
WordPress Security

Many business websites run on WordPress, but many of the people who are (or should be) concerned about risk don’t understand the complexities within the WordPress ecosystem. And it is exactly that: an ecosystem.

WordPress is a framework, not just a static website template. It runs on the PHP programming language, which was designed for Web 2.0, the interactive web of today. Because it is backed by a programming language rather than just the text formatting language of HTML, it comes with additional risks.

First and foremost of these risks are the plugins. There are approximately 50,000 plugins available for WordPress. Some of these are small and meant to perform a single task (like forcing your site to use HTTPS only), while others are large and attempt to solve many problems (like social media integration, advertising, SEO optimization, statistics, analytics, etc.). As complexity increases, so does risk. The two best things you can do when using a plugin are:

  1. Investigate the plugin prior to installation and activation
    1. Read the reviews – are they good? Bad? Use known and trusted sources to find a plugin for your need.
    2. Search for it on Google – are there known vulnerabilities? Are they major or minor? Are the results glowing or dire?
    3. Check the update history – is it still being maintained? Have there been any recent updates?
  2. Keep it updated – check the WordPress dashboard for update alerts regularly

Just as you should keep your plugins updated, you should also keep the WordPress framework updated. The dashboard will regularly alert you when new releases are available.

There are plugins that will auto-update both plugins and the WordPress framework. However, you should consider the risk trade-offs of automatic versus manual updates. Automatic updates will ensure your site is always running the latest version of WordPress and its plugins. The update process might not always work as advertised, though. By updating manually you have more control over the process: if an update does go badly, you can more easily back out of it and restore your site to proper working order. If an automatic update goes badly, you may not even know until users start complaining. Your circumstances will help you decide whether to choose an automatic or manual update process.

Many of the usual security precautions are in play here as well. Your site should only be accessible over HTTPS; there is no reason to have an unencrypted HTTP connection for a WordPress site today. The same strong password rules also apply. There are numerous password brute force tools out there for WordPress, and articles on their use in the wild seem like an almost weekly occurrence. Minimal is also best. Don’t continue to run plugins that you aren’t using. If they aren’t in use, deactivate them. If they aren’t going to be activated again soon, delete them. The same goes for unused themes. Remove them.
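The plugin hygiene described above (update what is active, deactivate and delete what is not) can be turned into a repeatable check. The script below is an added example, not part of the original post: it reads the CSV that `wp plugin list --format=csv` (WP-CLI) produces and prints one recommendation per plugin. The sample CSV is constructed for the demonstration, not captured from a real site; the same function works on `wp theme list --format=csv`, whose columns match.

```shell
#!/bin/sh
# Constructed sample of `wp plugin list --format=csv` output (name,status,update,version).
SAMPLE_CSV='name,status,update,version
akismet,active,available,5.0
hello,inactive,none,1.7.2
forms-widget,inactive,available,2.1
ssl-redirect,active,none,1.3'

# Read plugin CSV on stdin and print one line per plugin:
#   DELETE <name>  - inactive plugin: not in use, so it is only attack surface
#   UPDATE <name>  - active plugin with an update available
#   OK <name>      - active and current
audit_plugins() {
    awk -F, 'NR > 1 {
        name = $1; status = $2; update = $3
        if (status == "inactive")       print "DELETE " name
        else if (update == "available") print "UPDATE " name
        else                            print "OK " name
    }'
}

# Number of findings that need action; usable as a gate in a scheduled job
# (a non-zero count means the site needs attention).
count_actions() {
    audit_plugins | grep -c -E '^(UPDATE|DELETE) ' || true
}

# Stand-alone demonstration on the constructed sample.
# Real usage on a site:  wp plugin list --format=csv | audit_plugins
printf '%s\n' "$SAMPLE_CSV" | audit_plugins
```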

Ultimately, WordPress is a great tool for designing a flexible website with numerous active components to meet the needs of many businesses. While some people shun it based on reported flaws and vulnerabilities, you shouldn’t follow suit blindly. Every piece of software has flaws. Major pieces of software have many flaws. The greater concern should be the severity of the risk from those flaws and how quickly they are patched by the developer. Make an informed decision about risk, put processes in place to manage that risk, and then make use of software packages like WordPress to empower your business. If we abandoned all software just because it had flaws, we’d be stuck with stone tablets.