WordPress security plugins have been in the hot seat for quite a while now. The critical WordPress security update released last November is not helping them stay away from it. WordPress users and administrators are more concerned than ever about the security of their WordPress, hence they are on a constant lookout for that perfect WordPress security plugin that they can install for free and forget all about.
Have a look at several WordPress groups on different social media channels and you can’t help but notice that WordPress users are frequently asking which WordPress security plugin they should install and use on their WordPress installation. At the same time security researchers are constantly questioning the capabilities and effectiveness of WordPress security plugins. You can find some well documented tests which highlight where these security plugins work and where they fail to protect your WordPress website from malicious attacks.
In this article I will not explain which WordPress security plugin works or not, or if all of them are doing a good job. In this article I will explain why WordPress security plugins alone are not enough to ensure the security of all your WordPress blogs and websites, and what you can do to ensure you cover all aspects of the security of your site on a very generic level.
Understanding WordPress Security Plugins
First of all, several other security researchers and I have been saying this over and over again: there is no do-it-all WordPress security plugin, application or service that can address all your WordPress security requirements. As explained in Understanding the WordPress Security Plugins Ecosystem, there are several different WordPress security plugins with different scopes and roles, so you must install more than one plugin to address the different WordPress security needs. Still, even when you install multiple plugins you are not addressing all your WordPress security requirements, as I will explain in this article.
WordPress Security Plugins Have Vulnerabilities
WordPress security plugins are like all other plugins and WordPress components: they are written in PHP and hence can be vulnerable to specific attacks and vulnerabilities. For example, if you look at the WordPress vulnerability database statistics you will notice that so far nine vulnerabilities have been reported for Wordfence and another six for Better WP Security (now renamed to iThemes Security), which are two of the most popular WordPress security plugins. The below pie chart shows that so far there were more WordPress plugin vulnerabilities discovered than themes or WordPress core vulnerabilities.
Does this mean that these plugins are insecure? No, they are not, especially when the developer fixes all the vulnerabilities in a timely manner and frequently releases updates. But there is no guarantee that in the future researchers won’t find more vulnerabilities in these plugins, and in all other WordPress security plugins for that matter. What it does mean is that WordPress security plugins, like all other plugins, WordPress themes and WordPress itself, are not bulletproof; they can also be vulnerable to specific attacks and vulnerabilities.
WordPress Security Issues Plugins Do Not Protect You Against
The security of your WordPress blogs and websites should not solely rely on WordPress security plugins, but on much more. As we have just seen these plugins can have security issues and if you rely solely on them one day you might get caught up with your back against the wall. But apart from vulnerabilities in plugins there are several other issues that can jeopardize the security of your WordPress blogs and websites, and such issues can only be addressed by other WordPress plugins, automated security services, WordPress security professionals and yourself.
Are Your Custom WordPress Themes, Plugins and Customizations Secure?
Do you have a custom WordPress theme, plugins or other code snippets? Do you have some sort of integration between WordPress and an in-house web application or web service? If yes, do you know if any of these web components are vulnerable to malicious hacker attacks, or if they are vulnerable to a specific vulnerability? If they are vulnerable and an attacker exploits them, the chances of your WordPress security plugin blocking such attacks are extremely low because most of them protect your WordPress from known WordPress attacks.
On the other hand, WordPress security professionals can audit the code of these web components and customizations to identify any security flaws and vulnerabilities they might contain. They can also work together with your developers and contractors to help them address any potential security flaws, thus ensuring all your customizations are built securely. Apart from security source code audits, WordPress security experts can also do generic WordPress security audits to ensure that your WordPress installation is hardened and that every component you are using is secure and reliable.
Frequent WordPress Security Audits
Websites are hardly static; they evolve to meet business requirements that are always changing. Hence it is typical that from time to time new plugins are installed, existing settings of plugins and themes are modified and even new code customizations are applied. Each change you apply could also mean a new attack surface on your site that an attacker can take advantage of. Hence frequent professional WordPress security audits are also a must, even if you have installed WordPress security plugins. How often should you do such security audits? It all depends on how many changes you are applying on your website, but two security audits a year definitely won’t harm your business and pocket.
Non Specific WordPress Hack Attacks
Most WordPress security plugins will help you harden the security of your WordPress websites and blogs and will protect you from a good number of known WordPress attacks, but they won’t protect you in case of a non-specific WordPress hack attack. One example is an attacker guessing the password of a WordPress user, which by the way is an extremely common attack. Some of the popular WordPress security plugins might block a brute force attack, but sometimes it is too late, especially if users are not using strong passwords for their WordPress users.
If an attacker guesses a WordPress user’s password he can easily inject malware on the website by modifying some content the user has access to. Should the hijacked WordPress user have the administrator role, or should the attacker be able to exploit a privilege escalation vulnerability, things can get even more complicated and the scale of the damage can be much higher. For example the attacker can inject malware in widgets or in theme and plugin files by using WordPress’ built-in file editor. Typically in such WordPress hacks the attacker creates a new WordPress user to operate unnoticed.
Identify WordPress Attacks Before They Happen and When They Happen
Your WordPress security strategy should not just aim to keep attackers out of WordPress, but also help you identify an attack as early as possible and give you enough time to contain it. Right now you are most probably wondering why you should plan for the moment your WordPress is hacked. After all, you have the best WordPress security plugins installed and have worked with a WordPress security professional to secure every possible WordPress attack entry point. The truth is that there is no fail-proof system, service or software, especially when it comes to this type of non-specific WordPress attack.
Keep an Audit Log of All Activity on WordPress
Malicious hackers are coming up with new attack vectors every day, hence you should prepare for the unexpected. The best way to do so is to take every possible step that would allow you to be notified as soon as possible of any type of suspicious behaviour on your WordPress blogs and websites. There are several WordPress monitoring and auditing plugins that allow you to be notified of such suspicious behaviour. These plugins are a different breed of WordPress security plugins, and since they haven’t been around for too long they are not so popular yet with the WordPress community and WordPress security enthusiasts.
A WordPress monitoring and auditing plugin should always have a place in your WordPress security strategy because it can help you identify attacks before they happen or thwart malicious WordPress hack attacks early once they happen, thus avoiding more damage. These plugins do not do any WordPress hardening, or actively protect your WordPress website from known hack attacks, but they keep track of everything that is happening on your site. The security audit log such plugins generate and keep allows you to keep an eye on all of the under the hood activity that is happening on your WordPress. This means that you can identify any suspicious behaviour and act before an actual WordPress hack takes place. The below screenshot of the Audit Log from WP Security Audit Log plugin shows how the plugin keeps track of every change a WordPress user is making on a website or blog.
For example as we have seen above in a typical WordPress hack attack, malicious hackers can hijack an existing WordPress user or create a new “hidden” WordPress user and operate with it. If on your WordPress you have ten or more users it is difficult to notice such activity. If you have a WordPress monitoring plugin you can identify such behaviour while it happens, hence allowing you to take action at an early stage and contain the attack before damage is done to your WordPress website.
WP Security Audit Log, one of the most popular WordPress security monitoring plugins, also has WordPress security email alert notifications, which come in quite handy because in reality you cannot manually monitor the audit log all day long. With the WordPress security email alerts you can configure rules to monitor a specific activity, and when such activity takes place you are instantly alerted via email. For example, you can configure rules to monitor WordPress users that might log in during odd hours or log in from an unusual IP address and location. You can configure rules to receive an email when a plugin or theme is installed, activated, updated or a file is modified. It is up to you what type of WordPress activity you want to monitor, but the possibilities are endless.
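The kind of rules described above (logins at odd hours, logins from an unusual IP address, new users, plugin, theme and file changes) can be expressed as a small detection routine over audit log events. This is an added example and not code from WP Security Audit Log; the event field names, the per-user IP baseline and the working hours are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample events. Field names are assumptions for this example,
# not the export format of WP Security Audit Log or any other plugin.
EVENTS = [
    {"ts": "2024-03-02T10:14:00", "user": "alice", "ip": "198.51.100.7",
     "action": "login"},
    {"ts": "2024-03-02T10:20:00", "user": "alice", "ip": "198.51.100.7",
     "action": "post_modified", "target": "post 42"},
    {"ts": "2024-03-03T03:12:00", "user": "alice", "ip": "203.0.113.45",
     "action": "login"},
    {"ts": "2024-03-03T03:15:00", "user": "alice", "ip": "203.0.113.45",
     "action": "user_created", "target": "support2"},
    {"ts": "2024-03-03T03:19:00", "user": "support2", "ip": "203.0.113.45",
     "action": "file_modified", "target": "themes/example/footer.php"},
]

KNOWN_IPS = {"alice": {"198.51.100.7"}}  # assumed baseline of usual login IPs
WORK_HOURS = range(7, 20)                # assumed normal login hours, 07:00-19:59
CODE_CHANGES = {"plugin_installed", "plugin_activated",
                "theme_installed", "file_modified"}


def evaluate(events, known_ips=KNOWN_IPS, work_hours=WORK_HOURS):
    """Return (timestamp, rule, detail) tuples for events matching an alert rule."""
    alerts = []
    for ev in events:
        when = datetime.fromisoformat(ev["ts"])
        user, ip, action = ev["user"], ev["ip"], ev["action"]
        if action == "login":
            # A single login can trip both rules; report each separately.
            if when.hour not in work_hours:
                alerts.append((ev["ts"], "odd_hours_login", f"{user} at {when:%H:%M}"))
            if ip not in known_ips.get(user, set()):
                alerts.append((ev["ts"], "unusual_ip_login", f"{user} from {ip}"))
        elif action == "user_created":
            alerts.append((ev["ts"], "user_created", f"{ev['target']} created by {user}"))
        elif action in CODE_CHANGES:
            alerts.append((ev["ts"], "code_change", f"{action}: {ev['target']} by {user}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in evaluate(EVENTS):
        print(ts, rule, detail)
```

On the sample data the ordinary daytime session produces no alerts, while the 03:12 login, the new account and the theme file edit each raise one, which is the sequence an administrator would want to see in an inbox within minutes.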
Web Server and Network Servers Issues
If you use shared or managed WordPress hosting most probably web servers and network servers haven’t even crossed your mind. They could also be another point of entry for malicious hackers. WordPress is not a standalone application, it needs a web server to run on and uses MySQL server as a database backend, all of which need to run on an operating system. Apart from the web server and MySQL server typically a server also has some other network services running, such as an SMTP server to receive and send emails, maybe an IMAP / POP3 server for accessing the emails and an FTP server that allows you to connect to the server and access your WordPress files.
All of these services and the operating system itself are normal software and can also have their own vulnerabilities. They could also be configured insecurely, thus allowing an attacker to take advantage of them to penetrate into the server and your WordPress websites. A WordPress security plugin does not protect you against any of these types of attacks.
Keeping WordPress Secure
Take a look at the WP Security Bloggers feed. Have you noticed that the number of reported WordPress plugin and theme vulnerabilities is on the increase? This clearly shows us that we cannot simply rely on a WordPress security plugin. We need to break away from the traditional WordPress security measures and take a more proactive approach. Gone are the days when you could install one security plugin and forget about it, if there ever were such days. After all, the functionality of WordPress is increasing and so is its attack surface. To start off you need several WordPress security plugins to:
- Harden your WordPress
- Monitor activity on your site
- Alert you of any suspicious behaviour
- Protect from known attacks (a firewall is ideal)
- Scan your WordPress for known vulnerabilities and infections
Apart from WordPress security plugins there are many other security measures you should look into, such as ensuring that the WordPress core, all plugins and themes are up to date. It is also important to limit access to those who need it only, ensure all users are using strong passwords and audit any custom code you are using on your WordPress. And of course the list goes on but that is out of the scope of this article.
Single Scope VS Do It All WordPress Security Plugins
When comparing WordPress security plugins you will notice that some of them have a specific scope and function and some others have a bit of everything. Hence which type of plugin should you go for? It all depends on what you are looking for and what your requirements are. Typically, although not always, single scope plugins are better at what they do than the generic WordPress security plugins.
I will use a practical example to explain this. Nowadays all smartphones have cameras. Irrespective of how good your smartphone camera is, it can never be as good as a specialized SLR high-end camera. It is the same with plugins. There are some which are all-rounders and can scan your WordPress, harden it, protect it from attacks via a firewall and more, but when a specific functionality is compared to that of a single role plugin, the probability is that the single role plugin does its job much better. The reason behind it is that the plugin is specialized for a specific function. You might be thinking that having multiple plugins will slow down your WordPress. In this case the plugins won’t impact the site’s performance because rather than doing three tasks with a single plugin you are doing each task with a separate plugin, hence you are consuming the same amount of resources, provided all the plugins are developed properly.
Depending solely on WordPress security plugins for the security of your WordPress is wrong. There are many other things and factors that you should look into. Something I did not mention in this article is online services. They also have a good place in a WordPress security strategy since they can keep an eye on your WordPress. But the most important point of all, one that all of us should keep in mind, is that the human factor can never be completely eliminated from your WordPress security strategy, and it is virtually impossible to automate everything when it comes to WordPress and web application security.