Is your WordPress security at risk with its open-source software?

Ever wondered about who developed that WordPress theme or plugin you are using on your website? Are they for real? Could they have written malicious code into their software to compromise your site's security, corrupt your database or steal information about your online users?

E RADAR's Will Roebuck discusses some of the security challenges facing organisations using open source software on their websites and suggests ways in which they can protect themselves from any dangerous threats. 

Open-source software is simply brilliant. It allows developers to showcase innovative ideas and push forward their creative boundaries under a licence to study, change and distribute the software for any purpose. Open-source software also provides an effective business model for promoting both free and premium products and services. Such innovation can only bring bountiful opportunities for a growing, expanding digital economy.

Take, for example, WordPress, the world's most popular free and open-source blogging tool and content management system (CMS). First released in 2003, WordPress's latest version was downloaded 20 million times in February 2014. With over 26,000 plugins in the repository, each of which offers custom functions and features enabling users to tailor their sites to their specific needs, WordPress is now a household name in website innovation. WordPress now boasts over 73 million websites built on its open-source platform.

But have you ever considered who developed that WordPress theme or plugin you are using on your website? Are they for real? Could they have written malicious code into their software to compromise your site's security, corrupt your database or steal information about your online users?

Unfortunately, unscrupulous developers have laced free downloadable theme files and plugins with everything from undetectable spam links to malware files that infect a site once the theme is installed.

On a positive note, however, many themes and plugins are developed collaboratively. If there were one rogue developer in that collaborative group, chances are they'd be found out.

So, it's not all doom and gloom. And it's often the case with all online risk issues that a balance must be struck between the interests of risk takers (the entrepreneurs) and those of risk managers (the lawyers, compliance officers and process managers).

Locking down your WordPress security

To help you remove the vulnerabilities in your WordPress install, here are E RADAR's top security tips. Remember that similar issues arise when you use other open-source software platforms for your website, for example, Joomla.

  • Download latest official WordPress version: Always make sure you are using the latest official version of WordPress. This is the version containing all the latest updates including security patches.
  • Purchase a premium template: Consider purchasing a premium or responsive theme from a reputable template designer. Have a good look around their website. Do they offer robust and immediate support for their themes? Are they members of a reputable affiliate programme? Are their themes rated by users/customers?

If you want free themes, you can scan them with the anti-virus program installed on your computer before uploading them, to detect any malicious code they may already contain. You just need to consider your risks more carefully.
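A desktop anti-virus scanner knows little about PHP, so a practitioner will usually also look inside the theme archive for the constructs tampered themes tend to carry: eval() of a decoded string, remote includes, the old preg_replace /e modifier and hidden spam links. The following Python script is an added example, not code from the article; the indicator list is an assumption of what to look for, the sample theme zip is constructed in memory, and a hit means "inspect this file by hand", not proof of malware. It also flags archive entries that would escape the theme directory on extraction.

```python
import io
import re
import zipfile

# Indicators of obfuscated or hidden code commonly seen in tampered theme files (assumed list).
INDICATORS = {
    "eval-of-decoded-string": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "base64-decode": re.compile(r"base64_decode\s*\(", re.I),
    "preg_replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]/[^/]*/[a-z]*e[a-z]*['\"]", re.I),
    "remote-include": re.compile(
        r"(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
    "hidden-link": re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I),
}

# Only text files are scanned; images and fonts are skipped.
SCANNED_EXTENSIONS = (".php", ".html", ".htm", ".js", ".css", ".txt")


def unsafe_member_path(name):
    """True for archive entries that would land outside the theme directory when extracted."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ".." in parts or bool(re.match(r"^[A-Za-z]:", name))


def scan_theme_archive(zip_bytes):
    """Scan every text file in a theme zip.

    Returns a sorted list of (member path, indicator name, line number);
    line number 0 marks an archive-level finding.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.namelist():
            if unsafe_member_path(member):
                findings.append((member, "unsafe-archive-path", 0))
                continue
            if member.endswith("/") or not member.lower().endswith(SCANNED_EXTENSIONS):
                continue
            text = archive.read(member).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for name, regex in INDICATORS.items():
                    if regex.search(line):
                        findings.append((member, name, lineno))
    return sorted(findings)


def build_sample_theme():
    """Constructed sample: a tiny theme zip with clean files and two tampered ones (not a real theme)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sample-theme/style.css",
                         "/*\nTheme Name: Sample Theme\n*/\nbody { margin: 0; }\n")
        archive.writestr("sample-theme/index.php",
                         "<?php get_header(); ?>\n<?php get_footer(); ?>\n")
        # functions.php line 3 evaluates a decoded string: classic obfuscated backdoor shape.
        archive.writestr("sample-theme/functions.php",
                         "<?php\nadd_action('init', 'sample_setup');\n"
                         "eval(base64_decode($payload));\n")
        # footer.php line 2 hides a link from visitors but not from search engines.
        archive.writestr("sample-theme/footer.php",
                         "<footer>\n<div style=\"display:none\">"
                         "<a href=\"http://example.invalid/\">spam</a></div>\n</footer>\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, indicator, lineno in scan_theme_archive(build_sample_theme()):
        print("%s:%d  %s" % (path, lineno, indicator))
```

For a real download, replace build_sample_theme() with the bytes of the zip you intend to upload; a clean theme from a reputable designer should produce no findings at all, and any eval-of-decoded-string hit is reason enough to discard the theme.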

  • Use well-rated plugins: Only use plugins that are popular and well-rated. Always check what users are saying about the plugin before downloading. Conduct a generic web search on a particular plugin for extra due diligence. Only download the plugin from a legitimate source. Is it the latest version of the plugin? Read any accompanying text file or instructions which may mention vulnerabilities. Ensure that you install the plugin correctly and that you set it up correctly as per the installation instructions.
  • Change default admin name: Attackers will try to break into the backend of your WordPress installation using the installation's default settings. Change your default administration login name from 'admin' to a username more unpredictable and challenging for hackers.
  • Change your password regularly: Change your password every 3 months. Make it different from any other password you are using online. People tend to reuse the same password. If one is stolen, it's likely that hackers will be able to access several of your online accounts in one go.
  • Harden your .htaccess file: WordPress is a database-backed platform that executes server-side scripts in PHP. Both of these characteristics can make WordPress vulnerable to malicious URL insertion attacks.

Add the following code to your .htaccess file to prevent these attacks from happening.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Refuse request methods a public blog never needs
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
# Refuse any request whose raw query string matches one of the patterns below ([NC] = case-insensitive)
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# Single quote restored here: copies of this list circulate with a mis-encoded character in its place
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# ... unless the request carries a WordPress login cookie
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>
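Before deploying a blacklist like this it is worth knowing exactly which requests it will refuse. The following Python emulation is an added example, not part of the article and not Apache itself: it applies the same query-string patterns with re.IGNORECASE standing in for [NC], the same method block and the same login-cookie exemption, and the requests it is run over are constructed.

```python
import re

# The RewriteCond patterns above, in order; Apache matches them against the raw,
# still percent-encoded query string, so the emulation does not URL-decode either.
QUERY_STRING_BLACKLIST = [
    r"\.\.\/",
    r"boot\.ini",
    r"tag\=",
    r"ftp\:",
    r"http\:",
    r"https\:",
    r"(\<|%3C).*script.*(\>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"^.*(\[|\]|\(|\)|<|>|'|\"|;|\?|\*|=$).*",
    r"^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).*",
    r"^.*(%24&x).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare).*",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_BLACKLIST]

BLOCKED_METHODS = {"HEAD", "TRACE", "DELETE", "TRACK"}


def matching_rule(query_string):
    """Return the first blacklist pattern the raw query string matches, or None."""
    for pattern, regex in zip(QUERY_STRING_BLACKLIST, COMPILED):
        if regex.search(query_string):
            return pattern
    return None


def is_forbidden(method, query_string, cookie_header=""):
    """Emulate the two 'RewriteRule ^(.*)$ - [F,L]' decisions for one request.

    method: HTTP method; query_string: raw query string without the '?';
    cookie_header: the raw Cookie request header, empty if none.
    """
    if method.upper() in BLOCKED_METHODS:
        return True
    # The final RewriteCond exempts any request whose Cookie header names a
    # wordpress_logged_in_* cookie; only the name is checked, not its value.
    if re.search(r"wordpress_logged_in_", cookie_header):
        return False
    return matching_rule(query_string) is not None


# Constructed sample requests: (method, query string, cookie header, description)
SAMPLE_REQUESTS = [
    ("GET", "p=123", "", "plain post permalink"),
    ("GET", "cat=3&orderby=date", "", "category listing"),
    ("GET", "page=../../wp-config.php", "", "path traversal attempt"),
    ("TRACE", "", "", "unneeded method"),
    ("GET", "s=select+committee", "", "legitimate search containing a SQL keyword"),
    ("GET", "s=caf%C3%A9", "", "legitimate search with a UTF-8 character"),
    ("GET", "tag=security", "", "tag archive on a site without pretty permalinks"),
    ("GET", "s=select+committee", "wordpress_logged_in_4f3a=editor", "same search by a logged-in editor"),
]

if __name__ == "__main__":
    for method, qs, cookie, what in SAMPLE_REQUESTS:
        verdict = "403" if is_forbidden(method, qs, cookie) else "allowed"
        print("%-8s %-5s ?%-28s %s (%s)" % (verdict, method, qs, what, matching_rule(qs)))
```

Run over the constructed requests, the rules refuse the traversal attempt and the TRACE method, but they also refuse a visitor's search for "select committee", any search term containing a non-ASCII character (every percent-encoded byte from %A0 upward matches the %A..%F alternatives) and the default ?tag= archive URL. Check the patterns against your own site's URLs and access logs before enabling them, and read the cookie exemption as a convenience for editors working in the backend rather than as a security boundary, since it tests only for the cookie's name.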

A standard WordPress install often contains several files which you want to keep private and certainly don’t want outsiders to access. These files, such as the WordPress configuration file, install script, and even the “readme” file should all be kept private. Add the following code to your .htaccess file to block access to private files.

# Disable directory listings
Options All -Indexes
# Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat,
# use "Require all denied" inside each <files> block instead
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
<files error_log>
Order allow,deny
Deny from all
</files>
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>
<files fantversion.php>
Order allow,deny
Deny from all
</files>
  • Change default table prefix: Make sure you change the 'wp_' default prefix for all your WordPress tables in MySQL. You can do this when setting up your new installation or by using a plugin. Some security experts argue that this will not stop a savvy hacker who can use other means to determine the table names in your installation. True or not, what you are doing is changing predictability and making it harder for hackers to gain control of your website.
  • Install good quality security plugins: Check out the growing selection of good security plugins in the WordPress repository. These include:

- Wordfence
- BulletProof Security
- Better WP Security (most highly-rated)
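Returning to the table-prefix tip above: changing the prefix on an existing install is easy to get half right. Renaming the tables alone leaves the rows that embed the prefix untouched, in particular the wp_user_roles option and the wp_capabilities and wp_user_level keys in usermeta, after which no user has a role. The Python helper below is an added example, not code from the article or from WordPress; it generates the statements for a single-site install, the table list is the constructed default core set, the prefix rule mirrors WordPress's own requirement of letters, digits and underscores, and $table_prefix in wp-config.php still has to be updated by hand. Take a database backup before running the output.

```python
import re

# Default single-site core tables (constructed list; add any plugin tables your install has).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "termmeta", "terms", "term_relationships", "term_taxonomy", "usermeta", "users"]

# WordPress accepts only letters, digits and underscores in $table_prefix.
PREFIX_RULE = re.compile(r"^[A-Za-z0-9_]+$")


def prefix_change_statements(old_prefix, new_prefix, tables=CORE_TABLES):
    """Return the SQL statements that rename the tables and repair rows embedding the old prefix."""
    for prefix in (old_prefix, new_prefix):
        if not PREFIX_RULE.match(prefix):
            raise ValueError("prefix may contain only letters, digits and underscores: %r" % prefix)
    if old_prefix == new_prefix:
        raise ValueError("old and new prefix are identical")

    stmts = []
    for table in tables:
        stmts.append(f"RENAME TABLE `{old_prefix}{table}` TO `{new_prefix}{table}`;")

    # Option names such as wp_user_roles carry the prefix: swap it using a fixed-length
    # LEFT() test rather than LIKE, whose '_' would act as a wildcard.
    n = len(old_prefix)
    stmts.append(
        f"UPDATE `{new_prefix}options` "
        f"SET option_name = CONCAT('{new_prefix}', SUBSTRING(option_name, {n + 1})) "
        f"WHERE LEFT(option_name, {n}) = '{old_prefix}';"
    )
    # usermeta keys wp_capabilities and wp_user_level carry it too; without this every
    # user logs in with no role at all.
    stmts.append(
        f"UPDATE `{new_prefix}usermeta` "
        f"SET meta_key = CONCAT('{new_prefix}', SUBSTRING(meta_key, {n + 1})) "
        f"WHERE LEFT(meta_key, {n}) = '{old_prefix}';"
    )
    stmts.append(f"-- finally set $table_prefix = '{new_prefix}'; in wp-config.php")
    return stmts


if __name__ == "__main__":
    print("\n".join(prefix_change_statements("wp_", "x7q_")))
```

Run the printed statements in a single transaction where your MySQL setup allows it, then update wp-config.php; if the site shows "you do not have sufficient permissions" afterwards, the two UPDATE statements were skipped.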


Will Roebuck is a guest lecturer on IT governance at Manchester University's School of Computer Science.
