Security is an ongoing discussion for WordPress site owners of all levels of technical expertise, but it can be an especially hard area for newbies to get to grips with. While security insiders are fluent in the differences between common attack vectors, to the average Joe it can often appear as little more than a bewildering sea of hard-to-grasp threats.
In this piece, we’ll be looking to fill in some of those knowledge blanks by briefly breaking down what some of the more common threats out there are actually all about. Rather than blind you with acronyms and white papers, we’ll concentrate on getting the essentials across in layman’s terms, and we’ll also introduce some simple steps you can take to stay safe as a site owner.
However, before we start looking at specifics, let’s briefly remind ourselves of where the biggest threat of all to your site’s security is generally found.
Security Starts Close to Home
Though technical security systems are getting more sophisticated every day, it’s worth remembering that the main weakness of any system remains the people who actually run it.
Before you get too involved in looking out for security flaws on the software level, make sure you’re already running a tight ship in terms of general site access and procedures within your own team. You want to be certain that password management is in place, and that roles and responsibilities are clear – particularly when it comes to who actually has rights to install software such as themes or plugins.
Finally, you’ll also want to make sure you’ve carefully reviewed the standard WordPress security guidelines, the WordPress security white paper, and that you’ve at least read a little on the historical background about WordPress security in general.
The Non-Techie’s Guide to Common Security Threats
With those introductory caveats out of the way, let’s move on to breaking down some of the more common security threats that plague the platform. We’ll be using the Open Web Application Security Project’s (OWASP) list of top ten application security threats as a general reference point, and highlighting three areas in particular.
Let’s get cracking!
1. Injection Attacks
As OWASP’s own definition of injection attacks shows, we’re dealing with a potentially wide field here: “Injection flaws allow attackers to relay malicious code through an application to another system.” The classic scenario, as emphasized in Padraic Brady’s excellent guide to PHP security, tends to be some form of SQL injection where an attacker is looking to compromise your database directly.
As Wordfence’s recent breakdown of SQL injections shows, they’re both incredibly common and relatively simple to set up for an attacker. There doesn’t even have to be malicious intent at play – simply failing to escape SQL queries in your theme or plugin is enough to leave the door open. Even security plugins have been affected over the years, along with other high-profile providers.
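To make the “failing to escape SQL queries” point concrete, here is an added example (not code from the article or from any plugin it mentions) of a post lookup written the unsafe way and then with WordPress’ own `$wpdb->prepare()`; the table and column names are WordPress’ own, while the function names and the `ref` query parameter are assumed.

```php
<?php
// Added example: look up a post by a slug that arrived in the request.
global $wpdb;

// Vulnerable: the untrusted value is pasted straight into the SQL string.
// A single quote in the value closes the string early, so whatever follows
// is read as part of the query itself rather than as data.
function torque_find_post_unsafe( $slug ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '$slug'";
    return $wpdb->get_results( $sql );
}

// Hardened: $wpdb->prepare() binds the value as a %s placeholder, so quotes
// and SQL keywords inside it are stored and compared literally.
function torque_find_post_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s",
        $slug
    );
    return $wpdb->get_results( $sql );
}

// Usage inside a plugin or theme: read the (assumed) "ref" parameter,
// undo WordPress' magic-quote slashing, and only ever call the safe version.
$slug = isset( $_GET['ref'] ) ? wp_unslash( $_GET['ref'] ) : '';
$rows = torque_find_post_safe( $slug );
```

Escaping by hand with `esc_sql()` also works, but `prepare()` is harder to get wrong because the placeholder type fixes how each value is treated.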
2. Cross-Site Scripting (XSS) Attacks
Though technically a type of injection attack itself, cross-site scripting attacks (XSS) are worth considering in isolation. In comparison to our previous SQL injection example, the direction of attack is essentially reversed here. Padraic Brady sums up the situation nice and simply: “XSS occurs when an attacker is capable of injecting a script, often Javascript, into the output of a web application in such a way that it is executed in the client browser.”
So, rather than an attacker trying to load something dodgy onto the site, here the site itself is delivering something to your browser that’s capable of hijacking your input. As Wordfence’s deep dive on the subject shows, XSS attacks are both incredibly easy for the bad guys to set up and by far the most common security flaw discovered in plugins. They’re also an issue that has come up several times in WordPress core.
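The usual way this creeps into a theme is by echoing a request value straight into HTML. Added example (not the article’s or any named plugin’s code): a search heading done unsafely and then escaped with WordPress’ own `esc_html()`, `esc_attr()` and `esc_url()`; the `s` parameter is WordPress’ search parameter, the function names are assumed.

```php
<?php
// Added example: a results page that echoes the visitor's search query back.

// Vulnerable: whatever was typed into the search box is written into the
// page unchanged, so any markup it contains becomes part of the HTML and
// runs in the browser of everyone who opens that link.
function torque_search_heading_unsafe() {
    $query = isset( $_GET['s'] ) ? wp_unslash( $_GET['s'] ) : '';
    echo '<h2>Results for: ' . $query . '</h2>';
}

// Hardened: sanitize on the way in, and escape at the point of output with
// the escaper that matches the context the value lands in.
function torque_search_heading_safe() {
    $query = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

    // Text node: angle brackets and quotes become harmless entities.
    echo '<h2>Results for: ' . esc_html( $query ) . '</h2>';

    // Attribute value: a stray quote cannot close the attribute early.
    echo '<input type="text" name="s" value="' . esc_attr( $query ) . '">';

    // URL: the value is URL-encoded and the scheme is checked.
    $again = home_url( '/?s=' . rawurlencode( $query ) );
    echo '<a href="' . esc_url( $again ) . '">Search again</a>';
}
```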
3. Cross-Site Request Forgery Attacks (CSRF)
The differences between XSS and Cross-Site Request Forgery attacks (CSRF) can get a little slippery, but the easiest way of thinking about them is as follows: XSS is about trying to steal your credentials, and CSRF is about trying to use them. Typically, a CSRF attack is going to try and get you to do something unwanted on a site where you’re already authenticated. Though WordPress uses nonces to mitigate these attacks, they’ve still popped up in several plugins and in the core of the platform itself over the years.
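Here is what the nonce protection looks like in practice, as an added example rather than code from the article or any plugin it names: an admin form that clears a plugin’s cache, guarded by WordPress’ own `wp_nonce_field()`, `check_admin_referer()` and `current_user_can()`. The action name, option key and function names are assumed.

```php
<?php
// Added example: a CSRF-protected admin action in a WordPress plugin.

// Rendering the form. wp_nonce_field() adds a hidden _wpnonce value that is
// tied to this action and to the logged-in user, so a page on another site
// cannot produce a form submission that carries a valid one.
function torque_render_clear_cache_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'torque_clear_cache' );
    echo '<input type="hidden" name="action" value="torque_clear_cache">';
    submit_button( 'Clear cache' );
    echo '</form>';
}

// Handling the submission. Without check_admin_referer() any page the
// administrator happened to be viewing could submit this form on their
// behalf; with it, a request lacking a valid nonce stops here, before
// anything changes. The capability check is separate and still needed:
// the nonce proves the user intended the action, not that they may do it.
function torque_handle_clear_cache() {
    check_admin_referer( 'torque_clear_cache' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to do this.' );
    }
    delete_option( 'torque_cache_index' ); // assumed option key
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_torque_clear_cache', 'torque_handle_clear_cache' );
```

The same pairing applies to AJAX handlers (`check_ajax_referer()`) and to links that change state (`wp_nonce_url()` on the way out, `check_admin_referer()` on the way in).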
How to Stay Safe Generally
As the three examples above show, the burden of reducing these types of attacks lies largely with developers being more rigorous about their code, and handling areas such as escaping user input and using security tokens more carefully. However, there are a number of simple common sense steps you can employ as a site owner to do your bit as well:
- Always run the latest version of WordPress core, along with updated versions of your plugins and themes.
- Tick off the basics in terms of hardening WordPress, and check your site using the OWASP WordPress Vulnerability Scanning Project if possible.
- Use plugins such as Sucuri Security to lock down your site.
- Stay up to speed on the wider security threat landscape by following the Sucuri and Wordfence blogs, along with the topic here on Torque.
Those four steps won’t guarantee that you’ll never fall victim to the sort of threats we discussed above, but they’ll put you substantially ahead of most site owners’ efforts.
Conclusion
Site security is a potentially vast topic, and the range of acronyms and niche knowledge employed in discussing it can be off-putting to non-technical site owners. Our brief guide to three of the more common attack areas that arise in the wild should have made them a little easier to think about tackling.
Let’s recap the three main areas we’ve covered:
- Injection attacks: A potentially wide class of attack, where attempts to compromise your database in the form of SQL injection are the biggest concern.
- Cross-Site Scripting (XSS) attacks: These typically take the form of JavaScript payloads looking to access your personal data.
- Cross-Site Request Forgery (CSRF) attacks: These take place when bad guys are trying to trick you into making wrong decisions on sites where you’re already authenticated.
As a site owner, your best defense against these types of attacks lies in choosing a reliable hosting partner, and keeping all moving parts of your WordPress stack regularly updated. Do you have a particular area of security concern on your own sites? Get in touch via the comments section below and let us know!
Image credit: Unsplash.