Mythbusting continued: WordPress security


This is the second post in a series. The first post touches on a number of misconceptions about WordPress. This one addresses security.

Security is an utmost priority for any organization’s website. This is especially important for Alley’s clients, who include leading newspapers, media networks, think tanks, and universities. While it’s widely known that WordPress is an unbeatable choice when it comes to content publishing, editorial usability, and performance, we sometimes hear concerns about WordPress’s security. 

WordPress itself is fundamentally secure and extremely stable. The vast majority of security issues with WordPress sites are caused by avoidable errors: failing to update WordPress core, using unvetted plugins, and using insecure passwords. Security-oriented developers will have automated linting systems and code review processes in place to ensure these mistakes aren’t made. 

The widespread popularity of WordPress is both the source of its security woes and the reason that the software itself is extremely secure. Because WordPress is accessible to any web developer and there are millions of WordPress sites on the web, many of these sites are not well maintained or even initially built using best practices.

WordPress, an open source software, is regularly maintained and updated, especially to prevent and mitigate security vulnerabilities. Major WordPress releases aren’t automatically installed, and diligent developers need to be sure their sites are updated to prevent security problems. Alley and other top WordPress companies like WordPress VIP have procedures in place to preemptively identify any potential security issues before they make it to your server, and staying abreast of the latest activity in WordPress Core is a major part of this effort.

Plugins, which are essentially packaged pieces of code that can be “plugged in” to achieve specific functionality, can introduce security vulnerabilities if not properly evaluated or kept up to date after being installed. At Alley, we ensure that all plugins installed on our client’s sites undergo thorough automated and manual security reviews. 

WordPress’s ubiquity makes it an obvious target for bad actors. Hackers target the CMS by writing scripts to brute-force guess passwords. To address this problem, WordPress encourages users to generate unique, strong passwords and to further secure user logins by using two-factor authentication and setting up brute-force protection on log-in forms. Login can also be managed through an existing authentication system using LDAP or OAuth protocols if in-house IT teams are better able to manage such accounts. The right approach will depend on how the CMS will be used and who needs access.

Despite the challenges associated with being the world’s most popular content management system, WordPress’s widespread adoption means it’s the most vetted and tested content management system available. The dedicated WordPress Security Team, made up of approximately 50 experts including lead developers and security researchers, is proactive in its approach and is responsible for ensuring that potential vulnerabilities are put forward and fixed as soon as possible. WordPress security is further improved by hosting with a professional and experienced platform, which adds an additional layer of protection against common vulnerabilities and attack vectors. 

When you work with a partner who can provide expertise in security, WordPress is one of the most secure options available.

To learn more about WordPress security, visit the Security Team page or check out WordPress VIP’s information resource.

Photo by chris panas on Unsplash