Is WordPress secure?

WordPress is one of the most popular technologies on the planet, but is it secure?

It sounds like a daft question. It must be reasonably secure by virtue of its popularity. And it is.

That said, like the Windows operating system, its popularity makes it a natural target.

WordPress v6.5, codenamed ‘Regina’, was released in April 2024, more than 20 years after the first version of the content management system (CMS) debuted in May 2003. It’s come a long way over that time, but it never lost a sense of what it is or who it’s for – WordPress is the poster child of user-centric content editing. The CMS of the people.

But just how popular is it?

It depends where you look. Surveys such as W3Techs put WordPress on roughly 43% of all websites, and well over half of the sites that run any known CMS. By some counts that is close to 500 million websites. Let that sink in for a moment. It’s the world’s most popular content management platform, open source or otherwise.

From well-known publications like the New York Times and Time magazine to institutions like Harvard University, WordPress can be found in every corner of the web. And with many, many good reasons.

With great power comes great responsibility

Hackers, botnet operators and malware authors are just as interested in WordPress as aficionados like us.

To continue the Windows analogy: more malware is written for Windows than for any other desktop platform, because a piece of malware written for Windows has far more chances of finding a target.

It’s the same for WordPress. Anyone looking to compromise a web application (or the server it sits on) is naturally going to target popular technologies to be in with the best chance of success.

Nor does “security through obscurity” hold up as the alternative.

Attacks are ever more sophisticated, and often go after the underlying infrastructure, or the people running it (through social engineering), as much as the web application itself. Running a less popular or proprietary (closed source) platform isn’t inherently safer: if it isn’t maintained by a large community and doesn’t receive regular updates, it can easily become the bigger risk.

Thankfully the community surrounding WordPress is as impressive as the number of sites it powers.

Hundreds of thousands, possibly millions, of developers, specialists, consultants, designers and security practitioners have devoted their time and money to the industry. In 2021 the WordPress economy was estimated to be worth a staggering $597bn a year.

The open-source nature of WordPress means anyone can download and read the code. If there’s a problem, we can be reasonably assured some bright spark will find it. Reported issues in core are typically fixed under coordinated disclosure, and since version 3.7 WordPress has pushed minor and security releases to sites automatically by default, so the fix is usually installed on most sites before the details are public and before an exploit has a chance to cause widespread damage.

The picture is murkier for the wider ecosystem of WordPress themes and plugins. Some are paid-for, and most are maintained by a small team or even a single author who might have limited time to investigate and patch reported issues. Each extension is also used by a smaller subset of sites, so it receives less attention from security researchers, and a fix only helps once a site actually installs it. In practice the large majority of disclosed WordPress vulnerabilities are in plugins and themes rather than in core.

Reducing the attack surface

How do we keep our client sites secure?

There are a few golden rules when it comes to hosting secure WordPress websites.

Keeping WordPress core, themes and plugins up to date is the first. Regular patching ensures you benefit from the latest fixes and security enhancements, and it extends to the whole stack underneath: the server operating system, the web server, PHP, the database, and any control-panel or agent software used to administer the server.

We keep third-party plugins to a minimum, preferring a handful of popular, commercially licensed solutions that add real value to an installation. Every plugin runs with the full privileges of the site, so each one you avoid is attack surface you never have to patch. The ones we do use run on millions of other sites, and the revenue they generate for their authors funds regular improvements and updates.

We also harden each installation to make it harder to probe and attack. We move the login page away from its default URL, enable brute-force protection, stop username enumeration, block known bad networks and URLs, and tweak the CMS to reveal less about the installation and its dependencies. Moving the login page only buys obscurity; the rate limiting and multi-factor authentication behind it are what actually stop credential attacks.
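As an added illustration (not code from the original article, nor from WordPress itself), here is a must-use plugin that implements several of those hardening steps with core WordPress hooks: it stops the two common username-enumeration routes, returns a generic login error, strips version disclosure, closes XML-RPC, and adds a per-address lockout after repeated failed logins. The `hx_` names, the two constants and the file name are this example’s own. It deliberately does not rename the login URL or block bad networks; both belong at the web server or WAF rather than in PHP.

```php
<?php
/**
 * Plugin Name: Hardening example (mu-plugin)
 * Description: Added illustration of the hardening steps named in the article.
 * Install as wp-content/mu-plugins/hardening-example.php so it loads before
 * ordinary plugins. The "hx_" prefix and the two constants are this example's
 * own (hypothetical) names, not WordPress APIs.
 */

defined( 'ABSPATH' ) || exit;

const HX_MAX_FAILED  = 5;                       // failures before lockout
const HX_LOCKOUT_TTL = 15 * MINUTE_IN_SECONDS;  // counting window and lockout length

/* ---- 1. Stop username enumeration ---------------------------------- */

// Core redirects /?author=N to /author/<login>/, which leaks the login name.
// Send anonymous callers to the home page instead.
add_action( 'init', function () {
    if ( ! is_user_logged_in() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
} );

// /wp-json/wp/v2/users lists every published author's login to anonymous callers.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// Core's login errors say whether the username exists; return one generic message.
add_filter( 'login_errors', function () {
    return __( 'Login failed. Check your details and try again.' );
} );

/* ---- 2. Reveal less about the installation ------------------------- */

remove_action( 'wp_head', 'wp_generator' );               // <meta name="generator" ...>
add_filter( 'the_generator', '__return_empty_string' );   // RSS/Atom generator tags

// Strip ?ver=<core version> from enqueued assets. Note: this also removes core's
// cache-busting, so pair it with versioned asset builds or a CDN purge on deploy.
$hx_strip_ver = function ( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
};
add_filter( 'style_loader_src',  $hx_strip_ver, 999 );
add_filter( 'script_loader_src', $hx_strip_ver, 999 );

/* ---- 3. Close the XML-RPC brute-force and pingback channels --------- */

add_filter( 'xmlrpc_enabled', '__return_false' );   // authenticated methods, incl. system.multicall
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
// Better still: deny /xmlrpc.php at the web server or WAF so PHP never runs for it.

/* ---- 4. Brute-force lockout per client address --------------------- */

// Assumes REMOTE_ADDR is the real client address (set by your proxy or WAF, not
// taken from X-Forwarded-For); otherwise the lockout keys on the proxy itself.
function hx_client_key() {
    return 'hx_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

add_action( 'wp_login_failed', function () {
    $key = hx_client_key();
    // Each failure bumps the counter and restarts the window (sliding lockout).
    set_transient( $key, (int) get_transient( $key ) + 1, HX_LOCKOUT_TTL );
} );

add_action( 'wp_login', function () {
    delete_transient( hx_client_key() );   // a successful login clears the counter
} );

// Priority 99 runs after core's username/password handler (priority 20), so a
// correct password from a locked-out address is still refused.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( hx_client_key() ) >= HX_MAX_FAILED ) {
        return new WP_Error(
            'hx_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 99, 1 );
```

The lockout uses transients, which on a single server live in the options table or the object cache; on a load-balanced cluster point the object cache at a shared store (Redis or Memcached) or the counters will differ per node. A web-server rate limit on `/wp-login.php` is a cheaper first line of defence and should sit in front of this in any case.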

It doesn’t stop there!

Access to our servers and critical infrastructure is strictly controlled and monitored. Multi-factor authentication is enabled everywhere. We run regular malware scans. Traffic is routed through an enterprise-grade Web Application Firewall (WAF) with custom rulesets. Server resources are monitored 24/7/365. We subscribe to third-party penetration testing tools…

…It’s fair to say we take a belt and braces approach to hosting and delivery, particularly when it comes to security. We recommend you do, too.

Plan for the best, prepare for the worst

Does that mean we’re bulletproof?

No, unfortunately not. Where there’s a will there’s a way. Our efforts help to secure our digital estate against those looking for quick wins or easy targets, but no technology (or process) is perfect and we have to imagine a day when it all goes horribly wrong.

Thankfully that hasn’t happened yet, but if it did we like to think we are prepared.

Having a solid, tested disaster recovery and business continuity plan is an important component of good security posture. No one wants to envision a day when their servers are compromised or a client website is defaced. But facing that scenario without a clear, rehearsed remediation plan is arguably worse.

Our servers are backed up every day, and those backups are held in multiple locations, both on-site and off-site. Our web and database servers are imaged each day. We keep copies of our DNS records and have fallback redundancy systems in place. We host our applications on a load-balanced, highly available infrastructure that spans multiple datacentres in case one fails.

It might take us anywhere from a few minutes to a few hours to get our systems and sites back up and running in the event of a disaster, but that’s far better than not being able to recover at all. The only way to know that figure, and to know the backups are actually restorable, is to rehearse the restore.

In summary

WordPress is popular and secure, especially if it’s maintained by experts.

At more than 20 years old, WordPress today is a mature and well-maintained CMS. When combined with good development practices, regular maintenance and a robust hosting infrastructure, it offers peace of mind for us, our clients and their stakeholders.

  • Regular updates for the CMS, plugins, operating systems and middleware
  • Harden and protect the installation to reduce the attack surface
  • Ensure you have visibility and monitoring over the digital estate
  • Choose a reliable hosting provider, even if that is more expensive
  • Make sure you have a robust backup, disaster recovery and continuity plan in place

We LOVE talking about all things WordPress, so please contact us if you would like to know more or discuss how we can help support your digital presence.