I’ve heard and read over and over again how WordPress is insecure, hackable, and sub-standard. I never fully believed it but still, I had that nagging question of “what if?” So I decided to see if I could get a clear answer.
I started the way I often do: I put the question to the community on Webmaster World. I gave my post a nice link-bait title, “WordPress isn’t secure. Prove it.”, sat back, and let the community fire away. What I was really after were examples of security holes in the WordPress core. I wanted someone, anyone, to step up and show me an actual example of where the code wasn’t secure. What I got was a bunch of hearsay and suppositions. To be fair, there was discussion of the weakest links in a WordPress installation – plugins and themes – more on these later. But not one person could point out a single issue with the code.
The biggest issue with WordPress security was raised by my friend Tom Lambert (ergophobe @ Webmaster World). Tom and I have a running discussion on Drupal v WordPress that has led to some spirited debates. I’ve learned a lot from him and from our discussions. Tom pointed out that WordPress has no dedicated security team – at least it appears that way. He did the following searches:
When you look at the SERPs for both Drupal and Joomla you’ll see a clear reference with link to an actual Security Team on the Drupal and Joomla community sites. WordPress – not so much. There are mentions of a security team at WordPress but no dedicated page proclaiming they exist and what their objectives and process were. That’s one of Tom’s sticking points.
So I decided to ask the WordPress community if they could point me to a page that clearly identifies a WordPress security team, their objectives, and process. I posted my question in the WordPress Forums.
Turns out, my question has been asked and answered in a variety of ways though not as clearly as I’d hoped. The most common iteration of my question is “Is WordPress Secure?” Not really what I was after but the answer is an unequivocal yes. I don’t doubt this and the reason why also helps illuminate the existence of a security team. How? Because their work is clearly evident. You don’t get to 7 million installs without doing it right.
As Richard Eber pointed out in his post “Why Most Stories About WordPress Security Are Wrong”, the measure of a security team isn’t just in their existence but in their ability to respond and the speed with which they resolve an issue. Updating WordPress for security fixes, updates, and patches is about as easy as it gets – a single click. And with the release of WordPress 3.7, nicknamed Basie, you no longer have to worry about those minor updates, as this release now applies them automatically. You don’t get to this level of functionality without a lot of thought and preparation. And from what I gather, the ability to respond to security threats was part of the driving reason for making updates so easy.
Plugins, Themes, & Users
Any chain of security is only as strong as its weakest link. In the case of WordPress there are three weak links.
In the case of plugins and themes, all of the themes and plugins are reviewed before they are included in the repository at WordPress.org. But the authors of themes and plugins sometimes fall behind on fixing security issues and then the plugin or theme becomes the weak link in the chain. Selecting plugins & themes created by well known and trusted developers, looking for short response times in the support forums and for high numbers of downloads are all indications (but not guarantees) of a plugin you can use and expect it will be kept up to date.
The third item in the chain is the weakest. You. And me. And anyone that owns/operates a WordPress installation. We are often our own demise because we’re lazy. We see the bold text in the sidebar of the admin area that indicates the number of updates waiting and yet we ignore it. Or we haven’t visited the admin side of the site for months. So when the security hole is published on the hacker forums, our installation is just sitting there waiting for someone to try the exploit.
Try as we might, it’s hard to change user behavior which is part of the reason for the auto update feature in WordPress 3.7.
So is WordPress secure?
What can you do to keep it that way?
- Get rid of unused plugins and themes. Keep the ones you use up to date.
- Use well supported plugins written by active and trustworthy authors.
- Don’t hack the core files.
- Use child themes if you’re going to hack a theme and then be responsible for keeping it up to date.
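The 3.7 auto-updater discussed above only covers minor core releases by default, so "keep the ones you use up to date" still depends on someone logging in. As an added example (not from the original post and not WordPress project code), here is a must-use plugin that opts plugins and themes into the same automatic updater; the file name, the `example_` function name and the plugin slugs in the allowlist are assumptions.

```php
<?php
/**
 * Plugin Name: Auto-update policy (example)
 * Description: Drop into wp-content/mu-plugins/ to opt plugins and themes into the
 *              WordPress 3.7+ automatic updater instead of waiting for an admin login.
 */

// Core: WordPress 3.7 applies minor (security/maintenance) releases on its own.
// To also auto-apply major releases, put this line in wp-config.php (not here);
// leaving it unset keeps the default minor-only behaviour.
// define( 'WP_AUTO_UPDATE_CORE', true );

// Plugins this site has vetted and wants updated as soon as a fix ships.
// Constructed list for the example; replace with the slugs you actually run.
const EXAMPLE_AUTO_UPDATE_PLUGINS = array( 'akismet', 'jetpack' );

/**
 * Decide per plugin whether the automatic updater may install an available update.
 *
 * @param bool   $update Whether WordPress already intends to auto-update this item.
 * @param object $item   The update offer; $item->slug is the plugin directory name.
 * @return bool
 */
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_AUTO_UPDATE_PLUGINS, true ) ) {
        return true;
    }
    // Leave WordPress's own decision untouched for everything not on the allowlist.
    return $update;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes: same hook shape. Here every theme with an update offer is allowed through;
// a customised child theme is unaffected because only its parent receives update offers
// from the repository.
add_filter( 'auto_update_theme', '__return_true' );
```

Plugins and themes that you installed from outside the WordPress.org repository never receive update offers, so this policy cannot help with them; those still need a manual check.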
- Read Hardening WordPress (WordPress.org)
- WordPress Security FAQ (WordPress.org)
- WordPress Core is Secure – Stop Telling People Otherwise (WP Engine)
- WordPress – Understanding its True Vulnerability (Sucuri Blog)
- WordPress isn’t secure. Prove it. (Webmaster World)
- WordPress Security Review Process (WordPress Forums)