Some of you might even be of the mind that WordPress is a poor choice for the security-conscious.
You’d be incorrect for a few reasons. First, as the most popular content management system on the web, it’s only natural that WordPress would be the platform most frequently targeted by hackers. It also stands to reason that, since it has a larger community than most other CMSs, the likelihood that someone, somewhere discovers a vulnerability or exploit is that much higher. Finally, there’s WordPress’s development community, a rich, diverse selection of programmers who together have coded literally thousands of plugins for the platform.
Those plugins are WordPress’s greatest strength, but they’re also its most glaring weakness. See, WordPress core is actually quite secure on its own – or at the very least, no less secure than any other CMS. Where security vulnerabilities really start to surface is in the plugins; many of WordPress’s addons are coded by hobbyists with little to no oversight, making it far likelier that they’ll contain exploitable errors in the code.
“WordPress does a pretty decent job of being secure out of the box. That is, when it’s used in a properly configured and up-to-date default installation without third-party code…WordPress itself is not insecure, but the plugins that you choose to use with it may be,” writes Davey Winder of IT Pro.
I want you to stop and think for a moment about all the recently-announced WordPress vulnerabilities. Then I want you to tally up which of them impacted the platform as a whole, and which were tied exclusively to specific plugins. What you’ll find, I think, is that while WordPress itself does contain security flaws (which are frequently patched out), the majority of the most publicized vulnerabilities aren’t directly connected to the platform.
There’s also the matter of user error. Remember this September, when it was revealed that brute force attacks against WordPress had reached an all-time high? Those few that succeeded only did so because the victims had weak passwords with no protection against the brute-force vector. Since 2013, it’s been relatively common knowledge that a startling number of blogs still use low-quality, easily-guessable passwords; and that too many still use ‘admin’ as their username.
The platform can hardly be blamed for such failings.
At the end of the day, it’s not WordPress that’s inherently insecure. It’s the people using it. If you want to keep your installation protected, there are a few simple steps you can take:
- Install a brute force protection plugin
- Run regular malware checks and backup your website on a frequent basis
- Use a strong password, and change the username of your admin account
- Pay attention to security advisories, and practice due diligence when downloading and installing new plugins
- Keep your WordPress up to date – don’t lag behind on installing security patches
Steadfast, “Why WordPress Security Is Only As Good As You Make It”, June 26, 2016