Is WordPress Secure? Can you build complex websites with WordPress?

I read with interest an article in a local Norwest publication making the claim that, due to WordPress being widely used and Open Source, it is a security risk. Also that, due to it being ‘unsophisticated’, you cannot build complex websites on it.

These statements are so wrong and ill-considered that it’s difficult to know where to start… But I’ll start with the security aspects.

  1. Open Source does not imply a security risk. Because the WordPress source code is available to every engineer who works with it, thousands of skilled people can examine and improve its security over time, and flaws are found and fixed in the open rather than left hidden. WordPress releases updates frequently, both to add features and to fix security problems, and minor and security releases are now applied automatically (since WordPress 3.7). What matters is not whether the code is public but how quickly fixes are applied once released: an unpatched installation is what attackers look for, not the published source. By way of comparison, the Java platform is open source and runs in everything from your car and your TV to your smartphone, yet you would not call those devices insecure because their source is published.
  2. WordPress is used by over 60 million websites worldwide. A platform does not reach that level of use without being capable of being run securely. That popularity does make WordPress a favourite target, but what those attacks find are out-of-date installations and badly configured hosting, not weaknesses unique to the platform.
  3. WordPress is only as secure as the hosting it runs on. It has been my experience that most attacks on WordPress sites succeed because the hosting was not set up to run WordPress securely. Weak FTP passwords, for instance, are one of the most common ways websites are compromised, and plain FTP makes it worse by sending the password unencrypted across the network; use SFTP or SCP instead, with a password that cannot be guessed. This applies equally to Drupal and other frameworks.

At Aykira we have created a hosting framework particularly well suited to hosting WordPress websites both reliably and securely. The hosting framework provides multiple levels of protection against attacks using several techniques:

  • Request filtering – Malformed or otherwise invalid requests are rejected at the server before they ever reach WordPress.
  • Minimal permissions – WordPress runs with only the access it actually needs and nothing more: it can read its own files and write only where it must, such as the uploads directory.
  • Active traffic monitoring – Attacks on websites tend to follow patterns that can be analysed and blocked en masse.

So far (touch wood) no attacker has got anywhere near breaking into our hosting framework; they often have a go, then give up and move on to far easier targets. Such is life on the Internet: attackers are probing every website all the time. Security is something we take very seriously and something we actively invest in on behalf of our clients to keep the websites we host secure.

For instance, there has recently been an increase in co-ordinated dictionary attacks against WordPress and other CMSs with web logins, attempting to guess passwords and gain admin access to the websites. Our framework notified us of the rise in these attacks; we analysed the attack patterns and modified the active monitoring to identify and block them. Within 24 hours the attacks stopped, as those running them realised it was ineffective against our hosting. Did your hosting provider do anything specifically to deal with this? We also notified our clients to make them aware of the attack and let them know the issue was in hand.
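To make two of the techniques above concrete (dropping malformed requests, and picking a login dictionary attack like the one just described out of ordinary traffic), here is an added example. It is not part of Aykira's hosting framework or of the original post; it is a small Python analyser over constructed Apache/Nginx combined-format log lines. The addresses, timestamps and the threshold of 10 failed logins per 60 seconds are all assumptions chosen for the illustration. It relies on one piece of real WordPress behaviour: a failed login POST to wp-login.php re-renders the form with HTTP 200, while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format; everything after the status code is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Parse one combined-format line. 'malformed' is set when the request line
    is not '<METHOD> <path> HTTP/x.y', i.e. the kind of request that request
    filtering rejects outright. Returns None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = m.group("req").split(" ")
    malformed = (
        len(parts) != 3
        or parts[0] not in METHODS
        or not parts[1].startswith("/")
        or not parts[2].startswith("HTTP/")
    )
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": None if malformed else parts[0],
        "path": None if malformed else parts[1].split("?", 1)[0],
        "status": int(m.group("status")),
        "malformed": malformed,
    }


def is_failed_login(rec):
    """A failed WordPress login POST answers 200 (form shown again with an
    error); a successful one answers 302 (redirect to wp-admin)."""
    return (
        not rec["malformed"]
        and rec["method"] == "POST"
        and rec["path"] == LOGIN_PATH
        and rec["status"] == 200
    )


def analyse(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return the addresses to block and why: senders of malformed requests,
    and addresses with `threshold` failed logins inside any `window`."""
    failed = defaultdict(list)  # ip -> timestamps of failed login POSTs
    malformed = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["malformed"]:
            malformed.add(rec["ip"])
        elif is_failed_login(rec):
            failed[rec["ip"]].append(rec["ts"])

    dictionary = {}
    for ip, stamps in failed.items():
        stamps.sort()
        # Sliding window: does any run of `threshold` failures fit inside `window`?
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                dictionary[ip] = len(stamps)
                break
    return {
        "malformed": sorted(malformed),
        "dictionary": dictionary,
        "block": sorted(malformed | set(dictionary)),
    }


def _line(ip, second, req, status):
    # Constructed log line at 11:02:<second> on a fixed day; not real traffic.
    return (f'{ip} - - [10/Apr/2013:11:02:{second:02d} +1000] '
            f'"{req}" {status} 1024 "-" "Mozilla/5.0"')


SAMPLE_LOG = "\n".join(
    # 12 password guesses from one address in 22 seconds: a dictionary attack.
    [_line("203.0.113.7", 2 * i, "POST /wp-login.php HTTP/1.1", 200) for i in range(12)]
    # A real user: one mistyped password (200), then a successful login (302).
    + [_line("198.51.100.20", 5, "POST /wp-login.php HTTP/1.1", 200),
       _line("198.51.100.20", 20, "POST /wp-login.php HTTP/1.1", 302),
       _line("198.51.100.20", 21, "GET /wp-admin/ HTTP/1.1", 200)]
    # Raw TLS bytes sent to the plain HTTP port, as Apache escapes them:
    # not an HTTP request at all, which is what request filtering drops.
    + [_line("192.0.2.9", 30, r"\x16\x03\x01\x00\xa5\x01", 400)]
)

if __name__ == "__main__":
    for ip in analyse(SAMPLE_LOG)["block"]:
        print("block", ip)
```

Run against the constructed sample, it blocks 203.0.113.7 (12 failures inside the window) and 192.0.2.9 (malformed request) and leaves the genuine user alone. In a real deployment the output would feed a firewall rule or fail2ban-style jail, and the threshold and window are the knobs to tune once you have looked at your own attack patterns, which is exactly the step described in the paragraph above.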

So, the question really comes down to this:

Would you host with a business who has the direct professional security & technical expertise to maintain your website security or go with a business who tries to use FUD (Fear, Uncertainty and Doubt) techniques to gain your business?

As regards WordPress not being able to run ‘complex’ websites, that is utter rubbish. WordPress is designed to be extended and scaled: there are many ways of adding functionality, and it is quite capable of running fully featured e-commerce websites, forums, listings services, mailing lists, multiple blogs and so on. It has over 12,000 plugins. You can give different users different roles, define new roles, and specify what each role can do or access down to an individual page or set of pages. Some of the world's biggest websites run on WordPress. And if there is something specific you need, a plugin can be written (by us) to add it.

For instance the website you are reading this on is based on WordPress – would you say it is ‘unsophisticated’? I think not.

Also do not worry about the GPL licence. What it means is that if you sell or supply a CMS based on WordPress to someone else, you must make the source code available to the people you supply it to. If you simply operate a website that uses custom plugins and data, there is no requirement to provide source code to the people who visit it. The GPL also does not cover the data in the website at all; it applies only to code. So if you do not intend to distribute plugins to third parties, the GPL will not affect you. If you are really worried about this, there are ways of keeping proprietary code completely separate from WordPress while still interacting with it through WordPress, and we know how to do this.

If you would like to talk to Aykira about hosting your website, or you are looking to do something special online, please get in touch today with your local Internet professionals.