OWASP & WordPress – Improving WordPress Security With OWASP Top 10

WordPress security can be an intimidating subject to those who are new to WordPress, and to having a website. The good news is that compliance and standards such as the OWASP Top 10 list can help businesses get started with WordPress security.

OWASP and WordPress security

This article explains what is the OWASP Top 10 list and how WordPress website owners and administrators can have an Owasp Top 10 compliant WordPress website.

What is the OWASP Top 10 List?

The OWASP Top 10 is a list of the 10 most critical web application security risks. As such it is not a compliance standard per se, but many organizations use it as a guideline. The first list was published in 2003 by the Open Web Application Security Project (OWASP) organization. An updated version of the list is published every three years.

Which are the OWASP Top 10 vulnerabilities and security risks?

The most recent OWASP Top 10 list was published in 2017. Following is the list of security risks in it:

A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-site Scripting (XSS)
A8: Insecure Deserialization
A9: Using components with known vulnerabilities
A10: Insufficient logging & monitoring

Applying OWASP Top 10 Security on your WordPress

This section explains what you need to do to ensure your WordPress website is not vulnerable to any of the OWASP Top 10 vulnerabilities and security flaws.

Addressing A1: Injection in WordPress

SQL Injection is a technical application vulnerability that is typically caused by lack of sanitization of user input. By exploiting it malicious hackers can gain access to data in the WordPress database.

When an injection vulnerability is identified in WordPress core typically a fix is available within a few days. The same applies for WordPress plugins, hence why it is important to always use well maintained plugins that are developed by responsive developers.

The only way you can ensure your WordPress website core, plugins and themes are not vulnerable to this type of vulnerability is by keeping all your software up to date and installing all the security patches.

Addressing A2: Broken Authentication in WordPress

Similar to the above, these type of security flaws are technical vulnerabilities that are caused by weak and broken design of the web application. Attackers can exploit broken authentication issues to access sensitive data.

These type of issues can only be addressed by developers. Therefore as long as you use the latest version of WordPress core and plugins, your WordPress website not be prone to such vulnerabilities, assuming the plugins are maintained.

Though since we are talking about authentication, it is worth reminding you to implement two-factor authentication on your WordPress website. If you are not sure which plugin to use, here is a list of some of the best two-factor authentication WordPress plugins.

Addressing A3: Sensitive Data Exposure in WordPress

Sensitive data and the EUSensitive data exposure have become quite an issue. Data breaches are featured almost on a daily basis in web security news. In fact GDPR and other regulatory compliance requirements are making a big emphasis on the need to properly handle and store sensitive and personal data.

According to GDPR, sensitive and personal data is any data related to an identifiable user. It could be the name of your customers, their billing details and cardholder data in case of an ecommerce website. In case of financial services it could also be the bank account details, or in healthcare it could be their medical history. Note that even though an IP address can be classified as sensitive data you can still keep a WordPress activity log, which allows you to keep track of everything that is happening on your websites.

To ensure your WordPress website is compliant, if you store sensitive data on your WordPress website you need to ensure that only users who need to use the data have access to it. Always use the WordPress users and roles to better manage users’ privileges and access to sensitive data.

Should you store sensitive data on your WordPress website?

There is no definitive answer for this and it depends on the setup. Though when possible use a third party provider to store data on your WordPress website.

For example in case of an eCommerce store, it is much easier to use Stripe, PayPal or another third party service to handle and store cardholder data. They have the infrastructure in place already. Most probably it will cost you much more if you want to build your own system, especially if you are a small business.

The same applies for email addresses for newsletters. Use a service such as Mailchimp or something similar so all sensitive data is stored on a third party service and not on your WordPress website.

Addressing A4: XML External Entities (XXE) in WordPress

This is a technical software vulnerability that is caused by unsafe and incorrect treatment of XML files and data. An out of the box WordPress install does not deal much with remote XML files, though you might use plugins that do.

To ensure your WordPress website is not vulnerable to such type of vulnerability use the latest version of WordPress core, plugin and other software. Always use plugins that are maintained. Consider changing any plugin that you use that has not been updated in more than one year.

Addressing A5: Broken Access Control in WordPress

This is a technical application vulnerability. This issue is caused when the software does not enforce necessary restrictions on authenticated users. Therefore when attackers exploit such vulnerabilities they can access unauthorised data.

Since this is a technical vulnerability it can only be addressed by the software developers. Therefore as long as you keep your WordPress core, plugins and other software you use on your website up to date your website should not be vulnerable to broken access control issues.

Addressing A6: Security Misconfiguration in WordPress Websites

Security misconfigurations are very common in WordPress websites. Most WordPress websites are hacked because they are either unpatched or are using some sort of default. In the last few years the WordPress core team has done a lot to help users address such issues. For example WordPress no longer has a default admin username, which was the culprit of many WordPress hacks.

To ensure your WordPress website does not have any security misconfigurations do not use any defaults. This applies to WordPress, plugins and any other software & device you use. For example if a plugin is shipped with a default set of credentials, does not password protect sensitive data, or stores it in a default location, configure strong authentication and change default paths. This applies to any other software and device you use including your internet home routers, which typically has default credentials.

Addressing A7: Cross-site Scripting (XSS) in WordPress

Cross-site Scripting, also known as XSS is a technical application vulnerability. It is caused by not validating and escaping untrusted data. When a malicious attacker exploits a cross-site scripting vulnerability they can steal logged in users’ cookie and impersonate them. They can also hijack their session and take it over.

When a cross-site scripting vulnerability is identified in WordPress core or a plugin, typically a fix is available within a few days. So to ensure your WordPress website core, plugins and themes are not vulnerable to this type of vulnerability always use the latest version of the software. Also, always use maintained plugins.

Addressing A8: Insecure Deserialization in WordPress

Insecure Deserialization is a technical application vulnerability. It is typically caused when the application uses serialized objects from untrusted sources and no integrity checks are implemented.

When such a vulnerability is identified in WordPress core or a plugin, typically a fix is available within a few days. So to ensure your WordPress website core, plugins and themes are not vulnerable to this type of vulnerability always use the latest version of the software. Also, always use maintained plugins.

Addressing A9: Using Components with Known Vulnerabilities on a WordPress Website

Not using software and web applications that have known vulnerabilities might sound like common sense to many. Though unfortunately it is not. The good news is that the WordPress foundation has been doing a lot in this regards. They have enabled auto updates for WordPress core. On the plugins repository they also tag plugins that have not been updated for a while.

Having said that it is not always easy for businesses to use the latest and most secure version of a software. Many businesses use legacy software and web applications that do not work well with the latest version of WordPress or other plugins. So they are forced to use old and vulnerable version of WordPress and plugins not to break things. In such cases, if possible contact the developers to upgrade the software.

The rule of thumb to ensure you do not use components with known vulnerabilities on your WordPress website, is to always use the latest version of WordPress core and the plugins you use. Also, deactivate and uninstall any unused plugins, scripts and themes from your website.

This applies to new software as well: when looking for a new plugin always research it. Read our guide on how to choose a WordPress plugin for more information on what you should do when looking for a new WordPress plugin.

Addressing A10: Insufficient Logging & Monitoring on WordPress

Logging and monitoring is vital for the security of your WordPress website and multisite network. A WordPress activity logs also helps you better manage your website. Learn more about the benefits of keeping a WordPress activity log (audit log).

The WordPress Activity Log

 

To ensure your WordPress website is compliant with this install the WP Security Audit log, the most comprehensive WordPress activity log plugin. WP Security Audit Log will keep a record of everything that happens on your WordPress website and multisite network. Refer to addressing insufficient logging with a WordPress activity log plugin for more detailed information on how to address this part of the OWASP Top 10 list.

Building an OWASP Compliant WordPress Website with OWASP Top 10

WordPress security can be complex, especially when dealing with large setups. Though getting started and covering the basics is not that difficult as this article highlights. You can have an OWASP Top 10 compliant WordPress website by taking care of just these basics:

Boost the security of your WordPress website by using this OWASP Top 10 list as a guide. Refer to the official OWASP Top 10 page for more detailed information.

The post OWASP & WordPress – Improving WordPress Security With OWASP Top 10 appeared first on WP White Security.



*** This is a Security Bloggers Network syndicated blog from WP White Security authored by Robert Abela. Read the original post at: https://www.wpwhitesecurity.com/wordpress-tutorial/owasp-wordpress-security-owasp-top-10/