How safe is WordPress?
Critical security holes are now being exploited by attackers within hours. That makes fast, automatic updates essential. As became known today, the WordPress content management system had a critical security vulnerability. That does not change the fact that WordPress is by far the most secure content management system available, even though some argue otherwise (as always).
The most recent WordPress vulnerability was avoidable
Security holes and bugs are always annoying. And yes, with the WordPress vulnerability just found, one can rightly argue that it falls into the rather embarrassing category and presumably could have been prevented by more defensive programming or by better review processes.
But so far, at least, there is practically no way to develop software that is free of bugs and security holes. Security vulnerabilities are regularly discovered in all major web applications, and they are often very critical ones. What matters most, therefore, is how quickly security updates reach users.
Incidentally, anyone who thinks their small website is not a target for attacks is wrong. Most attacks are not carried out to harm the site operator but to use the site as infrastructure for further attacks. Not infrequently, operators of small websites discover that their site has been used as a hosting platform for spam, malware and phishing, but often only after the web host has blocked the site.
Attacks within hours
It is worth looking back at a vulnerability in Drupal that became known in October 2014 under the name Drupalgeddon. It allowed arbitrary code to be uploaded and executed without any authorization. A week after the advisory, the Drupal developers issued another warning: attacks exploiting the vulnerability had begun a few hours after it became known. Anyone who had not updated their Drupal website within six hours was therefore at risk.
It can be assumed that the same applies to every serious security hole in a well-known content management system. In recent years there have been similarly critical vulnerabilities in Joomla. Typo3, too, has been spared critical vulnerabilities in recent times.
This reveals a very obvious dilemma: if such security holes are exploited within hours, these systems can only be operated responsibly if someone is ready to install the corresponding update at very short notice. But these free content management systems are often used by small companies, associations or private individuals, and are not infrequently marketed to exactly those users. Yet very few companies or clubs are likely to employ an administrator who has the information needed to update a website at a moment's notice.
Automatic updates ensure security
WordPress recognized this problem and introduced an automatic update function some years ago. Since version 3.7, the system updates itself automatically in the background when an update is available.
Some do not like this mechanism. The solution is not elegant: it is just a PHP script that overwrites its own files. And yes, the update process itself has already had security holes. However, given the way private web applications are usually operated, it is a good and pragmatic solution. It works amazingly well. Problems with the update process cannot be ruled out entirely, but they are rare.
Automatic updates mean that when a critical vulnerability is discovered in WordPress, most users are already protected by the time the first attack waves start. For holes in the WordPress core, there are really only two scenarios in which an attack can succeed. First, the attack succeeds if the vulnerability is already known to an attacker before an update is available, i.e. a classic zero-day. Such attacks are extremely rare. Second, users who have switched off automatic updates are extremely easy to attack. That is, to put it plainly, a stupid idea.
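The two scenarios above come down to one configuration decision on the site operator's side. The following wp-config.php excerpt is an added example, not code from the article or from WordPress itself; it shows the constants that switch the background updater off (the weak setting) next to the setting that keeps core security releases flowing. The constant names are WordPress's own; the log message is an assumption of this example.

```php
<?php
// wp-config.php excerpt (added example, not from the article).
//
// Weak configuration, shown only so it can be recognised. Any one of these
// lines prevents WordPress from installing core security releases on its own:
//
//   define( 'AUTOMATIC_UPDATER_DISABLED', true ); // turns the whole updater off
//   define( 'WP_AUTO_UPDATE_CORE', false );       // turns core updates off
//   define( 'DISALLOW_FILE_MODS', true );         // forbids all file changes, updater included
//
// Hardened configuration: let WordPress apply core updates in the background.
// 'minor' (the default since 3.7) installs security and maintenance releases
// only; true additionally installs major releases as soon as they appear.
define( 'WP_AUTO_UPDATE_CORE', true );

// Defensive check: if a hosting template or another include has turned the
// updater off, say so loudly in the PHP error log instead of failing silently.
if ( ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
    || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) ) {
    error_log( 'WordPress automatic updater is disabled; core security updates will not be applied.' );
}
```

The background updater runs from WP-Cron and needs the web server user to be able to write to the WordPress files; on a site where either is missing, the constant alone does nothing, so after changing it, confirm with the Dashboard update screen or `wp core check-update` (WP-CLI) that updates are actually being detected and applied.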
WordPress is not perfect though
WordPress is not perfect in terms of security, and there are some justified criticisms. WordPress has a questionable XML-RPC API, which is abused again and again for amplification and brute-force attacks, and WordPress has not responded so far. Furthermore, WordPress does not use many modern security mechanisms, in particular Content Security Policy, a very powerful tool against cross-site scripting attacks.
The biggest remaining security problem with WordPress, however, is plugins and third-party themes. They are, with a few exceptions, not updated automatically, and they are often of very questionable quality. Apart from security problems, plugins are also frequently the reason a website is unusually slow or buggy. Anyone who builds a website with WordPress and cannot or does not want to take care of updates regularly should stick to the core functionality, or at least to a few well-maintained plugins. Of course, much is not possible without plugins, but for a simple site presenting a company or a club, a standard WordPress installation is enough.
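The three criticisms in this section (the XML-RPC API, the missing Content Security Policy, and plugins that are not updated automatically) can all be addressed from a single must-use plugin, using hooks WordPress provides. The file below is an added example, not code from the article or from WordPress; the hook names and the `X-Pingback` header are real, while the allowlist contents and the policy values are assumptions for this illustration and must be adapted to the site.

```php
<?php
/**
 * Plugin Name: Site hardening (added example)
 * Description: Must-use plugin: XML-RPC lock-down, a Content Security
 *              Policy, and a plugin/theme auto-update allowlist.
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins and
 * cannot be deactivated from the dashboard.
 */

// --- 1. XML-RPC -------------------------------------------------------
// 'xmlrpc_enabled' only disables methods that require a login, which stops
// credential brute-forcing via XML-RPC. pingback.ping needs no login, so the
// amplification vector stays open unless the pingback methods are removed too.
add_filter( 'xmlrpc_enabled', '__return_false' );

add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> in the page head that both point scanners at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// --- 2. Content Security Policy ---------------------------------------
// Front end only: wp-admin relies on inline scripts and would break under a
// strict policy. Ship Report-Only first, check the browser console for
// violations caused by the theme and plugins, then switch to the enforcing
// header. The policy below is a starting point, not a recommendation.
add_action( 'send_headers', function () {
    if ( is_admin() || headers_sent() ) {
        return;
    }
    $policy = implode( '; ', [
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'", // many themes print inline CSS
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
        "form-action 'self'",
    ] );
    header( 'Content-Security-Policy-Report-Only: ' . $policy );
    // header( 'Content-Security-Policy: ' . $policy ); // once violations are gone
} );

// --- 3. Plugin and theme auto-updates ---------------------------------
// WordPress can auto-update plugins and themes but does not by default. Opt in
// for a short allowlist of well-maintained plugins rather than for everything,
// so a bad update is limited to code that was deliberately chosen. The slugs
// here are placeholders for this example; use the wordpress.org slugs of the
// plugins actually installed.
$hardening_auto_update_plugins = [ 'example-plugin-a', 'example-plugin-b' ];

add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $hardening_auto_update_plugins ) {
    if ( isset( $item->slug ) && in_array( $item->slug, $hardening_auto_update_plugins, true ) ) {
        return true;
    }
    return $update; // leave everything else at WordPress's default decision
}, 10, 2 );

// Usually a single trusted theme is installed, so a blanket opt-in is acceptable.
add_filter( 'auto_update_theme', '__return_true' );
```

Two caveats a practitioner will want: filters run inside PHP, so xmlrpc.php is still reachable and still costs a PHP worker per request; where XML-RPC is not needed at all, denying the path in the web server configuration in addition to the filter is cheaper. And an allowlist only helps for plugins that are otherwise maintained; a plugin that never publishes an update is not made safer by being allowed to update.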
The competition should follow
With the automatic update, WordPress is many times safer than its competitors. Countless WordPress users are regularly protected against many vulnerabilities. It is time for its competitors to follow suit. As long as updates need to be installed manually, Joomla, Drupal or Typo3 are not recommended for most users.