
Unmanaged WordPress not usually worth the risk or trouble

The main lesson I take from the WordPress RevSlider attacks is that, for self-hosters, vigilance is absolutely necessary, but perhaps not enough, to keep your WordPress site secure from attack.
Written by Larry Seltzer, Contributor

For some time WordPress, the popular blogging platform, has been one of the major attack target platforms on the web. A compromised site can deliver malware to users and be used to sell illicit goods, among other nefarious uses. Some users are better-protected against these attacks than others and I would argue that managed WordPress hosting is the only way to go, unless you plan to keep a close eye on the WordPress security scene and actively manage your own site.

This is yet another example of a general truism of security: You're better off, to the extent possible, hiring an expert to do your security work for you. Doing security is a major part of what managed WordPress hosting services do. The most famous of these is, of course, WordPress.com, but other large hosting services are in on the act, including GoDaddy and BlueHost.

Consider the incident a few days ago, in which Google blacklisted 11,000 WordPress sites because of a malware-spewing infection on those sites. The sites were running an old version of a popular plugin, Slider Revolution.

Back in early September, web security company Sucuri wrote about a critical vulnerability in Slider Revolution. (They credited the find to Mika Ariela Epstein, a.k.a. Ipstenu, of Dreamhost.) Sucuri estimates that as many as 100,000 WordPress sites are affected by this vulnerability.

It appears that only older versions of the plugin were vulnerable, but it's hard to say for sure since the authors and many distributors of the plugin aren't all that systematic about version numbers. The current version (4.6) is definitely fixed. One credible source says that all versions below 4.2 are exploitable. The real problem is, many users and sites get this plugin packaged as part of a WordPress Theme, and so it becomes the responsibility of the theme author/distributor to keep the plugin up to date.
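Because bundled copies sit outside the normal plugin update path, a self-hoster has to inventory them directly. The following is an added example, not code from the article or from the plugin's authors: it walks a `wp-content` tree, reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) from each PHP file, and reports copies older than a chosen version, noting which ones live under `themes/`. The function names and the sample tree are hypothetical; the 4.2 threshold is the article's "one credible source" figure, and the name to match is supplied by the caller because real header text may differ.

```python
import os
import re
import tempfile

# WordPress plugin header fields, e.g. " * Version: 4.1.4"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_version(text):
    """'4.1.4' -> (4, 1, 4); an empty tuple means no usable version."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def read_plugin_header(path):
    """Return (name, version) from a plugin header, or None if absent."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress reads only the first 8 KB
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value)
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")

def find_outdated(wp_content, name_substring, min_fixed):
    """Sorted (path, version, bundled_in_theme) for matching plugin copies
    older than min_fixed or with no readable version."""
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        for fname in (f for f in files if f.endswith(".php")):
            path = os.path.join(root, fname)
            header = read_plugin_header(path)
            if not header or name_substring.lower() not in header[0].lower():
                continue
            version = parse_version(header[1])
            if not version or version < parse_version(min_fixed):
                rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
                findings.append((rel, header[1], rel.startswith("themes/")))
    return sorted(findings)

def run_sample():
    """Constructed tree: an old copy bundled in a theme, a current standalone copy."""
    samples = {"themes/example-theme/plugins/slider/slider.php": "4.1.4",
               "plugins/slider/slider.php": "4.6"}
    with tempfile.TemporaryDirectory() as base:
        for rel, version in samples.items():
            path = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(f"<?php\n/*\n * Plugin Name: Slider Revolution\n * Version: {version}\n */\n")
        return find_outdated(base, "Slider Revolution", "4.2")

if __name__ == "__main__":
    for rel, version, bundled in run_sample():
        print(rel, version, "bundled in theme" if bundled else "standalone plugin")
```

A copy with no readable version is reported rather than skipped, since the article notes that version numbering for this plugin is not systematic.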

This Slider Revolution thing is the rule, not the exception, for WordPress security. In July we wrote about how, since May, Sucuri had "...found serious security holes in WordPress plugins WPTouch (5,670,626 downloads), Disqus (1,400,003 downloads), All In One SEO Pack (19,152,355 downloads), and MailPoet Newsletters (1,894,474 downloads)."

Incidentally, none of the 11,000 Google-blacklisted sites were on WordPress.com. This is not exactly because the site is actively managed, but because it has a list of allowed plugins and you can't use others. Many find this restrictive and it's not hard to see why. Not all managed WordPress hosts handle plugins this way; with GoDaddy you can use any plugin not on their blacklist. (Slider Revolution is not on the list.)

A few months ago my colleague David Gewirtz described how his sizable WordPress site gets hacked and then listed the various options for obtaining WordPress service. The biggest problem he has with WordPress.com is that you can't use whatever plugins you want. He's sophisticated enough to know that he takes a burden on himself to administer and secure his sites if he wants to run whatever he wants.

I asked Michael Adams, an engineer at Automattic, a major code contributor to the WordPress project and the operators of WordPress.com, about automatic updating issues for WordPress and plugins. He pointed out that "[S]ince version 3.7 (released over a year and 4 major versions ago), WordPress can automatically update itself for security releases. When a new security release is issued, the update rollout (millions of sites worldwide) is complete within a few hours. Our goal [i.e. the WordPress project's] is to reduce that time to less than one hour."

Large hosting services are pretty good about updating WordPress itself proactively and WordPress will email the site admin to notify of available updates.

Adams adds:

In addition to updating itself, WordPress also has the ability to automatically update installed plugins and themes for security releases as long as the plugin or theme in question is hosted on the official WordPress.org Plugin or Theme Directories. This ability is used only for the most critical plugin and theme updates and depends on the WordPress Security Team being made aware of the security issue, vetting the fix, evaluating the seriousness of the vulnerability, and evaluating the risk of shipping the new code.

The end result of this situation is that if you get careless or promiscuous with your WordPress plugins, it's not unlikely that a vulnerability will emerge in one of them. You may not know, but attackers will.

A managed service will be far more on top of these things than you are likely to be. A really strict managed service like WordPress.com will prevent many, and probably close to all, such attacks by limiting the plugins and themes you can use and rapidly updating what they support.

I used to run my own web servers and host them and manage every stupid little detail of them. I gave that up long ago just because I thought I was wasting my time, but security is an even bigger imperative. Many WordPress sites belong to people who don't know jack about computers, let alone web site administration. These users are much better off with a WordPress environment in which their options are limited, but their safety is protected.
