The question of whether WordPress is secure is complicated. While it is evidently secure enough for the roughly quarter of the world's websites that run on it, it is not without its flaws.
So who is responsible for the security of WordPress? Of course, part of that responsibility ultimately falls on your shoulders. This is why it is essential to know and follow WordPress security best practices in order to keep every site you build as secure as possible.

However, the team behind WordPress also carries some of the responsibility. After all, there is nothing you can do yourself to protect WordPress core.

If the question of WordPress security bothers you as much as it bothers anyone trying to do business online, keep reading.

I'm going to talk about part of the story of WordPress security issues and what the WordPress project is doing about them.

A brief history of WordPress security issues

The problem isn't necessarily that WordPress is a weak content management system, prone to hacking attempts and security holes. It is more likely a visibility issue. WordPress is the most popular CMS in the world, so of course it's going to be an attractive target for hackers.

WordPress is commonly criticized online (in blogs, forums, podcasts, etc.). As a result, the platform's weaknesses are well known. It makes sense, then, that hackers would primarily target WordPress websites, doesn't it?

Security is a major talking point for every WordPress blog and web development site. According to the WordPress project (the team responsible for managing the security of the platform), they release security patches all the time. You know those auto-update notifications you get when you log into the dashboard? "WordPress has been updated to 4.7.2" or something like that? Well, usually when you see one of these minor releases come out, it's because the team had to fix a security issue.

And these happen often:

The 2016 Panama Papers data breach was attributed, in part, to a vulnerability in the Revolution Slider WordPress plugin.

That said, it's reassuring to see how WordPress handled a very recent and high-profile security breach stemming from the REST API.

Here's how things went:

  • In January 2017, WordPress released update 4.7.2. Nowhere in the list of updates or fixes was the security patch mentioned.
  • About a week later, WordPress informed users that there had indeed been a security flaw detected and corrected in this update.
  • The reason they gave for the delay in notifying users? They wanted to give people time to update core before hackers knew that WordPress had found and fixed the issue.

Of course, that didn't stop hackers from defacing 1.5 million WordPress sites in the meantime. There were also WordPress users who never updated the CMS (or did so too late) and who remained vulnerable to the attack.

So even though a patch was eventually released by WordPress and they handled the announcement with much-needed tact, over a million sites were affected in the process. Worse, many website owners remained unaware of the defacement even after it had happened.

Security patches seem to come out more and more frequently, with the highest rate of abuse in 2015. As more of these occur, it is important for you to know who is responsible for securing WordPress and what you can do on your end to make sure you are protected.


What you need to know about the WordPress project (and its security)

Here's what you need to know about the WordPress project and what they are doing to maintain core security.

The WordPress security team

First, let's talk about the WordPress project. This security team is made up of around 25 people, all experts in WordPress development or security. Currently, half of the people on the WordPress project work for Automattic.

This team of experts is responsible for identifying security risks in core. They are also responsible for examining potential issues with themes or plugins submitted by third parties and for making recommendations on how those developers can harden their tools or fix known vulnerabilities.

Although they usually work alone to identify and resolve these issues, they occasionally consult other experts in the field, particularly those from security and hosting companies.

How WordPress identifies security risks

As you might expect, the WordPress project team is running like a well-oiled machine. Here's how the process of identifying and resolving security risks works:

  • A problem is identified by someone on the security team or by someone outside it. People who are not members of the project can report issues they find by sending an email to [email protected].
  • A report is recorded and the security team acknowledges receipt.
  • Team members then work together on a private server to verify that the threat is valid.
  • This is where they track, test and repair the security vulnerabilities that were found.
  • The security patch is then added to the next minor release of WordPress.
  • For less serious fixes, WordPress simply notifies users in the WordPress dashboard when an automatic update goes out.
  • For more urgent matters, the release goes out immediately and WordPress.org announces it on the site's News page.

Of course, as we saw with 4.7.2, WordPress doesn't always announce these security fixes right away (for valid reasons), although they always take immediate action to resolve them.

Note on automatic updates

Since version 3.7, WordPress has been able to push minor updates to all websites automatically. This lets the WordPress security team get urgent fixes out in a timely manner without having to wait for users to agree to and apply the update on each of their websites.

However, WordPress users can turn these automatic updates off. If that is the case for you, be aware that it can put your site at risk, especially if you don't have the time to diligently monitor all of your sites for the latest update.
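As an added example (not code from the original post or from the WordPress project), here is a small must-use plugin that audits whether minor core auto-updates are actually able to run on a site. It checks the real wp-config.php constants and filters WordPress consults (`AUTOMATIC_UPDATER_DISABLED`, `DISALLOW_FILE_MODS`, `WP_AUTO_UPDATE_CORE`, `automatic_updater_disabled`, `allow_minor_auto_core_updates`) and shows a dashboard notice if any of them blocks the updater; the function name and notice wording are my own.

```php
<?php
/**
 * Plugin Name: Core auto-update audit (example mu-plugin)
 * Drop this file into wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 * Assumes WordPress 3.7 or later, where minor core auto-updates exist.
 */

// Returns a list of reasons why minor core auto-updates would NOT run on this site.
// An empty list means the site will receive security point releases automatically.
function example_core_autoupdate_blockers() {
    $reasons = array();

    // Constants from wp-config.php that switch the background updater off entirely.
    if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
        $reasons[] = 'AUTOMATIC_UPDATER_DISABLED is true in wp-config.php';
    }
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
        $reasons[] = 'DISALLOW_FILE_MODS is true (blocks every update, not only core)';
    }
    // WP_AUTO_UPDATE_CORE: true or 'minor' keeps minor updates on; false turns them off.
    if ( defined( 'WP_AUTO_UPDATE_CORE' ) && false === WP_AUTO_UPDATE_CORE ) {
        $reasons[] = 'WP_AUTO_UPDATE_CORE is false in wp-config.php';
    }
    // Filters a plugin or theme may have hooked to veto the updater.
    if ( apply_filters( 'automatic_updater_disabled', false ) ) {
        $reasons[] = 'a plugin or theme returns true from the automatic_updater_disabled filter';
    }
    if ( ! apply_filters( 'allow_minor_auto_core_updates', true ) ) {
        $reasons[] = 'a plugin or theme returns false from the allow_minor_auto_core_updates filter';
    }
    // Background updates are triggered from WP-Cron; without it, nothing schedules the check.
    if ( defined( 'DISABLE_WP_CRON' ) && DISABLE_WP_CRON ) {
        $reasons[] = 'DISABLE_WP_CRON is true: make sure a system cron job requests wp-cron.php';
    }
    return $reasons;
}

// Surface the result as a dashboard notice to users who are allowed to update core.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_core' ) ) {
        return;
    }
    $reasons = example_core_autoupdate_blockers();
    if ( empty( $reasons ) ) {
        return;
    }
    echo '<div class="notice notice-error"><p><strong>Minor core auto-updates are blocked:</strong></p><ul>';
    foreach ( $reasons as $reason ) {
        echo '<li>' . esc_html( $reason ) . '</li>';
    }
    echo '</ul></div>';
} );
```

If the notice appears, the weak setting is usually `define( 'WP_AUTO_UPDATE_CORE', false );` or `define( 'AUTOMATIC_UPDATER_DISABLED', true );` in wp-config.php; the corrected setting that matches WordPress's default behaviour is `define( 'WP_AUTO_UPDATE_CORE', 'minor' );` with the disabling constant removed.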

Security of plugins and themes

Just as it is your responsibility to give your visitors a better web experience, developers of WordPress plugins and themes are responsible for the security of their users (i.e. you). While WordPress can't personally vet the tens of thousands of plugins and themes, they can at least keep a close eye on them to make sure nothing serious slips through the cracks.

The WordPress project is the team responsible for working with developers when a security issue is detected. Prior to that, however, there is a team of volunteers assigned to review each theme or plugin submitted to WordPress. This team will work with developers to ensure best practices are followed.

However, security vulnerabilities can still arise, and this is when the WordPress security team steps in to:

  • Provide documentation for WordPress developers on the development of plugins and themes as well as on best practices in security.
  • Monitor plugins and themes for possible security holes. Any problem detected will then be brought to the attention of the developer.
  • Remove harmful plugins or themes from the directory if developers do not respond or cooperate.

WordPress then notifies its users through the admin dashboard when these security fixes (or the removal of bad plugins and themes) are available.

WordPress security requires your vigilance

After going through all of this, it makes me a little more comfortable knowing that there is a dedicated team working to keep the WordPress core secure at all times. However, that doesn't mean I (or you) should be lulled into that feeling of complacency.

As we saw this past January, with 1.5 million websites defaced, no matter how good the WordPress project is at monitoring and securing the platform, hackers will find a way in.

That's why it's important to play your part in all of this and keep your sites secure from all angles.