WordPress (Lack of) Security
by Brian Rideout • October 16, 2015
It's a common occurrence for prospective client's to ask whether or not we use WordPress as our CMS (Content Management System) when building websites. I generally shake my head no and let them know we wouldn't touch it with a ten foot pole. I'm not sure if WordPress became popular because it was free, or if it was because it became well known back when many site owners couldn't edit their own sites without knowledge of HTML. Regardless of why, one of the major reasons we don't use WordPress is because it has a well founded reputation for not being secure. Just looking at the most recent version, as the screen shot from their own site shows, release 4.0 through 4.31 reveals 7 security releases in less than 10 months.
This flurry of security releases during late 2014 and through 2015 would mean the owner of a WordPress site would have needed to apply 7 security upgrades to their site in 10 months to remain secure. Back in version 3.7 WordPress added a function to automatically update, but with a past history of updates breaking sites, I really wonder how many have this feature turned on. I'm confident most of our client's would have been appalled if we'd have asked them to do so. Of course on our platform during that same time frame their were zero security updates needed, and if there had been any, we would have taken care of them, not forced the client to do so.
This got me thinking so I did a quick Google Search for WordPress Security Issues and the results from the first page alone were telling.
Wow, 30.9 Million results. Let me summarize the first page...
- Cross Site Scripting Vulnerability in 15 common WordPress plugins (and what site doesn't have several plugins installe?)
- Common Vulnerability Database lists 199 security vulnerabilities
- Millions of Sites At Risk
- 73% of All WordPress Sites Vulnerable
- Vulnerability leaves 23% of Internet Websites (% powered by WordPress) at risk to DoS (Denial of Service) attack
- 100,000+ WordPress Sites Compromised by the Slider (slide show) plugin
Wow! Really? I put a slide show on my homepage and now my site gets hacked? Not good.
Here's one of the big challenges for WordPress. To do most anything besides a basic blog, you need to use plugins. These plugins are built by 3rd parties, not vetted by WordPress, and with varying levels of security training. Many website owners don't think twice about adding yet another plugin to their site (a recent prospect had like 23 installed!), and they have no idea that each time they add one they are rolling the dice as to whether or not they've just opened their site up to hackers.
This is one of the biggest areas where BANG! Web Site Design works differently. We don't plug and pray with plugins to build a site. We custom build functions and features into a site by a development team with decades of combined experience and a careful eye to security of the site. The result is a site without conflicts between plugins and a nearly perfect security record over the last 20 years.
So the choice is yours... choose WordPress and gamble with security, or choose a professional Web design firm that bakes security in from day one of your site's development.