Recently there has been growing debate about how secure WordPress really is. WordPress has grown into one of the most popular and well-known publishing platforms, and that popularity comes with an increased risk of becoming a target for thieves, malware authors, exploit writers, spammers and other Internet undesirables.
A recent discussion took place inside Chris Pirillo's Gnomies mailing list, where members detailed their thoughts on WordPress security. One opinion was that the key feature that makes WordPress so appealing is also what makes it a security risk: plugins give users a wide range of useful features with a simple install, and as WordPress has matured, plugins have required less and less manual coding to function.
The wide range and variety of plugins is where the security risk comes into play. Since WordPress is open source software, anyone with programming skills can contribute to its code. With so many options, knowing that a plugin's source is trustworthy is the first step in security. Peer review and the security checks in the plugin approval process help reduce security problems, but that doesn't mean issues never occur.
In the past 30 days there have been 2 major security incidents involving WordPress, and both were plugin related. Is the best way to stay secure with WordPress simply not to use plugins? One opinion holds that this is exactly the right option, or at least to "tweak" the plugin code to make it less friendly to malware bots.
In the real world that option isn't going to work for 98% of WordPress users. The install base has grown away from its coding-geek roots, and the average WordPress user wouldn't know what to look for inside plugin code. If you're not aware of what exposes you to exploitation, you can't close that opening. It's also bad practice to start editing code if you're not sure what effects your changes will have. Upgrading the WordPress core has become easier as the software has matured; when the process works, it works well and is headache free. Plugin updating is normally easy and goes smoothly. The real security threat is with theme updating. I'm honestly surprised we haven't seen more theme-related exploits in use.
What will work for the majority of WordPress users is basic common sense and a few simple best practices. It is always preferable to run the latest version of every plugin and of the WordPress core, because newer builds often contain security fixes. Install any WP plugins directly from the WordPress Plugins page (the official plugin directory). This reduces your chances of installing a compromised plugin, and you will also be able to read reviews and other feedback about the plugin author. Certain developers have earned a solid reputation over the years, but even trustworthy sources can be compromised.
I'd venture a guess that the vast majority of WordPress sites would remain completely safe as long as they were kept up to date. With basic security practices and the latest version of the WP code, you greatly reduce your risk of being exploited. Here is the one thing I think many people forget: in most cases the open source community keeps each other honest. If there is a real problem, the community almost always makes sure it gets addressed.
The WordPress community and developers have a good track record in dealing with security problems and threats. The core software is updated quickly when a threat or exploitable code is found. When plugins were recently found to contain trojan backdoors, a warning was issued fairly quickly and updates were released to remove the malware. Actually, some of us were never given proper credit for bringing this to everyone's attention.
Unfortunately, most WordPress installers get plugin happy. You should only use the plugins you truly need, and you should completely uninstall any unused plugins rather than merely deactivating them. This reduces your exposure to exploits and should improve server performance. Less clutter is always a good thing.
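As an added example (this is not code from the original post or from the WordPress project), here is a small Python audit script that applies the two practices above: it lists what is installed under wp-content/plugins, compares that against the `active_plugins` option WordPress stores as a PHP-serialized array in wp_options, and flags inactive plugins that should be uninstalled, active plugins that lag behind a known latest version, and entries that are active in the database but no longer on disk. The sample plugin files, the serialized option value and the "latest version" table are all constructed here for the demonstration; in a real audit you would point it at the live plugins directory, pull `active_plugins` from the database, and take the latest versions from the WordPress.org plugin directory.

```python
import re
import tempfile
from pathlib import Path

# Header fields WordPress reads from the comment block at the top of a plugin's main PHP file.
HEADER_FIELDS = ("Plugin Name", "Version")


def parse_plugin_header(php_source):
    """Return {'Plugin Name': ..., 'Version': ...} for a WordPress plugin file,
    or None if the file has no 'Plugin Name:' header line. WordPress itself only
    inspects the first 8 KiB of the file, so do the same."""
    head = php_source[:8192]
    fields = {}
    for name in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$",
                      head, re.MULTILINE | re.IGNORECASE)
        if m:
            fields[name] = m.group(1).strip()
    return fields if "Plugin Name" in fields else None


def parse_active_plugins(serialized):
    """Parse the PHP-serialized array in the `active_plugins` option, for example
    a:1:{i:0;s:9:"hello.php";}. Each entry is s:<byte length>:"<plugin file>";
    so the length prefix, not a search for a closing quote, delimits the value."""
    data = serialized.encode("utf-8")
    entries = []
    pos = 0
    while True:
        start = data.find(b"s:", pos)
        if start < 0:
            break
        len_end = data.index(b":", start + 2)
        length = int(data[start + 2:len_end])
        value_start = len_end + 2           # skip ':"'
        entries.append(data[value_start:value_start + length].decode("utf-8"))
        pos = value_start + length + 2      # skip closing '";'
    return entries


def scan_plugins(plugins_dir):
    """Map 'slug/main.php' (or 'main.php' for a single-file plugin) to its header
    for everything under wp-content/plugins; these are the same keys WordPress
    uses in active_plugins."""
    found = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        if entry.is_file() and entry.suffix == ".php":
            hdr = parse_plugin_header(entry.read_text(errors="replace"))
            if hdr:
                found[entry.name] = hdr
        elif entry.is_dir():
            for php in sorted(entry.glob("*.php")):
                hdr = parse_plugin_header(php.read_text(errors="replace"))
                if hdr:
                    found[f"{entry.name}/{php.name}"] = hdr
    return found


def version_tuple(version):
    """Turn '1.4.2' into (1, 4, 2) for comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def audit(plugins_dir, active_serialized, latest_versions):
    """Report inactive plugins (candidates for removal), active plugins behind the
    known latest version, and active_plugins entries with no files on disk."""
    installed = scan_plugins(plugins_dir)
    active = parse_active_plugins(active_serialized)
    report = {"inactive": [], "outdated": [], "missing": []}
    for key, hdr in installed.items():
        if key not in active:
            report["inactive"].append(key)
            continue
        latest = latest_versions.get(key)
        current = hdr.get("Version", "0")
        if latest and version_tuple(current) < version_tuple(latest):
            report["outdated"].append((key, current, latest))
    report["missing"] = [key for key in active if key not in installed]
    return report


def run_demo():
    """Build a constructed wp-content/plugins tree in a temp dir and audit it."""
    sample_plugins = {  # constructed sample plugins, not real ones
        "example-forms/example-forms.php": ("Example Forms", "1.4.2"),
        "old-gallery/old-gallery.php": ("Old Gallery", "0.9"),
        "hello-example.php": ("Hello Example", "1.0"),
    }
    # Constructed active_plugins value: example-forms is active; stale-widget is
    # recorded as active but its files are gone from disk.
    active = ('a:2:{i:0;s:31:"example-forms/example-forms.php";'
              'i:1;s:29:"stale-widget/stale-widget.php";}')
    latest = {"example-forms/example-forms.php": "1.4.3"}  # constructed directory data
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, (name, ver) in sample_plugins.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
        return audit(root, active, latest)


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section, items)
```

The "inactive" list is the one to act on first: a deactivated plugin's PHP files are still on the web server and still reachable by URL, which is why the post says to uninstall rather than just deactivate.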
There are a large number of WordPress security plugins. Some claim to scan your WP install for vulnerabilities; others state they will provide firewall protection against common types of attack. I've not tested any of these, so I can't give an opinion on their value. A few looked like a major hassle to install, and I also wondered how these security plugins might affect overall site performance.
A security solution that is not properly installed is almost as bad as no security at all. Do some serious research and background checking before installing any security plugin for WordPress, and always download these and any other plugins directly from the WordPress plugin directory.