How We Keep Our WordPress Site Safe from Vulnerabilities That Have No Fix or are Undisclosed

The WordPress platform powers approximately 30 percent of the world’s websites, including those belonging to big names like TechCrunch, Bloomberg, BBC America, Disney, and more. This is an impressive feat for the company, but a Common Vulnerabilities and Exposures (CVE) entry disclosed in 2018 once again showed how easily the platform can be abused. A researcher identified CVE-2018-6389, which allows an attacker to mount a Denial of Service (DoS) attack against vulnerable websites.

Because WordPress is open source, it is very easy to review its code and explore features that could be open to attack, including the load[] parameter behind this infamous CVE. And there are plenty more disclosed vulnerabilities that site owners need to watch for and take steps to protect their data against. This shows that the WordPress platform itself, and any company running it, is a very easy target for malicious actors.

When investigating the WordPress vulnerability above, for which there was no official fix, I tested WhiteHat Security’s WordPress site and was surprised to find that we were not at risk.

This led me to ask: how could the team running our website be so forward-thinking as to protect against vulnerabilities that were (a) only just disclosed and (b) have no official fix, especially when the site managers are not security researchers?

After some investigation, it turned out that WhiteHat’s production site is not actually running WordPress. WordPress runs only in our development environment. When changes are ready to deploy to production, they are first run through a static site generator, and the resulting static pages are pushed to production.
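The following is an added example of what that static-generation step looks like, written for this article and not WhiteHat’s own tooling. It crawls a development site, skips WordPress runtime endpoints and anything carrying a query string, rewrites the development origin to the production origin, and writes plain files that any static web server can serve. The hostnames `dev.example.test` and `www.example.test`, the `SAMPLE_SITE` pages, and the `DYNAMIC_PATHS` list are assumptions made for the example.

```python
"""Static snapshot of a development WordPress site (added example, not WhiteHat's tooling).

Only plain files reach the output directory: no PHP, no query strings, no admin or
API endpoints, which is the property the article relies on for its production site.
"""
import os
import tempfile
from html.parser import HTMLParser
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin, urlsplit
from urllib.request import urlopen

# Paths that belong to the WordPress runtime rather than to site content (assumed
# list). They are never fetched, so they never appear in the static copy.
DYNAMIC_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php", "/wp-json/", "/wp-cron.php")


class LinkExtractor(HTMLParser):
    """Collect href/src attribute values from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def is_dynamic(path):
    """True for runtime endpoints and any .php script; those are never copied."""
    return any(path.startswith(p) for p in DYNAMIC_PATHS) or path.endswith(".php")


def local_path(out_dir, url_path):
    """Map a URL path to a file path: '/' and '/about/' become .../index.html."""
    path = url_path.lstrip("/")
    if path == "" or path.endswith("/"):
        path += "index.html"
    return os.path.join(out_dir, path)


def http_fetcher(dev_origin):
    """Default fetcher: GET dev_origin + path, returning (content type, bytes) or None."""
    def fetch(path):
        try:
            with urlopen(dev_origin + path) as resp:
                return resp.headers.get("Content-Type", ""), resp.read()
        except (HTTPError, URLError):
            return None
    return fetch


def snapshot(dev_origin, prod_origin, out_dir, fetch=None, max_pages=500):
    """Crawl dev_origin breadth-first and write a static copy to out_dir.

    Returns the list of URL paths written. Off-site links, links with a query
    string and WordPress runtime endpoints are skipped rather than copied.
    """
    fetch = fetch or http_fetcher(dev_origin)
    dev_host = urlsplit(dev_origin).netloc
    queue, seen, written = ["/"], set(), []
    while queue and len(written) < max_pages:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        fetched = fetch(path)
        if fetched is None:
            continue  # broken link in dev content; leave it out of the copy
        ctype, body = fetched
        if ctype.startswith("text/html"):
            text = body.decode("utf-8", "replace")
            parser = LinkExtractor()
            parser.feed(text)
            for link in parser.links:
                parts = urlsplit(urljoin(dev_origin + path, link))
                if parts.netloc != dev_host or parts.query or is_dynamic(parts.path):
                    continue  # off-site, parameterised or runtime URL: not static content
                queue.append(parts.path)
            # Absolute links must point at production once the copy is deployed.
            body = text.replace(dev_origin, prod_origin).encode("utf-8")
        dest = local_path(out_dir, path)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as f:
            f.write(body)
        written.append(path)
    return written


# Constructed sample site standing in for the WordPress development instance.
SAMPLE_SITE = {
    "/": '<html><body><a href="/about/">About</a> '
         '<a href="{origin}/wp-login.php">Login</a> '
         '<script src="/wp-admin/load-scripts.php?load[]=jquery"></script> '
         '<link rel="stylesheet" href="/style.css"></body></html>',
    "/about/": '<html><body><a href="{origin}/">Home</a></body></html>',
    "/style.css": "body { color: black; }",
}


def demo(out_dir=None, dev_origin="http://dev.example.test", prod_origin="https://www.example.test"):
    """Snapshot SAMPLE_SITE from memory (no network) and return what was written."""
    out_dir = out_dir or tempfile.mkdtemp()

    def fetch(path):
        body = SAMPLE_SITE.get(path)
        if body is None:
            return None
        ctype = "text/css" if path.endswith(".css") else "text/html"
        return ctype, body.replace("{origin}", dev_origin).encode("utf-8")

    written = snapshot(dev_origin, prod_origin, out_dir, fetch)
    files = {}
    for p in written:
        with open(local_path(out_dir, p), encoding="utf-8") as f:
            files[p] = f.read()
    return {"out_dir": out_dir, "written": written, "files": files}


if __name__ == "__main__":
    result = demo()
    print("written:", result["written"], "to", result["out_dir"])
```

Running `snapshot("http://dev.example.test", "https://www.example.test", "out/")` against a real development instance produces a directory you can push with `rsync` or any object-storage upload; the login page, `xmlrpc.php` and the parameterised `load-scripts.php` URL from the sample pages are deliberately absent from the output.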

Because our production website is not WordPress but a static “copy” of its pages, it is safe against almost every attack out there, WordPress-specific or not. Think of WhiteHat’s live website not as a WordPress site but as a collection of screenshots; you can’t hack a screenshot.

We are proud of our team’s ongoing, innovative efforts to keep our company and customer data secure, including this unique approach to running a website built on WordPress. We hope this idea can inspire and help other companies struggling to keep up with the constant barrage of new vulnerabilities and exposures on popular, widely used platforms like this one, and we can’t wait to see what our team does next.