Given that the WordPress engine drives 59.9% of websites using content management systems and 31.4% of all websites at the same time, these allegations seem highly exaggerated (w3techs.com data as of July 1, 2018).
The popularity of WordPress
According to the BuiltWith portal, which tracks the use of different technologies on the web, WordPress is used by nearly 27 million websites. For comparison, a competing and also free solution, Joomla!, powers only 2 million sites. Drupal comes third with one million sites.
Subjectively, WordPress very often wins over other content management systems in terms of ease of installation, operation, administration and expansion. Over the years of development of this system, a lot of commercial templates and plug-ins have appeared on the market, perfectly enhancing the possibilities that this CMS offers by default. It’s not difficult to transform WordPress from a blog platform into an online store, discussion forum, or news portal.
A very large number of sites sharing identical source code increases the hypothetical return on investment in software whose purpose is to carry out automated attacks against those sites for some gain. In other words, a program that tries to break into 27 million sites is more profitable to write than one that tries to break into 2 million. However, this does not mean that WordPress is less secure than its competitors.
What is a prerequisite for WordPress security?
WordPress belongs to a group of programs called content management systems. From Wikipedia we learn that the word “system” comes from ancient Greek and means “complex thing”. WordPress, like other content management systems, is a combination of specialized modules. Some of these modules (programs) come from other authors and become part of the system because they fulfill their tasks well and there is no need to create new, identical solutions.
In addition, content management systems can be equipped with additional functionality, such as discussion forums, extensive contact forms, online shops, specialized content editors, interface elements and much more.
Each element of the system may have its own susceptibility to attacks, resulting, for example, from the use of outdated software libraries, the author’s lack of knowledge, or sloppy code (written with shortcuts, without good programming practices).
WordPress is used by amateurs who build their own websites, as well as by professionals who offer their services commercially. Both groups use templates and plug-ins in their work. However, the choice of additional software is not always well considered, and the final product may include plug-ins that are vulnerable to attacks or have been abandoned by their authors, which within a few months exposes the website owner to attacks.
Although the responsibility for such problems lies with the authors or developers of the plug-ins, the general public blames the content management system. It is a bit like blaming a car manufacturer for poor quality when the defects result from repairs carried out with poor replacements instead of original or other high-quality parts.
How can I reasonably assess whether WordPress is safe?
We can divide the problem into layers and look at them separately:
1. System source code (WordPress)
WordPress is actively developed, and security fixes are installed automatically by default, without user intervention. A team of several dozen people works on the security of the system, and an additional contribution is provided by a wide community of users.
2. Source code for templates and plug-ins
WordPress owes its ever-growing market success to a wide range of plug-ins and graphical themes. The security of these solutions, however, varies enormously, and outdated plug-ins are most often the attack vector against websites based on WordPress. It is worth carefully selecting the extensions for your website, minimizing the number of add-ons and, for more extensive functionality, using commercial solutions whose authors offer support and continuous development.
3. Authors and administrators (owners) of websites
WordPress is a very accessible platform for building web pages, for which many online guides exist. However, accessibility does not always go hand in hand with security. It is up to the author of the website to choose the additional software (plug-ins and templates), the complexity of the passwords and the configuration of the hosting environment. Lack of experience in this area may put the website owner at risk. Find out what to look for when ordering a website.
4. Hosting providers
Hosting companies offer different levels of security, and the configuration of server software is not the same everywhere. Unfortunately, many hosting companies require manual configuration of the Apache web server, because the default settings allow, for example, listing the contents of folders or accessing key files from outside. It is advisable to choose a hosting company that takes security seriously and provides an optimized configuration for popular content management systems.
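The two Apache defaults mentioned above (directory listing and direct access to key files) are the ones a site owner most often has to fix by hand. The following is an added example of a hardened virtual-host fragment for Apache 2.4, not configuration from the original post or from any hosting provider; the document root /var/www/example/public is an assumption.

```apache
# Added example (not from the original post). Assumes Apache 2.4 and a
# WordPress installation under /var/www/example/public.
<Directory "/var/www/example/public">
    # -Indexes turns off automatic folder listings when no index file exists;
    # +FollowSymLinks is still needed for WordPress rewrite rules.
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# wp-config.php holds database credentials and the authentication salts;
# it must never be served, even if PHP handling is misconfigured.
<Files "wp-config.php">
    Require all denied
</Files>

# Deny server-side files and common editor/backup leftovers
# (.htaccess, .htpasswd, .git, foo.php~, dump.sql, *.bak, *.log).
<FilesMatch "^\.(ht|git)|~$|\.(bak|orig|sql|log)$">
    Require all denied
</FilesMatch>

# The uploads folder is writable by the web server for media files;
# nothing placed there should ever be executed as PHP.
<Directory "/var/www/example/public/wp-content/uploads">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

# Do not advertise the server version in headers or error pages.
ServerTokens Prod
ServerSignature Off
```

After `apachectl configtest` and a reload, a request for a folder without an index file (for example /wp-content/uploads/) should return 403 instead of a listing, and a request for /wp-config.php should also return 403.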
Summary
There is no ideal software that is 100% safe and free from errors. Even the software of the on-board computer of the Apollo 11 lunar module had an error which almost led to the cancellation of the mission.
It should be remembered that websites based on content management systems are in fact extensive applications, often enriched with additional modules written by independent authors. The security of the entire system depends on the quality of the components from which it is built. Therefore, it is worth entrusting website design to an experienced team, and complex solutions should be based on commercial modules that come with professional support. It is also worth investing in good hosting, which provides an additional layer of security.
Follow my blog if you are interested in the security of WordPress – in the near future you will find articles about popular attacks on this CMS and a guide on how to reasonably secure WordPress without spending a fortune on it.