WordPress is the world's most popular software solution to running a website. Over 25% of the websites on the Internet now use WordPress as a way to publish and manage their content. The simplest blog to the largest newspaper sites to huge online shops now use WordPress.
But popularity seems to breed contempt, and just like the venerable Windows XP in the early 2000s, WordPress is now facing a serious challenge which has mostly gone unnoticed — keeping WordPress sites secure and free of malware, viruses and other nasties.
Windows XP was designed just as the Internet was getting up to speed in 2001. A networked PC was a breeding ground for various attacks and viruses. And because more than 90% of PCs used some form of Windows, virus writers focused on Windows, and specifically on Windows XP as a target. The story goes that if you wanted to get an infection, you just had to install Windows XP and put it on the Internet — your PC would pick up some sort of virus or malware within a few hours of operation, provided you had no anti-virus installed. Windows XP is a relic.
So here we are in 2015, the cloud is all the rage and many applications are actually websites in disguise. They operate much more smoothly, some run inside smartphone apps, and many use WordPress, the 21st century operating system for websites and many web applications. And sure enough, as WordPress gets popular, it is now also a large target of online attacks. These attacks begin pretty much right away when you put up a WordPress website. And although it may not necessarily infect your PC or smartphone, a successful attack on WordPress can do something much worse — it can deface, mutilate or even bring your website down so that it is inoperable. Your work, and maybe even your livelihood, can be curtailed if your WordPress-powered website goes down.
WordFence, a popular security plug-in that detects and blocks attacks, records over 25,000 attacks per minute across the sites running just its plugin. An interactive map on the WordFence website shows an animated attack map, taken straight from the 1980s movie WarGames. Except these attacks, many of which are blocked, can be very destructive.
An attack surface can simply be described as a potential weakness in the code or infrastructure of a piece of software. The best analogy is a structural weakness in a building or bridge — if the weakness is taken advantage of, the whole structure can become vulnerable and even come crashing down. As recently as March 2014, an attack on over 160,000 WordPress-powered websites was used to crash a large website.
I believe it is time we started to look at WordPress much more carefully from a security perspective. Many companies are doing their best to prevent these attacks, but WordPress administrators and users should be aware of the multiple areas of vulnerability. Some of these have nothing to do with WordPress itself but rather with the server or host that the software runs on.
Let's enumerate these "attack surfaces" and see if we can learn some precautions that can be taken.