WordPress is Secure

The following is a slightly altered response that I gave to a potential client about the perceived security differences between WordPress and other CMSes such as Drupal and Joomla. I’ve added a few links and a bit of my personal snark here to ward off a few comments.

Not just a show of security like this.
CC image courtesy of Alexandre Dulaunoy on Flickr
WordPress is a stable and secure CMS, blogging tool and application framework. There are a few reasons why people might say that it is insecure, mainly due to attacks that have occurred on WordPress sites in the past, as well as noteworthy attempts to attack multiple WordPress sites at once. One of the main reasons for this is the popularity of the platform, which powers about a quarter of all sites being built now. Just as there are far more viruses and attacks on Windows computers than there are viruses made to attack Mac computers (yes, Mac viruses do exist, people), more people will focus their attacks on the more popular system. It’s not that it is easier or harder one way or the other, simply that most hackers work randomly, with no focus on the actual owners of the sites or machines; they are looking to exploit as many as they can.

WordPress is secure because of its popularity. It is an open source framework that is constantly being updated and checked by tens of thousands of developers, all of whom can have a hand in updating the software. This means that chances are, if a security flaw is found in WordPress core or a popular plugin, it will be announced and patched quickly. Compared to closed source systems with a small development pool, this is much more stable and able to withstand attacks.

The main reason that WordPress might seem insecure to some is the fact that any code can be run on a WordPress site. Specifically, I’m referring to themes and plugins, which can be developed by anyone, with a variety of skill levels and levels of security in mind. This is why it is very important to keep all of your themes, plugins and especially the WordPress core install up to date. Whenever you see a new update, you should apply it.

For a bit more information, WPEngine (my wonderful web host) has been doing a series recently concerning a large (and ultimately unsuccessful) attack against a variety of WordPress sites:

http://wpengine.com/2013/04/were-doing-a-series-on-wordpress-security/
http://wpengine.com/2013/04/security-series-users-can-stay-secure-with-strong-passwords/
http://wpengine.com/2013/04/how-tony-perez-of-sucuri-sets-up-his-own-security/
http://wpengine.com/2013/05/wordpress-core-is-secure-stop-telling-people-otherwise/


REPUBLISHING TERMS

You may republish this article online or in print under our Creative Commons license. You may not edit or shorten the text, you must attribute the article to david wolfpaw and you must include the author’s name in your republication.

If you have any questions, please email david@david.garden

License

Creative Commons Attribution