
WordPress Insecurities

Once again, I find myself up against a client’s preconceived opinion that “WordPress is [inherently] insecure.”

It’s a common refrain, and one that I’ve heard over, and over, and over again since I began specializing in WordPress. But let’s set the record straight.

What Is It You’re Really Afraid of?

Is it WordPress you’re concerned about, or open source software (OSS) in general? Despite powering software for most of the planet, OSS still has a reputation of being developed by “amateurs,” and being unstable because it lacks the backing of Big Corporations.

While I won’t argue that OSS has its fair share of abandoned projects, it’s simply wrong that all OSS is written by hackers in their basements at 2 o’clock in the morning. Most major for-profit technology companies—the likes of Microsoft, Apple, Amazon, and Google—are large backers of OSS, contributing time, money, and resources to its development. They know that their own businesses rely on OSS.

The Myth of “Closed Source Is More Secure”

The only correlation between closed-source software and security is that fewer white-hats (people with good intentions examining software for possible security vulnerabilities) are able to pore over closed-sourced code than open-sourced. (You still have plenty of black-hats examining both, looking for opportunities to exploit vulnerabilities for their own personal gain.)

OSS has the eyes of the world scrutinizing code every single day. Closed-source software only has the company’s own team of developers, who’ve seen the same code day after day after day (and hence have become jaded and/or blind to its faults). And what if The Security Person is on vacation the day a major exploit is revealed?

When Was the Last Time WordPress Security Hacks Made the Evening News?

Think about the security breaches that make the headlines. I think I can recall a WordPress one back in the 2.* days (WordPress is currently at version 5.2.3). But I can pretty much guarantee that the Capital One, Starwood, and Equifax data breaches did not involve WordPress.

To say that WordPress is inherently insecure is to say that the Internet itself is inherently insecure. I’m not saying that that statement is wrong, but the only conceivable solution to that issue is to stop using the Internet altogether. Does that seem very practical?

Anything Can Be Insecure; Anything Can Be Made Secure

If you throw software out onto the Internet, be that in the form of a website running WordPress or any other platform, and fail to maintain it, then yes, it will, over time, cease to be secure. New vulnerabilities are discovered on a daily basis, not necessarily in WordPress, but in everything that touches the Internet.

The key is to make sure your web properties are properly maintained, with security patches and other updates made when they become available.

Most WordPress Compromises Have Nothing To Do With Software

By far the most common way of breaking into a WordPress site is not through the software itself, but by something called a “brute force attack,” whereby automated attack bots literally try to force their way into a privileged account on the site by guessing usernames and passwords. If you use weak passwords, or (worse yet) reuse the same password across different Internet services, you’re increasing your risk of compromise. Often, data breaches on one service serve as jumping-off points for attacks on different systems, because exploiters know that people often use the same usernames and passwords across accounts.

There are plenty of password security best practices you can follow to reduce your security exposure, including:

  • Use strong, nonsensical, and unique passwords along with a strong password management system such as 1Password or LastPass.
  • Don’t use “common” usernames for your accounts (like “admin”; never create a user account in WordPress called “admin”).
  • Make as few user accounts on your WordPress site as possible, and don’t give users any higher level of access than absolutely necessary.
  • Don’t transmit passwords over email.

Don’t Go It Alone

Chances are, WordPress is not your core business. But it is mine. If you don’t feel like you have the time/energy/resources/interest to maintain your WordPress site properly, get in touch, and we can discuss outsourcing that responsibility for peace of mind.

Why Individual Accounts Are Almost Always a Better Idea than Shared Logins

Often when working with clients I need access to legacy websites or services such as DNS providers and web hosting dashboards. Usually when this happens, I’m given the same credentials that circulate amongst the clients’ own staffs, using the same shared logins as they do. Now, I’m a trustworthy individual, but there are many reasons that have nothing to do with my trustworthiness that make this a bad idea.

The Problems with Shared Logins

Insecure password sharing practices and other security risks can plague your infrastructure when account credentials are shared amongst team members.

Default Usernames

While it’s no longer the case, WordPress historically would automatically create the initial account with the username “admin”. Even though WordPress now explicitly asks for the desired username, many organizations that intend to share logins will still use some variation of “admin” or “administrator” for the master account. Because this pattern is so common, brute force attacks routinely try “admin”, “administrator”, or a variant of the site’s own name when attempting to break in, which makes such a site a prime target.

Insecure Passwords

When multiple people are using a common account, by necessity the common password needs to be shared too. This can lead to insecure practices such as sharing via Post-It Note, plain text email, distributed spreadsheets, or other easily compromised methods. Additionally, the passwords themselves are likely to be short and easily-memorizable, which goes against modern password best-practices.

Lack of Two-Factor Authentication

Two-factor authentication—the practice of using a secondary, one-time password from a cell phone, for example—is possible when sharing common account credentials, but it’s extremely cumbersome, and it is unlikely that an organization using shared logins would be taking that extra security step.

Bad Actors

Every time your account credentials are shared among a team, you’re increasing the possibility that one of the trusted members might do something harmful—intentionally or through an honest mistake. And if you need to change credentials quickly because of a bad team member (or a team member who inadvertently compromised the security of those credentials), you’ll have to change the account’s credentials and then distribute the new information to everyone else, often by the same insecure means. Not to mention the damage to the account in question that might need repairing.

Possible Solutions

There are a number of steps your organization can take in order to lessen the risks that come from shared logins.

Delegation of Roles

In systems that allow for multiple accounts to control the same information—content management systems, for example, and some of your more sophisticated managed web hosting providers—you can create individual accounts for every member of your team, complete with their own unique password, and delegate the required authority to them. This makes everyone in your organization responsible for their own online security and no one else’s, and also allows you to quickly shut out a compromised account without affecting the other members of your team.

Rule of Least Required Privilege

Not everyone on your WordPress site needs to be an administrator. Assign WordPress roles that match each team member’s role in your organization. Similarly, on your service provider’s site, only the account owner probably needs to be able to see all the billing information; the rest of the team can be assigned various levels of functional access without being able to see (and change!) things they shouldn’t.

Use a Password Manager

Insist that your team members use a password manager, or better yet, invest in an enterprise-level password manager for your organization. Not only do these systems store passwords in a more secure format than written paper or your computer’s sticky notes, they also let your team members generate long, nonsensical, and difficult-to-crack passwords that are unique for every service they have access to. Also, if you really must share account credentials among team members, a password manager is the most secure way to do it.

Sometimes, you just can’t avoid the shared login scenario. Not every service is up to speed on the need for individual accounts and role delegation. If you really must use shared logins, keep those account credentials as secure as possible and limit their distribution to as few people as possible. And petition your vendors to upgrade their own security practices.

What to Know About WannaCry

You’ve probably heard news reports about “WannaCry,” the near-global ransomware attack on computer systems that holds your data hostage until you pay the attacker $300 in bitcoins. And you’re probably wondering if you should be concerned about your digital life.

Everyone should be concerned about computer safety all the time. Bad actors from criminals to anarchists and even rogue governments are always out there, looking for new ways to exploit technology for financial or political gain. The latest reports have linked WannaCry to a shadowy operation run by North Korean agents.

How Did the WannaCry Attack Happen?

WannaCry uses an exploit in older versions of Microsoft Windows that was discovered by the National Security Agency but about which the NSA did nothing to notify Microsoft. When exploits are discovered by non-governmental organizations, it’s customary for the discoverers to notify the software developer and give them time to address the issue before it goes public. In those situations, a financial “reward” may or may not be offered.

However, it’s become clear that when governments discover serious exploits that could potentially make backdoors into encrypted computers available, they would rather hold onto that information than take any steps that could remediate the situation. But governments aren’t invulnerable to their own leaks and hacks, and this information ended up on WikiLeaks for all the world to see. The fact that the NSA knew about this vulnerability, did nothing to publicize or fix it, and it still found its way to the public only serves to validate Tim Cook’s opinion that “a backdoor for the good guys is a backdoor for the bad guys.”

Is My Website At Risk?

Potentially, but not likely. This particular exploit affects older versions of Microsoft Windows only. While there are still hundreds of thousands (if not millions) of such computer systems out there around the world (including the U.S.), they are not the typical configuration for webservers, which more likely run a variation of the Unix operating system. However, a Windows system does have the capacity to run a WordPress site, and PHP files are just one of the targets of WannaCry’s encryption scheme.

If My Website Isn’t At Risk, Then Why Should I Care?

This incident is one of the most high-profile reminders yet of why it’s important to keep your software—all of it—up-to-date. I’ve written here already about the importance of keeping your WordPress core and plugins up-to-date, but I implore you to not neglect your everyday computers—including your smart phone. Previous attacks have targeted software that powers websites, and the next major website attack is undoubtedly lurking out there, ready to strike at any time.

Should You Go HTTPS?


That was easy. But maybe I should elaborate a little…

Stories from the Real World

Two clients in as many months have come to me in a panic. Visitors to their sites were getting all kinds of scary warnings about malware infecting their computers transmitted from their sites. These warnings were actually bogus, meant to scare visitors coming to the sites into downloading something that was nefarious.

What was really going on? A “man-in-the-middle” attack, where malicious traffic was being “injected” into the connection between the visitor and the site, or, more probably, into an unencrypted connection between the visitor and a commonly-used third-party library such as Google Analytics. The solution in both cases was fairly simple: force the connections to Google Analytics and other third-party Internet libraries being used on the site to use the secure HTTPS protocol, instead of the insecure HTTP protocol.
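The fix described above, checked mechanically: as an added example (not code from this post or from any of the sites involved), a Python script that scans a page’s HTML for sub-resources fetched over plain HTTP, which is exactly the unencrypted connection a man-in-the-middle can inject into, and rewrites them to HTTPS. The sample HTML is constructed; the table of tags and attributes that trigger a fetch is an assumption that covers the common cases only.

```python
"""Find page sub-resources loaded over plain HTTP and rewrite them to HTTPS.
Added example; the HTML sample is constructed, not from a real site."""
from html.parser import HTMLParser

# Tag -> attribute whose value the browser fetches.  `link` is only a fetch
# for certain rel values (a canonical link, for instance, is never requested).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class InsecureResourceFinder(HTMLParser):
    """Collect (tag, url) pairs for every sub-resource whose URL starts with http://."""

    def __init__(self) -> None:
        super().__init__()
        self.insecure: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)            # html.parser lowercases tag and attribute names
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        url = attrs.get(attr) or ""
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))


def find_insecure_resources(html: str) -> list[tuple[str, str]]:
    parser = InsecureResourceFinder()
    parser.feed(html)
    return parser.insecure


def force_https(html: str) -> tuple[str, list[str]]:
    """Rewrite every http:// sub-resource to https:// and return the new URLs.
    Only do this for hosts you know serve HTTPS, or the resource will fail to load."""
    changed = []
    urls = dict.fromkeys(url for _tag, url in find_insecure_resources(html))
    for url in urls:
        secure = "https://" + url[len("http://"):]
        html = html.replace(url, secure)
        changed.append(secure)
    return html, changed


# Constructed sample page: a stylesheet, an analytics script and an image over
# plain HTTP, one library already on HTTPS, and a canonical link that is not fetched.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://fonts.example.net/roboto.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body>
<img src="http://images.example.net/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_insecure_resources(SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
    _fixed, rewritten = force_https(SAMPLE_HTML)
    print("rewritten:", rewritten)
```

Protocol-relative URLs (`//www.google-analytics.com/ga.js`) are not flagged because they inherit the page’s scheme, which is one more reason to serve the page itself over HTTPS. On a WordPress site the same rewriting belongs in the theme or plugin that enqueues the script, not in a post-processing step; the scanner is still useful for confirming nothing was missed.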

I’ve Said It Before…

I’ve written elsewhere in the past about how it’s a good idea for marketers from all corners to go HTTPS-only, and I’m going to beat that drum again here. In both of the above cases, my clients (whose problems affected their legacy sites) could have avoided trouble to begin with by ensuring that their sites were being served over HTTPS. How does that help?

HTTPS does a number of things, but the pertinent one here is that it ensures that the server you’re talking to is verified and not a bad player impersonating a legitimate server. This is why it’s so crucial for banks and other entities where valuable information is being transmitted to use HTTPS. But think of your website. Not only could a non-HTTPS server open itself to this kind of malicious activity, but it can leave your website vulnerable to other hacks.

In my Zen and the Art of Website Maintenance post concerning security a few weeks ago, I mentioned that hackers can monitor traffic that transmits plainly across the Internet, hunting for usernames and passwords. I’m going to reiterate my recommendation here: any system that requires a login, even your WordPress site, should be served over HTTPS in order to encrypt your login information.

Need More Reasons?

If protecting your website and its visitors isn’t motivation enough to go HTTPS, how about performance? HTTPS is a requirement to support the latest, fastest versions of the protocol that makes up the World Wide Web. Without it, your site’s performance will suffer, and so will your conversions.

Search rankings are another reason to go HTTPS, as Google uses sites served over a secure protocol as a factor in its website rankings. It’s only a small percentage of the formula, but why let possible Google juice go to waste?

You’ve Convinced Me, but Now What?

It used to be that going HTTPS was a costly, uber-technical process. While it still requires technical know-how to take advantage of the performance benefits HTTPS can provide, the monetary cost has dropped to zero. Let’s Encrypt, an initiative by the Internet Security Research Group, makes HTTPS free and readily available for everybody, large and small, profit and non-profit. There’s even a WordPress plugin to make the process as painless as possible.

Hopefully I’ve persuaded you that the time to go HTTPS is now, no matter what the nature of your website. Are you ready to make the switch, but need some guidance to get you there? We can help.

Zen and the Art of Website Maintenance, Part 2: Security

Last week, we looked at why a solid backup strategy is so important to the health and well-being of your website. Just like a good homeowner’s insurance policy will restore your belongings and help you rebuild your house in case of theft or fire, backups will allow you to get up and running again as quickly as possible in case something catastrophic happens to your website.

Aside from a good insurance policy, you likely have an alarm system and smoke detectors to prevent problems from becoming severe in the first place. The same holds true for your website. There are a multitude of threats out there, and while it’s impossible to go through and present an exhaustive, comprehensive list of potential security vulnerabilities, this article will show you some of the most common risks and how to mitigate them.

Is WordPress Insecure?

Let’s take on one myth up front: the conception that WordPress is inherently less secure than other website platforms out there. This is simply not true. While admittedly, WordPress has suffered some high-profile security vulnerabilities over its nearly fourteen year existence, so have many systems. It’s the nature of computing. Any popular platform, from Windows to WordPress, is going to attract its fair share of hackers, crackers, and ne’er-do-wells. But there are steps you can take to keep those rogue players from mucking up your little corner of the interwebs.

Brute Force Attacks

Probably the number one type of attack I deal with in managing WordPress sites (and this is true for all administration-based content management systems) is the brute force attack. This is an attack in which a hacker attempts to break into your system by trying a number of username and password combinations, attempting to gain access. Oftentimes these are not the efforts of a single individual, banging away at potential access credentials on his or her own, but rather a scripted attack that will automate the attempt from a number of other compromised systems around the globe. Here are some steps to take to prevent them from succeeding:

  • Always use a strong, gibberish password that you don’t use anywhere else. In recent releases, WordPress has helped with this by offering a strong password generator and displaying warnings against overly simplistic and commonly-guessed ones.
  • Never use the username “admin”. Once upon a time, “admin” was WordPress’ default suggestion for the first username that would go into the system. Hackers know this, and know that there are many, many systems out there that still use this username as their all-powerful administrator account, figuring that their chances of success have improved by 50%.
  • Use two-factor authentication. By requiring an extra step, often using an app installed on your smartphone, it becomes impossible to log into your website’s admin by username and password alone. Google Authenticator has become the de facto standard for 2FA on a number of online services, and there is a plugin for WordPress that uses it as well. (I’ll have more to say about 2FA and WordPress in an upcoming post.)
  • Always put your admin behind HTTPS. I’ll get deep into HTTPS and its benefits another day, but trust me when I say you should definitely do this. While not strictly a brute force attack strategy, any data that is sent over a non-HTTPS connection is easily readable by anybody who happens to be listening to that traffic. In other words, if you log into your WordPress site over a non-secure HTTP URL, those keys to your administration are going over publicly-accessible wires in plain text. Not good.

Attacks Through Compromised Code

Software is only as secure as its code. Vulnerabilities lurk in poorly-coded themes and plugins, and sometimes even in core itself. Most of the time, these problems aren’t intended to allow hackers in; quite the contrary. But when they’re discovered, word immediately spreads of the vulnerabilities that were found, and the bad guys get to work. Hence the term zero-day exploit.

This is where vigilance is especially important. There are a number of WordPress security services out there that send out newsletters when important vulnerabilities are discovered. Sucuri is one of my favorites, but some other popular ones include iThemes and WordFence. Subscribe to their blogs or follow them on Twitter to be kept up-to-date on the latest happenings in WordPress security. We’ll dive deeper into keeping your software updated in a later post in this series, but monitoring when your plugins and core need to be updated should be part of any comprehensive security monitoring program.

Install a Good Security Monitoring Plugin (or Two, or Three…)

I already talked about Sucuri, iThemes, and WordFence; all three of those services offer free plugins on the WordPress plugin repository that let you monitor the security of your site without requiring a monthly subscription fee. These plugins will offer recommendations on how to “harden” your website; that is, easy steps you can take to make your WordPress a less vulnerable target. They will also log login attempts, and notify you if they suspect a brute force attack is in the works. All three of those services also offer paid services that include firewalls and other advanced security features. Compare their plans and find the one that matches your needs with your price point, but keep in mind: A good security service is worth its price in terms of saving your website after a hack.

Screenshot of Sucuri Scanner administration: Sucuri Scanner comes with site hardening recommendations, activity notifications, and other features to help keep your WordPress site secure.

There are a number of other plugins you can install that will help you monitor what’s going on with your site when you’re not looking. Limit Login Attempts is an extremely popular plugin that will block login access to your website after three failed attempts from a particular URL in a short time frame. Such patterns of failed attempts are classic signs that your site is under a brute force attack. (The WordPress plugin repository warns that this plugin hasn’t been updated in over two years, but it’s okay to go ahead and install it anyway.)
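To make the lockout pattern concrete, here is an added example (not the plugin’s code, and not from this post) that implements a Limit-Login-Attempts-style guard in Python and replays it over constructed web-server access-log lines, so you can see both the lockout and the brute force signature the paragraphs above describe. It assumes WordPress’s default behaviour, where a failed POST to wp-login.php re-renders the form (HTTP 200) while a successful login redirects (HTTP 302); the three-failures-in-ten-minutes threshold and the 20-minute lockout are assumed values.

```python
"""Lockout logic of the kind Limit Login Attempts applies, replayed over
access-log lines.  Added example; log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


class LoginGuard:
    """Block a source after `max_attempts` failures within `window` seconds."""

    def __init__(self, max_attempts=3, window=600, lockout=1200):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> epoch second the block expires

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed login; return True if this one triggers a lockout."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.blocked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


def replay_access_log(lines, guard=None):
    """Feed wp-login.php POSTs into the guard; return {ip: time it was locked out}."""
    guard = guard if guard is not None else LoginGuard()
    blocks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if guard.is_blocked(ip, ts):
            continue                      # a real plugin answers 403 here
        if m["status"] == "200":          # assumed: form re-rendered, login failed
            if guard.record_failure(ip, ts):
                blocks[ip] = ts
        elif m["status"] == "302":        # assumed: redirect to wp-admin, login succeeded
            guard.record_success(ip)
    return blocks


# Constructed log: one address hammering the login form, one legitimate login,
# and an unrelated GET of the login page.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2019:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2019:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2019:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2019:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2019:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Oct/2019:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in replay_access_log(SAMPLE_LOG).items():
        print(f"{ip} locked out at {datetime.fromtimestamp(when):%Y-%m-%d %H:%M:%S}")
```

Replaying the sample locks out 203.0.113.9 on its third failure and leaves the legitimate 198.51.100.4 login untouched. Because a scripted attack spreads attempts across many compromised hosts, a per-address limit will not stop it outright; it does, however, make the pattern visible in your logs, which is why the notification side of these plugins matters as much as the blocking.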

Security in an Insecure World

Forewarned is forearmed, and the recommendations in this post are just the tip of the iceberg in securing your WordPress website. In my next post, we’ll look at the best way to manage core, plugin, and theme updates: a vital step in keeping your WordPress site secure and healthy.

Need Help?

Just like most people call in an expert to install their home security system, you don’t have to maintain your WordPress website all on your own. Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.