WordPress is probably as secure as any CMS. The latest version (4.7.3) was released March 6th and fixed six major security issues.
- Cross-site scripting (XSS) via media file metadata.
- Control characters can trick redirect URL validation.
- Unintended files can be deleted by administrators using the plugin deletion functionality.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
In addition, the latest WordPress version also contains 39 bug fixes.
WordPress is secure at its core, but only as secure as your security practices.
Think about what your authorized users can access (keeping in mind that their accounts could get hacked).
For example, authorized users have access to the WordPress built in Plugin and Theme Editor. Since you would only use this feature if you are used to coding, you probably already use an external editor anyway. It might make sense to disable this feature altogether. If any of your authorized users’ account gets hacked, someone could use the Plugin and Theme Editor to wipe out your entire site.
More obvious ways to keep your WordPress site safe
- Use secure passwords and change them often.
- Don’t to use the default ‘admin’ username.
- Use the latest version of not only the WordPress core, but also of your plugins and theme.
- Delete unused plugin files, especially if they are outdated.
- Only download plugins and themes from trusted sources and marketplaces.
- Install a ‘Limit Login Attempts’ plugin to prevent brute force attacks on your site.
- Check WPScan’s database for latest breaches. For example, the ‘Limit Login’ plugin by BestWebSoft is reportedly vulnerable to Cross-Site Scripting (XSS) attacks.
Recently, a vulnerability in the WordPress REST API allowed for unauthenticated privilege escalation on WordPress websites running versions 4.7 or 4.7.1 allowing attackers to modify content and delete posts and pages. Over a million websites may remain unprotected by not upgrading to the latest version of WordPress.
Seven new plugin vulnerabilities last week alone
There is no doubt, the WordPress team works diligently to quickly address any vulnerability that arises. In addition to security issues at the WordPress core, tens of thousands of third party WordPress plugins and themes, paid and free, can also be open to attacks.
On average, a new plugin vulnerability was discovered every day over the course of this past week (between April 7th and April 13). The latest reported security issue leaves over 50 BestWebSoft Plugins vulnerable to Cross-Site Scripting (XSS) attacks. This includes BestWebSoft’s Adsense, Captcha and Contact Form plugins. Those 3 plugins alone have over 500,000 active installs. Over all, over 700,000 websites might be effected by just this single vulnerability.
WPScan maintains a browsable online database of all reported vulnerabilities. If you maintain a WordPress site, you might want to sign up for their free email alerts.