Is WordPress a Secure Platform?


When it comes to WordPress scrutiny, security is at the top of the list of concerns. Is this because WordPress is NOT secure? Is WordPress vulnerable and highly susceptible to attack? No, not quite. A more accurate statement would be that WordPress is susceptible to bad implementation that can create vulnerabilities. For example, as a tech-savvy, desk-bound developer, I’m not what you would call “handy with a hammer.” So if I were provided with the blueprints and materials needed to build a simple house or structure, the truth is that the integrity and craftsmanship of my work would be incomparable to that of an experienced carpenter. I would never trust my novice craftsmanship to stand against the durability of work done by someone skilled for that purpose.

All of this to say that when we discuss the integrity of WordPress as a web solution, what we’re really examining is the following:

  • The Materials – PHP and MySQL
  • The Blueprints – WordPress design patterns and the approach of an open-source project
  • The Contractor – The person(s) building the website or application

“The Materials” have undergone their own investigation and are solid tools for our purpose. For the sake of this article we’re going to focus on WordPress and how it is implemented, to determine what it means to be secure.

Open Source Projects

The beauty of open source projects is the “free”-dom we have to use, implement, and adapt the work of someone else to fit our intentions and purposes. But there is a glaring fact within the context of our conversation: it is “open-source,” meaning freely available both to developers wanting to build with it and to hackers wanting to find weaknesses and tear it down. Add to that the fact that WordPress owns about 25% of the internet as a whole, and you’ve just put a big target on its back. Now that we’re being honest about some of the facts, let’s not dismiss WordPress out of fear of these things, but rather look at the other side of the coin.

WordPress continues to grow because, despite these known concerns, WordPress core is still stable and secure. It should be added that just as an open-source project is susceptible to investigation by ill-willed attackers, it is also open to the same interrogation by good-willed developers (a very large community of them). So with each new release WordPress and its community become stronger and more aware of the surrounding threats.

Hire a Professional

“If you think it’s expensive to hire a professional to do the job, wait until you hire an amateur.” - Red Adair

The truth is that the question of security when it comes to WordPress comes down to the implementation; “the craftsmanship of the carpenter,” so to speak. WordPress is a platform that has advertised itself for years as a DIY project, and for the technically inclined there is much truth in that, but if you ever browse some Pinterest Fails you’ll learn all too quickly that it isn’t an absolute truth. So if you want something built right, hire a professional who is seasoned in the challenges that come with developing a web-based project.

For the “Do-It-Yourselfer”

The point of this post is not to market the services of Div Truth, but to give some perspective on the question of security when it comes to WordPress. With that said, let me share some simple, practical steps you can take when setting up your own self-hosted WordPress application or website. Below is a link to a post of best practices that I’ve compiled to help lock down the perimeter of your WordPress installation. Feel free to implement any or all of the layers of protection that you feel comfortable handling.

Self-Hosted WordPress Installation Best Practice
