Is WordPress Secure?

[GordonJ]

Hey guys,

I have around 8 blogs and two of them were inserted strange files .xml into root folder with thousands of links, and Google crawled and indexed these links. I doubted the vulnerability from paid themes that I bought from themeforest or Wordpress is not secure. I only use 4 plugins on each sites and I don't think the problem came from plugins.

Here's the list of plugins I am using
Contact Form 7
Contact Form 7 Datepicker
Really Simple CAPTCHA
WordPress SEO

The rest of sites is not using the theme I am using for 2 these sites.

My question is, WordPress is Secure or sites were hacked often by plugins or themes?

 

[Ron Killian]

OF course nothing is 100% secure. Some of the biggest sites get hacked.

Bad thing, Wordpress is so popular these days, it's like windows, since it's so popular it's often a good target to figure out how to hack.

There are so many ways they can get in. Hard to say without some one checking everything for you.

Wordfence is one thing that can help.

But I am no security expert. I am sure some one else with chime in with better info.

 

[Rob Whisonant]

Wordpress is always updating the core code when it finds vulnerabilities. The problem is you usually get hacked before you update the core code. Also plug-in can be extremely insecure. You have to remember that many of these plug-ins are written by hobby programmers that don't have a clue how to write secure code.

Keep on top of updates the best you can. And ALWAYS backup your site and keep several weeks of updates.

 

[Ron Killian]

One other thing too, Wordfence usually tells you if there are odd files uploaded. It's caught some for me. Plus it has a scanner, firewall, ect.

 

[virtubox]

WordPress is not the more secured CMS, but when a site is "hacked", the cause is most of the time a server bad configuration or an incorrect security practice.
To make WordPress secure, no need to install a plugin. For example, don't think you are protected with the WordFence "firewall" because it's a php based firewall and it could not make anything else than displaying a blank page for a blocked IP. Against DDoS, it will not change anything.

The best way to make wordpress secure is to follow some good practices :

- Use Smart Usernames and Passwords : admin & azerty123 are not a good choice. MyWebsite_Admin & BVHv!zebn247eqdbhbh are already better
- Keep WordPress and Plugins Up to Date : Almost all WordPress plugins have security issues. So if that doesn't make your website "unsecured" because that require a lot of work to attack your website, keep them update because there are sometime huge security issues. And when you want to install a new plugin, check the last update date, if it's 3 years old, try to find another one.
- Check File Permissions : All your folder should use 0755 permission and all the files 0644.
- Secure wp-config.php : permission should be :600 - and .htaccess settings, should be like :

<files wp-config.php>
order allow,deny
deny from all
</files>

- Change database table prefix : instead of using wp_ use another prefix to prevent SQL injection

 

[The Ebook Giant]

Well you're never fully secure with whatever platform you're using but you can take certain security measures that will harden your WP installation.

- https://codex.wordpress.org/Hardening_WordPress
- Install WordFence or a similar plugin that will help protect from Bruteforce Attacks, and other malicious attempts.
- Use 2-Factor Auth to help prevent your Administrator accounts from being hacked.
- Keep your WP installation (plugins, themes etc) always up to date.

 

[Localnode]

The short answer is yes, but if you dont use the latest version of WordPress you will always be vulnerable. While I do say vulnerable, nothing is infallible. Hacks are the result of poor security practices the majority of the time.
From a WSJ.com article headline - “What’s a company’s biggest security risk? You.”

 

[vishwa]

Nothing is secure in this World. WordPress indeed a great CMS. But sometimes it is also vulnerable to hacking. So, You have to use a security plugins like Wordfence to strengthen your WordPress Security. Security threats does not relate to paid themes or WordPress core files. It depends on how you take precautions to make your WordPress site more secure.

 

[virtubox]

So, You have to use a security plugins like Wordfence to strengthen your WordPress Security.

Please, keep in mind a wordpress website could not be secure with a simple php plugin. And WordFence is a company, there are selling a premium version of their plugins and that's why you can read in their TOS:

Our research team verifies the vulnerability.
We develop a firewall rule to protect our customers. This rule is obfuscated to prevent reverse engineering.

Wordfence community (free) customers receive the firewall rule 30 days after the initial release to Premium customers.

For more info, you can read about it.

 

[Ron Killian]

I am no security expert, not even close.

But I believe plug-ins like Wordfence are just helpers. They can not stop or see everything. It sure is not something to hinge all your security on.

Think too many people rely too much one it. Or plug-ins like it.

 

[vishwa]

Please, keep in mind a wordpress website could not be secure with a simple php plugin. And WordFence is a company, there are selling a premium version of their plugins and that's why you can read in their TOS:

I didn't say in post that WordPress can be secure by using a single plugin. I request you to read my post thoroughly before commenting.

For more info, you can read about it.

I am completely aware of WordFence Plugin. I am using it from past 3 years.

 

[virtubox]

I am no security expert, not even close.

But I believe plug-ins like Wordfence are just helpers. They can not stop or see everything. It sure is not something to hinge all your security on.

Think too many people rely too much one it. Or plug-ins like it.

No, that's sure they can't and that's not the main problem for me. Because they are not trying to do the best to secure your website, they are asking $99/year to have the premium, and if you don't buy they will wait during 30 days before applying the firewall rules.

And when WordFence have a security issue reported, it seems they are not really working hard to fix it :
[URLnofo]https://www.cvedetails.com/cve/CVE-2014-4664/[/URLnofo]

I didn't say in post that WordPress can be secure by using a single plugin. I request you to read my post thoroughly before commenting.
I am completely aware of WordFence Plugin. I am using it from past 3 years.

I never said the opposite, but against hacking WordFence will not be able to do anything. The only recommendation is to read and to follow all the rules
From the [URLnf="https://codex.wordpress.org/Hardening_WordPress"]WordPress security guide[/URLnf] and it should already make your wordpress secure.
Because a security plugins have to be free or premium but providing a "fake" security service is not correct

 

[Ron Killian]

I never saw the need to pay for the upgrade. Unless I missed something. Only thing I noticed was the blocking of countries, which I don't want to do anyways. Though I did not know about the firewall being inactive for 30 days.

Course you can't blame them for wanting to make some cash, they do/did put some work into it.

 

[SenseiSteve]

I have WordFence on all of my WordPress sites, and knock on wood, I haven't had any issues since I started using them. Of course, I take other security precautions as well.

 

[GordonJ]

Wordpress is always updating the core code when it finds vulnerabilities. The problem is you usually get hacked before you update the core code. Also plug-in can be extremely insecure. You have to remember that many of these plug-ins are written by hobby programmers that don't have a clue how to write secure code.

Keep on top of updates the best you can. And ALWAYS backup your site and keep several weeks of updates.

I think so but I am searching for ways to find out how it is hacked and where it came from.

One other thing too, Wordfence usually tells you if there are odd files uploaded. It's caught some for me. Plus it has a scanner, firewall, ect.

I have WordFence on all of my WordPress sites, and knock on wood, I haven't had any issues since I started using them. Of course, I take other security precautions as well.

I have to try WordFence to see how it works, really curious about this plugin

- Use Smart Usernames and Passwords : admin & azerty123 are not a good choice. MyWebsite_Admin & BVHv!zebn247eqdbhbh are already better

Why should I change admin name to MyWebsite_Admin and a strong password.

- Change database table prefix : instead of using wp_ use another prefix to prevent SQL injection

I used to use default prefix from Wordpress, why changing prefix then it can protect Wordpress from SQL injection?

 

[Ron Killian]

Ron Killian

Because "admin" is the default username for wordpress and what most every hacker will try first. And obviously a stronger password means it will be harder for hackers to figure it out.

Again, on the database, the default is wp_, since hackers know this, it's the first thing they will try.

Not that it will stop them, but it will slow them down.

 

[Rob Whisonant]

Rob Whisonant

Here is an example of how a wordpress site gets hacked. I'm not giving specific details for security reasons.

1. Hacker finds you are running a plug-in that does not protect queries from SQL injection.
2. Hacker injects a union query and retrieves the admin email address. Does not matter what the admin username is.
3. Now that he has the admin email address he can initiate a forgot password routine.
4. He can then inject another union query and retrieve the reset activation key that was emailed. He does not need access to the email account to do this.
5. Use the key to change the admin password.
6. BOOM! he is in and has total control over your wordpress site.
7. He now changes the admin email address so you can't easily reset the password.

A lot more way that wordpress is hacked but the above method is one of the common ones.

 

[virtubox]

I think so but I am searching for ways to find out how it is hacked and where it came from.

80% bruteforce, by testing each login/password. That's why using admin as username isn't good.

I have to try WordFence to see how it works, really curious about this plugin

Even to test if your password is secured you have to pay, so don't loose your time with that.

Why should I change admin name to MyWebsite_Admin and a strong password.

Because making login attempt until find you username/password will take longer with MyWebsite_Admin & BGbhezb41qzenkmjl then trying admin & passwor

I used to use default prefix from Wordpress, why changing prefix then it can protect Wordpress from SQL injection?

Because SQL injection is an attack where you try to inject your data to replace the existant in a database. But that require to know where you want to inject them.
So if you don't change the prefix, I already know you administrator user is in the table wp_users and with the id 1.

 

[mellisas]

Hey guys,

I have around 8 blogs and two of them were inserted strange files .xml into root folder with thousands of links, and Google crawled and indexed these links. I doubted the vulnerability from paid themes that I bought from themeforest or Wordpress is not secure. I only use 4 plugins on each sites and I don't think the problem came from plugins.

Here's the list of plugins I am using
Contact Form 7
Contact Form 7 Datepicker
Really Simple CAPTCHA
WordPress SEO

The rest of sites is not using the theme I am using for 2 these sites.

My question is, WordPress is Secure or sites were hacked often by plugins or themes?

Wordpress is secure , if you are updating wordpres, themes and plugins to latest secure version and don't assign insecure permission and ownership to wordpress files/directories. If you are server owner then make sure that you are using latest mod security rules on your server to stop hack attempts.