When talking to existing and potential clients about setting up their site with WordPress, they often ask us about its security. There seems to be a myth that WordPress is more prone to being hacked than proprietary Content Management Systems. When you dig a little deeper, you’ll find that the majority of people with these concerns attribute it to the fact that WordPress is open source, meaning there’s a large community of developers working on it rather than one company. So let’s spend a little time discussing how open source actually helps make WordPress more secure, and what the real caveats are.
Open Source Software
Open source software, or OSS, is software whose source code is freely available online for anyone to read, download and contribute to. You will often run across it on sites like GitHub or Bitbucket, where people make their projects “open” for download and critique. That, in and of itself, is not a problem. However, critics of OSS, and of WordPress in particular, argue that having the code available for attackers to study makes it easier for them to find vulnerabilities to exploit.
“The argument that open source must be risky (…) is countered with the explanation that by having so many individuals working with the source code of these projects, potential vulnerabilities and design flaws are uncovered much faster than with programs built on proprietary code,” says Andrew Fourie from Astaro, a unified threat management firm. In other words, because so many people work on OSS such as WordPress, problems tend to be found and fixed in a much shorter timeframe than with closed source/proprietary software. Consider that two big pieces of internet infrastructure, the Linux operating system and the Apache HTTP Server, are both open source projects too!
WordPress’ Core Code
WordPress is said to currently run 25 percent (or more) of all websites, including the likes of BBC America, Vogue Magazine, CNN, and UPS. With so many eyes on it for its popularity, naturally there are people out there looking to exploit its codebase. This is why WordPress employs a security team of “approximately 50 experts including lead developers and security researchers (… who consult) with well-known and trusted security researchers and hosting companies.”(source)
On top of that, “white-hat hackers” and hobbyists/users who discover vulnerabilities are encouraged to disclose them responsibly to the development team, so the team can create patches and close the holes sooner rather than later.
So, if open source helps make WordPress core safer, what are the actual points of concern? According to an article from WP WhiteSecurity, the causes of hacked WordPress sites break down as follows:
- 41% of hacked WordPress sites were compromised through a security vulnerability on their hosting platform
- 29% were compromised via a security issue in the WordPress theme they were using
- 22% were compromised via a security issue in the WordPress plugins they were using
- 8% were compromised because they had a weak password
What these numbers tell us is that the bulk of the issues (51%) stem from users choosing unsafe themes or plugins, with the hosting platform the largest single cause at 41%, so the host deserves the same scrutiny. Theme and plugin problems can often be prevented by spending a decent amount of time vetting before making a choice. Is it from a reputable source such as the official WordPress.org directory, or from a more obscure third-party website? Has it received a steady stream of updates to keep up with WordPress core changes? Has it recently changed hands in terms of ownership? A bad answer to any one of these doesn’t necessarily mean you should stay away from that theme/plugin, but they are all worth paying attention to.
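The vetting questions above can be turned into a repeatable check. The script below is an added example, not code from the original post or from WordPress itself: it scores plugin metadata in the shape of the fields the public WordPress.org plugin information API returns (`author`, `last_updated`, `tested`, `active_installs`), but the records here are constructed sample data, not real API output, and the staleness and install-count thresholds are assumptions you would tune for your own site. Ownership changes are not exposed by that API, so that question still needs a manual look at the plugin’s changelog and author history.

```python
"""Vet WordPress plugin/theme metadata against the questions in the text.

Added example, not code from the original post. The record fields mirror the
WordPress.org plugin information API, but every record below is constructed
sample data. Thresholds (max_stale_days, min_installs) are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Assumed current WordPress core version for the "tested up to" comparison.
CURRENT_WP = "6.5"
# Fixed "today" so the example is reproducible offline (assumption).
TODAY = date(2024, 6, 1)


@dataclass
class PluginInfo:
    slug: str
    author: str
    last_updated: str         # "YYYY-MM-DD"; the API appends a time, trimmed here
    tested: str               # highest core version the author declares tested
    active_installs: int
    from_wordpress_org: bool  # True if obtained from the official directory


# Constructed sample records (not real plugins).
SAMPLE_PLUGINS = [
    PluginInfo("well-maintained-forms", "Example Maintainers", "2024-05-20", "6.5", 200000, True),
    PluginInfo("abandoned-gallery", "Someone", "2021-03-02", "5.7", 5000, True),
    PluginInfo("nulled-premium-slider", "unknown", "2024-04-01", "6.5", 50, False),
]


def version_tuple(v: str) -> tuple:
    """'6.4.2' -> (6, 4, 2); suffixes such as '-RC1' are ignored."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def vet_plugin(p: PluginInfo, today: date = TODAY,
               max_stale_days: int = 365, min_installs: int = 1000) -> list:
    """Return a list of warnings; an empty list means no red flags were found.

    Checks: official source, update cadence, compatibility with current core,
    and adoption (a proxy for how many eyes are on the code).
    """
    warnings = []
    if not p.from_wordpress_org:
        warnings.append("not from the official WordPress.org directory")
    updated = datetime.strptime(p.last_updated[:10], "%Y-%m-%d").date()
    stale_days = (today - updated).days
    if stale_days > max_stale_days:
        warnings.append(f"last update {stale_days} days ago")
    if version_tuple(p.tested)[:2] < version_tuple(CURRENT_WP)[:2]:
        warnings.append(f"only tested up to WordPress {p.tested}, core is {CURRENT_WP}")
    if p.active_installs < min_installs:
        warnings.append(f"only {p.active_installs} active installs")
    return warnings


def vet_all(plugins=SAMPLE_PLUGINS, today: date = TODAY) -> dict:
    """Map each plugin slug to its list of warnings."""
    return {p.slug: vet_plugin(p, today) for p in plugins}


if __name__ == "__main__":
    for slug, warnings in vet_all().items():
        status = "OK" if not warnings else "REVIEW"
        print(f"{status:6} {slug}")
        for w in warnings:
            print(f"       - {w}")
```

In practice you would fill `PluginInfo` from `wp plugin list --format=json` (WP-CLI) plus the WordPress.org API response for each slug, and treat any plugin with warnings as a candidate for replacement rather than an automatic rejection, which matches the advice in the text.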
When it comes to WordPress, there is a fair amount of misconception regarding its security. Thankfully, having an experienced team to oversee development and provide guidance puts you on a great path to protecting your website. If you’d like assistance gauging whether your site is fortified, or would like to consider switching over to WordPress, get in touch with us. We can help shore up any possible problems and put your mind at ease.