WordPress a Secure CMS?

11 Jan 2016
WordPress was born out of a desire for an elegant, well-architected personal publishing system (a blog platform before slowly becoming a preferred CMS) built on PHP and MySQL. It is the official successor of b2/cafelog. WordPress is modern software, but its roots and development go back to 2001. Since its official inception, many have claimed that it is too vulnerable to hacks and lacking in security.

I have seen many articles addressing both sides of WordPress security, and after working across multiple server environments with a wide variety of content management systems, I have come to the conclusion that WordPress is as secure as any other CMS out there. Most consumers who are hacked lack security awareness as a whole and do not have proper protocols and processes in place to keep them from being an easy target.

WordPress is currently powering just under 25% of all websites on the web. Yes, 1 out of 4 websites is likely utilizing WordPress as its CMS platform. That is crazy if you think about it: it is complete domination by the open source platform. That’s more than every other content management system, combined.

So naturally when you are that big, you have a target on your back.

However, as mentioned earlier, security really lies within two aspects of a website: the application running the site and the person(s) maintaining it. So let’s discuss these aspects in more detail.

THE WORDPRESS COMMUNITY IS PHENOMENAL (Especially at keeping WordPress Secure)

WordPress is an open source web software platform that is supported by hundreds of developers with a history of extremely fast responses to any vulnerability that has been discovered. The community is on top of problems quickly and will have a security patch released within 24 hours if not much, much sooner. Being the big player in the industry and constantly being tested also means by definition that any security breach or issue is quickly found and resolved by the community.

The person maintaining the site is always the unknown, and more often than not, the weak link that causes an intrusion to occur if one does indeed occur. Maintaining your WordPress site or nominating yourself as the active Administrator is not a responsibility you want to take lightly. Your website security is only as good as the person maintaining it.

There are a few crucial points that everyone who touches the administration area of the site should be aware of. The first and maybe the most important is not to use the default “admin” as the username, and certainly don’t use “admin” as your password. Anything that is set by default is going to be an easy target when it comes to username and password. You would be surprised how many developers turn over a newly developed site with the default user/pass as “admin/admin” and their clients are never educated on changing it. The WordPress codex has some good general guidelines for creating a password. The most important thing is to avoid using a name of any kind—or even a single word. Stay away from using your last name with year of birth combo that so many people seem to like! The more complex you make the password, the stronger it will be. If you are one of those people that choose easy passwords, or use the same password for everything simply because of ease, then you should probably read my post on free or inexpensive password management applications.

Keeping your WordPress install and plugins up to date is probably one of the most important tasks to remember.

All that hard work the community does to ensure that security patches are created and distributed quickly is for nothing if you don’t keep your WordPress install up to date, including installed plugins.

I am going to hit again on WordPress plugins because this is a critical area that most website administrators fail at. I have seen time and time again websites that were compromised because their WordPress plugins were extremely outdated. Just because you update your WordPress install doesn’t mean you can ignore the plugins you are using. Plugins are segments of code that can add functionality but can occasionally cause issues. It is best to install only the plugins that are needed and from sources that are trusted. Don’t go plugin crazy, because maintaining your WordPress install could become an unnecessary chore. Keeping your plugins to a minimum and only using plugins from trusted sources is good practice.
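As an added example (not part of the original post), the two maintenance checks above can be scripted: flag any account still using the default "admin" login and list every plugin with a pending update. It assumes WP-CLI is available to produce the CSV input on a real site; the sample CSV and the plugin names below are constructed.

```shell
#!/bin/sh
# Added example. On a real site, feed the functions from WP-CLI:
#   wp user list --fields=user_login,roles --format=csv | flag_default_admin
#   wp plugin list --fields=name,status,update,version --format=csv | flag_outdated_plugins

# Print a finding for any account whose login is the default "admin".
flag_default_admin() {
  awk -F, 'NR > 1 && tolower($1) == "admin" {
    print "default-admin-login: " $1
  }'
}

# Print a finding for every plugin with an update available.
# Inactive plugins are reported too: their files are still on the server.
flag_outdated_plugins() {
  awk -F, 'NR > 1 && $3 == "available" {
    print "outdated-plugin: " $1 " (" $2 ", installed " $4 ")"
  }'
}

# Constructed sample input (not from a real site), in WP-CLI's CSV layout.
SAMPLE_USERS='user_login,roles
admin,administrator
jsmith,editor'

SAMPLE_PLUGINS='name,status,update,version
example-forms,active,available,4.1
example-seo,active,none,2.0
example-gallery,inactive,available,1.3'

# Demo run over the constructed samples.
printf '%s\n' "$SAMPLE_USERS" | flag_default_admin
printf '%s\n' "$SAMPLE_PLUGINS" | flag_outdated_plugins
```

Run from cron, any output is a to-do item: rename or replace the flagged account and apply the listed updates.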

When looking at hosting, the company or person maintaining your site also has several options and actions that can be taken to help further ensure the security of the WordPress install. Here at Upshot we offer hosting to our clients because we take security seriously, and we do the legwork to keep their website secure and up so our clients can sit back and focus on their business.

So in closing, I can sit here and tell you that the WordPress software platform has evolved into a robust, powerful, and secure CMS platform that is very intuitive for even non-technical people to manage.

If you liked this post please share it using the social media icons and/or comment below. We will respond!
