections. Defacements. Spam SEO. Backdoor. Ransomware. The goal here is simple: inject malicious script and wait for it to harm the website’s reputation.
Brute Force Attack
This is exactly what it sounds like. Hackers or, more likely, bots, attempt to log into a website using a variety of username and password combinations. Attempts are repeated until the winning combo is unlocked or until a security measure blocks the repeated attempts to log in with the wrong credentials.
Distributed Denial of Service
The purpose of a DDoS attack is to take a website offline. Bots will do this through a coordinated “attack”. Typically, bots will use previously hijacked computers to send excessive volumes of traffic to the targeted website. The goal, then, isn’t to infect a website or redirect traffic to a phishing page. It’s to stop all traffic from going in and out of that website.
Is WordPress Safe Enough to Use? The Facts
As you can see, the end goal isn’t always to steal millions of dollars worth of transaction data or a slew of login credentials. Sometimes hackers (and the bots they use to execute the attacks) just want to wreak havoc for the sake of doing so. So, don’t let your guard down.
This is especially important when it comes to WordPress. It’s not that the content management system is highly vulnerable to infiltration. It’s just that it receives the brunt of abuse because, proportionally, it has more websites to take advantage of than any other CMS.
Should you worry about this and start researching other options to build your clients’ websites from? Absolutely not. Educating yourself on the kinds of threats your clients’ sites might encounter is a good starting point. Understanding how security vulnerabilities affect WordPress is your next step. Then, you can take action.
But, first, before we dive into WordPress security patches, let’s talk about WordPress security.
How Do Hackers Get Into WordPress?
WPScan’s Vulnerability Database tracks ongoing security issues with the WordPress core as well as in plugins and themes. As a result, WPScan has a pretty good idea of the more common causes for attack or infection on a WordPress website.
As you can see, there are three components which are particularly susceptible to hackers.
As of writing this, WPScan has detected 11,631 vulnerabilities inside of WordPress software. No wonder there are so many WordPress security patches, right? Here is the breakdown of where they’ve occurred:
- Core: 8,639
- Plugins: 2,639
- Themes: 353
This is the number of vulnerabilities detected in the latest core updates:
And these are the plugins that have frequently been afflicted with security vulnerabilities:
WooCommerce, Wordfence, Ninja Forms… These are well-known and well-trusted names according to the WordPress repository. And, yet, they’ve had enough vulnerabilities discovered within their code to warrant them to sit atop the list of affected plugins.
What do Hackers do to WordPress Sites?
It’s a shame that the software we rely on to power our clients’ sites may ultimately be their downfall too (though, hopefully, only temporarily). That said, anything containing code and various entry points will draw the attention of hackers. WordPress is, by no means, the only piece of software that is prone to attack.
Of course, it’s important to be mindful of those common areas of entry as you prepare a security strategy for your WordPress clients — which should include installing WordPress security patches as they become available. If you know where hackers will focus their attack, you can actively work to prevent that from happening.
It’s also good to know what the most common forms of attack are. In the list above, I explained what many of these are. But can you guess which forms of attack are the most popular when it comes to WordPress?
WPScan has data on this too:
Cross-site scripting (XSS) is significantly higher than all other types, though SQL injections (SQLi) and file uploads also make up a good chunk of the pie.
Understand what these attacks do so you can make sure you’ve fully fortified your website at each of the points of weakness. This, of course, doesn’t mean you can go easy on the rest. But if there’s something you have to prioritize and put extra weight behind, go after those tactics you know hackers love to use.
What does WordPress do for Security?
If this seems like an overwhelming responsibility and you’re unsure of where to start, don’t fret. WordPress helps with securing the content management system, too. It’s nothing that should lull you into a sense of complacency, but it’s important to recognize that WordPress does its part to contribute to a safer web with things like:
A Security Team
There are roughly 50 security experts that comprise the WordPress Security Team. When major WordPress security issues arise, they consult with external security experts as well.
A Theme Review Team
There is a dedicated Theme Review Team that carefully looks through each new theme submission and advises developers on amending their code if it’s not up to WordPress’s standards (security or otherwise).
Automated Security Updates
In addition to regularly updating the core code, WordPress automated minor releases containing WordPress security patches. This enabled them to ensure that the most critical security updates were made.
Theme and Plugin Security Tips
As for that original question about whether or not WordPress is safe enough, the answer to that is “Yes, but… you have to take good care of your website, too.”
Secure Your WordPress Site with Prevention, Detection, Review, and Action
Hackers will exploit your website’s weaknesses the second they are found. If you’d like to reduce the chances of this happening, your security strategy has to cover the website from every angle. This will require a multi-pronged approach to prevention, detection, review, and action.
Now that you understand what those WordPress security threats are and where they’re coming from, you can effectively do this.
Now, the WP Buffs Security Blog and 21-Step Checklist will have already covered most of this. However, for the purposes of presenting you with a comprehensive WordPress security vulnerabilities guide, we do need to cover these points once more.
It’s also important to understand the context in which you find yourself when WordPress security patches spring up. If your website isn’t fully secured when this happens, you’re going to have a lot more work on your plate than the short list of action steps we’ll give you at the end of this post. So, before we go any further, let’s review once more how to secure your WordPress site with the following:
1. Web Hosting
The kind of web hosting your client uses–be it cloud, VPS, or managed–doesn’t matter so long as they’re using one with the right requirements. This means there are sufficient resources to handle the demands of their website and that the web host has placed a huge emphasis on security.
While the host cannot secure your client’s WordPress site, they most certainly can create a safe server environment with:
- On-site security protocols at the data center
- Server-side protection like firewalls and anti-malware software
- Including SSL certificates with each plan
2. SSH and SFTP
The control panel should come equipped with tools that enable you to securely upload and alter files on the backend of your client’s WordPress website. SSH access and SFTP are two that you absolutely need and matter first before WordPress security patches ever come into play.
3. SSL Certificate
If the web host has not provided your client with an SSL certificate, and they haven’t had the foresight to get one on their own, here is how you can get a free, valid HTTPS certificate for their website.
While the main goal of a content delivery network (CDN) is to greatly improve the delivery of content to visitors in even the most far-flung locales, they’re built to keep your website and their network extra secure, too. When researching your options for a CDN (if it doesn’t come with your client’s hosting plan, that is), keep in mind that it might not just be a CDN that you need. You may also want to use a WordPress CDN plugin.
5. Server Technology Updates
While you won’t have control over the server technology yourself, you can at least ensure that your client’s website uses the latest and greatest versions of PHP and MySQL. Just as you will keep your software up-to-date by installing WordPress security patches, so too will you need to do this for your database and programming language.
6. File Protection
The Sucuri Hacked Report from 2017 says there are three files most commonly hacked by malware:
As such, you want to do everything you can to lock down not just these files, but everything that exists within the core of the website.
Here are some tips for doing that:
The wp-config.php file contains a lot of valuable information about a site. The first way to protect it from harm is to move the file out of the core and up an extra level where it’s harder to reach.
Deny Access to wp-config.php
You can also deny all access to wp-config.php altogether.
To do this, you will need to add the following to your .htaccess file:
deny from all
Deny Access to .htaccess
It’s probably a good idea to prevent access to all your .htaccess files as well. You can do this by inserting the following code into .htaccess:
<files ~ "^.*.([Hh][Tt][Aa])">
deny from all
Disable Directory Browsing
To keep hackers from sniffing around your file directory, you can disable browsing by inserting the following into your .htaccess file:
# Disable directory browsing
Options All -Indexes
The XML-RPC interface is automatically installed with each new WordPress installation. However, if you’ve experienced issues with too many themes and plugins introducing security vulnerabilities into your client’s website, you may want to disable this altogether.
Do this by adding the following to the .htaccess:
deny from all
Just keep in mind that this could harm the performance of your themes and plugins if they make use of XML-RPC. If this happens and you don’t want to code that functionality into the site on your own, you’ll need to keep this enabled.
Prevent Backdoor Intrusions
If hackers should find a way into your database, you can prevent these backdoor intrusions from doing any serious harm by preventing PHP executions in directories where it doesn’t belong.
Add this code into the directories you want to protect:
deny from all
Eliminate PHP Error Reporting
As a WordPress developer, PHP error reporting is helpful in troubleshooting problems with a client’s website. That said, if an error should occur as users move around the website, you do not want them to encounter this error on the frontend–especially if they’re hackers looking for an iota of information about your directory structure.
To disable this frontend reporting, add this to your wp-config.php file:
Disable File Editing
One last protection you can put in place pertains to the editing of files within WordPress. If you don’t want your users (and, consequently, hackers) to even see the file Editors in WordPress, disable this through your wp-config.php with the following:
It should be placed with the other DISALLOW directives.
7. Security Keys and Salts
When a website is built, WordPress security keys and salts should be configured. These help in the fight against brute force attacks by hiding your users’ login information. If you can, get yourself a WordPress security plugin that includes security keys and salts controls, so you can easily reset these when WordPress security patches require swift action.
8. WordPress Security Plugin
There are a plethora of WordPress security plugins that all promise to protect websites with plenty of user reviews to back it up. However, the one that WP Buffs uses in its own security service, and one that I personally recommend as well, is iThemes Security*.
The premium plugin comes with a robust portfolio of security measures* that are a must for keeping your clients’ sites safe.
These modules protect against WordPress security vulnerabilities with:
- Forced login with email addresses and not usernames
- Stronger password requirements
- Limited login attempts
- WordPress secret keys
- File editor disabling
- Disable XML-RPC
- Disable directory browsing
- Disable login error messages
- Spam reduction
- Prevent suspicious query strings
- Disable PHP where it shouldn’t occur (like in Uploads)
- Block banned IP addresses
As you can see, a lot of the file protections you’d put in place manually can also be done through this plugin.
iThemes also comes with file and login monitoring systems*, so you can stay abreast of changes or issues related to security in real time.
9. WordPress Spam Plugin
Akismet is the go-to anti-spam plugin for WordPress.
It’s really simple to configure and, once set up, it’ll take care of blocking spam from your website without you ever having to see or hear about it.
10. WordPress Firewall
Although your client’s hosting will have a server-side firewall in place (if they don’t, then it’s time to change!), their WordPress site needs one, too. With a WordPress firewall, you can filter out and block any bad traffic before it hits the website.
To put one in place, you have a few options available. You can look for a security plugin that includes a WordPress firewall. You can purchase a third-party firewall solution. Or you can check with the web host or WordPress maintenance provider to see if they offer one. Regardless, a firewall serves as an excellent accompaniment to WordPress security patches.
There is a reason why the developers behind the WordPress core, plugins, and themes send out regular updates and WordPress security patches. With performance and security so critical to the success of websites, and software often the reason why both are compromised, ongoing maintenance is required.
And while WordPress has automated minor updates as well as critical security updates, it’s probably a smarter choice to disable automatic updates and handle each of them on your own. This way, if anything should go wrong when you update your WordPress site, you’ll have a better idea of who the offender was (which will make for easier cleanup and recovery).
12. Plugin and Theme Best Practices
You’ve already seen how much trouble poorly coded plugins and themes can be for WordPress sites. If you’d like them not to be the source of your WordPress security vulnerabilities, then you should adhere to best practices when using them:
- Properly vet each theme and plugin before installing on your website. This means that they’re well-reviewed, top-rated, and come from developers that are known and trusted in the community.
- When issuing updates, make sure to do them in a safe staging environment so as not to introduce any vulnerabilities or conflicts to the live site if they exist.
- Delete plugins and themes when you stop using them.
- Regularly audit your plugins and themes. Check to make sure the developer still supports them, that no security issues have been reported, and that they aren’t abandoned.
13. Hardware, Software, and Network Security
It’s not just WordPress that needs to be fortified against malicious threats with current WordPress security patches. The hardware, software, and network you access the website through should all be protected as well.
Here are some tips:
- Use antivirus and anti-malware software on your computer, mobile device, and router.
- Keep all software on your computer updated.
- Install updates on your mobile device as soon as they become available.
- Always work through a VPN when you don’t have access to a secure wifi connection.
A lot of these steps for securing a WordPress site revolve around the prevention of security breaches by ensuring your site has the latest WordPress security patches and updates. But what about detection and auditing? It’s just as important to have your eye on what’s going on.
Your WordPress security plugin will help with this by monitoring for malware, reviewing file logs, watching for banned IP addresses, and so on. However, you should also have a way to scan and clean your database (WP-Optimize is best for this) if any unwarranted file detections occur.
It’s also important to have a way to monitor for uptime. A website that’s gone down doesn’t always signal a security threat. It could just be that the server was overloaded by traffic or by a conflict between plugins or something of that nature. However, to have a system whereby you are notified the second the website goes down is crucial for handling WordPress security issues when they do occur.
Finally, the backup-and-restore plugin is an essential piece of any WordPress security plan. Before you execute any major change, a backup should be made. Before you allow software to update, a backup should be made. Heck, requiring your plugin to store a backup off-site every day (or week) is just a good idea, in general.
If someone does mean your site harm and has been able to carry through on their actions, a backup plugin can save your hide. With it, you can quickly bring a site online even if it’s been defaced, hijacked, or harmed in some other seemingly irreparable fashion.
How to Handle WordPress Security Patches
One last thing we need to talk about today is WordPress security patches. Here’s why:
Proactive security is a must in WordPress. There are just too many threats targeting too many areas of a WordPress site to leave it to chance.
That said, WordPress security issues are a different story.
According to the WordPress Handbook, a security issue doesn’t have anything to do with a hacked site:
Specifically, it is a report of a bug that you have found in the WordPress core code, and that you have determined can be used to gain some level of access to a site running WordPress that you should not have.
There are a number of WordPress watchdogs that look out for these sorts of issues so you don’t have to. That said, it doesn’t mean they’re going to catch every single one of them or do so in a timely fashion. Assuming a hacker hasn’t discovered them either, it’s important to keep a watchful eye over anything odd you may spot in your own website’s code.
While developers will eventually issue their own WordPress security patches through the updates you receive in the dashboard, you should formulate your own process for handling WordPress security patches:
Step 1: Scan Your WordPress Site Often
There are a number of free security scanner tools that will sweep your site and detect potential or real vulnerabilities.
The WPScans Vulnerability report will tell you, first, whether or not your website is safe. To get a full report, you will have to create an account. You can then scan your WordPress site as frequently as you’d like from your dashboard. To use this for all your client sites, you can upgrade to premium.
Once you get your report, it will tell you if you’re running on outdated software, if any of your plugins or themes have known issues, and will also comb through your files and tell you if there’s any information leakage present.
Sucuri is another one with a free online security scanner. Run your client’s website through it to see how at-risk it is for a security breach.
Specifically, it will look for:
- Detected malware
- Detected blacklist status
- Issues with your security protocols and monitoring
If you’d rather manage this scanner through WordPress, there is a Sucuri scanner plugin counterpart you can use instead.
Step 2: Notify the Developer That WordPress Security Patches Are Needed🔒 If you have identified a WordPress security issue, or have evidence of an actual attack through a detected vulnerability, you must report it. #WordPress Click To TweetThe developers behind it need to amend the code and issue WordPress security patches through updates. The sooner you can tip them off to it, the more people they can save from a potential attack. In fact, if you detect it early enough, you can help the developer issue WordPress security patches before hackers even become aware of it.
If the bug exists in the WordPress core of a theme, create a ticket through the WordPress support forum.
If the bug exists in a plugin, do not post it to any public forums. WordPress asks that you email the plugin support team directly at firstname.lastname@example.org so they can keep their work on any necessary WordPress security patches under wraps.
Step 3: Watch for the Security Update in WordPress
Depending on the size and complexity of the bug, the developers should have whatever required WordPress security patches ready to go in a relatively short time. Be sure to watch for the update in your client’s WordPress installation and take care to implement it as soon as you can.
Step 4: Reset All Passwords
Even if the detected issue didn’t lead to a breach (yet), and you’ve received WordPress security patches, it’s still a good idea to follow the rest of this protocol. You can never be too safe!
To force users to reset their passwords upon logging in again, use the Expire Passwords plugin to do so. Simply change the “Require password reset every __ days” field to “0”. (Don’t forget to change it back to the normal expiration period once you’ve forced everyone to make the update today.)
Step 5: Update Security Keys and Salts
To provide extra protection at the login and revoke unwarranted access, you must update your security keys and salts as well. With the iThemes Security plugin, this is easy to do.
In the WordPress Salts module, click the checkbox and save your settings. This will force a new set of security keys to generate.
Step 6: Update SFTP Password
If you or anyone else on your team uses SFTP to upload files, you’ll need to change this password as well. You can do that through the control panel.
Step 7: Review Your Security Checklist
For the most part, WordPress security patches are out of your hands as it’s the developers that have to fix the vulnerability in the software. However, by updating your passwords and secret keys, you can do your part to kick out anyone who may have exploited the vulnerability without you knowing it.
Once you’ve handled that and the update has been issued and installed, re-review your WordPress security checklist once more. If you missed anything in the first go-around, now is the time to put it into place. That way, if you or someone else should detect a WordPress security issue or a full-blown threat in the future, you can rest a bit easier knowing that your clients’ websites are fully fortified with WordPress security patches soon.
And, as always, if you want help in this matter (as I do realize how much work is involved in preventing, detecting, and taking action against security threats), don’t forget about WP Buffs white-label outsourced support. Through this partnership, you can still provide clients with all the security measures they need, but without you having to do much to manage or maintain it. And if you want to read more security tips, you can get them over at WPblog.
Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.