WordPress Security — Concerns and General Advice for Prevention
A search of the National Vulnerability Database for the term wordpress revealed some interesting statistics. Over the years, WordPress has had an increasing number of vulnerabilities, from 2 in 2004 to 63 in 2007.
Although it is an apples-to-oranges comparison, WordPress is usually compared head to head with Drupal and Joomla, so here is a table showing the statistics for those content management systems:
| Platform | 2004 | 2005 | 2006 | 2007 | 2008 |
|---|---|---|---|---|---|
| WordPress | 2 | 13 | 21 | 63 | 58 |
| Drupal | 0 | 8 | 37 | 39 | 79 |
| Joomla | - | 4 | 70 | 76 | 117 |
From the table above, you can see that the more complex CMS solutions have had a larger number of vulnerabilities in recent years than WordPress. However, webmasters who use WordPress should still be concerned about the figures.
Switching to Another Web Publishing Tool — A Solution?
I read on a public forum the other day (and on a few blogs too) people recommending against using WordPress for security reasons. For them, WordPress is not worth the hassle just because it is vulnerable.
But let’s look at it from a few standpoints. If you ask any web developer, they would agree that it is very hard to make a group project of any decent size 100 percent secure. Also take into account the fact that WordPress has become very popular in recent years.
Perhaps a better analogy is to compare this situation with the Firefox vs IE security debates. While it is believed Firefox is a better and more secure browser, it currently has a larger number of vulnerabilities than IE. The good news is that, because Firefox is a community project with available source code, fixes are made available soon after exploits are found.
With the availability of source code, one would argue that it also makes it easier to locate points of attack.
Just as with Firefox, a fix for a WordPress problem is usually available within minutes, but news of it spreads for weeks afterwards. Some bloggers are very fast, but most are still writing about the issue long after it first appeared.
Switching to another solution is only a workaround at this point, in my opinion: the absence of reports about a CMS does not mean it is secure. Perhaps its user base is so small that nobody has discovered its vulnerabilities yet.
Add to that the fact that it is actually possible to harden a WordPress installation if you take the time to do it. Is it worth it? Yes, I’d say. And considering the size of the WordPress community, I think fixing and auditing security is more of an option than switching.
How to Secure Your WordPress Blog
This is the first of a series of planned articles on how to install WordPress, and how to harden it if you already have a WordPress blog running.
It is not possible to cover everything in one post, but if I had to give a few suggestions to keep you on the safe side, they would be:
- Increase your awareness. Subscribe to the WordPress Development Blog. It should be on your list of feeds so you stay up to date on recent developments, including security issues.
- Update. WordPress takes only a few minutes to update, so spend some time at the end of the day to do so. I prefer to allocate some time on the weekend, though. By update, I don’t mean just the core WordPress code, but the plugins as well.
- Use supported themes. If you are not a theme designer, make sure you use a theme that is well supported, so that if there are problems you know who to turn to for a solution.
- Backup often. There is no reason not to, because you can easily schedule backups of your WordPress database and files. Better safe than sorry.
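As an added example of the "backup often" and "update" advice above (this script is not from the original post and is not WordPress’s own tooling), here is a POSIX shell script that can be scheduled from cron. It reads the database credentials out of wp-config.php so it carries no secrets of its own, dumps the database, records the installed core version from wp-includes/version.php alongside the files, tars everything up, pushes the archive off-site and prunes old local copies. The paths, the OFFSITE target and the 14-day retention are assumptions; change them for your own hosting.

```shell
#!/bin/sh
# Added example: scheduled WordPress backup with an off-site copy.
# Assumptions (hypothetical): WordPress lives in $WP_ROOT, archives are
# staged in $BACKUP_DIR, and $OFFSITE is an rsync-over-ssh target you
# control. Requires mysqldump, tar and rsync on the web host.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/wordpress}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
OFFSITE="${OFFSITE:-backup@backup.example.net:wordpress/}"   # placeholder host
KEEP_DAYS="${KEEP_DAYS:-14}"

# Pull a define('KEY', 'value') setting out of wp-config.php so the
# script never needs credentials of its own. Accepts single or double
# quotes and surrounding whitespace.
wp_config_value() {
    key="$1"; config="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Read the installed core version from wp-includes/version.php so the
# backup records which WordPress release the database schema belongs to.
wp_core_version() {
    sed -n "s/^[[:space:]]*[\$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1/wp-includes/version.php" | head -n 1
}

# Archive name for a given install directory and timestamp (kept separate
# so it can be checked without running a real backup).
backup_name() {
    printf 'wp-%s-%s.tar.gz' "$(basename "$1")" "$2"
}

wp_backup() {
    stamp="$(date +%Y%m%d-%H%M%S)"
    work="$BACKUP_DIR/$stamp"
    mkdir -p "$work"
    chmod 700 "$BACKUP_DIR" "$work"   # dumps contain credentials and user data

    cfg="$WP_ROOT/wp-config.php"
    db_name="$(wp_config_value DB_NAME "$cfg")"
    db_user="$(wp_config_value DB_USER "$cfg")"
    db_pass="$(wp_config_value DB_PASSWORD "$cfg")"
    db_host="$(wp_config_value DB_HOST "$cfg")"

    # The password is passed through MYSQL_PWD rather than on the command
    # line so it does not appear in the process list while the dump runs.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction \
        -h "${db_host:-localhost}" -u "$db_user" "$db_name" > "$work/database.sql"

    # Manifest: which core version the files and schema belong to.
    printf 'wordpress_version=%s\ncreated=%s\n' \
        "$(wp_core_version "$WP_ROOT")" "$stamp" > "$work/MANIFEST"

    archive="$BACKUP_DIR/$(backup_name "$WP_ROOT" "$stamp")"
    tar -czf "$archive" -C "$WP_ROOT" . -C "$work" database.sql MANIFEST
    rm -rf "$work"

    # Off-site copy: a local backup does not help if the host itself is lost.
    rsync -a -e ssh "$archive" "$OFFSITE"

    # Keep local disk usage bounded; the off-site side keeps its own history.
    find "$BACKUP_DIR" -maxdepth 1 -name 'wp-*.tar.gz' -mtime "+$KEEP_DAYS" -delete
    echo "backup written: $archive"
}

# Only run the backup when explicitly asked, so the functions can be sourced.
if [ "${WP_BACKUP_RUN:-0}" = "1" ]; then
    wp_backup
fi
```

A weekly run from the web server’s crontab would look like `0 3 * * 0 WP_BACKUP_RUN=1 /usr/local/bin/wp-backup.sh`, with an ssh key (restricted to rsync on the remote side) for the off-site account. Restoring is the reverse: unpack the archive into the document root and load database.sql with the mysql client; the MANIFEST tells you which WordPress release the dump expects, which matters if you restore onto a freshly updated install.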
Even with these measures, there is no guarantee you will never experience a security breach on your WordPress blog, because there is always the possibility of new exploits being found. Hopefully, crackers who find your site better updated than other blogs will choose not to spend their time on it.
But if you have a fresh backup off-site, you can always update and restore your data.
Other articles:
- How to Install WordPress Securely