WordPress (Lack of) Security

by BANG! Website Design • January 08, 2022
Update: January 8th, 2022

It's been a while since we shared our views of WordPress. I've updated this blog post with some recent information.

WordPress Security Issues a Danger to Web Designers and Business Owners
WordPress Core Vulnerabilities introduced by the core development team. Four vulnerabilities were recently introduced to the core code of WordPress. Those vulnerabilities ranged in severity from a low of 6.6 on a scale of 10 to 8.0 on NIST, the United States Government National Vulnerability Database. A search of the NIST database for WordPress reveals 4,098 vulnerabilities recorded.

Those vulnerabilities included...
 
  • SQL Injection because a lack of data sanitization
  • Authenticated Object Injection
  • Stored Cross-Site Scripting (XSS)
  • And another SQL Injection in a query
These security issues affect millions of websites and 3 out of the 4 issues were detected by 3rd parties, not the WordPress development team. Again, BANG! does not use WordPress for our website CMS (Content Management System) for this reason among others. Read on for some issues way back in 2015.


It's a common occurrence for prospective client's to ask whether or not we use WordPress as our CMS (Content Management System) when building websites. I generally shake my head no and let them know we wouldn't touch it with a ten foot pole. I'm not sure if WordPress became popular because it was free, or if it was because it became well known back when many site owners couldn't edit their own sites without knowledge of HTML. Regardless of why, one of the major reasons we don't use WordPress is because it has a well-founded reputation for not being secure. Just looking at the most recent version, as the screenshot from their own site shows, release 4.0 through 4.31 reveals 7 security releases in less than 10 months.

WordPress Security Releases 2015

This flurry of security releases during late 2014 and through 2015 would mean the owner of a WordPress site would have needed to apply 7 security upgrades to their site in 10 months to remain secure. Back in version 3.7 WordPress added a function to automatically update, but with a past history of updates breaking sites, I really wonder how many have this feature turned on. I'm confident most of our client's would have been appalled if we'd asked them to do so. Of course on our platform during that same time frame, there were zero security updates needed, and if there had been any, we would have taken care of them, not forced the client to do so.

This got me thinking so I did a quick Google Search for WordPress Security Issues and the results from the first page alone were telling.

Google Search for WordPress Security Issues is Telling!

Wow, 30.9 Million results. Let me summarize the first page...
 
  • Cross-Site Scripting Vulnerability in 15 common WordPress plugins (and what site doesn't have several plugins installed?)
  • Common Vulnerability Database lists 199 security vulnerabilities
  • Millions of Sites At Risk
  • 73% of All WordPress Sites Vulnerable
  • Vulnerability leaves 23% of Internet Websites (% powered by WordPress) at risk of DoS (Denial of Service) attack
  • 100,000+ WordPress Sites Compromised by the Slider (slide show) plugin

Wow! Really? I put a slide show on my homepage and now my site gets hacked? Not good.

Here's one of the big challenges for WordPress. To do most anything besides a basic blog, you need to use plugins. These plugins are built by 3rd parties, not vetted by WordPress, and with varying levels of security training. Many website owners don't think twice about adding yet another plugin to their site (a recent prospect had like 23 installed!), and they have no idea that each time they add one they are rolling the dice as to whether or not they've just opened their site up to hackers.

This is one of the biggest areas where BANG! Web Site Design works differently. We don't plug and pray with plugins to build a site. We custom-build functions and features into a site by a development team with decades of combined experience and a careful eye to the security of the site. The result is a site without conflicts between plugins and a nearly perfect security record over the last 20 years.

So the choice is yours... choose WordPress and gamble with security, or choose a professional Web design firm that bakes security in from day one of your site's development.

 

Recent Blog Posts