Is WordPress/PHP Inherently Insecure?

I wanted to take the time to address something I hear all the time: WordPress is inherently insecure. Rather than bury the lead, I’m going to come right out and say that, no, WordPress is no more insecure than any other large-scale CMS in usage right now. There is a second question: Is PHP inherently more insecure than other web programming languages? Again, the answer is no. While PHP at one point spent no time considering security, many of the critiques of PHP security are no longer accurate.

Another, more honest answer to this question is: Yes, WordPress and PHP are both vulnerable to hacking. As is everything online. Make no assumptions about security. It is always possible to write bad code that leaves open a vulnerability. Instead of assuming security, understand how you can limit your exposure. And with WordPress and PHP, this is very possible.

So, let’s review, and deconstruct some common complaints about WordPress and PHP security:

#1 WordPress sites cannot be secured

I installed WordPress in a very large environment. The very first thing I did after switching the website to WordPress was review the logs. It may surprise some people that almost immediately I noticed automated attacks against the website. Of these attempts, any guesses to the percentage that were done against WordPress core? Bonus points, if you guess how many were done against plugins and themes that I had installed on my website.

The answer? 0. These vulnerabilities are all well documented and against themes and plugins that are no longer on the WordPress theme and plugin marketplace, or have been updated to address the underlying issue. The folks who contribute to WordPress put a lot of effort into making it easy to report vulnerabilities. In fact, when a vulnerability is discovered in WordPress Core, most websites receive a security update automatically. WordPress is so good at this that they backport updates to versions as old as 3.7 (as of writing this, 4.7 is being developed, and 3.7 is 3 years old. This is a more generous security support policy than PHP).

That’s not to say you’re secure! There are a lot more ways to make a WordPress site insecure than to keep it secure. Because most vulnerabilities are against plugins and themes, make sure you keep your plugins and themes updated. For many, it might be easier to enable automatic updates for plugins. The downside is that if a plugin introduces a new bug, it could cause an issue with your website. WordFence is a security plugin that warns you when your plugins are out of date, and is my favored approach. That way, you can test your plugin updates first.

#2 But if WordPress can be secure, why are WordPress sites hacked so often?

That’s simple: Because a plurality of websites online run on WordPress. I’m not going to get into numbers, because there are a lot out there. Suffice it to say that it’s the most popular CMS out there. Because it’s so easy that a user can set it up, there are many WordPress installs that are poorly set up. There are also a lot of cut-rate web hosts that offer WordPress because it’s free and popular, but they make no steps to update vulnerabilities. That means there are a lot of very, very old WordPress installs with very, very outdated plugins. This percentage may be higher than, say Drupal, or Django, but I am not convinced. Rather, the sheer number of outdated installs are higher.

The argument that other CMS’s are more secure reminds me of the old concept that Apple computers can’t be hacked. This was disproven as soon as Mac became widely used enough for it to be economically beneficial to discover exploits and take advantage of them. Meanwhile, Windows has recently had far fewer vulnerabilities than Mac or Linux. That is partially because of a long-fought struggle to become more secure after some very insecure releases, but partially because most websites run on Linux, and a lot more users are on Mac these days, including yours truly. In any case, I digress. The point is that WordPress exploits are created so often because it’s the biggest target. It also means that there’s a lot of white hat security reviewers out there who are constantly trying to stay ahead of the black hats.

#3 PHP is Inherently Insecure

I want to start by saying I’m not claiming PHP is the best web language. I am only addressing the core question of whether PHP is fundamentally more insecure than other languages.

This next two paragraphs are going to get technical. If you don’t understand it, that’s OK. Just let your eyes glaze over or skip them.

There was a time that PHP was primarily a webforms language run off of CGI. Its claim to fame was that it ran with very little special configuration, and could do web scripting very easily. It was a security nightmare. What’s worse, it was so easy to program that idiot hackers, like myself at the time, could write the worst code imaginable. What’s worst, is that it was difficult to write good code, because there was no object oriented programming. When PHP finally offered object oriented programming and eliminated some of the worst global variable threats (that made it possible to view and manipulate server variables), it still wasn’t great. The syntax was often ugly, scoping was brutal, etc. Want a MySQL query to run? Well, you’re asking for a great deal of trouble. SQL injection attacks were a constant concern, because there were no prepared statements.

PHP5 addressed many of these and other issues (while still leaving some unworked right now). And what PHP5 started, PHP7 is continuing.

How can you be hacked with PHP? Quite easily. Poorly written code and old code can still leave huge vulnerabilities. Just because you can write good code doesn’t mean you have to. Still, it is becoming harder to write bad code. Which is a good thing.

So… What can I do?

Ultimately, what you can do depends on your specific situation. Security should never be an afterthought, so read on and implement what you can. This could save you from an embarrassing, expensive, or business-destroying hack.

If you are on a hosted server:

  • Make sure you’re not going cut-rate. These days, you can find good hosting that keep their infrastructure updated and provide backups, GoDaddy ($8/mo with SSD storage) and InterServer ($8/mo with unlimited bandwidth/visitors).
  • For a little more money, WPEngine ($29/mo) offers excellent service, daily backups, and more. You still need to update your own plugins, and if you want more regular backups, you can use a plugin like Updraft Plus.

If you are self-hosting:

  • Make sure you get on a regular update schedule. Linux has received some bad publicity recently for very serious vulnerabilities, such as Dirty COW and POODLE. If you are running an old version of linux that doesn’t receive updates, or if you aren’t regularly applying updates, then you are asking to be hacked, and no matter how secure your PHP code and WordPress install are, you are very vulnerable.
  • Do not set your permissions to 777, or grwxrwxrwx. This means anyone who gains access to your server – absolutely anyone – can go in and delete your website, or get your MySQL username and password, or replace all of your uploaded images with porn and your uploaded files with viruses. Yes, you should be scared.
    • Set your permissions to 771 at most for web folders, and 664 at most for web files. That allows a web site to run, without allowing a user to do whatever they want. Ideally, your wp-config.php file (or wherever you store your passwords) should not have read permissions. If your file is owned by the Apache webserver (ex. www-data) then that should not break anything. But, test this before making the change live on your server.
  • Ensure you have a program like “fail2ban” installed, and configure it to monitor both web and SSH settings.
  • Use an SSH key, and disable password access.
  • If you have a static IP address, block port 22 everywhere except from that IP address.
  • There’s a lot more you can do – this is just the bare minimum. If you’re not sure what any of this means, do not self-host. If you get most of it, keep studying, and never assume you’ve figured it all out.

For Everyone

  • I will reiterate that plugin and theme updates are very important.
  • Do not keep plugins installed and deactivated. People will still be able to access these plugin files, so if there’s a vulnerability then they will be able to exploit it as long as it is on your system.
  • Install WordFence and follow reminders to update your plugins or WordPress core. Do this regularly to avoid old code becoming a vulnerability. Additionally, WordFence comes with a great firewall that blocks suspicious IP address logins.
  • If you don’t have regular backups on your server or through your host, install Updraft Plus or another backup plugin. I like Updraft Plus because it’s easy to set up and backs up straight to your Dropbox.
  • Do not install plugins that are not widely used without understanding what they do.
  • Do not install plugins that are not on the WordPress marketplace unless you are confident in the company’s commitment to updating their code for security.
  • Do not install plugins that are not under active development. If something goes wrong, you are going to be on your own in figuring out a replacement.
  • DO prefer plugins that have a wide user base. These plugins have a higher likelihood of remaining supported.

I hope I’ve made a convincing case that it is very possible to write good code in PHP, and to keep your WordPress installation protected, while making clear the large caveat that there is a LOT of bad code out there, and that, no matter how secure you aim to be, you are not 100% safe from being hacked. Even if you try to do everything right, we are fallible, and so the best code with any level of complexity will inevitably have a bug in it.

If you always assume there’s an exploit in your website, but keep yourself updated and select your plugins and theme carefully, you are likely no less vulnerable on WordPress than on any other CMS.

Do you have any security plugins/packages you like? Let me know! I’m learning how to keep my server more secure, just like everyone else.

Leave a Reply