PHP security issues

In the early 1990s web design was in its infancy and blogging was not what we know today. Websites were developed and maintained by IT specialists and graphic designers. Blogs were sections of websites telling you about the latest updates, and a few were online diaries. A lot has changed in the last 20 years, with more people creating websites, and more and more people, including yours truly, are blogging.

In 1994 PHP was developed. PHP is a programming language used in web development, and it was later used to create Drupal and WordPress, which have made blogging and web design much easier to do. Anyone using Drupal or WordPress does not need any major IT skills, as templates are provided to produce your blog or website. You can also add plugins, which add more functionality and let users tailor their sites to their specific needs. Plugins are the blog and website versions of apps.

WordPress is used in 22.0% of the top 10 million websites as of August 2013 and it is also the most popular blogging system used in 60 million websites. Drupal is used as a back-end framework for at least 2.1% of all Web sites worldwide from personal blogs to corporate, political, and government websites including WhiteHouse.gov and data.gov.uk.

As WordPress and Drupal are Open Source platforms, anyone can access their code and look for vulnerabilities. Since Drupal is used by political and government websites it is naturally more secure than WordPress, and this is also because it has far fewer users than WordPress. As more than a fifth of the 10 million most popular websites are built with WordPress, they become viable targets. It is also worth noting that the majority of bloggers use WordPress too.

If you use WordPress you have two options: hosting your website or blog on WordPress.com, or self-hosting, where you buy your blog/website address and host it with a web hosting company. WordPress also has over 30,000 plugins available, some free and some paid for. As I mentioned before, plugins give you a lot of functionality, but they can also give you major headaches. When it comes to installing plugins the majority of users use free ones, which is where your problems can start. Free plugins have been known to secretly steal your data and also attack the PHP code that WordPress runs on.

Last month a critical vulnerability in a popular newsletter plug-in for WordPress was actively targeted by hackers and used to compromise an estimated 50,000 sites. The security flaw was located in MailPoet Newsletters, previously known as wysija-newsletters, and was fixed in version 2.6.7 of the plug-in, released on July 1. It allowed attackers to upload arbitrary PHP files to the web server and take control of the site if it was not updated.
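The flaw described above belongs to the arbitrary-file-upload class: a handler that stores whatever the client sends, under a name the client chose, in a directory the web server will happily execute PHP from. The following is an added example of how an upload handler should refuse that, written for this post; it is not MailPoet's or WordPress's own code, and it assumes an image-only upload feature (the `ALLOWED_TYPES` table and the `validateUpload` function are names I chose here):

```php
<?php
// Added example, not MailPoet's or WordPress's code: a minimal upload handler
// that never lets an executable script reach the web root.

// Allow-list of extensions and the MIME type each must really have.
// Assumption: this feature only accepts images.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one entry of $_FILES and move it into $uploadDir.
 * Returns the stored path, or throws on anything suspicious.
 */
function validateUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }

    // Only the LAST extension counts and it must be on the allow-list; a
    // double-extension name such as picture.php.jpg still ends in "jpg" here,
    // but the stored name below is generated by us, so "php" never survives.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('Extension not allowed: ' . $ext);
    }

    // Sniff the real content type from the bytes. $file['type'] is supplied
    // by the browser and therefore by the attacker, so it is ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }

    // Choose the stored name ourselves: no client path components, no
    // client extension, so traversal and script names are impossible.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    return $target;
}

// Usage in a form handler (the field name "attachment" is an assumption):
// $stored = validateUpload($_FILES['attachment'], __DIR__ . '/uploads');
```

Two things to note. The check on the sniffed MIME type is what stops a PHP file renamed to `.jpg`, and generating the filename is what stops a crafted name from landing somewhere else. Even so, the uploads directory should also be configured in the web server so that nothing in it is executed as a script; that way a validation bug in any one plugin does not become a takeover of the whole site.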

Whenever there is an update for a plugin or for WordPress itself, it is normally a security update that patches a vulnerability that has been found. Some blogs and websites are protected by a Web Application Firewall (WAF), which puts a protective shield in front of vulnerable websites. That is a good start, but it can lull you into a false sense of security, resulting in no updates being installed.

Here are 8 tips that will ensure your WordPress site is secure.

1 – Whenever an update for WordPress is available, install it. WordPress 4.0 will be available in the next couple of weeks.

2 – Always have the latest versions of your plugins and themes installed.

3 – Choose carefully what plugins and themes you use. The wrong plugin or theme can help facilitate a security breach.

4 – Delete the user named admin, and always remove unused plugins, themes and users.

5 – Make sure every user has their own strong password which must include letters, numbers and symbols.

6 – Force both logins and admin access to use HTTPS.

7 – Consider moving to a dedicated WordPress hosting company if you are hosting on WordPress.com. By doing this you have more control over your site, and hackers are less likely to go near a self-hosted site when they can reach thousands of sites by attacking WordPress.com.

8 – Put a Web Application Firewall in front of your website.
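Most of these tips are done in the WordPress dashboard or at the host, but tip 6 is a two-line change to `wp-config.php`. Here is that change as an added example (my own config fragment, not the page author's); `FORCE_SSL_ADMIN` is WordPress's real constant, while the `X-Forwarded-Proto` handling assumes your host terminates TLS on a proxy in front of PHP and sets that header:

```php
<?php
// Added example for tip 6: lines for wp-config.php, placed above the
// "That's all, stop editing!" comment that WordPress ships in that file.

// Serve wp-login.php and everything under /wp-admin/ over HTTPS only.
// Plain-HTTP requests to those URLs are redirected, so passwords and the
// logged-in cookies are never sent in the clear.
define('FORCE_SSL_ADMIN', true);

// Edge case: behind a TLS-terminating reverse proxy or CDN, PHP itself sees
// plain HTTP, and FORCE_SSL_ADMIN would redirect to HTTPS forever. Tell
// WordPress the original request was HTTPS, but only trust this header if
// your hosting really sets it (assumption for this example).
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

Check it by loading your login page over plain `http://` and confirming you are redirected to `https://`. The constant only protects the login and admin area; for the rest of the site, set the WordPress Address and Site Address to `https://` as well, and never add the proxy lines on a host where a visitor could set that header themselves.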

You will never get a 100% secure WordPress blog or site, but if you follow my tips you will have greatly decreased the chances of it being compromised. Also never forget that one of the biggest mistakes made is never installing updates, so please install them.
