WordPress is a popular content management system (CMS) that allows people to quickly launch a web property online without building one from scratch in HTML and CSS. I chose to use WordPress as the CMS for my CSC301 Computer Security blog.
My experience with WordPress has been positive. WordPress has a shallow learning curve and the platform is customizable with countless themes and plugins available. In short order, you can get your web property looking the way you want. But there is a downside to any CMS – security is an issue.
Since WordPress usage and its community are so large, the primary source of vulnerabilities is the ecosystem itself: there are literally tens of thousands of themes and plugins written by thousands (or more) of developers that let you customize your site with whatever functionality you desire – there’s a plugin for it. Herein lies the problem. Developers of all skill levels are writing great plugins as well as complete garbage, and every plugin you activate runs with the full privileges of the WordPress install. In fairness, I see that most of the popular plugins have gone through many iterations and are reputable. New and untested plugins are a cause for alarm.
I decided to look into WordPress security further. How does someone secure their WordPress site? Searching ‘WordPress security scan’ is an immediate quagmire of monthly services offering everything from malware scans and DDoS protection to personalized pen testing. It’s a rabbit hole. Searching for WordPress security plugins is also a rabbit hole – many offer a free basic service but charge premiums for more encompassing services. You can take a hands-off approach and have a third party manage the hosting of your site at $29.99 a month. These hosts all say the same thing, if they say anything at all about security – we scan for malware and SQL injection and have backend rules to ban offending IP addresses. Those companies rely on whatever service they subscribe to that protects their own network. Like I said, WordPress is a large platform with many people angling for financial success.
I decided that perhaps I should read the docs about security at WordPress.org to learn more about WordPress security, the security of the WordPress API, or security best practices for a developer. Guess what I found? I was surprised to find nothing about security in the docs. I suspect there’s an internal process for managing security for the platform itself at the organizational level, but at the developer level, there is none. It’s the developer’s responsibility to write a secure theme or plugin and the community’s responsibility to report bugs. I’m still disappointed at the lack of security discussion at WordPress.org. A constructive suggestion would be for them to create a security tab and link some resources or create a simple best practices doc.
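To make concrete what “the developer’s responsibility to write a secure plugin” means, and why a carelessly written plugin is the attack surface described above, here is an added example that is not from the original post or from any real plugin: the same admin form handler written the way a sloppy plugin ships it, then hardened with the standard WordPress checks. The plugin name, the `gb_` function and action names, and the `gb_entries` table are made up for this illustration; the WordPress API calls (`check_admin_referer`, `current_user_can`, `sanitize_text_field`, `$wpdb->insert`, `wp_safe_redirect`, `wp_nonce_field`) are real.

```php
<?php
/*
 * Plugin Name: Guestbook Example (hypothetical, for illustration only)
 * Two versions of one admin-post handler. All gb_* names and the
 * gb_entries table are invented for this example; only the WordPress
 * API calls are real.
 */

// --- INSECURE: the pattern a careless plugin ships ---------------------------
// The *_nopriv hook lets unauthenticated visitors reach the handler, there is
// no nonce and no capability check, the raw POST value goes straight into SQL,
// and the redirect target is attacker-controlled.
add_action( 'admin_post_nopriv_gb_insecure_save', 'gb_insecure_save' );
add_action( 'admin_post_gb_insecure_save', 'gb_insecure_save' );
function gb_insecure_save() {
    global $wpdb;
    $msg = $_POST['message'];                                   // no sanitisation
    $wpdb->query(
        "INSERT INTO {$wpdb->prefix}gb_entries (message) VALUES ('$msg')"
    );                                                          // SQL injection
    wp_redirect( $_POST['return'] );                            // open redirect
    exit;
}

// --- HARDENED: same feature, with the checks a plugin must do itself ----------
add_action( 'admin_post_gb_save', 'gb_save' );                  // no *_nopriv hook: login required
function gb_save() {
    global $wpdb;

    // 1. CSRF: the form must carry a nonce bound to this action.
    check_admin_referer( 'gb_save_action', 'gb_nonce' );

    // 2. Authorisation: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Input validation: strip tags and control characters, bound the length.
    $msg = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    if ( '' === $msg || strlen( $msg ) > 1000 ) {
        wp_die( 'Invalid message', '', array( 'response' => 400 ) );
    }

    // 4. SQL: $wpdb->insert() escapes values according to the format array.
    $wpdb->insert(
        $wpdb->prefix . 'gb_entries',
        array( 'message' => $msg, 'user_id' => get_current_user_id() ),
        array( '%s', '%d' )
    );

    // 5. Redirect only within this site; wp_safe_redirect() rejects foreign hosts.
    wp_safe_redirect( admin_url( 'admin.php?page=gb&saved=1' ) );
    exit;
}

// The form that targets the hardened handler; wp_nonce_field() emits the nonce.
function gb_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="gb_save">
        <?php wp_nonce_field( 'gb_save_action', 'gb_nonce' ); ?>
        <textarea name="message" maxlength="1000"></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

// Output escaping when entries are displayed: the stored text is untrusted.
function gb_render_entries( array $rows ) {
    foreach ( $rows as $row ) {
        echo '<p>' . esc_html( $row->message ) . '</p>';
    }
}
```

None of the five checks in the hardened version is enforced by WordPress core on a plugin’s behalf, which is exactly why a site’s exposure scales with the number and quality of the plugins it runs.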
What’s my security solution for WordPress (because I do appreciate it as a platform)? I’m using Amazon’s AWS Lambda. What is Lambda? It’s AWS’s serverless compute service: you supply the application and AWS provisions and runs the underlying infrastructure, so there is no server of your own to build or patch. I simply click the application I’d like to launch and I’m done. AWS offers a WordPress application for Lambda that I was curious to try, since leveraging the AWS backend seems to make sense, especially if I don’t have to configure a thing. When I decided to read the docs about security at AWS, I was presented with multiple resources and services. There’s enough to be confused about, especially if you’re not familiar with their ever-evolving services.
I launched my blog in less than 30 minutes. It would have been faster, but I had to wait about 10 minutes for “attackworm.com” to propagate through AWS Route 53 (Amazon’s DNS service), and I had to skim a couple of articles about AWS Lambda applications and the FAQ.
My WordPress security strategy is to host my blog for $5 a month at AWS with a serverless instance. The other part of my strategy is to use the most popular, simple and vanilla theme with as few plugins as possible, so as to limit my exposure to vulnerabilities. Serverless hosting takes operating-system patching off my plate, but WordPress core, the theme and the plugins are still application code that only I will update; nothing at the hosting layer does that for me. It’s not difficult to do my part and keep a simple theme and one or two plugins up to date without breakage.
The rest of my strategy involves integrating and testing additional AWS security offerings and discussing my thoughts on this blog as an interesting security project and learning experience.
In my next article: A deeper discussion of AWS Lambda and my WordPress security adventure.