How Secure Is WordPress?

Aravind Ajith

Sat Jun 10 2017

WordPress is without question the most popular content management system (CMS) on the market today. 63.1% of all CMS-based websites run on WordPress (source), with the next competitor, Joomla, hosting only 2.8% (source). Of the top ten million websites online today (built on any platform), 27.9% are built on WordPress (source). With constant applause for its dynamic structure, its thousands of themes and plugins, and an open-source platform for coders and developers, it is the preferred choice for web developers and users across the globe.

So WordPress has no flaws?

WordPress has always been accused of one drawback: weak security. More WordPress websites have been hacked than websites on any other platform. But this is quite understandable. Why is it understandable that the most popular CMS also has the highest number of hacks? Let me explain with an example.

In India during the 90s, it was estimated that 80% of all road accidents in the country involved cars made by the popular manufacturer Maruti. You’d think Maruti had some serious flaw in its design, right? No, that was not the case. 90% of all cars on Indian roads were made by Maruti, so it is no surprise that a Maruti was likely to be involved in any given accident.

The same holds for WordPress security. In absolute numbers, more WordPress websites are hacked than sites on other platforms, but that is largely because the majority of websites are built on WordPress. A raw count says nothing about the rate; a fair comparison would count compromises per installed site, which is the figure the Maruti analogy is really about.

This is no excuse, of course, and WordPress has a security team in place to tackle threats as they arise.

How is WordPress Tackling Security Concerns?

WordPress, like every major software project today, has a dedicated security team responsible for the security of the CMS. The team comprises about 50 experts, including lead developers and security researchers. About half of its members are employees of Automattic (the company behind WordPress.com, a leading free blogging host, and a major contributor to the open-source WordPress platform), and a number of them work in web security professionally. Andrew Nacin, a WordPress lead developer, has said the security team consults with leading security researchers and hosting companies (source).

The security team is aware that third-party plugins, a major feature of WordPress, are a frequent source of vulnerabilities. For that reason it works with plugin authors, and with the security teams of other projects, on fixes that close the loophole rather than patching around it. For example, a vulnerability in the PHP XML parser used by the XML-RPC API that ships with WordPress was resolved through a joint effort by the WordPress and Drupal security teams.

WordPress has improved its security practices continuously since its inception. Core is designed with the top-ten list published by the Open Web Application Security Project (OWASP), a non-profit community that documents web application security risks and defences, as a reference, and addresses each of its categories. Three examples from that list:

  • Injection: core provides a set of functions that site and plugin developers can (and must) use to validate and sanitize incoming data, build SQL with placeholders, and escape output, so that only expected data gets through and nothing untrusted reaches the database or the browser unescaped.
  • Insecure direct object references: WordPress does expose direct object references, such as the numeric IDs of users and posts in URLs and form fields, but every request that touches them is gated by the capability and access-control system, so knowing an identifier does not grant access to the object.
  • Broken authentication: user account passwords are never stored in the clear; they are ‘salted’ and hashed, meaning a random value is combined with the password before hashing, so two users with the same password get different stored values and precomputed hash tables are useless.
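As an added example, not code from the article or from WordPress core, the following plugin-style handler shows the APIs the three points above refer to: a capability check for the direct-object-reference case, a nonce against request forgery, input validation, $wpdb->prepare() for SQL and esc_html() for output, plus the salted hashing behind wp_hash_password(). It assumes it is loaded inside a WordPress install; the notes table, the note_lookup action and the edit_posts requirement are choices made for the example. The vulnerable variant is shown for contrast only and is never hooked.

```php
<?php
/**
 * Plugin Name: Hardened Note Lookup (added example)
 *
 * Added example, not code from the article or from WordPress core. Assumes it
 * runs as a plugin inside WordPress; the "notes" table and the "note_lookup"
 * action are hypothetical.
 */

// VULNERABLE (for contrast only, never hooked): trusts the request and
// interpolates it straight into SQL and HTML. Any visitor can read any row,
// inject SQL through "id", and inject script through a stored title.
function note_lookup_vulnerable() {
    global $wpdb;
    $id  = $_GET['id'];
    $row = $wpdb->get_row( "SELECT title FROM {$wpdb->prefix}notes WHERE id = $id" );
    echo '<h2>' . $row->title . '</h2>';
}

// HARDENED version of the same handler.
function note_lookup_hardened() {
    global $wpdb;

    // 1. Authorisation: the numeric id in the URL is a direct object reference,
    //    so the capability system, not the id, must decide who may read it.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Not allowed.' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce bound to this action and user.
    check_admin_referer( 'note_lookup' );

    // 3. Input validation: coerce to a positive integer, reject anything else.
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( esc_html__( 'Bad id.' ), 400 );
    }

    // 4. Injection: parameterised query; %d guarantees an integer reaches SQL.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT title FROM {$wpdb->prefix}notes WHERE id = %d", $id )
    );

    // 5. Output escaping at the point of output, not at storage time.
    if ( $row ) {
        echo '<h2>' . esc_html( $row->title ) . '</h2>';
    }
}
add_action( 'admin_post_note_lookup', 'note_lookup_hardened' );

// The nonce-bearing URL a template emits for the hardened handler; a link
// without the nonce (or with another user's nonce) is rejected by step 2.
function note_lookup_url( $id ) {
    $url = add_query_arg(
        array( 'action' => 'note_lookup', 'id' => absint( $id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'note_lookup' );
}

// Passwords: core stores only a salted hash. wp_hash_password() draws a fresh
// random salt each call, so the same input yields different stored values,
// and each is still verifiable with wp_check_password().
function note_demo_salting( $plain ) {
    $a = wp_hash_password( $plain );
    $b = wp_hash_password( $plain );
    return array(
        'distinct'   => $a !== $b,
        'verifiable' => wp_check_password( $plain, $a ) && wp_check_password( $plain, $b ),
    );
}
```

The order of the checks matters: authorisation and the nonce run before any input is parsed, so an unauthenticated or forged request never reaches the database at all.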

Apart from threats that arrive through plugins, the security team, working alongside the WordPress core leadership team and supported by the global WordPress community, continually identifies and resolves security issues in the core software that is distributed for installation.

With all the Effort, Why Are WordPress Sites Vulnerable?

The beauty of WordPress is its extensibility and open-source nature, which gives developers the freedom to build dynamic websites, and its support for third-party plugins, which makes building a site easier. These same features open the door to security issues, because they hand end users direct control over what code runs on the site. The upside is that this also narrows down the cause: most problems are in add-ons and configuration, which an owner can fix. If website and plugin developers ship secure products, keep monitoring them and release updates for bugs, the number of security incidents on WordPress drops sharply.

Dre Armeda from Sucuri, a leading website security company, says:

It is not a WordPress problem if you are not updating your software in general. This goes for themes, plugins, modules, templates — any of those fun things that enable you to extend any open source platform. Nearly 80% of actual infections across all platforms are due to some type of vulnerability in outdated software or access/password exploits.

This is an astute and on-point observation. The website developer or owner must, first, install only known and vetted plugins. Second, plugin developers are constantly releasing updates that fix bugs and patch security issues; it is the site owner’s job to stay informed and apply those updates promptly.

Michael VanDeMar, a ‘de-hacker’ of compromised sites and author of How To Completely Clean Your Hacked WordPress Installation, says:

I clean many (hacked) websites, and it has been a long time since I had to clean one due to insecurity in the WordPress Core. Most of the time it is either due to an insecure script (such as an older version of TimThumb), an insecure host, or someone whose FTP access has been intercepted by a local virus.

This reaffirms the case made earlier: WordPress sites are compromised mainly through lapses on the site owner’s side, such as outdated scripts, an insecure host or stolen credentials, rather than through core.

How Does WordPress Fare Against Competition?

As a consumer, you may not be interested in the statistics or the workings of the back-end team. You just want to know how WordPress compares with other CMS providers and which is best. How does WordPress’ security stack up against that of its competitors Joomla and Drupal?

De-hacker Michael VanDeMar says WordPress is used by roughly 3.5 times more users than Drupal and Joomla combined. A vulnerability in WordPress therefore threatens more users than one in any other platform, and is more likely to become widely known; a single exploit can be run against a very large number of sites at once, which is why attackers target WordPress sites more than others. As in the Maruti example earlier, popularity makes WordPress a bigger target and makes the attacks more visible.

VanDeMar also states that, apart from the numbers, there is no reason to say WordPress is less secure than other platforms, and that WordPress sites are now more secure than ever before.

Armeda of Sucuri seconds this, stating that his company hasn’t seen any major core threat since the pre-3.x versions; small security bugs have been found, but were fixed quickly.

How Do I Ensure My Website Is Secure?

What precautions can you, as a developer or website owner, take to keep your website safe from attackers? Follow these “five key principles of website security” defined by website security company Sucuri:

  1. Update every plugin and theme, and install core patches as soon as they are released.
  2. Clean up your website: remove unused plugins, themes and leftover files, since inactive code is still code an attacker can reach.
  3. Always use unique, long, randomly generated passwords (a password manager makes this painless), and never reuse a password across sites.
  4. Manage admin access on a least-privilege basis: give each account only the role it needs, and keep the number of administrators small.
  5. Take regular backups of all files and the database, and keep a copy off the server.

The historical record suggests that WordPress core is rarely the point of entry and that most compromises come from lapses on the user’s end. Weak user names and passwords, not enforcing strong passwords for users who can log in, and not updating plugins and core promptly are the leading causes, and all of them are easy to fix. Following these five steps removes most of the common causes of compromise. You can get more insight here: WordPress Security: Everything You Need To Know
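Here is how three of those principles can be enforced in code rather than left to policy. This is an added example, not code from Sucuri or from the WordPress project: a must-use plugin (placed in wp-content/mu-plugins/, so it loads before ordinary plugins and cannot be disabled from the dashboard) that keeps plugins and themes auto-updating, rejects weak passwords wherever one is set, and defines a least-privilege publishing role so the administrator account is used only for administration. The 12-character minimum, the weak-word list and the content_editor role name are assumptions of the example, not WordPress defaults.

```php
<?php
/**
 * Plugin Name: Site Hardening Baseline (added example)
 *
 * Added example for this article, not code from Sucuri or WordPress core.
 * Assumes WordPress 4.x or later, installed as wp-content/mu-plugins/baseline.php.
 * The 12-character minimum and the "content_editor" role are choices, not defaults.
 */

// Principle 1: keep everything updated. Minor core updates are on by default;
// these filters make sure nothing has switched them off and extend automatic
// updates to plugins and themes as well.
add_filter( 'auto_update_core',   '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme',  '__return_true' );

// Principle 3: a password policy applied wherever a password is set.
// Returns a problem description, or an empty string when the password is acceptable.
function shb_password_problem( $password, $login = '' ) {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        return 'The password must not contain the user name.';
    }
    // Reject the strings that brute-force lists try first (assumed list).
    $common = array( 'password', 'admin', 'wordpress', '123456', 'qwerty', 'letmein' );
    foreach ( $common as $weak ) {
        if ( false !== stripos( $password, $weak ) ) {
            return 'That password is too common.';
        }
    }
    return '';
}

// Both the profile screen and the reset form post the new password as "pass1".
function shb_validate_password_from_request( WP_Error $errors, $login ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change in this request
    }
    $problem = shb_password_problem( wp_unslash( $_POST['pass1'] ), $login );
    if ( '' !== $problem ) {
        $errors->add( 'shb_weak_password', $problem );
    }
}
// New users and profile edits made in wp-admin.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $login = isset( $user->user_login ) ? $user->user_login : '';
    shb_validate_password_from_request( $errors, $login );
}, 10, 3 );
// The "lost password" reset form.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    shb_validate_password_from_request( $errors, $user->user_login );
}, 10, 2 );

// Principle 4: a least-privilege role for day-to-day publishing. Accounts that
// only write and publish get this role, not Administrator, so a phished
// editor cannot install plugins, edit theme files or create users.
function shb_register_content_editor_role() {
    if ( get_role( 'content_editor' ) ) {
        return; // roles persist in the database; register once
    }
    add_role( 'content_editor', 'Content Editor', array(
        'read'              => true,
        'edit_posts'        => true,
        'edit_others_posts' => true,
        'publish_posts'     => true,
        'upload_files'      => true,
        // Deliberately absent: install_plugins, edit_themes, edit_users, manage_options
    ) );
}
add_action( 'init', 'shb_register_content_editor_role' );

// Remove the in-dashboard plugin/theme file editor for every role, so a stolen
// administrator session cannot be turned into arbitrary PHP on the server.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

Principles 2 and 5 (removing unused code and taking off-server backups) are operational tasks rather than code, and stay on the checklist.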

The Verdict

WordPress, kept up to date and configured with care, is a secure CMS platform. A real share of the responsibility lies with the user (you): apply updates promptly and use strong, unique passwords. The WordPress community is one of the largest online, and a lot of valuable security advice is available there. If you find a vulnerability in core, report it to the WordPress security team; if your site has been compromised, the community forums and third-party security services such as Sucuri can help with cleanup.

All WordPress statistics are taken from https://wordpress.org/about/security/

Sucuri Website: https://sucuri.net/