Adds Leo Pate, application security consultant at nVisium: “Any plug-ins or templates used within WordPress should be from reputable sources and be kept up to date.”

What to Keep In Mind
The factors teams should take into account regarding those plug-ins and templates include when the plug-in was last updated, comments and reviews of the plug-in from developers and users, and how many times the plug-in has been downloaded, Pate says.

Another factor many WordPress administrators say should be considered is how large the support group for the plug-in happens to be. Because WordPress is written in four very popular languages — HTML, CSS, PHP, and JavaScript — many plug-ins are the work of individual developers. While these are not inherently dangerous, some administrators caution that vulnerabilities can take longer to discover and remediate when a single developer is maintaining the codebase.

It’s critical for organizations to look at their WordPress environments holistically and apply rigorous security measures at every level, Pate adds.

In addition to keeping software up to date, “don’t run the WordPress server’s services as administrative users, default user credentials should be changed on the WordPress instance as well as the database credentials, and make sure the server only allows connections over TLSv1.2 or TLSv1.3,” he advises. “The ciphers used for those connections should provide perfect forward secrecy, and the domain should participate in certificate transparency.”
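Three of those points (no administrative service account, TLS 1.2/1.3 only, forward-secret ciphers) can be checked mechanically in the web server configuration. The following is an added example, not code from the article or from nVisium; it assumes nginx fronts the WordPress instance and uses a deliberately simplified directive parser over two constructed config fragments.

```python
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Key-exchange prefixes that provide perfect forward secrecy; TLS 1.3 suites always do.
PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")

# Constructed nginx fragments for illustration; neither comes from a real server.
WEAK_CONFIG = """
user root;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # legacy versions still enabled
ssl_ciphers HIGH:!aNULL:!MD5;          # HIGH includes RSA key exchange (no PFS)
"""
HARDENED_CONFIG = """
user www-data;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL;
"""

def parse_directives(config: str) -> dict:
    """Collect the last value of each directive of interest (simplified, not a full nginx parser)."""
    found = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.replace('"', "").split()
        if parts and parts[0] in ("user", "ssl_protocols", "ssl_ciphers"):
            found[parts[0]] = parts[1:]
    return found

def audit(config: str) -> list:
    """Return findings for the three checks; an empty list means all three pass."""
    d = parse_directives(config)
    findings = []
    if d.get("user", ["nobody"])[0] == "root":
        findings.append("worker processes run as root")
    protos = set(d.get("ssl_protocols", []))
    legacy = protos - ALLOWED_PROTOCOLS
    if not protos:
        findings.append("ssl_protocols unset; the default depends on the nginx build")
    elif legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    for entry in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if not entry or entry[0] in "!@":  # exclusions and ordering controls
            continue
        if not entry.lstrip("+").startswith(PFS_PREFIXES):
            findings.append(f"cipher entry without guaranteed forward secrecy: {entry}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Default credentials and certificate-transparency participation are not visible in this file and have to be verified separately (in WordPress and the database, and in the issued certificate's CT log entries).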
