February 19, 2016

The Great Debate: Is WordPress Secure?

Quench web design shown on laptop

This past year we had the opportunity to attend WordCamp U.S, which took place right here in Philly. Security was one of the main topics in several sessions, including the ‘State of the Word’ address

It was evident that the WordPress community as a whole has steadily and consciously been advancing proactive measures – pushing security updates more often and enforcing automatic updates along with strong password practice.

Today, 25% of all websites are made with WordPress (an amazing number, by the way), with more widespread adoption happening every day.  The more that percentage grows, the harder WordPress works to ensure that their users’ websites are at the highest level of protection.

Here at Push10, we’ve championed that effort and have always taken the steps to further improve WordPress’ security, at the application level and at the server level. We’ve implemented additional steps to harden the WordPress installation, prevent file injections and version exploits.

Regardless of what CMS is being used, no one can guarantee 100% website security, which is why we highly recommend our on-going maintenance plans for our clients. As part of the maintenance plan, we regularly back up the site, as well as run updates to the WordPress core.

There are various factors that can leave a website, WordPress or otherwise, vulnerable. The following statistics illustrate that much of the blame for blemishes on WordPress’ record does not necessarily lie with the CMS itself:

  • 41% of WordPress hacks occurred due to a vulnerability on the hosting platform, not the CMS
  • 29% of hacks were the result of security issues within cheap, canned themes
  • 8% of WordPress sites hacked were because of weak passwords

WordPress is often heralded for having three times the number of installations as Drupal and Joomla combined. Some of these installations are created by inexperienced developers using cheap off-the-shelf themes, as opposed to custom solutions. Lacking strategic security measures, these types of sites tend to be more vulnerable to attack, thus can have a significant impact on the stats listed above.

Just as web applications are constantly evolving, our practice is to constantly adapt our security approaches and strategies over time. Some web security steps we may have practiced a couple of years ago have been intensified for today’s digital world. Web crawlers and bots are getting smarter by the day, and DDoS (Denial of Service) attacks are more common. Crawlers are looking for weak passwords and DDoS attacks can bring your website down for several minutes or even hours, exposing other vulnerabilities.

Below are several ways in which the site admin can take steps to keep your site protected. (And don’t laugh if you think any are no-brainers. You’d be surprised how often these points are overlooked):

  • Don’t use ‘admin’ as a username
  • Use a stronger password
  • Hide wp-config.php and .htaccess
  • Deny access to your plug-ins and other important directories
  • Backup your data to DropBox
  • Don’t install free and/or cheap “canned” WordPress themes
  • Don’t display ‘Wordpress Version’ on your blog
  • Use the most trusted plug-ins to prevent security holes, like Better WP Security, Secure WordPress,
  • Login Lockdown and Website Defender

WordPress itself has several safety measures available for users to beef up their security. Numerous security plug-ins provided by WordPress, as well as outside plug-ins, are easy to access. Along with the safety measures at the core level of WordPress, skilled developers are inventing more options daily. Those developers who have created security based, WordPress friendly plug-ins are typically readily available and very enthusiastic to assist users who need more reassurance.

For those wondering if WordPress is an appropriate CMS for large-scale websites, here is a list of some enterprise-level companies that trust WordPress as their CMS of choice:

  • The New York Times
  • CNN
  • The Library of Congress
  • Sony Music
  • Tech Crunch
  • BBC America
  • eBay Inc.
  • MTV
  • ESPN (various sites)
  • Fortune

Our goal is and always has been to stop the threat before it reaches our clients’ websites. That’s why we recently chose to work with the team at Sucuri, which enables us to place websites behind a firewall; filtering out malicious code, bots, attacks, and backdoor exploits before they can reach the sites. This adds a whole new layer of security on top of all the other things we are already doing.

In Conclusion
Your website represents a significant investment. It’s an important aspect of your brand and it’s vital to keep it protected at all costs. Both WordPress and Push10 have the capabilities to keep your site well protected and functioning properly. After all, we want you to spend less time worrying about the security of your site and more time focusing on the impactful content you share with the world.