In 2013 a global brute-force attack struck WordPress installations on virtually every web host in existence.
These attacks were caused by botnets (computers infected with malware and programmed to attack other computers).
(Powering millions of websites around the world makes WordPress a target for hacking)
In March 2014, many technology sites reported that 160,000+ WordPress-powered websites had been hacked.
(160,000+ WordPress sites were attacked in a massive DDoS attack in March 2014. Image: BlogDefender.com)
According to the Cnet report,
“With some old-fashioned trickery, hackers were able to get more than 162,000 legitimate WordPress-powered Web sites to mount a distributed-denial-of-service attack against another Web site.”
(Source: cnet.com/news/ddos-attack-is-launched-from-162000-wordpress-sites)
As described by security firm Sucuri, hackers had leveraged a flaw to attack unsuspecting WordPress sites and direct a distributed-denial-of-service attack (DDoS) towards another popular website.
Whenever attacks on WordPress sites increase in frequency, it’s natural for website owners to start asking just how secure the WordPress platform is for building and running websites.
Powering millions of websites and blogs worldwide makes WordPress an obvious target for hacking attacks. But should you really be concerned about WordPress as a secure web platform?
In this article, you will learn some of the main reasons why you should definitely use WordPress if you are concerned about website security.
WordPress Security Explained
Let’s start by looking at some facts …
Thousands of websites are hacked every year … not just WordPress sites!
The sheer number of attacks on websites and blogs around the world is increasing on a daily basis, and it’s getting worse.
It’s safe to assume that if your website or blog hasn’t been hacked yet, then it’s inevitable that at some point in time someone will attempt to hack into your site … regardless of the web platform you use!
Since it’s no longer a matter of if, but a matter of when before a malicious user will attempt to hack your website, are there any advantages that WordPress can offer you in terms of security?
Are “Open Source” Software Applications Really Safe?
Many people will often try to argue that WordPress is not a secure platform for running websites because it is a freely available open source software program.
Open-source CMS programs like WordPress, Drupal and Joomla are free to use and anyone can have access to the entire underlying software code.
The argument against WordPress, then, goes something like this: If everyone can view the Open Source software code for WordPress, then hackers can also easily obtain the code and go through it in great detail, looking for security weaknesses in the code that could be exploited …
(It’s no longer a matter of if, but when before your website will be targeted by hackers … WordPress or no WordPress!)
While it’s true that WordPress is free to download and hackers can easily access it and study the code searching for security holes or weaknesses (hackers can do the same with any program), the fact that WordPress is a free, open software platform actually makes it more secure in many ways.
The reason for this is that WordPress is supported by a large community consisting of hundreds of software programmers, plugin developers and theme designers who are constantly working to help to improve the platform and make WordPress more secure …
(With WordPress, a large community of thousands of web developers around the world is responsible for keeping the code updated. Screenshot image: WordPress.org)
WordPress continually evolves largely through the effort of a huge volunteer community working around the clock to fix any issues detected by users. It benefits from thousands of web developers, designers and users committed to improving the application, fixing bugs and making it safer for every user …
(The WordPress core software is built by a large community of contributors. Screenshot image: WordPress.org)
As soon as any security vulnerabilities are identified by developers or users, these are immediately logged in user forums and addressed by the WordPress core developers …
(WordPress is continually being improved by a global community community of users and web developers. Image source: make.wordpress.org)
The WordPress community support system, therefore, is very responsive and anybody can help contribute to improving the platform.
For example:
- If you notice bugs or a security vulnerability, you can report these by emailing security@wordpress.org.
- If you find issues in a WordPress plugin, you can report these by sending an email to plugins@wordpress.org.
This is one of the reasons why the WordPress community is constantly releasing new security updates, and why you continually need to keep your sites and blogs updated …
(WordPress frequently releases new version updates to address any security vulnerabilities found)
WordPress Vs Proprietary CMS Applications
Contrast the benefits of using an open source CMS technology like WordPress with proprietary platforms where often the responsibility for improving software security, fixing bugs, etc. falls to a small team of developers with limited resources and you will quickly realize the security benefits of using WordPress to power your site on a secure platform.
WordPress is free to download, use and modify, and hundreds of volunteers and expert developers work on improving the technology. Can a proprietary technology company afford to employ as many developers and programmers and still deliver you a completely free software that you can download, use and modify as you wish?
WordPress Vs Other Open Source Platforms
(CMS Platforms - WordPress, Joomla and Drupal)
Whilst on the topic of Open Source content management applications, there is valid research showing that the WordPress CMS is actually safer than other Open Source CMS platforms such as Drupal and Joomla.
For example, the chart below shows the number of security vulnerabilities discovered in popular platforms during a certain period …
(WordPress has fewer security vulnerabilities than other leading CMS platforms. Source: National Vulnerability Database)
Other studies also show that, because WordPress is quite easy to use and keep up-to-date, when sites across different CMS platforms were tested for security issues, sites built with WordPress had significantly less exposure to risk …
(WordPress users are less exposed to security exploits than other CMS platform users. Screenshot source: BlogDefender.com)
The WordPress CMS Is Not To Blame
If someone breaks into your WordPress site, don’t be too quick to blame WordPress.
According to security vendor Commtouch and StopBadware, a nonprofit organization that helps webmasters identify, remediate and prevent website compromises in a published report entitled “Compromised Websites: An Owner’s Perspective“, a large number of website owners are not fully aware of the threats their websites are exposed to, how to secure a website, or deal with security compromises.
In fact, over 60% of webmasters surveyed for the report didn’t even know how their websites were hacked after an attack …
(Many webmasters don’t even know how their sites were hacked. Source: StopBadware.org)
Of immediate concern is the fact that many security issues seem to be related to users running sites with an outdated version of WordPress …
(Many WordPress sites use outdated versions. Image source: Sucuri.net)
When WordPress security issues were examined in more detail, it was found that only a small percentage of vulnerabilities discovered in third-party code are actually found in the WordPress CMS core, while most security issues are found in plug-ins and extensions …
(WordPress Security Issues. Image source: WebDesign.org)
Like many modern web platforms, WordPress is updated regularly to address new security risks that can arise. Improving software security is an ongoing concern, and to that end, you should always keep your WordPress software, plugins, and themes updated to the latest version.
WordPress Is Used By Many Security-Conscious Businesses!
The amount of misinformation online about WordPress security has even led the co-founder of WordPress, Matt Mullenweg, to chime into the online debate.
In an article entitled “A Bank Website on WordPress” published on April 15, 2015, Matt wrote the following about WordPress …
There’s a thread on Quora asking “I am powering a bank’s website using WordPress. What security measures should I take?” The answers have mostly been ignorant junk along the lines of “Oh NOES WP is INSECURE! let me take my money out of that bank”, so I wrote one myself, which I’ve copied below.
I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.
Matt then goes on to provide a couple of security tips, before stating the following …
For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ. WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.
As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.
Millions of businesses, including banks, leading brands and e-commerce sites use WordPress to build their web presence, not just bloggers.
Other Factors Affecting WordPress Site Security
Other studies on issues that play a role in WordPress security point to things such as:
- No platform is protected from hacking. As many as 90% of all websites across all platforms are vulnerable to attack, mostly due to using software that is out of date.
- The biggest vulnerability of all content management platforms seems to be the users themselves. For example, many users ignore good password security recommendations.
- Lack of constant system monitoring. All security processes need regular monitoring, testing, updating and improvement.
- Webhosting setup. For example, sites on shared webhosting are only as safe as the least safe site on the hosting grid, so if someone else has a weak FTP password on your shared server, then all sites on the server are potentially vulnerable to hacking as well.
There’s No Reason Not To Use WordPress
As you can see, WordPress is quite secure. As long as you remember to implement basic website security measures (which all website owners should do) and keep your WordPress software (and plugins, themes, etc.) up-to-date, there’s no reason not to use WordPress to run your web site or blog.
WordPress Security – Practical Tips
To learn about ways to protect your WordPress site from brute force attacks see this article: Ten Things You Can Do To Help Prevent Brute Force Attacks On Your WordPress Site
A compromised web site presents malicious users with a resource for distributed attacks, spreading malware and engage in information theft. Blog Defender Security Plugin for WordPress makes your WordPress site invisible to hackers and bots. Go here to learn more:
If you are using outdated WordPress versions remember to back up everything before updating your software to protect your site from the latest security threats. This way, if something goes wrong, you can always restore.
If you don’t want to back up your site manually, there are a number of plugins you can use. Learn about a WordPress backup plugin that can automate your site backups here: Backup, Duplicate And Keep Your WordPress Sites Protected With Backup Creator WP Plugin
Article References
For more information on the above, refer to the sites below:
- ITProPortal.com
- National Vulnerability Database
- BlogDefender.com
- UpAndUpStudios.com
- StopBadware.org
- Sucuri.net
- WebDesign.org
- Quora.com
- Ma.tt
Hopefully, the above information has given you a better understanding of problems that can affect your web site and how WordPress can help you get better business results online. To learn more about the security benefits of using WordPress for a business website please click on links to visit our related posts section or subscribe to receive updates and notifications whenever new content is published.
***
"If you're new to WordPress, this can stand on its own as a training course and will stay with you as you progress from beginner to advanced and even guru status." - Bruce (Columbus, Ohio)