I deal with a lot of WordPress sites in my day-to-day proceedings. 'Dealing with WordPress sites' has, for me, come to mean 'cleaning up hacked WordPress sites', since that covers about 90% of the dealings I have with WordPress. Having experience with many compromised WordPress websites begs the question, does this mean that WordPress itself is an inherently-flawed CMS with gaping security holes and should be avoided at all costs? Despite my admittedly skewed experience with WordPress (I am the 'tech support guy' people call on to fix problems, after all, not the guy they come to when everything's working perfectly), I’ve found WordPress itself to be a solid CMS with a solid team of people backing it up and improving it constantly. That does not mean that your WordPress site has a good foundation, however. Let’s take a minute to go through some of the pros, cons, and other factors that make WordPress as secure (or insecure) as it is today.
Inherent WordPress Security Benefits
- WordPress has a team that works hard to stay one step ahead of any security vulnerabilities found. (vulnerabilities like these)
- According to WordPress stats there are currently (at the time of writing) 68,393,923 WordPress sites in the world. How is this a security benefit? It means that the system has had a massive amount of testing on countless server configurations... And that it does what it does very well.
Inherent WordPress Security Problems
- According to WordPress stats there are currently (at the time of writing) 68,393,923 WordPress sites in the world. How is this a security threat? It means that ‘hackers’ (people interested in breaching the security/compromising your site) have a very large knowledge base to draw from; it means that they have plenty of experience cracking WordPress sites.
So is WordPress secure or not? Before we answer that, there are a couple of other factors we need to consider:
- People don’t update. From WordPress itself to the plug-ins or themes they use, people tend to have a ‘set it and forget it’ mentality; they set up the site, and then they forget about the CMS in favour of writing blog posts. Normally, this is a good thing – it means that the user experience is simple, etc. It also results in outdated versions of WordPress getting hacked. Look at it this way: There is a team of people actively fixing the security vulnerabilities that are found in WordPress. They fix these vulnerabilities and then they incorporate those fixes into new updates for WordPress. By not installing those new updates, you’re intentionally leaving your site open to those vulnerabilities being exploited.
- WordPress relies on plug-ins. Well, okay, so WordPress itself doesn’t rely on plug-ins; it’s just the sites built using WordPress that do. Most WordPress plug-ins aren’t written by paid and experience software developers, they’re written and distributed for free by people trying to help out. That’s great, however it means that the plug-ins often have security vulnerabilities, unbeknownst to either the plug-in’s author or the people using it.
So... Is WordPress secure or not? It depends largely on the WordPress site in question. Certainly there are ways to decrease the risk of being compromised, but as with all sites, there’s always a possibility: there is no perfect security system. For more information on specific WordPress vulnerabilities, I recommend that you check this out. In fact, while you’re at it, you may as well check this out as well.