The State of WordPress Security in 2015

Security should always be a concern for any responsible site owner, but – as evidenced by recent showstoppers such as Heartbleed, Winshock and the Apple Xara revelations – WordPress is no more at risk than any other high-profile software project.

2015 has been fairly hectic for the WordPress Security Team with the 4.2.4 release being the fifth security release this year alone – a significant uptick in activity compared to 2013 and 2014’s totals of three per year.

For those new to the WordPress release cycle, minor versions (or point releases) are reserved for addressing security vulnerabilities and fixing critical bugs. Basically, if you a see a release with three numbers in it, it’s definitely time to update.

The specific vulnerabilities addressed in 4.2.4 were uncovered by a combination of members of the WordPress Security Team (hat-tip to Helen Hou-Sandí) and third-party developers.

Issues addressed included three cross-site scripting (XSS) vulnerabilities, a potential SQL injection point, and a side-channel attack source.

You can find a breakdown of the XSS vulnerability over at the Sucuri blog, and the SQL injection issue has been discussed in some detail online by its discoverer Netanel Rubin.

Keep a keen eye out for these!

The developers also managed to squeeze in fixes to shortcode bugs introduced in WordPress 4.2.3 which had previously caused some significant headaches for plugin developers.

There’s an excellent interview with Gary Pendergast of the WordPress Security Team over at WP Tavern where he and Jeff Chandler discuss many of the issues raised by previous security releases this year as well.

Far from implying that there is a fundamental problem with the platform, this year’s run of security updates merely demonstrate how well the systems in place for core are working.

Nikolay Bachiyski: WordPress’ first official Security Czar

As one of the highest profile online targets for over a decade, WordPress has had solid security processes in place for years, along with a dedicated Security Team of 25 members composed of Automattic employees and third-party web security experts.

The recent appointment of Nikolay Bachiyski as WordPress’ first official Security Czar shows that efforts to harden the platform and improve communication around the topic of security are active and ongoing.

There’s a good interview with Nikolay over at VaultPress where he goes into more detail about aspects of his new role and his recent presentation on security principles at WordCamp Europe is also worth a look.

At its heart, WordPress is a fundamentally secure platform but site owners still need to follow the basics in hardening WordPress and pay particular attention to plugin and theme selection. Robert Abela has a great overview of the main current vulnerabilities in those departments over at WP White Security.

Best WordPress Security Plugins

Plugins are famously a fairly significant attack vector in their own right, and even high profile providers such as Yoast have run into difficulties over the years.

There are, however, a number of excellent security-related plugins available you can use to take some of the hard work out of hardening your site.

Sucuri have a superb, detailed examination of the security plugin landscape broken out into the categories of prevention, detection, auditing and utility that’s well worth some of your reading time. It’s a great starting point for getting your head around the many issues involved.

The following two plugins in particular are highly recommended:

Find out More about Security

Online security is a huge and ever-shifting domain of knowledge, but there are a number of introductory resources we recommend to help keep you up to speed and sharpen your security skills:

  • WP Engine’s Security Best Practices: As one of the leading managed hosting solutions for WordPress, WP Engine know more than most about what it takes to run a tight ship. Their security white paper is an excellent introduction to current best practices.
  • In addition to making one of the best WordPress security plugins around, Sucuri also provide an absolute treasure trove of information on both their main site and blog. Posts such as How Did My WordPress Website Get Hacked? and 10 Tips to Improve Your Website Security are great jumping off points.
  • Security blogs: Online security is a subject that can quickly get baffling for the non-technically minded, but Bruce Schneier and Brian Krebs both cover serious topics in an accessible and engaging manner.
  • Online courses: offers a range of web security courses targeting all levels of expertise. For those looking to take things to the next level, the Coursera Computer Security course has you covered.


Although the recent spate of security updates has set some users’ nerves on edge, the thing is that WordPress has never been safer than it is today and is happily used by Fortune 500 companies and major news organizations.

That said, it is still your responsibility as a site owner to make sure you’re covering the basics:

  • Always update to the latest version.
  • Make sure you’ve reviewed the standard WordPress hardening advice.
  • Carefully review any third-party plugins or themes you use on your site.
  • Review your hosting provider’s security track record before signing up.
  • Use a security plugin to add an extra layer of protection to your site.

We’re curious to hear your thoughts on the recent run of security updates and whether there is a particular aspect of WordPress security you’d like to see us cover in more detail.

Leave a Comment