WordPress has an unfair reputation for having poor security. It has been around for a very long time and is extremely popular, powering almost 30% of the web. As a consequence, a vulnerability or successful attack on a prominent website becomes big news – and WordPress becomes the scapegoat.
There are two key reasons that news of successful attacks are not representative of WordPress as a secure Content Management System:
- WordPress has an open system for plugin and theme development, and the vast majority of vulnerabilities are actually to do with plugins and themes rather than the core system. That is why we limit the number of plugins we use, and we only use plugins that are well-used, well-maintained and regularly updated. We only use plugins that meet our criteria. We also never use WordPress themes: all of our sites are coded from scratch.
- A major cause of problems has been when a website has not been updated after a security patch is released. As you know this will be true of any piece of software – if a system isn’t kept up-to-date it will be vulnerable to attack. WordPress introduced auto updates a couple of years ago, so security patches are added to a WordPress installation automatically as soon as they are released. This has been very helpful but it is still very important to work with a WordPress agency that can keep plugins up-to-date, make more major WordPress updates, and proactively monitor the security setup of the site.
Fundamentally, any large CMS (or piece of software) is going to occasionally contain bugs that lead to security vulnerabilities. The important thing is that there is an infrastructure for finding and dealing with these vulnerabilities in as short a time as possible. WordPress is actually in a fantastic position in that regard. Since it is so popular and well-used it is highly likely that vulnerabilities will be found by the community before a hacker, and when a vulnerability is found there is a community of hundreds of developers supporting WordPress, so it will be patched quickly via an update of the system.
IT’S CRITICALLY IMPORTANT TO HAVE THE RIGHT SET-UP TO MAKE IT IMPOSSIBLE FOR AN UNAUTHORIZED PERSON TO GAIN ACCESS TO THE SITE.
How do we secure our WordPress websites?
There are a lot of steps that can be taken to ensure a secure WordPress setup, which can be fine tuned to suit your priorities. As standard we ensure the following:
- all user accounts have strong passwords, and only have access to what they need
- disable non-required functionality, such as WordPress comments
- install security auditing and logging software that tracks usage
- install an SSL certificate
Some other things to consider:
- locking down the Admin area to white-listed IP addresses only (so only people located in your location can access the back-end of the site)
- double authentication for all users
- implement other server side measures such as a Content Security Policy and HTTP Strict Transport Security
Finally, it’s worth pointing out that WordPress is used by a huge number of global brands, including a few that are obvious targets for attack. It is for example used for: Walt Disney Corporation, New York Post, Time magazine and many more.
It’s our sincere belief that with the right setup in terms of hardening the core system, the right hosting platform and proactive ongoing maintenance, WordPress can be made as secure as any CMS available today. SeodaPop will help you fully customize your WordPress website or code it from the ground. Take control of your website and what works best for you and your business HERE.