For as long as WordPress has been around, there have been musings the platform was a security nightmare and constantly vulnerable to attack. I have seen many articles addressing both sides of WordPress security, and after working across multiple server setups with various content management systems, I have come to believe that the short answer is that WordPress is as secure as any other CMS out there is. Addressing what fuels the rumors of its being an insecure platform is the long answer.
WordPress is currently the number one most used CMS in the world and, as of this writing, is powering just shy of 25 percent of websites. Let that sink in for a minute. One quarter of the Internet’s websites are powered by one CMS. That’s more than every other content management system, combined.
As you might figure, and as companies like Microsoft can attest to, being the big player in the room means you are the target. For a hacker, knowing that WordPress powers 25 percent of sites equates to wanting to determine how to expose any vulnerabilities it has to be able to target the largest number of websites possible. This can be bad and good, but it doesn’t mean that WordPress is not a secure CMS.
These days, security really lies within two aspects of a website: the community supporting the application running the site and the person(s) maintaining it.
The WordPress community is one of the best out there.
WordPress is an open source web software that is supported by hundreds of developers with a history of extremely fast responses to any vulnerability that has been discovered. The community is on top of problems quickly and will have a security patch released within 24 hours if not much, much sooner. Being the big player in the industry and constantly being tested also means by definition that any security breach or issue is quickly found and resolved by the community. It’s kind of like free security testing for the masses.
The person maintaining the site is always the unknown, and more often than not, the reason for an intrusion if one does ever occur. One good way to look at maintaining or being the admin of a website is that doing so is like taking care of your house. Extra precautions are taken to ensure the safety of you and your loved ones. Your site is no different.
Taking the trouble to have a state-of-the-art security system installed with all the bells and whistles is great. Having that same system constantly monitoring your home and sending you notifications is also a good thing. However, now bring in the human element. How good is that security system if you forget to activate it one day or, worse, leave your front door unlocked? All the security in the world won’t make a difference if everyone working with the site does not do his or her due diligence in helping maintain the website’s security.
There are a few crucial points that everyone who touches the admin area of the site should be aware of. First and foremost, don’t use admin as a username. Anything default is an easy target when it comes to username and password. As for the password, the WordPress codex has some good general guidelines. The most important thing is to avoid using a name of any kind—or even a single word. The more complex you make the password, the stronger it will be.
As for updates, it is a good to always keep your WordPress install and plugins up to date.
All that hard work the community does to ensure that a security patch is created and distributed quickly is negated if you don’t update with the patch they made.
Another critical point is plugins. These are bits of code that can add functionality but can occasionally cause issues. It is best to install only the plugins that are needed and from sources that are trusted. Back to the house reference: it would be like buying your security system from the back of a car on the corner—just not a good idea if you don’t trust or know the source.
When looking at the server or hosting side, the person(s) maintaining it also has options and actions he or she can take to help ensure the security of the WordPress install. Some of those would include moving the wp-config.php file up a folder so it isn’t publically accessible. The host can also disable file editing and put the install in a version control system such as a git or svn repo.
All these things can help ensure WordPress remains secure. A little housecleaning and making sure to always lock your front door and arm your security system goes a long way toward creating a safe environment in which to house your website.