Doing battle with the WP bad guys

Over the past two years  praxMatrix has been building a significant number of our client sites on the WordPress core. WordPress, originally a blogging tool, has, over the years, developed into an incredibly flexible core platform from which many sector-specific applications can be built – including e-learning applications. It has a huge and dedicated team of developers, issues timely updates, has a vast selection of contributed commercial and non-commercial plugins to extend the core and is transparent enough (being built on common open source structures itself) for our programmers to be able to modify at will. It saves time and money for both our clients and ourselves and allows us to deliver premium solutions at a fraction of the cost of fully bespoke solutions. So why wouldn’t we use it? Sounds like the perfect solution for everyone.

Well, in many ways, it is but being the most popular CMS in the world (it is estimated that WordPress now runs around 25% of the world’s websites) has its drawbacks – hackers love it and love finding new ways to exploit it. Much of the time-saving in the build and development phase is now re-applied to monitoring and security fixes for a WP based site.

This short article is about our own site, www.praxmatrix.com, and our recent experiences with hackers and just how difficult it is to sometimes detect them and eradicate them. It is a cautionary tale for all who use WordPress. While we remain firmly committed to the benefits of using WordPress unless you use it in conjunction with a sound backup, update and security strategy then you are really just asking for trouble.

To get this into perspective lets look at this from the popular Worpress security monitoring site, WordFence:

The current frequency of attacks we’re seeing across all WordPress sites running Wordfence is 30898 attacks per minute

That is 30,898 attacks per minute as I am writing this post – on their graph this a relatively low frequency and covers only sites they monitor. Let’s look at this graph below for a moment to see exactly what we are having to contend with:

 

wp-march-2015

 

Some of those terms may just be meaningless techno-babble for you but it’s enough to know that each one of them does something different but very nasty to your website and each one has to be detected using different investigative techniques. To break it down a little more:

 

wordpress-security

 

So, 41% of attacks come through hosting issues. These can be permission settings on files and databases, FTP and MYSQL attacks, and the very common Brute Force attacks (this is where your website is repeatedly attacked, sometimes hundreds of times per second, with password variations that try and ‘guess’ user passwords – especially admin passwords).

The second largest risk area is with WordPress themes. All WordPress installations are overlayed with a theme that adds both specific functionality and individual design and layout frameworks. These can be non commercial themes downloaded from the WordPress site, commercial themes or themes that are created specifically for you or modified extensively for you by your digital media agency. These themes must be kept up to date and a theme that does not provide reasonably frequent updates and responses to critical security issues as they arise, should be abandoned.

Similarly, plugins that extend the functionality of WordPress in literally hundreds of ways can be open to attack and should be kept up to date. If you have an old installation with old plugins it is highly advisable that you update your installation immediately and that all plugins are also updated or removed if they have not been updated by the developers. The latest versions of WordPress make this task virtually automatic.

The last area concerns password strength. You can enforce strong passwords so your users don’t user passwords like ‘1234’ or ‘password’ which will be cracked by the first nasty that passes by opening up your site potentially to a flood of unwanted posts, comments, user registrations, or worse.

Brute force attacks that try and ‘guess’ your users’ passwords will happen even if you have enforced strong passwords and your options then are to try and block the IP addresses that the attacks are originating from. Not easy as the hackers often spoof or disguise the point of origin with false IPs or use a hacked server to send out the attack.

For your clients, or for you if you run a WordPress based website (or in fact any website these days) this may all seem a bit overwhelming and depressing. The good news is that although it does require a significant investment in time and monitoring and you can, with a properly implemented security and backup strategy, control and counter most attacks and clear any infections rapidly when they do occur.

WordPress has so many benefits for the developer and the client that this additional attention to post-deployment security is still worth it and whether it is WordPress or any other installation, all websites these days are open to attack yet not all systems have the security support that WordPress core developers, plugin developers and specialist security organisations now provide for monitoring and resolving security issues.