Security of Basic Website vs. WordPress: Is It Worth the Time and Effort?
Whether you are a seasoned security professional looking to expand your skills or a busy web developer who wants a safety net while building projects, you have probably weighed whether to run your website on open-source software or to build it from scratch.
There are many factors to consider when choosing which route to pursue. In this article, we’ll examine the security differences between WordPress and a basic website built by hand from HTML, CSS and a little server-side code, and discuss how to best secure each type of platform.
The Downsides Of WordPress
WordPress is a widely-used content management system (CMS) and a popular choice among web developers and bloggers for its ease of use and accessible template library. However, that popularity comes with a cost. By choosing WordPress you are choosing a third-party product, which means giving up some control over how your content is handled and how the code that serves it is written. In return, you get a mature, actively maintained platform to host your content on.
WordPress core is reasonably secure by default. A fresh install ships with only a couple of bundled plugins and nothing else enabled, so its attack surface is small, and core vulnerabilities are normally patched quickly and delivered through automatic minor updates. Because it is a well-established platform with a large community behind it, you also benefit from the many people who have worked to find and fix its bugs. In practice, most compromised WordPress sites are not broken through core at all, but through vulnerable or abandoned plugins and themes, weak credentials, and installs that are never updated.
That’s not to say there aren’t any downsides to using WordPress, though. Here are a few of the main security risks associated with the platform:
As we’ve established, WordPress does not enable extra functionality by default. That means that, for a new project, you will have to add the features you need yourself, almost always through plugins. A plugin is a piece of PHP code that extends WordPress and runs inside it with the same privileges as core, so one of the main risks is installing a plugin that is malicious, abandoned, or simply badly written.
Because WordPress ships with so little built in, you have access to a large library of free third-party plugins in the WordPress.org repository, and many more are sold or given away elsewhere. The repository is reviewed, but a review is not a security audit, and “nulled” copies of paid plugins from third-party sites are a common source of backdoors. A malicious or vulnerable plugin can do anything the web server can: read the database, inject ads or spam links, or turn your site into a host for drive-by exploits aimed at your visitors. Before installing one, check when it was last updated, how many active installs it has and whether it has a public vulnerability history; afterwards, keep it updated and remove any plugin you no longer use.
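To make the “look before you install” advice concrete, here is an added example (it is not code from this article, nor from WordPress) of a first-pass triage scan over a plugin directory. It greps PHP files for constructs typical of obfuscated backdoors. The rule set, the directory layout and the two sample files it writes are constructed for illustration, and a hit is a reason to open the file and read it, not a verdict.

```python
"""Heuristic scan of a WordPress plugin directory for webshell-style PHP.

Added example: not WordPress code and not a substitute for reading the plugin.
The rules, directory layout and sample files are constructed for illustration.
"""
import os
import re
import tempfile

# Constructs that are rare in honest plugins and common in obfuscated backdoors.
# A hit means "open this file and look", not "this is malware".
SUSPICIOUS = {
    "eval_of_decoded_data": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "shell_exec_from_request": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "create_function": re.compile(r"\bcreate_function\s*\(", re.I),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-f]{2}){6,}", re.I),  # e.g. "\x65\x76\x61\x6c"
}

PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def scan_file(path):
    """Return the sorted names of every rule that matches the file's text."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rule in SUSPICIOUS.items() if rule.search(text))


def scan_plugin_dir(root):
    """Walk a plugin directory; map each PHP file that has findings to its rule hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_plugin():
    """Write a constructed two-file plugin to a temp dir: one clean file, one backdoored."""
    root = tempfile.mkdtemp(prefix="plugin-scan-")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "clean.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nadd_action('init', function () { echo esc_html('hello'); });\n")
    with open(os.path.join(root, "inc", "backdoor.php"), "w", encoding="utf-8") as fh:
        fh.write(
            "<?php\n"
            "$k = \"\\x70\\x61\\x73\\x73\\x74\\x68\\x72\\x75\";\n"   # 'passthru' spelled in hex
            "if (isset($_REQUEST['c'])) { eval(base64_decode($_REQUEST['c'])); }\n"
            "if (isset($_GET['cmd'])) { system($_GET['cmd']); }\n"
        )
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_plugin()
    for path, hits in sorted(scan_plugin_dir(target).items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it with the path to wp-content/plugins/some-plugin as its argument, or with no argument to scan the constructed sample. Expect occasional false positives from minifiers and legitimate obfuscation; the value is in narrowing a few hundred files down to the handful worth reading.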
Weak Password Security
One of the most common mistakes, even among security-conscious website operators, is using weak or shared passwords for administrator accounts. Two things make this worse on WordPress: the login page lives at a known location (wp-login.php) and the administrator username is often guessable, so automated password guessing against it is constant; and every plugin or theme you install is code from someone else running with full access to the site, so a weak credential anywhere in that chain, including the developer’s own accounts, can end with your site hacked.
The best practice today is a long, unique password for every account, generated and stored by a password manager, rather than a short mix of letters and numbers that is rotated on a schedule. Never reuse a password across accounts, even related ones: a leak from one site is tried against others within hours. Enable two-factor authentication for administrator accounts, limit failed login attempts, and give each person who administers the site their own account with the least role that does the job, so that credentials are never shared and can be revoked individually.
User Tracking Cookies
Another important consideration when choosing a platform for your website is protecting your visitors’ personal information. Websites store small pieces of data called cookies in the visitor’s browser; they are what keep a user logged in between requests, and they are also the mechanism behind most cross-site tracking, which is why nearly every site now sets them.
From the visitor’s side, there are a couple of options. A browser extension that blocks third-party cookies, or a stricter tool such as the NoScript Firefox add-on (which blocks scripts rather than cookies, and so also stops most JavaScript-based trackers), limits what a site can record. With either in place:
- Your movements around a website are no longer correlated across visits or across sites.
- Content can no longer be tailored to a profile of your interests, which is the trade-off for that privacy.
In some instances, tracking cookies are tied to personal information such as an email address or phone number, and it is worth deciding whether you want to allow those at all. From the operator’s side, the cookies you set deserve the same care: a session cookie that is sent over plain HTTP, readable from JavaScript, or attached to cross-site requests can be stolen or replayed, and with it the visitor’s account. Set the Secure, HttpOnly and SameSite attributes on every cookie that carries a session or identity, and keep tracking cookies separate from authentication cookies so a tracker’s lax settings never expose a login.
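On the operator’s side, those attributes can be checked mechanically. The following is an added example, not code from the article: it builds a hardened session cookie with Python’s standard http.cookies module and audits any Set-Cookie header value for the attributes discussed above. The cookie names and sample headers are constructed.

```python
"""Cookie attribute hardening: emit a session cookie with Secure, HttpOnly and
SameSite set, and audit an arbitrary Set-Cookie header for what is missing.

Added example, not the article's code. Cookie names and the sample headers
are constructed.
"""
from http.cookies import SimpleCookie


def session_cookie_header(name, value, max_age=3600, samesite="Lax"):
    """Build a Set-Cookie value for a login/session cookie.

    Secure: only sent over HTTPS.  HttpOnly: not readable from JavaScript, so
    an XSS bug cannot lift it.  SameSite: not attached to cross-site requests,
    which blunts CSRF.  Max-Age bounds how long a stolen cookie stays useful.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = samesite
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header):
    """Return a list of problems found in one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:                      # parts[0] is name=value
        key, _sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        issues.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        issues.append("SameSite=None requires Secure")   # browsers reject it otherwise
    return issues


if __name__ == "__main__":
    good = session_cookie_header("wp_session", "8f3a91c2")
    print(good, "->", audit_set_cookie(good) or "ok")
    print(audit_set_cookie("PHPSESSID=abc123; Path=/"))
```

The audit function is the useful half in practice: point it at the Set-Cookie headers your own site returns (curl -I will show them) and at anything a plugin or analytics script adds.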
The Downsides Of A Basic Website
Despite its popularity, WordPress is not the right fit for everyone, and a site built by hand from HTML, CSS and a little server-side code is a legitimate alternative for developers who want full control. Going without a CMS does not make a site immune, though: a basic website inherits every risk of the web server, the transport and whatever code it runs, without the update machinery a CMS provides. Here are just a few of the security risks that apply to even the most basic form of a website:
Missing Or Misconfigured SSL/TLS
The first thing to settle is transport security. An SSL/TLS certificate lets your server prove its identity to the visitor’s browser, and the TLS connection it anchors encrypts everything exchanged, including your visitors’ personal information and your own admin password. Without it, anyone on the path between visitor and server (a coffee-shop Wi-Fi, a compromised router, an ISP) can read and alter the traffic. Because the exposure is so broad and the fix is now free, even a simple blog should serve everything over HTTPS.
For the key, a 2048-bit RSA key or an ECDSA P-256 key is the current norm; TLS 1.2 should be the minimum protocol, with SSL and TLS 1.0/1.1 disabled. Avoid self-signed or shared “pre-built” certificates on a public site, since browsers will not trust them. There are free and easy-to-use certificates, issued and renewed automatically by Let’s Encrypt, that can secure a basic website; once HTTPS works, redirect HTTP to it and send an HSTS header so browsers stop trying plain HTTP at all.
Denial Of Service (DoS) Attacks
A denial of service attack floods your website with requests so that it slows to a crawl or becomes unavailable to legitimate users. The common form today is the distributed denial of service attack (DDoS), in which the traffic comes from thousands of compromised machines or misconfigured servers at once, so it cannot be stopped by blocking a single source address. A basic site can also be taken down by a much smaller flood aimed at an expensive page, such as a search or login endpoint.
You cannot stop someone from sending traffic, so the goal is to absorb or shed it rather than prevent it. Put a CDN or a DDoS-absorbing proxy in front of the origin so volumetric floods never reach it, cache or pre-render anything that does not change per request, rate-limit expensive endpoints per client, and watch request and error rates so you notice a flood before your users do.
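Rate limiting is the item on that list a basic site can implement itself. The following added example (not code from the article) is a per-client sliding-window limiter replayed over constructed access-log lines in Apache/nginx combined format; the addresses, paths and the five-requests-per-ten-seconds threshold are assumptions. Applied to the login page, the same limiter also throttles the automated password guessing described under Weak Password Security.

```python
"""Sliding-window rate limiting per client IP, replayed over constructed
access-log lines so you can see which requests an origin would shed.

Added example, not the article's code. The log format (Apache/nginx combined
style), addresses, paths and thresholds are all assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format prefix: client, ident, user, [timestamp], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # client -> timestamps of allowed requests

    def allow(self, client, now):
        queue = self.hits[client]
        while queue and now - queue[0] >= self.window:   # expire entries outside the window
            queue.popleft()
        if len(queue) >= self.limit:
            return False     # rejected requests are not recorded, so a client that
        queue.append(now)    # backs off regains service once the window passes
        return True


def parse_line(line):
    """Return (client, epoch_seconds, request) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("req")


def replay_log(lines, limit, window):
    """Run the limiter over log lines in order; return per-client allowed/dropped counts."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, ts, _req = parsed
        stats[client]["allowed" if limiter.allow(client, ts) else "dropped"] += 1
    return dict(stats)


def _line(ip, second, path):
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 1043'


# Constructed sample: one address hits wp-login.php twelve times in two seconds
# while a normal visitor makes three requests over the same minute.
SAMPLE_LOG = (
    [_line("198.51.100.22", 30, "/")]
    + [_line("203.0.113.7", 36 + i // 6, "/wp-login.php") for i in range(12)]
    + [_line("198.51.100.22", 40, "/about.html"), _line("198.51.100.22", 55, "/contact.html")]
)

if __name__ == "__main__":
    for client, counts in replay_log(SAMPLE_LOG, limit=5, window=10).items():
        print(client, counts)
```

With limit=5 and window=10 the flooding address gets five requests through and loses the other seven, while the ordinary visitor is untouched. In production the same logic usually lives in the reverse proxy (nginx limit_req, for instance) rather than in application code, and the key should be the real client address from the CDN’s forwarding header, not the CDN’s own.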
Man In The Middle (MITM) Attacks
A man in the middle attack occurs when an attacker positions themselves between the browser and your server, relaying the traffic (and reading or altering it) while each side believes it is talking directly to the other. On an unencrypted connection this is trivial; against TLS, the attacker has to present a certificate the browser will accept, which is why certificate validation, and not encryption alone, is what defeats it. Tricking the user into typing their username and password into a look-alike page is a related but distinct attack (phishing), and it works no matter how well the real site’s TLS is configured.
In a typical phishing scenario, the user enters their credentials, the attacker stores them and then logs in to the real site as that user. The defenses are to keep TLS properly configured with HSTS so that a downgraded or fake-certificate connection fails loudly, to use a different password for every website you have administrative access to so a captured credential is useful for only one of them, and to enable two-factor authentication so a password alone is not enough. If you are not the only person handling administration for your site, give each person their own account and keep shared secrets such as API keys and database credentials in a password manager or secrets store, never in chat or email.
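The SSL/TLS and MITM sections above come down to one question: does the client verify who it is talking to? The following added example (not the article’s code) is a small endpoint check written against Python’s standard library. It connects with full chain and hostname verification, refuses anything below TLS 1.2, and reports the negotiated protocol and the days left on the certificate; an interception proxy presenting its own certificate is rejected by the same check. The default host and the constructed certificate dictionary used in the self-check are assumptions.

```python
"""Connect to a TLS endpoint with full verification (chain and hostname, the
check that defeats a man-in-the-middle) and report protocol and certificate expiry.

Added example, not the article's code. Standard library only; the default host
and the certificate dict used for self-checking are assumptions.
"""
import socket
import ssl
import sys
import time


def hardened_client_context():
    """A client context that refuses unverified peers and anything below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """The three settings that matter, in a form that is easy to assert on."""
    return {
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def days_until_expiry(cert, now_ts=None):
    """Days left on a cert dict as returned by SSLSocket.getpeercert() (uses notAfter)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])   # parses 'Jan  1 00:00:00 2030 GMT'
    if now_ts is None:
        now_ts = time.time()
    return (expires - now_ts) / 86400


def check_endpoint(host, port=443, timeout=5.0):
    """Handshake with the host; raises ssl.SSLCertVerificationError on a bad certificate."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host,
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "days_until_expiry": round(days_until_expiry(cert), 1),
            }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        print(check_endpoint(target))
    except ssl.SSLCertVerificationError as exc:
        # A self-signed, expired or wrong-name certificate lands here, and so
        # does an interception proxy presenting its own certificate.
        print(f"{target}: certificate rejected: {exc.verify_message}")
```

Run it against your own domain from a cron job and alert when days_until_expiry drops below two weeks; an expired certificate is the most common way a correctly configured site silently becomes “insecure” again.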
SQL Injection Attacks
SQL injection is a type of attack in which user-supplied input is interpreted as part of a SQL (structured query language) statement, letting the attacker read, alter or delete data the query was never meant to touch, or bypass a login entirely. In other words, the database is tricked into running instructions that were never supposed to be there. Any site whose code builds queries by gluing strings together is exposed, whether it is a CMS or a ten-line contact form on a basic website. Filtering input helps, but the reliable fix is to never build queries from strings: use parameterized queries (prepared statements) so the database receives the query structure and the data separately, and give the application’s database account only the permissions it needs.
Also, never store a user’s password in plaintext. Even if you never expose the password, it is one database dump away from every account that reuses it. Instead, store a slow, salted password hash such as bcrypt (scrypt and Argon2 are equally good choices) so that even if a hacker gets access to your database, they won’t be able to use it to log into your accounts, and compare hashes in constant time.
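The two points above interact, and the following added example shows how. It is not the article’s code: it is a login check written two ways against an in-memory SQLite table, one with the username spliced into the SQL text and one parameterized, with passwords stored as salted hashes in both. The article names bcrypt; bcrypt needs a third-party package, so the example uses scrypt from the standard library, which fills the same role (slow, salted, memory-hard). The table, users and injection payload are constructed. The payload matters: hashing alone does not rescue an injectable query, because the attacker can UNION in a hash of a password they chose.

```python
"""A login check done two ways against SQLite: a query built from strings
(injectable) and a parameterized one, both over passwords stored as salted
scrypt hashes rather than plaintext.

Added example, not the article's code. scrypt stands in for bcrypt (which is
not in the standard library). Table, users and payload are constructed.
"""
import hashlib
import hmac
import os
import sqlite3

SCRYPT = dict(n=2 ** 14, r=8, p=1)   # 16 MiB per hash; tens of milliseconds on a laptop


def hash_password(password, salt=None):
    """Return 'salt$digest' in hex; a fresh random salt per password defeats rainbow tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))   # constant-time compare


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hash_password("correct horse battery staple")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Injectable: the username becomes part of the SQL text."""
    row = conn.execute(
        f"SELECT password_hash FROM users WHERE username = '{username}'").fetchone()
    return row is not None and verify_password(password, row[0])


def login_safe(conn, username, password):
    """Parameterized: the driver sends query and data separately, so quotes in
    the username are data, never syntax."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


def union_bypass_payload(attacker_password):
    """Username that makes the injectable query return a hash the attacker chose.

    Resulting SQL: ... WHERE username = 'x' UNION SELECT '<hash>' --'
    No user 'x' exists, so the only row is the attacker's hash, and the
    application then 'verifies' the attacker's own password against it.
    """
    return f"x' UNION SELECT '{hash_password(attacker_password)}' --"


if __name__ == "__main__":
    db = make_db()
    print("real creds, safe   :", login_safe(db, "admin", "correct horse battery staple"))
    payload = union_bypass_payload("pwned")
    print("bypass, vulnerable :", login_vulnerable(db, payload, "pwned"))
    print("bypass, safe       :", login_safe(db, payload, "pwned"))
```

The hashing half is what limits the damage once a database is stolen; the parameterized query is what stops the database from being used against you while it is still yours. Neither substitutes for the other.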