Welcome to the Patchstack Weekly Security Update, Episode 55! This update is for week 3 of 2023.
This week’s knowledge share is another security New Year’s resolution. I will talk about how you can check for some important security features your hosting provider may or may not be offering.
I will then cover the week’s vulnerability roundup, which highlights two critical vulnerabilities: one that received a patch and one that did not.
Verifying your hosting provider’s security
Remember, WordPress is a web application that runs on a web server, typically managed by a web hosting provider. So, the security of your web hosting provider is just as important as the security of your WordPress website.
Here is a short checklist of a few items you should look for to be assured your hosting provider is secure. This is not a complete list, and the line between the managed hosting provider and managed WordPress provider can be blurred. So I will be focused on what a managed hosting provider should be providing, not a managed WordPress host.
Do they offer (free) HTTPS?
There was once a time when HTTPS or Secure HTTP was expensive and rare. Luckily, those days are gone. Most hosting providers offer free HTTPS for all websites. This is mostly thanks to the efforts of the LetsEncrypt project which provides free TLS certificates (a requirement for HTTPS) for over 300 million websites.
Your website should have HTTPS enabled, and you can test this easily. Just open a browser and go to https://your-domain-name. If your website comes up and there is a lock icon in your browser, then you’re all good!
If not, then you may want to look into how to set up HTTPS with your web hosting provider. Remember, Let’s Encrypt can be used to set this up for free.
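The browser lock icon check above can be scripted for a list of sites. The following is an added example (not from the Patchstack post) that performs the same two checks a browser does: it opens a fully verified TLS connection to port 443 and reports the certificate issuer and days until expiry, and it fetches the plain-HTTP URL to confirm it redirects to https://. The hostname example.com in the usage line is a placeholder; nothing else is assumed beyond the Python standard library.

```python
import socket
import ssl
from datetime import datetime, timezone
from http.client import HTTPConnection

# Date format used by ssl.getpeercert() for notBefore/notAfter, e.g. "Jan 31 12:00:00 2024 GMT"
CERT_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_cert_date(text):
    """Turn a getpeercert() date string into an aware UTC datetime."""
    return datetime.strptime(text, CERT_DATE_FMT).replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left before the certificate's notAfter date (negative if already expired)."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_date(not_after) - now).days


def is_https_redirect(status, location):
    """True when a plain-HTTP response redirects the visitor to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")


def check_https(host, timeout=10):
    """Open a verified TLS connection (the same checks the browser lock icon implies) and
    report who issued the certificate, how long it remains valid, and the TLS version.
    Raises ssl.SSLCertVerificationError if the chain or hostname does not verify."""
    ctx = ssl.create_default_context()  # system trust store + hostname verification
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            proto = tls.version()
    issuer = dict(pair[0] for pair in cert["issuer"])
    return {
        "issuer": issuer.get("organizationName"),
        "days_left": days_until_expiry(cert["notAfter"]),
        "tls_version": proto,
    }


def check_http_redirect(host, timeout=10):
    """Fetch http://host/ and report whether plain HTTP is redirected to HTTPS."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return is_https_redirect(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder hostname
    print("TLS:", check_https(site))
    print("HTTP redirects to HTTPS:", check_http_redirect(site))
```

A certificate that verifies but has only a handful of days left is worth a support ticket: Let’s Encrypt certificates are short-lived and rely on the host’s automated renewal working.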
Do they offer backups?
Backups are for emergencies, but a backup you have never restored is only a hope. You need to test how they work and make sure they are actually good.
Check with your hosting provider to see how their backup and restoration process works. Give it a test run if you would like (but try not to overwrite your public website.)
Is their software up to date?
We all know the importance of regularly updating our WordPress website, as well as our laptop or PC’s operating system. But web servers have operating systems too, and they need updating as well.
Luckily, WordPress allows you to confirm the versions of the software it relies on. Simply log in to your WordPress admin panel, open Tools, then Site Health.
The Site Health page gives you a wonderful list of details, including server versions: click on the “Info” tab, then expand the “Server” section.
The Server section has information about software versions of PHP, the web server, and more. You can also expand the “Database” section to find the server software and version for your database server.
You will need to do a little manual verification to find out if these components are still supported by their respective software vendors, but it is worth the time and effort.
I have one more pro tip here too. If you find a software version is out of date or unsupported, do not panic. Simply reach out to the hosting provider’s support team and ask them about it. You may be able to easily upgrade, or they may inform you the package is “backported”, which means someone applied the needed security patches even though it still reports an old version number.
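The manual verification step can be scripted once you have copied the Site Health info. Below is an added example (not from the Patchstack post) that parses the text produced by the Site Health “Info” tab’s copy-to-clipboard button, pulls out the PHP and database server versions, and compares them against a floor of the oldest release still receiving vendor security fixes. The sample export and the MIN_SUPPORTED thresholds are constructed for illustration and must be refreshed from the vendors’ lifecycle pages; the section and key names follow the export format as of WordPress 6.1.

```python
import re

# Constructed sample in the format produced by Site Health > Info > "Copy site info to clipboard".
# Section headers look like "### wp-server ###" and entries are "key: value" lines.
SITE_HEALTH_EXPORT = """\
### wp-core ###

version: 6.1.1
site_language: en_US

### wp-server ###

server_architecture: Linux 5.15.0 x86_64
httpd_software: Apache/2.4.41 (Ubuntu)
php_version: 7.4.33 64bit
php_sapi: fpm-fcgi

### wp-database ###

extension: mysqli
server_version: 5.7.40
client_version: mysqlnd 7.4.33
"""

SECTION_RE = re.compile(r"^### (\S+) ###$")
ENTRY_RE = re.compile(r"^([A-Za-z0-9_]+): (.*)$")
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")

# Oldest major.minor still receiving vendor security fixes. These are assumed thresholds for
# illustration: refresh them from php.net/supported-versions.php and your database vendor's
# lifecycle page before trusting the result. (PHP 7.4 reached end of life in November 2022,
# so at the time of this episode it is correctly flagged.)
MIN_SUPPORTED = {"php": (8, 0), "mysql": (8, 0)}


def parse_site_health(text):
    """Parse the copied Site Health info into {section: {key: value}}."""
    info, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = info.setdefault(m.group(1), {})
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            section[m.group(1)] = m.group(2).strip()
    return info


def extract_version(value):
    """'7.4.33 64bit' -> (7, 4, 33); None when no dotted version is present."""
    m = VERSION_RE.search(value)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def find_outdated(info, thresholds=MIN_SUPPORTED):
    """Return the components whose reported version is below the supported floor."""
    reported = {
        "php": info.get("wp-server", {}).get("php_version", ""),
        "mysql": info.get("wp-database", {}).get("server_version", ""),
    }
    outdated = []
    for component, floor in thresholds.items():
        version = extract_version(reported.get(component, ""))
        if version is None:
            continue
        if version[: len(floor)] < floor:
            outdated.append({"component": component, "reported": reported[component], "floor": floor})
    return outdated


if __name__ == "__main__":
    parsed = parse_site_health(SITE_HEALTH_EXPORT)
    for item in find_outdated(parsed):
        # A low number may still be a backported distro package; confirm with the host before acting.
        print(f"{item['component']}: reported {item['reported']}, below supported floor {item['floor']}")
```

The script only compares the version string, so it cannot tell a genuinely unpatched PHP 7.4 from a distribution package that backports fixes; treat its output as the list of questions to put to your host’s support team.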
Do they have Brute Force Blocking?
I talked about brute force attacks in Patchstack Weekly #32, and calculated that over 100 billion attempts to brute force WordPress happen each day. This is why it is important to throttle or block failed login attempts, and many hosting providers do this already.
Here is how you can test your hosting provider’s brute force blocking/throttling technology. Simply attempt to log in to your site’s wp-login.php and intentionally fail multiple times. If you entered an incorrect password 10 or more times, you should get blocked. If not, then you may have reason to be concerned.
WARNING: Doing this likely means your IP will be blocked by the host. Don’t do this if you need to log in to the website to get any work done from that same location; try it at the end of your day or while you’re at a cafe.
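If your host does not throttle, the access log is where you will see the failures pile up. The following is an added example (not from the Patchstack post) of detection logic a site owner can run over their own web server log: it counts POST requests to wp-login.php that WordPress answered with HTTP 200 (the login form re-rendered with an error) per source IP inside a sliding time window, and reports any IP that reaches 10 failures, the threshold mentioned above. The log lines are constructed sample data in combined log format; the 200-means-failure, 302-means-success convention is WordPress’s normal login behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, status):
    """Build one constructed access-log line (sample data, not from a real server)."""
    return (f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {status} 4021 '
            f'"https://example.com/wp-login.php" "Mozilla/5.0"')


# Constructed sample: 203.0.113.7 fails twelve times at 15-second intervals and is never blocked
# (a blocking host would start answering 403 or dropping the connection instead of 200);
# 198.51.100.4 fails twice, then logs in successfully (302 redirect to wp-admin).
SAMPLE_LOG = [
    _line("203.0.113.7", f"10/Jan/2023:14:{(i * 15) // 60:02d}:{(i * 15) % 60:02d} +0000", 200)
    for i in range(12)
] + [
    _line("198.51.100.4", "10/Jan/2023:14:03:10 +0000", 200),
    _line("198.51.100.4", "10/Jan/2023:14:03:21 +0000", 200),
    _line("198.51.100.4", "10/Jan/2023:14:03:35 +0000", 302),
]


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A POST to wp-login.php answered with 200 is WordPress re-showing the form with an error."""
    return rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") and rec["status"] == 200


def flag_brute_force(lines, threshold=10, window_seconds=600):
    """Return {ip: peak_failures} for IPs with >= threshold failed logins inside a sliding window.
    Lines are expected in chronological order, as a server writes them. An IP that reaches the
    threshold and keeps receiving 200s was not throttled by the host."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, count in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within the window and never blocked")
```

Run it against a real log with `flag_brute_force(open("access.log"))`; every IP it prints after the first ten failures is evidence the host’s throttling did not engage, which is exactly what the manual test above is checking.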
Do they notify users of insecure site components?
I have time for one more recommendation, which is uncommon but becoming more of an industry standard: you should check if your hosting provider identifies insecure components on your website.
The world has moved on to proactive security instead of reactive security. You may notice malware detection was not on this list. That’s because I don’t want to recommend you install malware on your websites to see what your host does (because what they do won’t be good).
Instead, try installing a known insecure version of a component – you can find many in the Patchstack database. Be sure that the security bug in question requires a high-privilege logged-in user too. You do not want to install something that could result in your site being hacked.
Once an insecure version of a component is installed, and you have auto-updates turned off, all you need to do is wait. Count the days until you receive a notification from your hosting provider (if you receive a notification at all).
Proactive notification of insecure components is available at a few Patchstack hosting partners already. However, if you do not receive a notification then you can address this yourself by installing the Patchstack plugin.
As you go through this list, you may recognize that many of these security best practices have plugins that provide related services. If you find your hosting provider lacks in one of these items, then that’s OK! There may be a plugin that will meet your needs.
The only way to know if you need these extra plugins in the first place is to check yourself. This may also help you avoid paying for a plugin when your hosting plan already has you covered.
Vulnerability roundup
The wp-booklet plugin was recently closed without an official reason given, but it is likely because of this remote code execution bug. Luckily, it appears a valid user account (subscriber or higher) is required to exploit this vulnerability, which may buy you some time to find an alternative.
The developers for hide_my_wp have released a patch to address an unauthenticated SQL injection security bug. Users should make sure they update their installed versions of hide_my_wp as soon as possible.
Please note this is the hide_my_wp premium plugin found in the Envato market.
Thanks and appreciation
This week’s thanks go out to the developers of hide_my_wp, wpWave. Great job patching that SQL injection bug.
This week’s special thanks go out to everyone taking responsibility for the website’s security. Hopefully, that means you.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!