A recent zero-day vulnerability that affected hundreds of thousands of WordPress sites offers some insight into why a growing number of businesses are looking to managed WordPress hosting from companies like WP Engine for more than just fast-loading, highly-available websites.
What Went Wrong With File Manager Plugin 6.4?
The critical vulnerability was introduced in May 2020, in version 6.4 of the popular File Manager plugin. It was publicly disclosed a few months later: a file that was unintentionally included in the 6.4 release could be reached by unauthenticated users, and through that file they could execute arbitrary commands against the plugin's underlying library, which ultimately left hundreds of thousands of websites open to a complete takeover by a rogues’ gallery of bad actors.
With more than 600,000 active installations, File Manager is a popular alternative to the long-used File Transfer Protocol, and because the plugin was active on so many sites, exploitation of the now-patched File Manager vulnerability set off a global hacking spree that sent countless site owners, and security and IT professionals, scrambling for cover.
While many sites were unfortunately breached, the exploit went more or less unnoticed by the majority of WP Engine customers, none of whom were affected by this critical vulnerability.
How Managed WordPress Hosts Offer Protection
Because every site on WP Engine’s platform—regardless of plan type—is protected by baseline security measures that automatically blocked this particular vulnerability from being exploited, our customers were able to continue operating their businesses without interruption.
In addition to mitigating this and other security vulnerabilities with regular, managed WordPress Core updates and security patching, all WP Engine customers benefit from additional security features such as:
- Traffic encryption through SFTP and SSL certificates with Let’s Encrypt
- Access control with user management, Single Sign-On, and Multi-Factor Authentication
- Best practices provided by a dedicated security team focused on security engineering, governance, risk, and compliance
Added Website Security with Global Edge Security
For an added layer of protection, WP Engine also offers Global Edge Security, an enterprise-grade solution designed specifically to secure WordPress sites, built together with internet performance and security leader Cloudflare.
Global Edge Security combines the intelligence and expertise WP Engine has gained from serving its global customers for more than a decade with Cloudflare’s web application firewall (WAF), distributed denial of service (DDoS) protection, content delivery network (CDN), and global edge network, which spans more than 100 countries.
The WP Engine Security Standard
WP Engine has also successfully completed a Service Organization Control (SOC 2®) Type II examination for its customer environment and User Portal. The independent audit, conducted by Holtzman Partners, found that WP Engine meets the SOC 2 standards for the Security and Availability Trust Services Categories.
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 requires companies to establish and adhere to strict information security policies and procedures, which can cover the security, availability, confidentiality, processing integrity, and privacy of customer data. An independent audit against a common standard such as SOC 2 gives WP Engine’s customers assurance that their data is managed and protected to that rigorous standard, and that the availability, or uptime, of WP Engine’s platform has been independently examined as well.
Managed WordPress Hosting and Website Security
With all of these solutions in tow, businesses of all sizes, and agencies managing multiple websites, are increasingly leaning on WP Engine’s secure WordPress hosting platform for more than just uptime, speed, caching, and support.
Website security is a major priority for every website—not just those with critical data or compliance needs—and leaning on a managed WordPress host that can provide robust security solutions in addition to best-in-class hosting and support has become an increasingly attractive option for any business looking to ensure that every aspect of their digital presence is being taken care of.
As mentioned above, the protections provided by the WP Engine managed WordPress hosting platform automatically blocked the File Manager vulnerability from being exploited, and those protections have helped block numerous other exploits over the years. That said, attackers are constantly looking for new ways to target websites, and as new vulnerabilities are inevitably uncovered, staying ahead of the curve requires a hands-on, active approach.
An Added Layer of Protection Against Plugin Vulnerabilities
While many organizations have dedicated security teams in-house, keeping track of plugin updates and potential vulnerabilities may not be the best use of their time. For leaner teams that don’t have the budget for in-house security support, keeping up with the constantly-evolving threat landscape is a losing proposition.
In outsourcing much of your website maintenance to a managed provider like WP Engine, you not only benefit from websites that perform better, you gain a needed ear-to-the-ground when it comes to emerging security threats, keeping you well ahead of the next vulnerability.