20% Off My Easy-Peasy Proposal with the Coupon Code 20OFF (Now - April 30th)

Security Weekly

Most Common WordPress Security Misconceptions

Cleanshot 2023 11 30 At 14.14.30

Published:

Cleanshot 2023 11 30 At 14.14.30

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 10

As we’ve covered the basics of WordPress security, it’s time to address some common myths and misconceptions. The internet is brimming with SEO content offering various security tips. While some advice is excellent, other suggestions are debatable, and some are outright misinformation.

Today, let’s explore some myths, misconceptions, and misinformation I’ve encountered across different blogs, communities, and groups. Although this list could be endless, I’ll focus on those I’ve seen most frequently and that could be most harmful if followed.

Hackers Don’t Care About Your Small Website

Nearly 10 years ago, I regularly conducted incident response for companies whose websites had been hacked. The most common question was, “Why would hackers target our company?” This question arose with every small company I spoke to.

The answer is simple. In most cases, hackers aren’t interested in your company but are interested in your website. The majority of attacks are opportunistic. Hackers target flaws in popular software to take over as many websites as possible, regardless of ownership.

Hiding That Your Website Runs on WordPress

If WordPress websites are targeted randomly, concealing your site’s WordPress foundation should make it invisible to attackers, right? Not exactly. This misconception is widespread, and there are even plugins designed to obscure a site’s WordPress base.

This misconception stems from a misunderstanding of how attacks are conducted. People tend to believe that all attacks are targeted, with hackers creating a “target list” of WordPress sites to hack in a highly organized attack.

In reality, the opposite is true. Attackers are racing against time, aiming to exploit vulnerabilities before websites are updated. Spending time creating a target list does not benefit them. Instead, they launch attacks against every public IP address, harvesting as many sites as possible.

Keep the Plugins Up to Date and You’re Safe

This piece of advice is commonly seen in various groups and communities. Discussions often arise where someone asks which security solutions to use, and a community member responds, “You don’t need security solutions; just keep your plugins up to date.”

While keeping plugins up to date is crucial, claiming that it is the panacea for WordPress security is misleading.

We’ve tracked every security vulnerability in the WordPress ecosystem. Over the past few years, the number of vulnerabilities left unfixed by developers remains at about 30%. This means that nearly one-third of vulnerabilities cannot be patched with an update. Stats here: https://patchstack.com/database/statistics/wordpress

Furthermore, do you update every plugin within a few hours of its release? Do you have auto-updates enabled for all plugins? If not, you’re already at a disadvantage.

Use Only Server-Side WordPress Security

This argument has gained traction in recent years, especially after a research article last year showed that WordPress malware scanning plugins are regularly tampered with and bypassed by hackers.

This conclusion is an oversimplification. In reality, security should be layered across the network, server, and application (WordPress site). Relying solely on server-side WordPress security is inadequate.

Some measures, such as two-factor authentication (2FA), session management, virtual patching, and WordPress-specific hardening, must be implemented within the WordPress application. These cannot be effectively managed at the server or network levels.

Conclusion

A wealth of advice circulates in various communities and websites. Much of it is AI-generated, which may sound convincing but can be technically inaccurate. There are many other minor myths within the WordPress ecosystem, so feel free to share the ones you’ve encountered in the comments!

Join the Conversation!

There's a dedicated thread on this post inside of The Admin Bar community. Join in on the conversation, ask questions, and learn more!

Group Thread
Cleanshot 2023 11 30 At 14.14.30

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Brought to you by:
Logo

Patchstack auto-mitigates security vulnerabilities found on WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the entire WordPress ecosystem and has the largest collection of vulnerability specific vPatch rules that provide precision protection without any performance hit nor false positives. Patchstack is the go-to security provider for many of the leading agencies such as 10up, Valet, SiteCare and others.

Never Miss an Issue!

Subscribe and have Security Weekly delivered to your inbox every week!

Come Join Us!

Join the #1 WordPress Community and dive into conversations covering every aspect of running an agency!

Kyle Van Deusen

Community Manager

More from Security Weekly

Week 16

Supply Chain Security Risks in WordPress Plugins

In March 2024, WordPress 6.5 introduced a feature called plugin dependencies. As you may know, there …

Week 15

Most Dangerous Vulnerabilities in WordPress Plugins

As we recently published the annual Patchstack report about WordPress security (and also covered it in …

Week 14

State of WordPress Security – 2024 Report

This week is a little different. In the beginning of each year, we take a look …