Website Security
Website Security: a reader asks…
Hi I have a WordPress-powered website for my small business and, following your recommendation am using the iThemes Security Pro plugin. I’ve got the site all secure, and even turned on the auto-update feature so WordPress, my theme and all my plugins stay up-to-date. My question is, I recently received an email from iThemes that warned me about a vulnerability. It sounds like WordPress itself is vulnerable (I’m on version 6.1.1). What should I do?
First off, congratulations on using a good security plugin to secure your website. There are plenty of plugin developers working on security, I consider iThemes Security Pro to be one of the best.
That said, in my opinion this is a case of iThemes security being very cautious, possibly overly cautious. The iThemes Security Team wrote a blog post that explains all the details of this situation. The short version of that is:
- The WordPress.org Security Team considers this a low-priority vulnerability, noting that it would require other vulnerabilities in 3rd party software (e.g., themes or plugins) in order to be exploited. The WordPress team is still discussing whether this issue should be fixed soon, or put on the back burner for now.
- The vulnerability deals with pingbacks and XML-RPC. Your site may or may not depend on these features, which would affect your decision on what to do.
- iThemes’ security team says that for best security you should turn off pingbacks/XML-RPC (you may be using this capability). The blog post lays out how to turn these off.
Now, as to what you should or shouldn’t do, I suggest you read the blog post carefully, find out what your website uses, and take action accordingly. This issue notwithstanding, your site is protected best by following these three recommendations:
- Make sure to keep your site, the themes and plugins updated and only use good quality themes and plugins on a good quality website hosting platform.
- Use a good security plugin (like iThemes Security Pro) and follow the plugin’s recommended settings (including 2-factor authentication login security, reCAPTCHA, and Brute Force Protection), and
- Limit access to your WordPress Control Panel, especially admin access.
I don’t know what type of website you have, but you should probably be the only person with administrative access to your WordPress Control Panel, and it should be secured with both a strong password and 2-factor authentication. iThemes recently introduced passwordless login, which I’m still testing out. Once that goes mainstream, it will be even safer than strong passwords and 2FA.
If you are running a membership website, you probably have a lot of people with user accounts on your website. iThemes Security lets you assign permissions to groups which will save you lots of time not having to manage each user account individually. Using the User Groups section, make sure to restrict access to all the roles besides Administrator. Even if you don’t have Editors, Authors or Contributors, you should review those group settings and set restrictions on access, just like you should do for the Subscribers group. In this same area, there’s also a user group “everybody else”. Be sure to review this as well and restrict access at least as strong as you set for subscribers.
As background, pingbacks are one of the four types of linkback methods for website authors to get notified when someone else links to one of their website pages or posts. Pingbacks can be quite useful if you’re tracking your audience engagement, which is why the capability is built into WordPress. A pingback is an XML-RPC request – XML stands for extensible markup language and RPC stands for remote call procedure. This is a communications protocol that allows computers to communicate with each other in a specific way.
My hope is that the WordPress Security Team will patch this vulnerability sooner rather than later, but I believe this is more an issue for webmasters who have old, unpatched websites and lax security measures.
This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via:
or by mailing a check/cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thanks!