Last week a Zero day vulnerability was reported for one of the most popular WordPress community plugin “Ultimate member“. The vulnerability was rated 9.8/10 as a privilege escalation which means any logged-in member can exploit it to become site administrator.
A zero-day vulnerability refers to a software security flaw or weakness that is unknown to the software vendor or developer. It is called “zero-day” because the vulnerability is exploited or attacked on the same day it becomes known to the public, giving no time for the software vendor to release a patch or fix.
While the patch is already live as we speak in their latest version released last week, it brings us to a very important discussion.
Why WordPress sites get hacked and what can you do about it ?
WordPress was originally developed as a Blogging platform which meant that only handful of users will log into the WordPress’s admin panel to control and manage the system. As WordPress crossed the boundaries of a Blogging platform and entered into the CMS territory, a lot of plugin developers started developing plugins considering WordPress as a CMS.
While there is no excuse for vulnerabilities reported for SQL Injection or improper sanitisation which can be attributed to developer. Vulnerabilities such as a Privilege escalation and an XSS are a whole different ball game altogether. A plugin A can cause a vulnerability in Plugin B. We’ve seen similar vulnerabilities in so many plugins from WooCommerce to Google Site kit etc.
A huge majority of WordPress users are frustrated by the constant updates and it is understandable, as updates more often than not, break sites. While a plugin developer has to focus only on his plugin’s code, vs a WordPress site developer has to deal with 100’s of plugins used in their sites.
This has unfortunately led to many users/developers opting out of WordPress and movig towards less customisation options like Webflow, SquareSpace etc.
Possible solution : HeadLess WordPress
The solution that we propose is to convert to a HeadLess WordPress architecture. A headless WordPress architecture can help enhance the security of your WordPress site in several ways:
Reduced attack surface
With a headless architecture, the front-end and back-end of your website are decoupled. This means that the front-end, which is responsible for rendering and displaying the website content, is separate from the back-end, which handles the core WordPress functionality. By isolating the back-end, you limit the potential attack surface, as the public-facing front-end does not have direct access to sensitive WordPress files or database.
Custom security implementations
In a headless setup, you have more control over implementing custom security measures. You can design and implement security protocols that are tailored to your specific needs and requirements. This flexibility allows you to choose security plugins, frameworks, or security measures that best align with your website’s unique security considerations.
Better control over API security
In a headless architecture, the front-end communicates with the back-end via APIs (Application Programming Interfaces). By leveraging secure APIs, you can establish stricter access controls, implement authentication mechanisms, and enforce secure communication protocols. This helps protect your data and restrict unauthorized access to your WordPress site.
Reduced plugin vulnerabilities
Plugins are a common source of vulnerabilities in WordPress. In a headless setup, you have more freedom to reduce reliance on third-party plugins on the front-end. By reducing the number of plugins used on the front-end and relying more on custom development or lightweight frameworks, you can minimize the potential attack vectors and decrease the likelihood of plugin-related vulnerabilities.
Flexibility in technology stack
In a headless WordPress architecture, you have the freedom to choose different technologies for the front-end. This allows you to select frameworks or languages that are known for their security features and have a strong track record of addressing vulnerabilities. You can leverage robust security features of modern front-end frameworks like React, Angular, or Vue.js to enhance the overall security of your website.
WordPress already has a robust API system which is very suitable for generating HeadLess apps. Once such App is the VibeBP which is a Social community HeadLess app for WordPress.