
WordPress Insecurities

Once again, I find myself up against a client’s preconceived opinion that “WordPress is [inherently] insecure.”

It’s a common refrain, and one that I’ve heard over, and over, and over again since I began specializing in WordPress. But let’s set the record straight.

What Is It You’re Really Afraid of?

Is it WordPress you’re concerned about, or open source software (OSS) in general? Despite powering software for most of the planet, OSS still has a reputation of being developed by “amateurs,” and being unstable because it lacks the backing of Big Corporations.

While I won’t argue that OSS has its fair share of abandoned projects, it’s simply wrong that all OSS is written by hackers in their basements at 2 o’clock in the morning. Most major for-profit technology companies—the likes of Microsoft, Apple, Amazon, and Google—are often large backers of OSS, contributing time, money, and resources to its development. They know that their own businesses rely on OSS.

The Myth of “Closed Source Is More Secure”

The only correlation between closed-source software and security is that fewer white-hats (people with good intentions examining software for possible security vulnerabilities) are able to pore over closed-sourced code than open-sourced. (You still have plenty of black-hats examining both, looking for opportunities to exploit vulnerabilities for their own personal gain.)

OSS has the eyes of the world scrutinizing code every single day. Closed-source software only has the company’s own team of developers, who’ve seen the same code day after day after day (and hence have become jaded and/or blind to its faults). And what if The Security Person is on vacation the day a major exploit is revealed?

When Was the Last Time WordPress Security Hacks Made the Evening News?

Think about the security breaches that make the headlines. I think I can recall a WordPress one back in the 2.* days (WordPress is currently at version 5.2.3). But I can pretty much guarantee that the Capital One, Starwood, and Equifax data breaches did not involve WordPress.

To say that WordPress is inherently insecure is to say that the Internet itself is inherently insecure. I’m not saying that that statement is wrong, but the only conceivable solution to that issue is to stop using the Internet altogether. Does that seem very practical?

Anything Can Be Insecure; Anything Can Be Made Secure

If you throw software out onto the Internet, be that in the form of a website running WordPress or any other platform, and fail to maintain it, then yes, it will, over time, cease to be secure. New vulnerabilities are discovered on a daily basis, not necessarily in WordPress, but in everything that touches the Internet.

The key is to make sure your web properties are properly maintained, with security patches and other updates made when they become available.

Most WordPress Compromises Have Nothing To Do With Software

By far the most common way of breaking into a WordPress site is not through the software itself, but by something called a “brute force attack,” whereby automated attack bots literally try to force their way into a privileged account on the site by guessing usernames and passwords. If you use weak passwords, or (worse yet) reuse the same password across different Internet services, you’re increasing your risk of compromise. Often, data breaches on one service serve as jumping-off points for attacks on different systems, because attackers know that people often use the same usernames and passwords across accounts.

There are plenty of password security best practices you can follow to reduce your security exposure, including:

  • Use strong, nonsensical, and unique passwords along with a strong password management system such as 1Password or LastPass.
  • Don’t use “common” usernames for your accounts (like “admin”; never create a user account in WordPress called “admin”).
  • Make as few user accounts on your WordPress site as possible, and don’t give users any higher level of access than absolutely necessary.
  • Don’t transmit passwords over email.
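The brute-force bots described above leave a very recognizable trace in the web server’s access log: one source address POSTing to wp-login.php over and over. The script below, an added example that is not part of the original post, flags such addresses from combined-format log lines; the log lines, IP addresses and thresholds in it are constructed for illustration.

```python
"""Flag wp-login.php brute forcing in Apache/nginx combined-format access logs.
Added example for this post; the log lines below are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(  # ip ident user [timestamp] "METHOD path HTTP/x" status ...
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]

def find_bruteforce(lines, max_attempts=5, window_seconds=60):
    """Return {ip: total POSTs} for IPs that POST to wp-login.php more than
    max_attempts times inside any sliding window of window_seconds.
    Only POSTs count (a GET just loads the form), and the status code is no
    help: WordPress answers a failed login with 200 and a success with 302."""
    posts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php"):
            posts[ip].append(ts)
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_attempts:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: one bot firing six POSTs in 40 s, plus one legitimate login.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Sep/2019:10:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.22"'
    for s in range(0, 48, 8)
] + [
    '198.51.100.5 - - [21/Sep/2019:10:16:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Feeding a real log through `find_bruteforce` gives you the list of addresses worth rate-limiting or blocking, which is exactly what login-throttling plugins and host-level tools do automatically.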

Don’t Go It Alone

Chances are, WordPress is not your core business. But it is mine. If you don’t feel like you have the time/energy/resources/interest to maintain your WordPress site properly, get in touch, and we can discuss outsourcing that responsibility for peace of mind.