WDDinc Web Security Blog

Insight from the leader in secure application development

Thoughts on WordPress Security


I have a good friend who owns a Web design company and who, with little or no prompting, will tell one and all about the security perils of using WordPress. He will talk about the well-publicized WordPress hacks that have been written up in online IT publications. The good news is that I always know what he’ll talk about; the bad news is that he is just one of many in the website design/development world who are sadly mistaken.

WordPress, like many widely used freeware web applications, gets an undeserved bad rap, not because it is a product with poor security, but because of the poor practices that often surround it. With (according to the WordPress website) over 67 million WordPress sites in the world, there are bound to be many (millions of) poor implementations in use, and these are what give the WordPress detractors their ammunition.

If we combine the sheer number of hacking opportunities with the fact that WordPress is widely believed to be a product for the masses, requiring little or no IT skill to implement, you can see where we have a hackers’ dream come true. So many targets, so little security implementation expertise.

The several pieces of the WordPress security problem include the following:

  • WordPress hackers, like the gunfighters in the Wild, Wild West, have always viewed WordPress as an ideal target that will win the hacker his ‘rep’. Every new release just stirs up the lower-end lurkers in the hacker community, each of whom just wants to be able to say: “First with a vulnerability discovery”. This keeps WordPress under constant pressure from any number of hackers who hone their skills at WordPress’ expense.
  • Like many freeware products, WordPress provides source code to the developer community. It is much easier to look for security flaws from the inside of a web application – opening up the internal source code of a deployed product makes a hacker’s life a lot easier.
  • The good news behind WordPress is that there are literally thousands of plug-ins – additional components that extend the functionality of WordPress. The bad news is that many of these plug-ins are poorly written and open the base product up to security vulnerabilities. A poor choice of plug-in will expose the entire WordPress CMS to easy security attacks.
  • Like all products, WordPress will issue updates for functionality and security reasons. WordPress, however, as a freeware product, tends to be used in lower end environments that cannot afford IT staff with a responsibility for updating their internal systems like WordPress. If a security flaw is found in WordPress (just like any commercial product) and a security update is not implemented, the hacker community will have its way with the site.

At first glance, it seems WordPress doesn’t have a snowball’s chance in hacker hell of being secure. What is often overlooked, however, is the fact that WordPress, as a freeware product, is authored and checked by a huge number of very competent developers, many of whom are security development experts. By the time a new release has hit the field it has been vetted by any number of independent developers who feel a personal responsibility for its quality. It will be as secure as a product can be.

The fact that hackers will eventually find security flaws even in this well tested product is just part of the security life cycle. Hackers continue to probe and eventually they will discover some vulnerability; this is not unique to WordPress, but rather a fact of life for every commercial product on the Net.

Finally, many development and design companies, concerned about WordPress’ poor security reputation, build their own CMS. Unfortunately, this almost always leads to a very insecure product, with no realistic prospect of ever receiving a security patch. Many of these custom CMS products are built on limited budgets by staff who are more design- than development-oriented.

I do like to repeat the often-heard words of wisdom from the security world: one should consider a commercial product (like WordPress) over an internally developed one.
