A Common-Sense WordPress Security Primer:
A Common-Sense WordPress Security Primer, by David Coveney of the Liverpool-based InterConnectit IT. An excerpt:
There’s been a big fuss lately over the latest WordPress hacks that have targeted older versions of WordPress.
And in my view, they show the less pretty side of WordPress and some people in the community… but not all of them. The attitude has been a straight “upgrade your blog and you’ll be secure.”
Well, I have news for you. They’re wrong.
You’re Never Secure
Even if you have the very latest version of everything, there are, out there, what are known as zero-day exploits. These are vulnerabilities which are kept secret by the hackers who have found them. They cease to be secret if they become widely used in a large-scale attack, like the current one against WordPress.
Now, if there are vulnerabilities out there that nobody knows about, then your high-profile WordPress site or blog could be targeted in a way that you, I, or the (great and lovely) WordPress developers out there don’t know about.
Not Everyone Can Upgrade Immediately
Quite frankly, I find the glib assertion that staying up to date is all you need to be secure to be… terrifying. It’s bad advice because it leaves people with the feeling that all they need to do is to stay up to date and all is well. Not only that, but it sidesteps the whole issue that WordPress should really consider running security updates on older versions of WordPress – not all sites can quickly change from one version to another. When WordPress 2.8 came out it broke multi-use widgets – you could recode them, but then settings could be lost. There are sites out there that run hundreds of widgets, and re-configuring them will be a big job. If a new vulnerability comes out in WordPress it may not even be relevant to some sites because they may be doing everything else correctly.
In fact, in a critical environment you absolutely do not update your software without running a full suite of tests to make sure the updates won’t bring down your site. This is a major problem for sites which, in some cases, are turning over tens of thousands of pounds a month. Yes, they can throw money at the problem, but it still takes time – and when there’s a vulnerability the one thing you don’t have is a lot of time. So a site needs to rely on more than just WordPress for security.
Mr. Coveney clearly understands something about the phenomenology of risk, and he’s got some good practical advice. Perhaps we can persuade him to write something for Popular Logistics, our primary blog, which is about risk assessment, mitigation and control.
A Common-Sense WordPress Security Primer. By David Coveney at InterConnectit – or perhaps it’s pronounced “InterConnect IT.”
2 Responses to “A Common-Sense WordPress Security Primer:”
Thank you for this post! It is a breath of fresh air that you get it. You can’t always upgrade, and simple upgrading isn’t always enough. When I discover a serious WordPress security issue, I generally find a patch for my current version, or I make one myself.
Ironically, the advocates of upgrading early and often point to the automated web-based upgrade feature. But using that creates additional security holes that can’t be prevented. I know you need a sysadmin to do it, but the manual upgrade is so much safer.
Andy, you’re entirely right. Often the main upgrade comes with new vulnerabilities – which are patched later in the “smaller” upgrades. For a small operation – a lot to keep up with.