Securing WordPress websites can feel intimidating. However, you can find plenty of resources to help you get started and even go beyond the basics if you wish. One such resource is the OWASP Top 10 list. This list provides administrators with a clear-cut way to cover a good portion of WordPress security.
In this article, we’ll go through what the OWASP Top 10 list is and how WordPress site administrators can achieve OWASP Top 10 compliance on their websites.
Table of contents
- What is the OWASP Top 10 List?
- Applying OWASP Top 10 Security on your WordPress
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable and Outdated Components
- A07: Identification and Authentication Failures
- A08: Software and Data Integrity Failures
- A09: Security Logging and Monitoring Failures
- A10: Server-Side Request Forgery (SSRF)
- Building an OWASP “Compliant” WordPress Website with OWASP Top 10
What is the OWASP Top 10 List?
The OWASP Top 10 lists the ten most critical web application security risks. While it is billed as a standard awareness document, it is not a compliance standard per se. However, many security professionals and organizations use it as a guideline to protect their websites.
Remember that the OWASP Top Ten list applies to any web application, not just WordPress.
The Open Web Application Security Project (OWASP) organization maintains this list. It published the first list in 2003. The lists are updated every few years, with the last update in 2021, which is the basis for this article.
Note: If you are going to use the OWASP Top 10 list as a standard against which to test WordPress, you’ll need to make a few concessions. Keep in mind that the list mainly focuses on risks rather than specific security vulnerabilities. As such, you’ll need to develop your own testing methodologies. In doing so, you’ll develop your own OWASP WordPress tests. This article will definitely help you in this regard.
What are the OWASP Top 10 vulnerabilities and security risks?
OWASP published the most recent OWASP Top 10 list in 2021. It lists the following security risks:
A01: Broken Access Control
A02: Cryptographic Failures
A03: Injection
A04: Insecure Design
A05: Security Misconfiguration
A06: Vulnerable and Outdated Components
A07: Identification and Authentication Failures
A08: Software and Data Integrity Failures
A09: Security Logging and Monitoring Failures
A10: Server-Side Request Forgery
As you go through the list, you might notice some overlap. For example, 2FA and updates are mentioned as solutions to a number of risks. This is inevitable since one solution can (and does) cover multiple risks. We will also be looking at each risk in the list from a WordPress perspective, so we might not cover every aspect of each risk.
Applying OWASP Top 10 Security on your WordPress
This section explains each risk in the OWASP Top 10 and the measures you need to take to keep your WordPress website from being exposed to it.
A01: Broken Access Control
Coming in first, we have Broken Access Control, which moved up from 5th position back in 2017. In a nutshell, broken access control allows users to act outside their designated permissions. This can happen for various reasons, including misconfiguration and software vulnerabilities.
We’ll tackle each one separately.
Software vulnerabilities
These types of security flaws are also known as technical vulnerabilities. In WordPress code they usually come down to a privileged action (an admin-ajax handler, a REST endpoint, a form submission) that never checks the caller's capability with current_user_can(), or that relies on a nonce alone, which only proves the request was intended and says nothing about whether the user is allowed to perform it. Such flaws can lead to privilege escalation, and attackers exploit them to read or change data they should never be able to reach.
For example, back in 2021, a plugin for setting up redirections exhibited a broken access control vulnerability. This allowed any authenticated user, regardless of their role, to view, edit, and even create redirections. This happened because the plugin failed to check for user capability, making it a textbook access control issue. It’s important to note that the vulnerability has since been fixed.
Misconfigurations
It is also possible to inadvertently break access control due to a misconfiguration. For example, if you assign a user role that offers access beyond what the user needs to do, this goes against the principle of least privilege.
How to minimize Broken Access Control risks
Developers need to address issues stemming from a software vulnerability. However, as an administrator, you need to ensure you’re always running the latest version of WordPress core and plugins. This drastically reduces the risk of your website being prone to such vulnerabilities.
To this end, make sure you have a solid WordPress updates policy, whether you want to test updates in staging or install them immediately. Stick to theme and plugin developers with a good track record of update releases, and do not hesitate to get in touch should you discover a vulnerability related to their plugin or theme.
When assigning roles to users, keep the principle of least privilege in mind. This means assigning users enough rights to carry out their tasks – but not more. The same applies to any custom user roles you might have set up on your website.
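To make the "missing capability check" concrete, here is an added example (not code from the article, nor from the redirect plugin mentioned above) of a hypothetical admin-ajax handler that saves a redirect rule. The first version has the bug described above; the second adds the checks WordPress expects. The option name, action names and form field names are assumptions.

```php
<?php
// Added example: hypothetical admin-ajax handler for saving a redirect rule.
// The 'example_redirects' option and the action/field names are assumptions.

// VULNERABLE: registered under wp_ajax_ (logged-in users only), but being
// logged in is authentication, not authorization. Nothing checks a capability
// or a nonce, so a Subscriber can create or overwrite redirects.
function vuln_save_redirect() {
    $from  = sanitize_text_field( wp_unslash( $_POST['from'] ?? '' ) );
    $to    = esc_url_raw( wp_unslash( $_POST['to'] ?? '' ) );
    $rules = get_option( 'example_redirects', array() );
    $rules[ $from ] = $to;
    update_option( 'example_redirects', $rules );
    wp_send_json_success( $rules );
}
add_action( 'wp_ajax_example_save_redirect', 'vuln_save_redirect' );

// HARDENED: verify a nonce (against CSRF) and a capability (authorization)
// before touching anything. current_user_can() is the check the vulnerable
// version omits; 'manage_options' limits the action to administrators.
function safe_save_redirect() {
    check_ajax_referer( 'example_save_redirect', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }
    $from = sanitize_text_field( wp_unslash( $_POST['from'] ?? '' ) );
    $to   = esc_url_raw( wp_unslash( $_POST['to'] ?? '' ) );
    if ( '' === $from || '' === $to ) {
        wp_send_json_error( 'invalid_input', 400 );
    }
    $rules = get_option( 'example_redirects', array() );
    $rules[ $from ] = $to;
    update_option( 'example_redirects', $rules );
    wp_send_json_success( $rules );
}
add_action( 'wp_ajax_example_save_redirect_v2', 'safe_save_redirect' );
// Never register a privileged handler on wp_ajax_nopriv_: that prefix serves
// anonymous visitors. The matching nonce is emitted on the admin form with:
//   wp_nonce_field( 'example_save_redirect', 'nonce' );
```

A quick audit you can run on your own site: grep the plugins directory for `add_action( 'wp_ajax_` and `register_rest_route(` and check that every callback (or the REST route's `permission_callback`) calls `current_user_can()`. A handler that only checks a nonce, or a REST route whose `permission_callback` is `__return_true`, is exactly the pattern behind the redirect plugin vulnerability described above.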
A02: Cryptographic Failures
Previously listed as Sensitive Data Exposure, Cryptographic Failures takes the second position. It focuses on the root cause rather than the general issue. This distinction enables us to address a wider range of vulnerabilities. To this end, we can look at two different data states to determine cryptographic requirements – data in transit and data at rest.
Data in transit is data that is moving, for example between the WordPress web server and a visitor's browser, or between WordPress and the database server. Data at rest is data sitting in the database, in uploaded files, or in backups, where it is not being sent or received.
Cryptographic failures often lead to data breaches, which feature almost on a daily basis in web security news. In fact, GDPR and other regulatory compliance requirements are placing a big emphasis on the need to properly handle and store sensitive and personal data.
How to minimize cryptographic failure risks
To protect data in transit, use TLS for every request (not only the login and admin pages) and send an HSTS header so browsers refuse to fall back to plain HTTP. This keeps data encrypted between the browser and your server and minimizes the risk of man-in-the-middle attacks. If the database runs on a separate host, that connection should use TLS as well.
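As an added example (not code from the article), here is a must-use plugin that sends the HSTS header from WordPress, for sites where you cannot set it at the web server. It assumes `FORCE_SSL_ADMIN` is set to true and the site and home URLs are `https://` in wp-config.php, and that the web server already redirects plain HTTP to HTTPS; the max-age values and the `EXAMPLE_HSTS_MAX_AGE` constant are assumptions to tune for your site.

```php
<?php
// Added example: wp-content/mu-plugins/example-hsts.php
// Assumes FORCE_SSL_ADMIN is true and WP_HOME/WP_SITEURL are https:// in
// wp-config.php, and that the web server redirects http -> https itself.

function example_send_hsts_header(): void {
    // Browsers ignore HSTS received over plain http, so only send it on TLS
    // responses, and only if nothing has been output yet.
    if ( ! is_ssl() || headers_sent() ) {
        return;
    }
    // HSTS is remembered by the browser for max-age seconds and, with
    // includeSubDomains, applies to every host under the domain. A subdomain
    // without a valid certificate then locks users out until the policy
    // expires, so start with a short value (5 minutes here) and raise it to
    // a year (31536000) only once every host serves valid TLS. Append
    // "; preload" only if you intend to submit the domain to the preload list.
    $max_age = defined( 'EXAMPLE_HSTS_MAX_AGE' ) ? (int) EXAMPLE_HSTS_MAX_AGE : 300; // assumption
    header( sprintf( 'Strict-Transport-Security: max-age=%d; includeSubDomains', $max_age ) );
}
// 'init' fires for front-end, admin and wp-login.php requests alike, before
// any output, which is why it is used instead of the front-end-only
// 'send_headers' action.
add_action( 'init', 'example_send_hsts_header' );
```

Check the result with `curl -sI https://example.com/ | grep -i strict-transport-security` (your own domain, not a placeholder) and confirm the header is absent from the plain-HTTP redirect response; a mis-issued HSTS policy cannot be recalled from visitors' browsers until it expires.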
On the other hand, when it comes to data at rest, different considerations need to be taken into account.
WordPress does not encrypt the database itself, and adding application-level encryption is not easily done. As such, we need to turn our attention to the infrastructure instead: encrypted storage volumes, the tablespace encryption that MySQL and MariaDB offer, and backups that are themselves encrypted and access-controlled. One question that often comes up is whether sensitive data should be stored in the WordPress database at all.
What is sensitive data?
Under GDPR, personal data is any information relating to an identifiable person. It could be the names of your customers, their billing details, and cardholder data in the case of an eCommerce website. Some of it is subject to stricter rules of its own: cardholder data under PCI DSS, bank account details in financial services, and medical history in healthcare, which GDPR treats as a special category.
Should you store sensitive data in the WordPress database?
In short: There is no definitive answer. It all depends on the setup and resources. However, small businesses would typically be better off storing data with a third-party provider.
For example, an e-commerce store will find it much easier to use payment systems such as Stripe or PayPal to handle and store cardholder data. Refer to our guide on e-commerce security for WordPress administrators for more information on how to keep and run a secure e-commerce site.
The same applies to data such as customers’ email addresses and newsletter lists. Ideally, you should not store such data in WordPress. Instead, use a third-party service, such as Mailchimp, to store the data on a more secure and reliable infrastructure.
A03: Injection
In the third position, we have Injection, which was previously placed first. While SQL injection is the vulnerability that first comes to mind, the category also covers Cross-Site Scripting (XSS), OS command injection, External Control of File Name or Path, Remote File Inclusion, and Local File Inclusion.
Injection vulnerabilities are technical application vulnerabilities. They arise when untrusted input is concatenated into a query, a command, a file path or an HTML page instead of being passed through a parameterized query or escaped for the context it lands in. By exploiting them, malicious hackers can read or alter data in the WordPress database and hijack user sessions.
The WordPress core team typically fixes injection vulnerabilities within a few days. The same applies to most good WordPress plugin developers. Hence, it is important to always use well-maintained plugins developed by responsive developers.
How to minimize injection risks
As an administrator you cannot patch a plugin's queries yourself, so the main thing you can do is keep WordPress core, plugins, and themes up to date and install security patches as soon as developers release them. A web application firewall adds a layer that blocks common injection payloads while you wait for a fix, but it is not a substitute for the patch. In doing so, you avoid prolonged exposure to any injection risks that slipped through the developers' nets.
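For those who maintain their own plugins or review the ones they install, here is an added example (not code from the article) of what an injection bug looks like in WordPress and what the fix is. It is a hypothetical product search handler; the `example_products` table and its columns are assumptions.

```php
<?php
// Added example: hypothetical plugin search handler, vulnerable and hardened.
// The table {$wpdb->prefix}example_products and its columns are assumptions.

// VULNERABLE: request values concatenated into SQL and echoed back raw.
//   ?cat=1 OR 1=1 --%20                     makes the WHERE clause true for every row
//   ?q=<script>alert(document.cookie)</script>   runs in every visitor's browser
// (WordPress adds backslashes to quotes in $_GET, which hinders the quoted
//  LIKE part but does nothing for the unquoted number or the HTML output.)
function vuln_product_search() {
    global $wpdb;
    $cat  = $_GET['cat'] ?? '0';
    $q    = $_GET['q'] ?? '';
    $rows = $wpdb->get_results(
        "SELECT name, price FROM {$wpdb->prefix}example_products
         WHERE category_id = $cat AND name LIKE '%$q%'"
    );
    echo '<h2>Results for ' . $q . '</h2><ul>';
    foreach ( $rows as $row ) {
        echo '<li>' . $row->name . ' - ' . $row->price . '</li>';
    }
    echo '</ul>';
}

// HARDENED: placeholders keep data out of the SQL grammar; context-specific
// escaping keeps data out of the HTML grammar.
function safe_product_search() {
    global $wpdb;
    $cat  = absint( $_GET['cat'] ?? 0 );                           // non-negative integer
    $q    = sanitize_text_field( wp_unslash( $_GET['q'] ?? '' ) ); // unslash, then sanitize
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT name, price FROM {$wpdb->prefix}example_products
             WHERE category_id = %d AND name LIKE %s",
            $cat,
            '%' . $wpdb->esc_like( $q ) . '%' // also escape LIKE wildcards in user text
        )
    );
    echo '<h2>Results for ' . esc_html( $q ) . '</h2><ul>';
    foreach ( $rows as $row ) {
        // esc_html() for text nodes; esc_attr() inside attributes; esc_url() for hrefs.
        echo '<li>' . esc_html( $row->name ) . ' - ' . esc_html( $row->price ) . '</li>';
    }
    echo '</ul>';
}
```

Two things the hardened version relies on are worth stating: `$wpdb->prepare()` only protects values, so table and column names must never come from the request, and sanitizing on input is not a substitute for escaping on output, because the same string can be safe in SQL and dangerous in HTML.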
A04: Insecure Design
Insecure design is a new entry to the 2021 list. It concerns fundamental flaws at the architectural level that might make a WordPress website vulnerable. While WordPress core updates are well-tested before release, the environment in which they are installed can introduce such risks. Plugins and themes can also introduce such risks to WordPress environments. Insecure design risks can include poor session management, lack of input validation, and inadequate protection against brute-force attacks.
How to minimize insecure design risks
To minimize insecure design risks, ensure WordPress security best practices are followed at all times. Session policies, two-factor authentication, and spam prevention mechanisms such as CAPTCHA mitigate some of the risks associated with insecure design. As developers address known insecure design flaws through updates, it remains equally important to keep WordPress itself, as well as any installed plugins and themes, updated at all times.
A05: Security Misconfiguration
Security Misconfiguration climbs one position up to 5th place. It now also includes XML External Entities (XXE), which previously occupied the fourth position. This entry relates to risks that stem from misconfiguration, such as default settings and passwords, lax permissions, and exposed files. Security misconfigurations are very common in WordPress websites. Unpatched software and exploitation of defaults are two of the most common successful attacks on WordPress websites.
XXE is a technical software vulnerability. It happens when an application parses XML with external entities enabled, letting an attacker read local files or make the server issue requests. WordPress core itself parses XML for XML-RPC (xmlrpc.php), pingbacks and feed imports, and you might be using plugins that import remote XML. Running a current PHP version matters here: PHP 8.0 and later ship with a libxml that no longer loads external entities by default, which removes the most common XXE path. If you do not use XML-RPC, disable it.
How to minimize security misconfiguration risks
To ensure your WordPress website does not have any security misconfigurations, change all the defaults. This applies to WordPress, plugins, and any other software and device you use, down to your home internet router, which typically ships with default credentials. For example, if a plugin comes with a default set of credentials, does not password-protect sensitive data, or stores it in a predictable default location, configure strong authentication and change the default paths. The same goes for the WordPress defaults attackers count on: a user named admin, debug output enabled on a live site, and the built-in plugin and theme file editor.
Because security misconfiguration can take different shapes and forms, a comprehensive WordPress hardening exercise is always going to be your best bet. While WordPress hardening is a good place to start, keep the infrastructure WordPress relies on, such as MySQL, in mind.
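As an added example (not from the article or any of its guides), here is a wp-config.php fragment that puts the weak default beside the hardened setting for the misconfigurations that most often turn up in WordPress compromises. The file paths, user name and placeholder values are assumptions; the constants themselves are WordPress's own.

```php
<?php
// Added example: wp-config.php hardening, weak default beside corrected value.
// Placeholder values (paths, DB user, salts) are assumptions to replace.

// Weak: WP_DEBUG true on a live site prints errors (file paths, queries)
// to visitors. Keep debugging off, and if you must log, log to a file
// outside the web root rather than rendering errors in the response.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', false );         // or '/var/log/wordpress/debug.log' (assumption)
@ini_set( 'display_errors', '0' );

// Weak: by default administrators can edit plugin and theme PHP from the
// dashboard, which turns any hijacked admin session into code execution.
define( 'DISALLOW_FILE_EDIT', true );
// Stricter still: block dashboard installs/updates entirely. Only do this if
// you deploy and update through a pipeline, or you will also block patches.
// define( 'DISALLOW_FILE_MODS', true );

// Weak: the sample config ships with placeholder keys and salts. Cookies and
// nonces are only as strong as these; generate unique values from
// https://api.wordpress.org/secret-key/1.1/salt/ and set all eight of them
// (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the matching *_SALT).
define( 'AUTH_KEY', 'replace-with-a-unique-64-character-random-string' ); // placeholder

// Weak: installers often connect as root or a user granted ALL PRIVILEGES on
// every database. Use a dedicated user limited to this site's database.
define( 'DB_NAME', 'wp_site' );        // assumption
define( 'DB_USER', 'wp_site_user' );   // assumption: GRANT only on wp_site.*
define( 'DB_HOST', '127.0.0.1' );      // not a remote host reachable from the internet

// Weak: world-readable files. The values below are the usual starting point
// when the web server runs as its own user; wp-config.php in particular must
// not be readable by other accounts on the host:
//   find /var/www/html -type d -exec chmod 750 {} \;
//   find /var/www/html -type f -exec chmod 640 {} \;
//   chmod 440 /var/www/html/wp-config.php
```

After changing these, confirm that a request for `/wp-config.php` is not served as plain text (a misconfigured PHP handler will happily do that) and that the database user really has no privileges beyond its own database: `SHOW GRANTS FOR 'wp_site_user'@'localhost';` should list only that database.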
Generally speaking, aside from WordPress, you’ll also want to harden MySQL, PHP, and the web server. While it might seem overwhelming at first, the effort will improve your security posture. Think of security hardening as an ongoing process, and some hardening is always better than no hardening at all. Get started by following our how-to guides for:
A06: Vulnerable and Outdated Components
In sixth place, we find vulnerable and outdated components. Not using software with known vulnerabilities might sound obvious, but unfortunately, it isn’t. The WordPress project has done a lot in this regard: it added automatic updates for WordPress core, and the plugin directory flags plugins that have not been tested with recent major releases of WordPress or have not been updated in a long time. However, it is not always easy for businesses to run the latest and most secure version. Many rely on legacy software or custom code that is not compatible with the current WordPress release or with newer plugin versions, so they keep running old, vulnerable versions of WordPress and plugins.
How to minimize vulnerable and outdated components risks
Keeping all software updated protects you from risks associated with vulnerable and outdated components. If you are running legacy software for which no updates are released, consider replacing it with something that is actively supported. This will ensure you receive regular updates.
In fact, our 2024 WordPress security survey showed that 32% of all respondents listed legacy plugins as one of their primary security concerns, making it the third-highest.
If a replacement is not possible, ensure you run regular security checks to identify any issues or vulnerabilities and mitigate associated risks.
A07: Identification and Authentication Failures
In 7th place, we find Identification and Authentication Failures. Previously listed as Broken Authentication, where it held 2nd place, this entry covers risks in confirming who a user is. In WordPress environments, these risks show up as weak passwords, lack of two-factor authentication, unlimited login attempts, and sessions that never expire. Such weaknesses offer malicious actors less resistance when attempting to gain unauthorized access.
How to minimize identification and authentication failure risks
Tackling these risks largely falls within WordPress login security. Implementing 2FA, enforcing password strength policies, and limiting login attempts drastically lower the risk of bad actors taking advantage. Changing the login URL adds a little friction for automated scanners but offers no protection once the new URL is known, so treat it as a minor extra rather than a control in its own right. Remember that WordPress also accepts credentials through XML-RPC and through application passwords on the REST API, so a limit applied only to the wp-login.php form leaves a gap.
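To show what "limiting login attempts" means in WordPress terms, here is an added example (not code from the article or from any named plugin) of a minimal per-IP lockout as a must-use plugin. The thresholds and the transient key prefix are assumptions; a production plugin would add per-account limits, allowlists and proper handling of proxy headers.

```php
<?php
// Added example: wp-content/mu-plugins/example-login-limit.php
// Thresholds and the transient prefix are assumptions.

const EXAMPLE_MAX_ATTEMPTS = 5;                       // failures allowed per window
const EXAMPLE_WINDOW       = 15 * MINUTE_IN_SECONDS;  // lockout / counting window

// Source address. Only read X-Forwarded-For if your reverse proxy overwrites
// it; otherwise a client can set it to anything and dodge the counter.
function example_client_ip(): string {
    return sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function example_attempt_key(): string {
    return 'example_login_fail_' . md5( example_client_ip() );
}

// 1) Count each failed login. wp_authenticate() fires 'wp_login_failed'
//    for form logins, XML-RPC and application-password failures alike.
function example_record_failure( $username ): void {
    $key   = example_attempt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_WINDOW );
}
add_action( 'wp_login_failed', 'example_record_failure' );

// 2) Refuse authentication once the threshold is reached. This must run
//    AFTER WordPress's own checks (username/password at priority 20, cookie
//    at 30): wp_authenticate_username_password() ignores an earlier WP_Error
//    when a username and password are present, so a lockout returned at a
//    low priority would simply be overwritten by a successful login.
function example_block_when_locked( $user ) {
    if ( (int) get_transient( example_attempt_key() ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_when_locked', 99, 1 );

// 3) Clear the counter on success so a legitimate user who mistyped
//    twice is not locked out by their own attempts.
function example_clear_on_success( $user_login ): void {
    delete_transient( example_attempt_key() );
}
add_action( 'wp_login', 'example_clear_on_success' );
```

Test it by failing a login six times from one address and confirming that the sixth attempt, and any attempt with the correct password during the window, returns the lockout error; then confirm the same through `xmlrpc.php` if XML-RPC is enabled on your site. Note that a lockout attempt also fires `wp_login_failed`, which extends the window; that is intended.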
A08: Software and Data Integrity Failures
Software and data integrity failures are a new entry for the 2021 list. They cover code and data that is trusted without its integrity being verified: plugins and themes installed from outside the official directory or from “nulled” sources, updates fetched without checksum or signature verification, deserialization of untrusted data, and unauthorized changes to files on the server, including WordPress core, plugins, and themes. Since such changes are unauthorized, they can include malicious code, such as backdoors, which bad actors then use to gain access to your website and data.
How to minimize software and data integrity failure risks
Install plugins and themes only from sources you trust, and monitor WordPress files for changes using a file integrity monitoring solution. At Melapress, we develop and maintain a plugin called Melapress File Monitor, which automates file monitoring scans and alerts you whenever it detects changes. Using this plugin, you’ll be able to spot malicious code changes and leftover files, enabling you to take remedial action quickly.
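To make clear what a file integrity check actually does, here is an added example (not code from the article and not Melapress File Monitor) of a stand-alone PHP script that records a SHA-256 baseline of a WordPress install and later reports added, removed and modified files. The command-line interface and the idea of storing the baseline as JSON are assumptions.

```php
<?php
// Added example: fim.php, a minimal file integrity monitor.
// Usage (assumed):  php fim.php baseline /var/www/html > baseline.json
//                   php fim.php check    /var/www/html < baseline.json

// Walk the tree and hash every regular file, keyed by its relative path.
// Uploads are deliberately included: dropped web shells usually land there.
function example_hash_tree( string $root ): array {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    $it     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        /** @var SplFileInfo $file */
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel            = substr( $file->getPathname(), strlen( $root ) + 1 );
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

// Compare two manifests. Anything in the report is a change to explain:
// an update you installed, or something you did not.
function example_diff( array $baseline, array $current ): array {
    $report = array( 'added' => array(), 'removed' => array(), 'modified' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( $baseline[ $path ] !== $hash ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_keys( $baseline ) as $path ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

$mode = $argv[1] ?? '';
$root = $argv[2] ?? '';
if ( 'baseline' === $mode && is_dir( $root ) ) {
    echo json_encode( example_hash_tree( $root ), JSON_PRETTY_PRINT ), "\n";
} elseif ( 'check' === $mode && is_dir( $root ) ) {
    $baseline = json_decode( stream_get_contents( STDIN ), true ) ?: array();
    $report   = example_diff( $baseline, example_hash_tree( $root ) );
    echo json_encode( $report, JSON_PRETTY_PRINT ), "\n";
    // Non-zero exit status lets cron or CI treat any change as an alert.
    exit( array_sum( array_map( 'count', $report ) ) ? 1 : 0 );
} else {
    fwrite( STDERR, "usage: php fim.php baseline|check <wordpress-root>\n" );
    exit( 2 );
}
```

Two caveats apply to any tool of this kind, plugin or script: the baseline must be taken immediately after a known-good install or update, and it must be stored off the server, because an attacker who can modify files can also rewrite a baseline kept next to them. For core and wordpress.org plugins you do not even need your own baseline: WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums --all` compare the files on disk against the hashes published upstream.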
A09: Security Logging and Monitoring Failures
Moving from 10th place to 9th, Security Logging and Monitoring Failures has been expanded to include additional types of failures not previously accounted for.
Logging and monitoring are vital for the security of your WordPress website and multisite network. WordPress activity logs also help you better manage your website, identify suspicious behavior before it becomes a problem, ensure user productivity, and much more.
How to minimize security logging and monitoring failure risks
To ensure your WordPress website is protected, install an activity log plugin. This will ensure user and system activity is logged, enabling you to spot suspicious behavior, improve security processes, and much more. Keep a copy of the log off the server, or forward it to an external log service, so that an attacker who gains access cannot simply erase the evidence. As the proud developers of WP Activity Log, we recommend installing this plugin. It will keep a record of everything that happens on your WordPress website and multisite network in an activity log.
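To show which WordPress hooks an activity log is built on, here is an added example (not code from the article and not WP Activity Log) of a must-use plugin that writes security-relevant events as one JSON object per line to a file outside the web root. The log path is an assumption; the web server user must be able to write to it.

```php
<?php
// Added example: wp-content/mu-plugins/example-audit-log.php
// The log path is an assumption; keep it outside the document root.

const EXAMPLE_AUDIT_LOG = '/var/log/wordpress/audit.jsonl';

function example_audit( string $event, array $data = array() ): void {
    $record = array_merge(
        array(
            'ts'      => gmdate( 'c' ),
            'event'   => $event,
            'ip'      => $_SERVER['REMOTE_ADDR'] ?? null,
            'user_id' => get_current_user_id() ?: null,
            'uri'     => $_SERVER['REQUEST_URI'] ?? null,
        ),
        $data
    );
    // error_log() type 3 appends to a file. One JSON object per line is
    // trivial to grep and to ship to a SIEM.
    error_log( wp_json_encode( $record ) . PHP_EOL, 3, EXAMPLE_AUDIT_LOG );
}

// Authentication events: the raw material for spotting brute force and
// for noticing a success that follows a burst of failures.
add_action( 'wp_login', function ( $login, $user ) {
    example_audit( 'login_success', array( 'user' => $login, 'user_id' => $user->ID ) );
}, 10, 2 );
add_action( 'wp_login_failed', function ( $login ) {
    example_audit( 'login_failed', array( 'user' => $login ) );
} );

// Privilege changes: a Subscriber becoming an Administrator is what broken
// access control exploits and hijacked admin accounts produce.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_audit( 'role_changed', array( 'target' => $user_id, 'new' => $role, 'old' => $old_roles ) );
}, 10, 3 );
add_action( 'user_register', function ( $user_id ) {
    example_audit( 'user_created', array( 'target' => $user_id ) );
} );

// Code changes from the dashboard: plugins and themes switching on or off.
add_action( 'activated_plugin', function ( $plugin ) {
    example_audit( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    example_audit( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );
add_action( 'switch_theme', function ( $new_name ) {
    example_audit( 'theme_switched', array( 'theme' => $new_name ) );
} );
```

What to look for once it is running: many `login_failed` records from one IP followed by a `login_success`, a `role_changed` or `user_created` event with no matching change request, and `plugin_activated` events for plugins nobody installed. Rotate the file with logrotate and forward it elsewhere; a log that lives only on the compromised host is a log the attacker can edit.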
A10: Server-Side Request Forgery (SSRF)
In 10th place, we find SSRF, which makes its way to the OWASP Top 10 from the community survey. Since it’s a well-known vulnerability, developers tend to cover it in their testing. Because of this, it has a low incidence rate.
SSRF vulnerabilities let an attacker make the WordPress server send requests to a URL of the attacker's choosing, because the application fetches user-supplied URLs without validating them. The target is typically something the server can reach but the attacker cannot: services bound to localhost, hosts on the internal network, or cloud metadata endpoints that hand out credentials.
How to minimize SSRF risks
While SSRF is usually heavily tested for, vulnerabilities can still slip through the net. As this is a software issue, your best defense against this risk is to keep all software up to date at all times. If you’re so inclined, you can test for SSRF vulnerabilities yourself using software such as Burp Suite, which is often used in WordPress penetration testing.
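For developers and reviewers, here is an added example (not code from the article) of a hypothetical plugin feature that fetches a user-supplied URL, once SSRF-prone and once using the safeguards WordPress ships. The action names, the capability chosen and the "link preview" use case are assumptions.

```php
<?php
// Added example: hypothetical "preview this link" admin-ajax feature.
// Action names, the capability and the response shape are assumptions.

// VULNERABLE: the server fetches whatever the client asks for. An attacker
// points it at http://127.0.0.1:8080/ (a local admin service) or at
// http://169.254.169.254/ (cloud instance metadata) and reads the reply.
function vuln_fetch_preview() {
    $url  = wp_unslash( $_GET['url'] ?? '' );
    $resp = wp_remote_get( $url );
    wp_send_json_success( wp_remote_retrieve_body( $resp ) );
}
add_action( 'wp_ajax_example_preview', 'vuln_fetch_preview' );

// HARDENED: require a nonce and a capability, validate the URL, and use the
// *_safe_* HTTP helper. wp_safe_remote_get() sets reject_unsafe_urls, which
// runs wp_http_validate_url(): http/https only, no credentials in the URL,
// no localhost, no RFC 1918 or link-local addresses (unless a site opts in
// via the 'http_request_host_is_external' filter), and redirect targets are
// validated the same way.
function safe_fetch_preview() {
    check_ajax_referer( 'example_preview', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = esc_url_raw( wp_unslash( $_GET['url'] ?? '' ), array( 'http', 'https' ) );
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid_url', 400 );
    }
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $resp ) ) {
        wp_send_json_error( $resp->get_error_message(), 502 );
    }
    // Return only what the feature needs, never the raw body: echoing the
    // response back is what turns SSRF into a data-exfiltration channel.
    $body  = wp_remote_retrieve_body( $resp );
    $title = preg_match( '#<title>(.*?)</title>#is', $body, $m ) ? wp_strip_all_tags( $m[1] ) : '';
    wp_send_json_success( array( 'title' => $title ) );
}
add_action( 'wp_ajax_example_preview_v2', 'safe_fetch_preview' );
```

When testing a plugin for SSRF, try the URLs named in the comments plus a hostname you control that resolves to a private address: `wp_http_validate_url()` resolves the name and checks the resulting IP, but a DNS answer that changes between validation and fetch (DNS rebinding) is not something the application layer can fully defend against, so on hosts where this matters block egress to internal ranges at the network level as well.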
Building an OWASP “Compliant” WordPress Website with OWASP Top 10
WordPress security can be complex, especially when dealing with large setups. However, getting started and covering the basics is not that difficult, as this article highlights. You can have an OWASP Top 10 “compliant” WordPress website by taking care of these basics:
- Use the latest version of the WordPress core, plugins, and themes
- Ensure you change all of the defaults in your WordPress core and plugins
- Enforce strong password policies
- Enable 2FA with a two-factor authentication WordPress plugin
- Use WordPress users and roles appropriately
- Keep a record of everything that happens on your website in a WordPress activity log
Using this OWASP Top 10 list as a guide can boost the security of your WordPress website. For more detailed information, refer to the official OWASP Top 10 page.
WordPress checks for proper authorization and permissions for any function level access requests prior to the action being executed. Access or visualization of administrative URLs, menus, and pages without proper authentication is tightly integrated with the authentication system to prevent access from unauthorized users.
Correct, WordPress addresses A5 very well.
Thanks for the information, I didn’t know about OWASP. I always find your posts full of new information. Thanks for sharing.
Thanks for sharing the links @Voja. You are right, it is indeed a big issue, but for non-developers and WordPress site admins there isn’t much they can do; as long as they keep their software up to date, they should be covered if the developer fixes all reported issues.
Although it seems obscure, A8 is a big issue in WP. There was a great workshop on the subject at WCEU ’18 by https://2018.europe.wordcamp.org/speaker/robert-rowley/ . Basically, it’s a PHP issue http://php.net/manual/en/function.unserialize.php that is usually overlooked by plugin developers.