At the start of this report into WordPress security, we listed three main objectives, which were:

  • To provide an explanation of how WordPress sites are often compromised and why. This will be based on real data gathered from the Defiant Threat Intelligence database.
  • To highlight the importance of responsible disclosure of vulnerabilities, showing the real damage that is done when proper procedures are not followed in making such disclosures.
  • To give insight to Information Security professionals on what they can do to help keep websites secure.

We have provided a detailed explanation of what WordPress is and why it is such a popular target for hackers. This included a discussion of alternative Content Management Systems, showing that WordPress is by far the most widely used system globally, powering over one third of all websites.

We analysed the OWASP Top 10 vulnerabilities and demonstrated how WordPress sites were impacted by each of these vulnerabilities. We also indicated some of the reasons that WordPress sites might be targeted by hackers.

The principal idea behind this report was to underline the importance of disclosing any vulnerabilities in a responsible way. In chapter 6 we were able to use data from the Defiant Threat Intelligence database to demonstrate how serious the impact of an irresponsible disclosure can be. We were able to see the millions of attacks that were attempted in the minutes, hours, days and months following an irresponsible disclosure and compare that with the number of attacks attempted against vulnerabilities that were disclosed responsibly.

Throughout the report, and in particular in chapter 7, we provided information to help advise website administrators, owners and Information Security professionals on how best to keep WordPress websites secure. This included a discussion on how to best choose plugins and themes, as well as best practices that should be followed. This has therefore resulted in a document that is not purely theoretical but of practical benefit to users and technology professionals.


Part 8 – WordPress Security – Conclusions