WordPress: Security vulnerabilities in corporate websites?

M.Sc. Chris Wojzechowski


WordPress is considered the most widely used content management system in the world. It is free, quick to set up and easy to learn, and although it does not meet many professional requirements, it is still the first choice for many businesses. This is mainly because it presents administration and content creation in a way that a layperson can understand, while still offering a great many possibilities for extension.

Its own REST API, Full Site Editing (FSE), numerous themes and a wide variety of plugins for every conceivable purpose are waiting to be used. It is this extensibility that keeps people excited about WordPress. It makes it possible to manage a website yourself instead of having to hire external service providers to do it for you.

As an enterprise, however, plugins, themes and snippets added to functions.php should be treated with caution. The risk of introducing vulnerabilities and opening security holes is too great. More than once it has been WordPress and its extensions that made headlines in the security scene, so it is time to take a closer look at the whole issue.

Why WordPress is so prone to vulnerabilities

WordPress itself is written in the scripting language PHP. The CMS is usually self-hosted and self-managed unless a specialised WordPress hoster is used. What always applies is that the server and its configuration should be appropriately secured. But that has nothing to do with WordPress as such: a misconfigured server is always a potential vulnerability in your own IT systems.

Nevertheless, the WordPress core, i.e. the heart of the CMS, can certainly be described as secure. New versions are not released at short notice, the development roadmap is clearly recognizable, and the large community ensures that even the smallest security vulnerabilities are uncovered and reported. In that respect, the WordPress core itself is relatively secure.

Vulnerabilities therefore usually enter the content management system through third parties and through the user himself: through themes that rely on third-party services, for example, or through the many plugins that were not all programmed cleanly and, above all, securely. Snippets that are widely shared for WordPress and added via functions.php also often expose vulnerabilities that WordPress would not have without them.

Where the most critical security gaps lie

As already indicated, I would now like to go into more detail on the places where WordPress offers potential for security vulnerabilities: mainly themes and plugins. It does not matter how large or small the extension is; countless themes and plugins have repeatedly attracted negative attention due to their vulnerabilities, and it keeps happening.

With plugins, it is usually the case that nobody knows exactly who develops them. WordPress is open source and, in theory, anyone can program their own WordPress extension based on a tutorial and offer it for download. Naturally, such a developer may lack experience or, in the worst case, may deliberately build in vulnerabilities.

It has also happened more than once that plugins have changed developers, which is just as dangerous. When an extension installed on thousands, tens of thousands or even hundreds of thousands of sites suddenly gets a new developer, nobody knows whether that developer is intentionally injecting malicious code or is simply overwhelmed by the code base. In that case, timely patches for security vulnerabilities may fail to appear.

With WordPress themes, it is the features that trip developers up. Under pressure to deliver more and more features, developers rarely write their own solutions and instead resort to third-party or public scripts and libraries. Such embedded components typically become the vulnerability and, the more widely they are used, the more attractive they become as attack targets. This has happened with WordPress themes more than once.

What you can do about the WordPress security problem

A major problem with WordPress is that, in addition to third-party code, it provides an attack surface of its own. Because WordPress, like the plugins and themes in use, can be detected automatically, bots query sites for it over and over again. If a bot encounters a vulnerable WordPress version or a corresponding plugin or theme, it tries to exploit it by brute force.

These attacks are fully automated and specifically look for security vulnerabilities, known or not yet known. A web application firewall is therefore the first step to block such attacks and requests from the outset. Security plugins for WordPress are expensive, but they also provide a first line of defence against this raw attack surface. Even so, WordPress is still far from being truly secure.

Above all, you should make sure you always run the latest version, both of WordPress and of its themes and plugins. Critical security vulnerabilities must be reported, closed and neutralized immediately. Logs tell you who is accessing your website and when attacks are taking place. So have your website monitored by an expert, who should already know most WordPress vulnerabilities, old and new, through their sources. What must not be overlooked is how many corporate sites are at risk.
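The article says that logs reveal who is accessing the site and when automated attacks are running. The following script is an added example (not code from the original article or from AWARE7) of what that looks like in practice: it reads combined-format access log lines, matches the request patterns that automated WordPress scanners typically produce (credential POSTs to wp-login.php and xmlrpc.php, plugin and theme readme.txt probes, user-ID enumeration via ?author=), and reports per client IP once a threshold is crossed. The log lines, IP addresses, plugin slugs and thresholds are all constructed for illustration.

```python
"""Flag automated WordPress probing and brute-force attempts in an access log.

Added example, not code from the original article. It scans combined-format
(Apache/Nginx-style) access log lines for the request patterns bots use when
they enumerate WordPress installations and hammer the login endpoints, and
reports client IPs whose counts exceed a threshold. The log lines below are
constructed for illustration; the plugin and theme slugs in them are made up.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request paths typical of automated WordPress enumeration and credential attacks.
# style.css of the active theme is deliberately NOT listed: every normal visitor
# loads it, so matching it would drown the report in false positives.
SIGNATURES = [
    ("login-attempt", re.compile(r"^/wp-login\.php")),
    ("xmlrpc", re.compile(r"^/xmlrpc\.php")),
    ("plugin-enum", re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$")),
    ("theme-enum", re.compile(r"^/wp-content/themes/[^/]+/readme\.txt$")),
    ("author-enum", re.compile(r"^/\?author=\d+$")),  # user-ID enumeration via ?author=
]
CREDENTIAL_LABELS = {"login-attempt", "xmlrpc"}  # only POSTs to these carry credentials

# Constructed sample log: one brute-forcing client, one enumerating scanner,
# and one ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:01 +0000] "GET /wp-content/plugins/example-gallery/readme.txt HTTP/1.1" 404 150 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:14:02:02 +0000] "GET /wp-content/plugins/example-slider/readme.txt HTTP/1.1" 200 820 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:14:02:03 +0000] "GET /wp-content/themes/example-theme/readme.txt HTTP/1.1" 404 150 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:14:02:04 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2023:14:10:12 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:10:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str) -> Optional[str]:
    """Return the signature label matching a request path, or None."""
    for label, rx in SIGNATURES:
        if rx.search(path):
            return label
    return None


def analyze(lines: Iterable[str], cred_threshold: int = 5,
            enum_threshold: int = 3) -> Dict[str, dict]:
    """Count suspicious requests per client IP and derive alerts.

    Returns {ip: {"counts": {label: n}, "alerts": [message, ...]}} for every
    IP that issued at least one matching request.
    """
    per_ip: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real tool would count these separately
        label = classify(rec["path"])
        if label is None:
            continue
        # A GET of wp-login.php only fetches the form; credential attempts are POSTs.
        if label in CREDENTIAL_LABELS and rec["method"] != "POST":
            continue
        per_ip[rec["ip"]][label] += 1

    report = {}
    for ip, counts in per_ip.items():
        alerts = []
        cred = counts.get("login-attempt", 0) + counts.get("xmlrpc", 0)
        if cred >= cred_threshold:
            alerts.append(f"possible brute force: {cred} credential POSTs to wp-login.php/xmlrpc.php")
        enum = sum(counts.get(k, 0) for k in ("plugin-enum", "theme-enum", "author-enum"))
        if enum >= enum_threshold:
            alerts.append(f"possible enumeration: {enum} plugin/theme/author probes")
        report[ip] = {"counts": dict(counts), "alerts": alerts}
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, info["counts"], *info["alerts"], sep="  ")
```

Run against the constructed sample, the script reports 203.0.113.7 for seven credential POSTs and 198.51.100.9 for four enumeration probes, while the ordinary visitor 192.0.2.5 produces no alert. The thresholds are deliberately low for the sample; on a real site they should be tuned against normal traffic, and the same logic is easy to feed from a log tail rather than a string.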

How to run WordPress as a CMS securely

The problem with corporate websites is that they are created once and then rarely updated. Those who use WordPress for such a deployment log in only once a year and miss important updates for the CMS and for the extensions and themes in use. At the same time, automatic updates are not an option because they might cause problems.

All of this makes WordPress an easy choice, but not always the best one. Especially if you manage WordPress for your business website yourself, you need to be aware of the points mentioned here in advance. No website can simply be created and then exist on its own. Servers, websites, scripts and more require regular maintenance, bug fixes and adjustments whenever technical conditions change.

Server software does not stand still any more than the content management system itself, and databases also change over the years. So please do not assume that WordPress will do all the administrative work for you. It only makes creating new content easier. The security problems remain.


M.Sc. Chris Wojzechowski

My name is Chris Wojzechowski and I completed my Master's degree in Internet Security in Gelsenkirchen a few years ago. I am one of two managing directors of AWARE7 GmbH and a trained IT Risk Manager, IT-Grundschutz practitioner (TÜV) and possess the test procedure competence for § 8a BSIG. Our bread-and-butter business is performing penetration testing. We are also committed to promoting a broad understanding of IT security in Europe, which is why we offer the majority of our products free of charge.