Is WordPress Secure?

One of the most common questions about WordPress is, “is it secure?” Many get the impression that it’s not, mostly from reading scare-tactic headlines. Let’s look at the facts, and answer the question, “is WordPress secure?”
WordPress attracts more hacking attempts than other platforms because of its popularity. It powers about 23% of all websites, and about 60% of websites with CMSs (content management systems). Because of its market share, it’s a target, similar to Windows.
Because of its market share, news sites love to make a big deal when vulnerabilities are discovered. Thus, people tend to hear more about WordPress vulnerabilities than vulnerabilities in other platforms.
WordPress core is the set of files that makes up the WordPress software. This is the base of WordPress, to which you add plugins and themes. WordPress core has a good security record over the past few years. When vulnerabilities are found, they’re patched quickly. According to Secunia, WordPress 4.x (the current major version starting September 4, 2014) has no unpatched advisories.
It’s one of WordPress’ strengths that anyone can write plugins and themes, but unfortunately not all developers are security-conscious or maintain their code over time. That means that many security issues are the result of vulnerabilities in third-party plugins and themes. In November 2014 to determine that WordPress plugins accounted for 54% of the global WordPress vulnerabilities count (2,407). WordPress themes accounted for 14.3%.
Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities.
Though WordPress core software provides many provisions for operating a secure web application … the configuration of the operating system and the underlying web server hosting the software is equally important to keep the WordPress applications secure.
There’s a WordPress Security Team that monitors and responds to security threats to WordPress core, as well as plugins and themes hosted on WordPress.org.
The WordPress Security Team is made up of approximately 25 experts including lead developers and security researchers … The team consults with well-known and trusted security researchers and hosting companies.
As is generally true with software, many security vulnerabilities are due to humans, not the software itself. This applies to WordPress too. In their post Is WordPress Secure?, WP White Security says,
In research conducted in September 2013, WP White Security found that of 40,000+ WordPress sites in the Alexa Top 1 Million, more than 70% were potentially vulnerable to hacker attacks because they were running outdated versions of WordPress core. They simply hadn’t bothered to update. And that’s just looking at core; who knows how many vulnerabilities may have been in the outdated plugins and themes on those sites!
As of WordPress 3.7, WordPress supports automatic background updates of core. However, not everyone has this enabled, and by default, it’s only for core; plugins and themes still need to be manually updated.
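One way to extend background updates beyond the core-only default is a must-use plugin built on WordPress's automatic-updater filters. This is an added example, not code from the original post; the file name and the plugin slugs in the allowlist are hypothetical.

```php
<?php
/**
 * Added example: wp-content/mu-plugins/example-auto-updates.php (hypothetical file name).
 * Opts in to background updates for core, themes, and a reviewed set of plugins.
 */

// If wp-config.php disables the updater entirely, none of the filters below
// take effect. Log that fact so the gap is visible instead of silent.
if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
    error_log( 'example-auto-updates: AUTOMATIC_UPDATER_DISABLED is set; background updates are off.' );
}

// Core: apply minor (maintenance and security) releases and major releases.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: auto-update only the slugs that have been reviewed for this site.
// The slugs below are placeholders, not real plugin names.
function example_auto_update_plugin_allowlist() {
    return array( 'example-forms', 'example-cache' );
}

add_filter(
    'auto_update_plugin',
    function ( $update, $item ) {
        // $item describes the pending update; slug is absent for some entries.
        if ( isset( $item->slug )
            && in_array( $item->slug, example_auto_update_plugin_allowlist(), true ) ) {
            return true;
        }
        // Leave every other plugin at whatever WordPress decided.
        return $update;
    },
    10,
    2
);

// Themes: update all installed themes in the background.
add_filter( 'auto_update_theme', '__return_true' );
```

Plugins left off the allowlist still need manual updates, so the allowlist should be reviewed whenever a plugin is installed or removed.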
Security need not be a reason for deciding against WordPress. We’ve seen that WordPress core is considered secure, but that there may be vulnerabilities in third-party plugins and themes, and in hosting. So, you want to make sure that your site is both developed and maintained by a company that understands WordPress.
WordPress security is one reason we offer our WordPress Maintenance Service, the easiest way to keep your site updated, backed up, and secure. Contact us to have your WordPress site maintained!