WordPress itself is secure, but some of the pieces bolted onto it are not. What’s really getting out of hand, though, is the security reporting on one side versus the thumps on the head from folks who don’t want to unduly scare people away from WordPress on the other. And then there are folks like me, trying our best to get site owners to do basic security by whatever means will get their attention before they get hacked. Here’s what’s really going on with all this, and what you need to know to properly vet the information you’re being fed about it from every direction.
WordFence and the Forbes Hack
Today, Mark Maunder of WordFence weighed in with his take on the Forbes hack back in Nov 2014.
He started the article by talking about the rising tensions in the information security sector about the type of attack this was and who perpetrated it.
The hack was a chain of zero-day attacks, which Invincea was quoted as calling so rare it amounted to “a Unicorn in cybersecurity.” It was possibly the work of a Chinese espionage group targeting defense and financial services firms.
Okay, no problem.
And then Maunder jumped from that to WordPress.
Wait! What?
Here’s his exact statement:
“Many of our readers work at banks and for defense contractors and other interesting targets. We are the prime target for watering hole attacks like this. All an attacker needs is a wide-spread zero day vulnerability in a plugin which would allow them to exploit your site and install malware which would infect your visitors. The attacker can then go after their true target which is the internal networks of your site visitors.”
One Step at a Time
“Many of our readers work at banks and for defense contractors.”
Where the reader works has nothing to do with what threatens my site. In a watering hole attack the visitor is the prize, not the attacker, and the weak point is still the site itself.
“All an attacker needs is a wide-spread zero day vulnerability in a plugin.”
Vulnerabilities in plugins happen every single day already. We’re still here. Some vulnerabilities are worse than others. And some plugins are more popular than others.
Which leads me to the next type of reporting.
100,000 WordPress Sites Hacked
I have yet to see a report with that number used where they actually verified the number of sites hacked.
Here’s a recent such post from Authority Labs.
I know +Jeremy Rivera and he’s a great guy. And this is a good post about keeping your site safe. But, there are two images in it that are super misleading.
One image states that the popularity of WordPress makes it a big, easy target.
The other image states that over 100,000 WordPress sites were hacked due to a single plugin. He’s referencing the Rev Slider plugin. And nobody has any idea how many sites were actually hacked. They don’t even know how many folks actually have the plugin active on their sites. One of the reasons is because it came bundled with some themes and those site owners may never have gotten notification there was an update available.
Soak Soak Reports
Sucuri first reported that hundreds of thousands of sites had been infected by Soak Soak.
The most recent report has been downgraded to over 100,000 WordPress sites infected since the malware attack began on Sunday, December 14.
Yet, they have not provided the source of how they determined how many sites have been actually attacked.
In fact, one report stated that the folks at Sucuri could not confirm that number either, yet all posts running the story repeat it as if it’s real.
They have also reported that Google has slapped 11,000 sites with malware notices. Again, no source on where they are getting those numbers.
The Facts:
- There are 74.6 million WordPress sites that we know of. Half of them are on WordPress.com. The other half, 37.3 million, are self-hosted, and those are the ones at highest risk. source
- There are 1.2 billion sites on the web. source
- Self-hosted WordPress sites make up roughly 3.1% of all sites on the Web (37.3 million of 1.2 billion).
- 100,000 is 0.0083% of all sites on the Web, 0.13% of all WordPress sites, or 0.27% of self-hosted WordPress sites.
- 100,000 sites hit with anything is a drop in the bucket, unless of course your site is one of them, and then it’s everything.
- Put it this way: when 100,000 WordPress sites get hit with something, 74,500,000 do not.
- WordPress is not easy to hack. Poorly coded plugins are. Sites with no lock on the front door are. Any login on any portal with a weak password is.
- Your site is more likely to be hit by a DDoS or a flood of bot traffic than to be actually compromised. A DDoS overwhelms sites and whole servers, and hosts are seeing entire server farms brought to their knees by extortion DDoS attacks.
- Anything that leaves the door open to that kind of traffic is both a security and a performance problem. Some plugins effectively hand bots an open invitation to hammer your site.
Thumping Me on the Head
I’ve taken some heat from the reports and articles I’ve posted too. Once was for reporting a list of plugins that had an XSS vulnerability. Two well-known WordPress developers said I was inferring that WordPress was not secure. It was the one and only time either of them have ever spoken to me.
Another time was for stating that I didn’t like the fact that WordPress leaks the username, which is half the login and puts all the pressure on the password. If my online banking portal made it so easy to find half my login, I’d be justified in screaming and jumping up and down about it. But somehow, with WordPress, it’s okay. That was two years ago and I have yet to find a core developer who gives a flying flip. I still stand stunned and amazed at that.
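To make the username complaint above concrete, here is an added example (my own check script, not code from the original post or from WordPress). It assumes two WordPress defaults: a request for `/?author=N` redirects to `/author/<login-slug>/`, and, in current versions, `/wp-json/wp/v2/users` lists users. The HTTP fetch is injectable, so the logic runs offline against constructed responses; `example.com`, `alice` and `bob` are made up. Point `live_fetch` only at a site you own.

```python
"""Check whether a WordPress site gives away login names.

Added example, not code from the original post. Assumes WordPress defaults:
/?author=N redirects to /author/<login-slug>/ and /wp-json/wp/v2/users lists
users. fetch() is injectable so the check runs offline on constructed data.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# fetch(url) -> (status, headers, body). Redirects must NOT be followed:
# the Location header of the redirect is exactly what leaks the name.
Fetch = Callable[[str], Tuple[int, Dict[str, str], str]]

AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def username_from_author_redirect(location: Optional[str]) -> Optional[str]:
    """'https://example.com/author/alice/' -> 'alice'; None if no author path."""
    if not location:
        return None
    m = AUTHOR_RE.search(location)
    return m.group(1) if m else None


def usernames_from_rest(body: str) -> List[str]:
    """Collect the 'slug' of every user object in a /wp/v2/users response."""
    try:
        users = json.loads(body)
    except ValueError:
        return []
    if not isinstance(users, list):
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]


def enumerate_usernames(base_url: str, fetch: Fetch, max_ids: int = 5) -> Dict[str, List[str]]:
    """Probe author IDs 1..max_ids and the REST users endpoint; report what leaks."""
    found: Dict[str, List[str]] = {"author_redirect": [], "rest_api": []}
    for author_id in range(1, max_ids + 1):
        status, headers, _ = fetch(f"{base_url}/?author={author_id}")
        if status in (301, 302):
            name = username_from_author_redirect(header(headers, "Location"))
            if name and name not in found["author_redirect"]:
                found["author_redirect"].append(name)
    status, _, body = fetch(f"{base_url}/wp-json/wp/v2/users")
    if status == 200:
        found["rest_api"] = usernames_from_rest(body)
    return found


# Constructed responses standing in for a real, unhardened site (made-up names).
SAMPLE_RESPONSES = {
    "https://example.com/?author=1": (301, {"Location": "https://example.com/author/alice/"}, ""),
    "https://example.com/?author=2": (301, {"Location": "https://example.com/author/bob/"}, ""),
    "https://example.com/wp-json/wp/v2/users": (
        200, {"Content-Type": "application/json"},
        '[{"id": 1, "slug": "alice"}, {"id": 2, "slug": "bob"}]'),
}


def sample_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 30x responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Real HTTP fetch for a site you own; redirects are returned, not followed."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "wp-username-leak-check"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 30x and 4xx both land here with the real code
        return err.code, dict(err.headers), ""


if __name__ == "__main__":
    print(enumerate_usernames("https://example.com", sample_fetch))
    # Live check of your own site: enumerate_usernames("https://your-site", live_fetch)
```

If the script lists names for your site, the usual fixes sit outside core: have the web server answer `author=` query strings with a 403 instead of letting WordPress redirect, and remove the users route from the REST API for unauthenticated requests. Neither stops a password attack by itself, but it puts the attacker back to guessing both halves of the login.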
I’ve also been called out on writing post titles that get noticed and clicked. My headlines have been called sensationalism and even irresponsible.
And while I’m 100% positive that some folks are going to say I should get the log out of my own eye about this post, I say this:
I will continue to do whatever it takes to help more WordPress site owners to get serious about their site security.
I’m trying to reach 37.3 million self-hosted WordPress site owners. Of the fraction that will hear me, only some of them will take action to secure their site.
If that means sensational headlines, fine.
As long as what I’m reporting in the post is accurate and actionable, that’s where I draw the line, and the difference.
And, haters gonna hate no matter what I do.
What I See Everyday
Site Audits have become a big part of my business since the largest sustained bot attack in history started in late 2013.
Many folks heeded the warnings and got their sites secure before they got attacked.
Today, I stay booked with audit requests from folks finally feeling the pain from sluggish site performance or hosts shutting down their sites for overages.
I’ve expanded my team twice to help shoulder the workload and I expect to expand it twice again in 2015.
There’s that much work!!!
The reports I’ve seen say 85% of WordPress sites are unprotected. I’m not citing the source of where I read it because they never cited the source of how they came to that number.
Verified Stats
Here’s what I find during site audits and can personally verify:
- 26 security holes on average.
- 50% of sites hacked. That’s what I saw during my holiday special a couple of months ago.
Here’s what I can say about that last stat. I don’t know if more sites are actually being hacked, or if more hacked site owners are finding me and getting their sites audited. Or both. Either way, those sites are safer now.
Who Benefits from the Reports?
Wordfence has a free plugin as well as paid services and products. The same goes for Sucuri.
Both of them, along with other security folks, proactively hunt for vulnerabilities to stay ahead of the curve. Being first to report which plugins have issues is also marketing, and they have something to sell.
The problem comes in the reporting, or rather, the timing of the reporting.
That’s where responsible (coordinated) disclosure comes in.
Basically, it’s peer pressure in the security community: whoever finds the flaw is expected to contact the developer of the affected software and give them an agreed window to ship a fix (days at the short end, often weeks or months) before going public.
Does it help these companies to scare folks and sensationalize the reporting? Yes.
I’ve been accused of the same thing, to one degree or another. And I benefit from doing security audits.
I don’t give folks a false sense of security, or a vague sense of fear.
So far, I have ZERO complaints from the folks who actually get those audits. In fact, they are relieved. We see the real problems together and fix all of the issues, including things no plugin scanner can catch or stop. And they know how to keep their sites safe from then on too.
The Bottom Line
Is WordPress safe to use?
Yes, for now, and as much as any other PHP based CMS is. Plugins and lack of basic security measures are the weak links in the chain, not WordPress itself.
Why do I say “for now?”
Because the foundation code, like PHP, may come under attack, and that would affect far more than WordPress or other CMSs like Joomla and Drupal. If you’ve ever ordered a pizza online, the page that totals up your toppings is quite likely PHP, whatever CMS the site happens to run.
My Advice
Vet the reports you hear. Don’t fear what you don’t understand. Get in the know and do your part to stay cyber safe with your site and your personal devices, including your email, passwords, and other elements that contribute to your whole security.
- Stop your site from being overrun by bots.
- Stop blaming your host for overages.
- Get a site audit and see what’s going on with your site for yourself and fix it.
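“Stop your site from being overrun by bots” and the bot-flood point in the facts list above are easiest to act on if you can see the traffic. The following is an added example (mine, not code from the post or from any plugin) that reads an Apache/nginx combined-format access log and flags client IPs sending repeated POSTs to wp-login.php or xmlrpc.php inside a short window, which is what a login brute-force or xmlrpc amplification run looks like from the server side. The log lines, IP addresses and threshold values are constructed for the demonstration; tune `THRESHOLD` and `WINDOW` to your own traffic.

```python
"""Spot login brute-force and xmlrpc abuse in a web server access log.

Added example, not from the original post. Assumes the Apache/nginx
"combined" log format. Flags any client IP that sends more than THRESHOLD
POST requests to wp-login.php or xmlrpc.php within WINDOW seconds.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
WATCHED = ("/wp-login.php", "/xmlrpc.php")
THRESHOLD = 5   # more than this many POSTs ...
WINDOW = 60     # ... within this many seconds gets an IP flagged


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def find_abusers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak_hits} for IPs whose POSTs to a watched path exceed
    `threshold` inside a sliding window of `window` seconds. Lines for a given
    client are assumed to arrive in time order, as they do in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps of recent watched POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in WATCHED:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()   # expire hits older than the window
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample: one bot hammering wp-login.php (8 POSTs in 28 s), one
# client with two xmlrpc pings, and a real person logging in once.
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Dec/2014:03:14:{4 * i:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"'
    for i in range(8)
] + [
    '198.51.100.2 - - [15/Dec/2014:03:14:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1"',
    '198.51.100.2 - - [15/Dec/2014:03:14:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.1"',
    '192.0.2.9 - - [15/Dec/2014:03:14:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [15/Dec/2014:03:14:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 '
    '"https://example.com/wp-login.php" "Mozilla/5.0"',
]


if __name__ == "__main__":
    # Usage: python botcheck.py /var/log/nginx/access.log   (no argument: sample data)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, hits in find_abusers(source).items():
        print(f"{ip}: {hits} POSTs to login/xmlrpc within {WINDOW}s")
```

A flagged IP is a candidate for a firewall or fail2ban ban, but check the referer and status codes first: a real user who mistypes a password a few times produces a handful of 200s and one 302, whereas a bot produces a steady stream of 200s from wp-login.php with no referer.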
Fellow AWPer here. Great article. I cringe every time I read one of those articles which make up inane numbers like 100k sites hacked just for the sake of marketing. Hopefully people will tone down their writing and not make it sensational. It hurts the community in the long run.
Hello brother AWPer!! I understand why they have to do it. Hard to get folks’ attention, and in the end, it is raising awareness. But agreed about it needing to be tempered with perspective.