As the popularity of WordPress sites grows, so does the risk of data breaches and malicious spam affecting your site. From spam advertising to direct access to private client information, WordPress websites are constantly under attack. That being said, I still feel that WordPress is one of, if not the, most secure CMS available. The WordPress core is a solid framework, and the team of developers who contribute to WordPress updates take security very seriously. Security patches are released in real time as major threats become known. But WordPress security doesn’t end there. As website developers and site administrators, we all need to do our part to make WordPress security a critical part of our daily workflow.
If you are an active reader of tech blogs, or just follow general news headlines, you have probably heard of the Panama Papers. It is the largest data leak in journalistic history, reaching close to 2.6 terabytes of data and over 11 million documents. The leak has embroiled high-profile figures such as the Prime Minister of Iceland, Russian President Putin and British Prime Minister David Cameron in controversy. The law firm Mossack Fonseca is at the center of the controversy. Their website, which runs on WordPress, used an outdated version of the Revolution Slider plugin. This version of the plugin was vulnerable to attacks that could grant a hacker command line access to the web server. What escalated the hack so quickly was that Mossack Fonseca was running WordPress on the same network as their email server when the breach occurred, exposing over 4.8 emails to hackers. A plugin called SMTP was also used on the website to send email directly through WordPress. Once an attacker had access to the WordPress backend, they could read the wp-config.php file, which contains the database credentials, and then the WordPress database itself; there they could see the mail server address along with a username and password to sign in and begin sending email.
To protect your WordPress installation, it is very important that you update your plugins, themes and core when an update becomes available. You should also monitor updates for security fixes and give those the highest priority. You can find out whether a WordPress plugin update includes a security fix by reading the changes listed in its changelog. In this case the site owners did not update for quite some time. This inattention contributed to world leaders being toppled and the largest leak of documents to journalists in history.
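Reading changelogs by hand for dozens of plugins does not scale, so the check above is worth scripting. The following is an added example, not code from the original post or from any plugin project; it assumes the WordPress.org readme.txt layout, where the "== Changelog ==" section lists versions as "= 1.2.3 =" headings, and it uses a constructed readme for a hypothetical "Example Slider" plugin. It compares the installed version against every changelog entry and flags newer releases whose notes mention a security fix, which are the ones to schedule first.

```python
"""Flag newer plugin releases whose changelog notes mention a security fix.

Added example, not part of the original post. Assumes the WordPress.org
readme.txt convention: a "== Changelog ==" section with one "= x.y.z ="
heading per release. The sample readme below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Words that, in a release note, usually signal a security-relevant change.
SECURITY_KEYWORDS = ("security", "vulnerab", "xss", "csrf", "sql injection", "cve-")

# Matches release headings such as "= 4.6.0 =" (an optional leading "v" is tolerated).
VERSION_RE = re.compile(r"^=\s*v?([0-9][0-9.]*)\s*=\s*$", re.MULTILINE)

# Constructed sample readme for a hypothetical plugin (not a real plugin's text).
SAMPLE_README = """=== Example Slider ===
Contributors: example
Stable tag: 4.6.5

== Description ==
A constructed readme used for demonstration.

== Changelog ==

= 4.6.5 =
* Fixed a layout glitch in the admin preview.

= 4.6.0 =
* Security fix: resolved a vulnerability in the file handling code. Update immediately.

= 4.1.4 =
* Added new slide transitions.

= 4.1.3 =
* Minor bug fixes.

== Upgrade Notice ==
= 4.6.0 =
Security fix.
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.6.10' into (4, 6, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.strip(".").split("."))


def parse_changelog(readme: str) -> Dict[str, str]:
    """Return {version: notes} for the '== Changelog ==' section only."""
    start = readme.find("== Changelog ==")
    if start == -1:
        return {}
    body = readme[start + len("== Changelog =="):]
    # Stop at the next top-level "== Section ==" heading so that text from
    # e.g. "== Upgrade Notice ==" is not attributed to the last release.
    next_section = re.search(r"^==\s[^=].*==\s*$", body, re.MULTILINE)
    if next_section:
        body = body[:next_section.start()]
    parts = VERSION_RE.split(body)
    # re.split with one capture group yields [preamble, ver1, notes1, ver2, notes2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def outdated(readme: str, installed: str) -> bool:
    """True when the changelog lists any release newer than the installed one."""
    versions = [parse_version(v) for v in parse_changelog(readme)]
    return bool(versions) and max(versions) > parse_version(installed)


def security_updates_since(readme: str, installed: str) -> List[str]:
    """Releases newer than `installed` whose notes mention a security fix, oldest first."""
    installed_v = parse_version(installed)
    flagged = []
    for version, notes in parse_changelog(readme).items():
        is_newer = parse_version(version) > installed_v
        mentions_security = any(k in notes.lower() for k in SECURITY_KEYWORDS)
        if is_newer and mentions_security:
            flagged.append(version)
    return sorted(flagged, key=parse_version)


if __name__ == "__main__":
    installed = "4.1.3"
    print("outdated:", outdated(SAMPLE_README, installed))
    print("security releases missed:", security_updates_since(SAMPLE_README, installed))
```

Feed it the readme.txt of each installed plugin together with the version reported in the dashboard; any non-empty result from security_updates_since is a plugin to update before anything else. The keyword list is deliberately broad, so treat a hit as a prompt to read the entry, not as proof of severity.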
Of equal or greater importance is your hosting provider. While hosts offer security to a certain level, it’s important to understand where their responsibility ends and yours begins. Discuss security protocols, firewall protection and backup services with your hosting provider before making any decision on services.