A recent investigation has concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack.
The research, carried out by vulnerability researchers EnableSecurity and reported by WordPress security outfit WP WhiteSecurity, was conducted between Sept 12 and Sept 15 shortly after the release of the WordPress 3.6.1 Maintenance and Security Release.
WordPress is the most popular blogging and Content Management System (CMS) in the world and, according to WordPress founder Matt Mullenweg, it powers one in five of all the world's websites.
As with any research of this kind we should apply a big pinch of salt.
In fact in this case we don't need to supply our own salt because the research actually comes self-salted thanks to this hilarious rider at the bottom of the article:
The tools used for this research are still being developed therefore some statistics might not be accurate.
You have been warned.
So if the numbers might be wrong why am I bothering to reproduce them here? Because (in my opinion) they are probably true (well true-ish) and even if they aren't they still highlight an important security issue which isn't diminished one iota by their sketchiness.
As long as we go into this with our eyes open we'll be fine.
The research did no more than set out to discover what versions of the popular CMS are in use by the top 1 million websites.
This singular focus is with good reason: the first rule of WordPress security is always run the latest version of WordPress.
If you aren't running the very latest version of WordPress then the chances are you are running a version with multiple known vulnerabilities - bugs that criminals can use to gain a foothold on your system.
EnableSecurity's scan of Alexa's Top 1,000,000 discovered that 41,106 websites were running WordPress, a little over 4%.
They then determined that of those websites at least 30,823 were running versions of WordPress that have known vulnerabilities. From this they concluded that
73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools.
Add your salt now.
Even if we take it as read that 73% of the sites are running vulnerable versions of WordPress we still can't conclude that 73% are in fact vulnerable. There are common security strategies that the researchers didn't test for, not least using a Web Application Firewall (WAF) that can put up a protective shield in front of vulnerable websites.
By the way, the first rule of WordPress security, always run the latest version of WordPress, holds true even for sites running behind a WAF. They are not mutually exclusive and should be considered as separate parts of a strategy of defence in depth.
In addition to skipping over reasons why the 73% might be a little on the high side the study also leaps acrobatically past a totally different set of reasons why it might be a bit on the low side.
As diaphanous as the study's precision might be, the broad thrust is correct and it contains a useful message; users of WordPress need to be diligent about security because they are using software that is popular enough to be of interest to criminals who conduct large-scale automated attacks.
10 ways to keep your WordPress site secure
If you are running a website that uses WordPress here are 10 suggestions to help you avoid ending up in the 70% (or whatever large number it is) of vulnerable sites.
- Always run the very latest version of WordPress
- Always run the very latest versions of your plugins and themes
- Be conservative in your selection of plugins and themes
- Delete the admin user and remove unused plugins, themes and users
- Make sure every user has their own strong password
- Enable two factor authentication for all your users
- Force both logins and admin access to use HTTPS
- Generate complex secret keys for your wp-config.php file
- Consider hosting with a dedicated WordPress hosting company
- Put a Web Application Firewall in front of your website
For more on the subject of patching WordPress have a listen to Sophos Security Chet Chat 117, the latest 15 minute installment in our regular podcast series.