Strona przewinięta w 0 %

Security challenges in WordPress – how we tackle them at Develtio

Security challenges in WordPress - Develtio

In our recent article about WordPress security, we’ve discussed the most common threats and popular steps to counteract them. The safety of our products was always of paramount importance to us, and we intend to keep it this way. Now, we would like to give you a more detailed insight into what WordPress security means to us and how we strive to go above and beyond the industry standards to keep your website safe and your valuable data intact. Read on to learn about Develtio’s unique way of dealing with WordPress security threats.

WordPress Security and The Big Misconception

We can all agree that the numbers are staggering – with every passing minute, hackers carry out over 90k attack attempts on WordPress websites all over the world. Almost 30k WordPress vulnerabilities have been discovered to date, and 83% of CMS-based websites that got hacked, were built on WordPress. No wonder the security capabilities of WordPress are often criticized. And rightly so? Well… Not exactly.

The bigger they are…

First and foremost, we cannot ignore the scale effect. WordPress powers one out of every three websites on the global Internet and then some. Currently, there are over 455 million active websites using WordPress, and more than 500 new WordPress sites are created daily. Over 64% of websites known to use CMS are WordPress based. Therefore, it’s not much of a surprise that the hackers target the most popular technology – the probability of finding a poorly secured WordPress website is significantly higher than finding an equally easy prey created with Shopify, Wix, or Joomla. This means the efforts and resources put into finding WordPress vulnerabilities are much more likely to yield actual returns than any other case. In terms of prevalence, WordPress is in a league of its own.

…the harder they fall

WordPress is big because it is easy, but it also is easy because it is big. One of the tenets of immense WordPress popularity is its beginner-friendly nature. You don’t need to know Python from Monty Python to build a fully functional WordPress site within half an hour. You can slap on the first decent-looking theme you’ve found, add some free plugins, and that’s it; the work is done. In theory, at least.
Will such a website be secure? Not necessarily. Is WordPress at fault here? Not really either. Given its open-source nature, it’s only logical to assume that not only highly-skilled and good-natured people are involved in creating add-ons for the platform. Some lack the experience to create a safe piece of code, and others would release leaky software on purpose to secretly get access and wreak havoc on your server.
For many website owners, especially beginners, security is not something to be concerned with. Enough said, the most widespread passwords on the Internet are at the same time the easiest to guess. If that many people think “12345” is enough for a password, then no wonder other basic safety principles aren’t universally followed either. And a tool is only as good as the hands that wield it.

Critical core WordPress vulnerabilities – theory vs. life

When the topic of WordPress safety is discussed, many forget that only 3% of known WordPress vulnerabilities originate from WP core files. A staggering 91% comes from community-made plugins, and the remaining 6% from themes.
Of these 3% of core files vulnerabilities, only a tiny fraction is considered critical. Furthermore, the way they’re classified as “critical” says a lot about the scope of damage they can cause in theory but tells us nothing about their harming potential from a practical standpoint. And this can be misleading, as these vulnerabilities usually require attackers to obtain high-level access to the site. If your admin account is adequately secured with a strong password and 2-Factor Authentication, the cybercriminal won’t be able to get in and utilize the critical vulnerability anyway. On the other hand, if your admin password can be cracked by a six-year-old, then the critical vulnerability isn’t needed for the hacker to go medieval on your site.

WordPress has been around for almost two decades. It’s a matured platform looked after by a large team of renowned cybersecurity specialists. They provide regular updates and patch issues in an instant. No software is 100% secure, but when it comes to WordPress core, the level of effective risk reduction doesn’t leave much to be desired.

You know
that you can change
your business.
Let's start now

So, what’s the biggest problem then?

In short? Community-made add-ons. Anyone can create a plugin and release it outside of an official repository. Plugin authors often focus on providing functionality first, then the performance, and leave the security patching for later. Ensuring the safety of the software is usually the most challenging and time-consuming aspect of the process.

Sometimes creators don’t realize they can utilize established WordPress techniques used for, e.g., exchanging information with a database. They create their own methods instead. And that can work, but more often than not, these methods are not properly vetted for their safety, which results in backdoors opened wide for people with bad intentions. The open structure of WordPress is a beautiful thing, but 91% of vulnerabilities coming from community plugins speak volumes about the actual roots of the patchy security records for numerous WordPress websites.

How does Develtio tackle website security issues?

We realize that direct hacking attacks are not physically staged by some shady guy (sitting in his mum’s basement) poking for holes in your website’s code. 99% of hack attempts are performed by malicious bots crawling the internet and simultaneously scanning thousands of sites for vulnerabilities. Should they find one, they either steal the data, inject harmful code, or notify the hacker that the site is vulnerable. This is why at Develtio, we primarily make sure our products have nothing for crawlers to hold onto. This approach is based on the following elements:

  • We employ our own Security Starter Pack
  • We avoid using third-party plugins and themes
  • We routinely perform our custom, comprehensive Security Scans

Let’s take a closer look at them, shall we?

Develtio Security Starter Pack

Throughout the years of developing products with an increased focus on their security, we’ve come up with our own set of safety protocols and behavioral patterns strictly followed during the building and maintenance phase of the product’s lifecycle. We approach every new project in accordance with WordPress best practices, but first and foremost, we utilize our own set of advanced development procedures and tools fine-tuned over the years of practice. These procedures are not carved in stone, though – each project we work on is an opportunity to modify our methods, as, above all, we firmly believe in flexibility. Our clients’ testimonials can concur. Furthermore, our sites are regularly subjected to thorough audits by independent cybersecurity specialists and customers’ own security departments.

Third-party Plugins and Themes

It’s not like we don’t utilize pre-made add-ons at all. Sometimes there’s just no point in trying to reinvent the wheel. But whenever using a third-party plugin is considered, we carefully wage its pros and cons and use only proven solutions.

We do not believe in using external plugins as a viable method for developing websites. For us, plugins can serve as a base for our solutions to be built upon. We can make use of their certain functionalities, but we never offer them as an ultimate answer to our client’s needs.

The same goes for themes. The pre-made ones can sometimes be a source of inspiration, sure, but security-wise we firmly trust in our own designs.

Security Scans – the ace up our sleeve

Seasoned developers would say that your software always has one more vulnerability than you’re aware of. That’s why “hope for the best, prepare for the worst” became our default stance. In line with this, we’ve introduced comprehensive Security Scans as a part of our SLA care and support package.

The premise of this feature is simple – our clients’ websites are regularly inspected for vulnerabilities. The process is fully automated and can be performed in agreed time intervals – by default, it’s set to launch every two weeks. And our scanner utilizes the renowned WPScan database, ensuring no known vulnerabilities will be left undiscovered.

But the uniqueness of our solution lies elsewhere – we’ve enriched the scanning software with a custom-made set of rules explicitly aimed toward both common and occasional mistakes made by developers. Say a client’s developer performed debugging on a recently finished piece of code. The application left a debug.log file on the server, and it hasn’t been manually removed. Develtio’s security scanning engine automatically searches for debugging logs and notifies our SLA team when a file is found. An overlooked debugging log may sometimes contain information that can be used to gain unauthorized access to the site. Some hacker bots look specifically for these files.

expert comment

Autor

Mariusz Tarnaski
Chief Technical Officer at Develtio

Now and then, people make tiny, innocent mistakes that, under certain conditions, can lead to a website being compromised. Our Security Scanner counteracts precisely that. Not all human errors can be avoided, but thanks to our software, the potential consequences are eliminated before any harm is done.

When a problem is discovered, the scanner submits an instant notification to the SLA Team. The issue is picked up and dealt with as soon as possible.
Our Security Scanner will also send notifications whenever core WordPress, a plugin, or a theme requires updating. Keeping all modules up-to-date is crucial when the site’s security is at stake.

It’s worth noting that Security Scans and other measures mentioned above are always a part of our offer. We do not charge extra for any of this; it’s our golden standard.

Develtio – security done right

For many business owners, WordPress is an excellent website-building platform unmatched for its ease of use and flexibility. We fully share this sentiment at Develtio, but we also see how crucial it is to prioritize security on a platform of such popularity and scope. As long as it’s on the top, WordPress is and will be relentlessly targeted by cybercriminals seeking to exploit any vulnerabilities – and that is not going to change anytime soon.
We strongly believe WordPress is secure, but to ensure its safety, a sensible and cautious attitude is needed. We offer this approach to our clients because we know our customized solutions will always guarantee the highest security level available. If you care for the safety of your website as much as we do for our customers, why don’t you become one of them? Drop us a line, and let’s talk about the security of your business.

left arrow
left arrow

What can we do for you?

Talk to us about your project and let's start building it together!

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Błażej Dziuk
PROJECT ANALYST