I just got off the phone with a past client who has moved on to a new company and wanted to bring her Champions Of The Web along with her. This new company has a Joomla website and are looking for a site facelift. But, when they found out that our company specializes in WordPress they changed gears because, in their words: “Wordpress is not secure.”
While it would seem like I have a bit of a vested interest in proving the security of WordPress, it is really the inverse of that. I’ve chosen WordPress as a CMS and centralized my web development efforts on it partially because of the security that WordPress can provide.
One of the common misconceptions about WordPress security is often simply a matter of numbers. WordPress powers somewhere around 20% of the Internet. This makes it far and away the most popular CMS in existence.
By sheer popularity people hear about the benefits and flaws of WordPress more than other CMS platforms on the market. By contrast, it is estimated that Joomla powers less than a seventh of the websites that WordPress does. So for every seven websites that use WordPress, there is only one website running Joomla. That makes it a distant second as a CMS tool.
Security by Obscurity?
This does raise the concern of whether WordPress is more of a target simply because it is popular. The question is valid, and it is true that WordPress suffers more hacking attempts because of its popularity.
By contrast, however, WordPress supports an active community nearly three times the size of the Joomla community. There are companies which are dedicated to WordPress security, while there is precious little in competing products other than their word that they are more secure.
Any time you open source a product or include hooks for third party development, security flaws will crop up. It is part of the game. Better security is being able to quickly identify and secure issues which crop up in a product. In the open source world (where most CMS systems live) the larger the community, the better chance you have of someone finding and patching a security flaw before it is exploited for malicious purposes.
Update Cycle And The Genius of WordPress
One of the primary things that sets WordPress apart from its competition is the update cycle that WordPress sticks to religiously. Unlike some CMS products on the market (we’re looking at you, Joomla), WordPress only maintains one branch of its software. Updates include backwards compatibility with plugins and themes to ensure that ALL websites get new features and security updates without compromising function or internal code design.
Since updates are rolled out on a regular basis, the core remains secure and new flaws are patched quickly and efficiently.
Also, since WordPress has built in update tools for third party content, plugins and themes which are properly coded can also deploy security updates on a regular basis. It is not uncommon to update 10-15 plugins a month on larger websites. This may seem like a lot of updates, but compared to other platforms which are not able to deploy security updates as easily, the flaws just sit (sometimes for years at a time).
The Plugin / Theme Debacle
This brings us to the most common security concern leveled at WordPress, and it is a valid concern. Most security issues with WordPress come through third party development. Themes and plugins created by people who are not adhering to WordPress API standards (or clean programming standards) can leave WordPress websites wide open to external attacks. Occasionally, a major flaw in a commonly used third party plugin will be exploited and a ton of WordPress sites will be taken down. This is usually because of two things.
- People fail to update their websites and plugins to the latest version.
- People install plugins or themes from non-reputable sources.
Determining if a source is reputable is somewhat up for debate, but there are a few key red flags which a technical WordPress administrator can use to figure out the security level of a given plugin or theme.
- Does the third party tool try to make use of insecure or uncommon web server components (the biggest offenders being exec() or register_globals)?
- Does the plugin trigger PHP errors?
- Is the plugin not available in the WordPress Plugin repository?
- Does the plugin conflict with other themes or plugins? (Conflicts are often (but not always) indicative of poor code).
More advanced users can dive into the code of a plugin and see if it is using WordPress APIs to call database functions or if it is trying to bypass the Core (as well as the inbuilt security) to interact with the database. Obviously, a plugin or theme that tries to bypass WordPress is probably going to cause problems. There is precious little that you cannot do while working within the WordPress API. This allows developers to make some incredible software while still leveraging the built in security that WordPress provides.
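As an added illustration of the red flags above (this is not code from the original post), the constructed Python scanner below greps plugin source for shell-out calls, register_globals dependence, and database access that bypasses $wpdb or interpolates variables into SQL without $wpdb->prepare(). The two plugin snippets are constructed samples, and the checks are heuristics meant to triage what to read first, not a substitute for reading the code.

```python
import re

# Constructed sample of the kind of plugin code the checklist flags
# (not a real plugin): shells out, leans on register_globals and
# talks to MySQL directly instead of going through $wpdb.
SUSPECT_PLUGIN = """<?php
$out = shell_exec("ls " . $_GET['dir']);
$conn = mysql_connect('localhost', 'wp', 'pw');
mysql_query("SELECT * FROM wp_users WHERE id=" . $id);
ini_set('register_globals', 1);
"""

# Constructed sample that stays inside the WordPress API.
CLEAN_PLUGIN = """<?php
global $wpdb;
$id = absint($_GET['id']);
$row = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->users} WHERE ID = %d", $id));
"""

# (pattern, reason) pairs mirroring the red flags from the checklist.
RED_FLAGS = [
    (re.compile(r'\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\('),
     'shells out to the web server'),
    (re.compile(r'\beval\s*\('), 'evaluates code at run time'),
    (re.compile(r'register_globals'), 'depends on register_globals'),
    (re.compile(r'\b(mysql_|mysqli_|PDO::|new\s+PDO\b)'),
     'bypasses $wpdb for database access'),
    (re.compile(r'\$wpdb->(query|get_(row|var|results|col))\(\s*"[^"]*\$'),
     'interpolates variables into SQL instead of using $wpdb->prepare()'),
]

def scan_plugin_source(source: str):
    """Return (line_number, reason, line_text) for every red flag found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(('//', '#', '*')):  # skip comment lines
            continue
        for pattern, reason in RED_FLAGS:
            if pattern.search(line):
                findings.append((lineno, reason, stripped))
    return findings

def is_trusted(source: str) -> bool:
    """True when the heuristic scan finds nothing to flag."""
    return not scan_plugin_source(source)

if __name__ == '__main__':
    for lineno, reason, text in scan_plugin_source(SUSPECT_PLUGIN):
        print(f'line {lineno}: {reason}: {text}')
```

Run it over each file in wp-content/plugins/<plugin>/ and read the flagged lines first; a clean scan is not proof of safety, only the absence of the most obvious offenders.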
So How Does WordPress Get Hacked?
In spite of all our talking about themes, plugins, versions, and updates, all of this accounts for only half of successful hacking attempts in WordPress. 41% of successful hacking attempts are caused by a flaw in the hosting platform running WordPress.
A significant feature in WordPress which sometimes is not present in competing systems is its ability to run on almost anything that can run PHP. WordPress is incredibly portable and runs on almost any version and configuration of PHP, Apache, LiteSpeed, Nginx, or IIS released in the last five years. This versatility can be a bit of a double-edged sword because web hosts do not keep up with security patches on their systems.
Often, what happens is that hackers will compromise the web host and then proceed to compromise every website on the host. Since WordPress is so common and so easy to install, everyone thinks their WordPress site was hacked, when in fact, the websites were compromised because of the server they reside on.
This means that nearly half of successful hacking attempts in WordPress have nothing to do with WordPress whatsoever. Of the other half, most of those issues relate to poorly maintained WordPress installs (not updated). And only a small percentage is related to brute force attacks.
So What’s the Bottom Line?
As I have dug into WordPress over the last 8 years, I’ve learned that the biggest unspoken “gotcha” of the software is often related to poor maintenance. Not taking the time to properly update the WordPress software, or not taking responsibility for the hosting environment can lead to catastrophic results.
But this doesn’t mean that WordPress is an insecure system. At least, not any less secure than any other piece of software released since the 18th century. In some respects, WordPress has simply become a victim of its own popularity. Hackers target WordPress because it is popular, and news about WordPress hacks spread faster because people know and understand WordPress better than its distant competition.
But on the same note, security is a prime concern with WordPress developers and there are a lot of brilliant people working on finding and fixing security flaws in the core and third party applications on a regular basis. Because of the gigantic community and huge install-base, it is easy to place bets on WordPress security as long as you are consistent with maintaining the software.
Obviously, I would be remiss without taking a moment to mention Champions Of The Web’s WordPress Evolved maintenance service. We’ve taken everything in-house from hosting, to development, to management, so we can keep all of our clients secured and speedy. You can take advantage of the ease of WordPress to build out your site while we provide the technical assistance to make sure that your site doesn’t become another statistic. 🙂
Of course, you can try to rely on lesser-known, (poorly) supported software to try and stay safe, but with a 50% chance of security failure from your hosting environment, even obscure or “safe” software packages will be compromised simply by association with poorly managed web hosts. Sign on with us and know that there is a team of people dedicated to the technical gotchas of doing business in the digital marketplace.