WordPress powers more than 23 percent of all websites and over 60 percent of all sites running a content management system. It is easily the most popular platform for building and running websites because it’s user-friendly, exceptionally robust, and has a huge user/support environment that’s constantly making feature enhancements.
But with anything this popular there comes a lot of unwanted attention – hackers who attempt to bring down WordPress sites by discovering and exploiting vulnerabilities. The WordPress user base is so huge it’s an attractive target because the impact of any disruption will be widely felt and therefore generate a lot of buzz.
Popularity, though, should not equal vulnerability, and in the case of WordPress, it’s actually not that vulnerable.
So, what gives?
Why do we hear about these security issues if WordPress is not vulnerable?
David Gewirtz on ZDNet helps explain what’s going on in his article, WordPress: is it safe to use for my websites?
WordPress generally consists of three main elements: the core code that makes up the WordPress install, themes (which determine how sites look and behave), and plugins (which extend WordPress in interesting ways).
While the core is maintained by a large group of volunteers who take incredible care with the system’s code, themes and plugins are built by a great many developers. Think of themes and plugins as apps you’d find on the Android or Apple app stores. They’re made by many people, some extremely skilled and some not so much.
Like with app stores, WordPress repositories take some measurable care in what is listed for users to use. Themes on WordPress.org go through a testing process and plugins go through an initial vetting before they’re first allowed to be posted.
But themes and plugins are also available from many other sources, including — and this is a real threat — unscrupulous hackers who get their hands on commercial themes, embed malware in them, and then give them away online to people willing to be suckered into “too good to be true” in return for a deal.
Because of the enormous size of the WordPress installed base and the complexity of the ecosystem, vulnerabilities do creep in. It would be unnatural to expect otherwise.
The key to the question of safety is how you manage your site, given that knowledge.
David goes on to state:
WordPress can be a very safe environment, but it needs to be managed.
We completely agree and that’s why we offer managed WordPress hosting that keeps an eye on versions of plugins and themes, and updates them when necessary. Our hosting also vigilantly monitors sites for malware and other security issues in addition to providing backups, analytics and a host of other website support features that keep a site optimized.
But what if you’re a do-it-yourselfer and would rather maintain your own site? Well, fear not, there are a number of things you can do and Yoast provides a clear outline of the steps you can take in his article on WordPress Security.
- Don’t use admin as a username
- Use a less common password
- Add Two-Factor Authentication
- Employ Least Privileged principles
- Hide wp-config.php and .htaccess
- Use WordPress security keys for authentication
- Disable file editing
- Limit login attempts
- Be selective with XML-RPC
- How to Select a Secure WordPress Host
- Stay up-to-date
- How to Select (Free) plugins & themes
- Using a Service Like Sucuri
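Two of those steps, limiting login attempts and being selective with XML-RPC, can be applied without a third-party plugin. The following must-use plugin is an added example written for this post, not Yoast's or WordPress's own code; the file location wp-content/mu-plugins/login-hardening.php, the thresholds, and the function names are assumptions.

```php
<?php
/**
 * Plugin Name: Login hardening (example)
 * Place in wp-content/mu-plugins/ (assumed path) so it loads before regular plugins.
 * The "Disable file editing" step lives in wp-config.php instead: define( 'DISALLOW_FILE_EDIT', true );
 */

// Thresholds are assumptions; tune them for your site.
const LH_MAX_ATTEMPTS    = 5;    // failed logins allowed within the window
const LH_LOCKOUT_SECONDS = 900;  // 15-minute lockout window

// Key the counter on client IP + username so one noisy IP cannot lock out every account.
// Behind a reverse proxy REMOTE_ADDR is the proxy; resolve the real client IP there first.
function lh_transient_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lh_fail_' . md5( $ip . '|' . strtolower( $username ) );
}

// Count each failed login; the transient expires on its own after the window.
// Attempts made during a lockout also fail, which keeps extending the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lh_transient_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LH_LOCKOUT_SECONDS );
} );

// Refuse further attempts once the threshold is reached. Priority 30 runs after the
// core password check (20), so a locked-out user is refused even with the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $count = (int) get_transient( lh_transient_key( $username ) );
    if ( $count >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Clear the counter after a successful login so legitimate users are not penalised later.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lh_transient_key( $user_login ) );
} );

// "Be selective with XML-RPC": the endpoint is a second login path that bypasses the
// login form. Turn it off unless something you use (e.g. the mobile apps) needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Failed logins through XML-RPC also fire wp_login_failed, so the counter covers that path too if you choose to leave the endpoint enabled.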
As a bonus, Yoast includes a video that’s worth watching on How Websites GET Hacked from Sucuri, a company that provides a security stack for any website, not just WordPress.
So when you see popular headlines from Sucuri, like what happened earlier this year, that state “Nearly four in five hacked websites were running WordPress,” you can rest assured knowing WordPress is not an open smorgasbord for hackers to freely tear apart.
In fact, those issues can be attributed to 3 plugins which Softpedia explains in their article addressing Sucuri’s report, A Quarter of All Hacked WordPress Sites Can Be Attributed to Three Plugins.
Sucuri says that, from all the compromised WordPress sites they analyzed, they found the intrusion point inside a vulnerable plugin. A quarter of these attacks can be attributed to three plugins: RevSlider, GravityForms, and TimThumb.
The problem was these plugins were not being updated properly when a vulnerability was uncovered, and the consequences can be quite serious.
RevSlider is also the plugin suspected to be at the core of the Panama Papers data breach.
These plugins are secure in their patched versions; the vulnerability patches have actually been available for quite some time.
What makes this statistic more mind-blowing is the fact that, for all three plugins, developers released security fixes more than a year ago. For TimThumb, the security fix was released four years ago, yet there are still WordPress sites using the plugin’s vulnerable version.
What the article really emphasizes is that WordPress is actually the most secure content management system out there. The numerous plugins, themes and updates that need to be monitored, and are not, are what creates these issues and headlines.
These statistics speak to the challenges website owners face, regardless of size, business, or industry: website owners are unable to keep up with the emerging threats.
So even though there seem to be a lot of reports about vulnerabilities in WordPress installations, we still think (actually we know) it is a safe environment to use for hosting your site IF it’s properly managed and maintained.
Don’t want to risk managing your WordPress site on your own? Check out our fully managed WordPress hosting service. It covers security, performance, ongoing development, support, and marketing. Learn about our WordPress Website Care Package and find out how easily your website can be kept secure and always available.