Is WordPress really insecure?
So let’s talk about WordPress Security. First of all, there is this widely stated myth that WordPress is insecure. Let’s just nip that in the bud right now.
WordPress is being constantly developed by people all around the world. These are very highly skilled people who have created a really powerful Content Management System (CMS) that is used by huge corporations and big enterprise companies around the globe.
For example, check out the following brands that use WordPress online:
- The New Yorker
- Sony Music
- Beyonce… yep
- Time Inc
- And more
[Source: 40+ Brands – WP Beginner]
Think about this… if WordPress were inherently insecure, people would not be using it. Those large corporations would not be powering their online presence with an inferior solution.
Wait…. this is NOT my argument though, do read on!
Ways a site can be hacked
Now the reason a WordPress site can be hacked is essentially the same reason that a Drupal site, an Umbraco site or any website in the entire world for that matter can be.
Weaknesses in any setup can include:
- Over-simplistic passwords
- User error
- Leaving the laptop on the train (some UK officials are good at that)
- The host server operating system has not been updated
- Insufficient firewall protection
- Poor code in add-ons
- Other scripts installed on the same server
- Shared hosting solutions where access through one site grants access in all sorts of places
- I could go on but then I’d be ranting… well it is a rant really, but a helpful one 😃
Put it this way, there are all sorts of ways into a website beyond just CMS code, whichever platform your business chooses to use.
Let’s unpack a couple of these:
The host server OS has not been updated
Many companies look to save money and opt for very low-cost hosting packages. This likely means the servers they are using are poorly maintained, and essential updates and patches are not being applied regularly to ensure the integrity and security of the server. A would-be hacker could take advantage of that vulnerability, and it would not matter what content management system was running: if they can get into the server, they can do whatever they want.
Lesson? Don’t buy cheap hosting unless you are confident you are in good hands!
Poor code in add-ons
With many content management systems come modules (plugins/add-ons) that add features. Without due diligence, a site packed full of plugins that have not necessarily been vetted for quality poses a risk to any CMS.
Lesson? Choose your plugins wisely and do your research.
OK I am biased, I love WordPress, and would recommend it in most cases. I bleeping love it. I also use it because it is SUPER easy to develop for, gorgeous to manage and also easy for users to get to grips with.
I also love the community. The beauty of WordPress is its community and its stake in WordPress powering a 27% share of all websites… IF a vulnerability is discovered, the entire community jumps into action to get that patched/resolved. With so many sites relying on WordPress, it is in everyone’s interest to be on the ball. Now you don’t get that with an off-the-shelf product, or even a small unknown content management system! Yay WordPress! (ModX have a good track record, mind)
Please know, in my humble opinion, WordPress is a really good robust system and is not inherently insecure… BUT that doesn’t mean that you just go ahead, install WordPress and forget about it…
Do it right, do it well, and maintain it and the infrastructure.
If you need help or support with your WordPress Security, then get in touch. Happy to point you in the right direction.