If you follow the WordPress blogosphere, you’d be forgiven for thinking that WordPress is riddled with security vulnerabilities and that you’d be crazy to build your site on a platform that is likely to be hacked five minutes after you install it. So, why not dive in a bit into WordPress security issues! In recent months, whenever I’ve advised someone to use WordPress to build their site, I’ve inevitably been met with the response: «But isn’t WordPress insecure?» That’s a reasonable response given the available information, but I think it’s largely due to a misunderstanding about the nature of software and the way that an open source development community goes about minimizing the impact of security vulnerabilities.
All Software Is Insecure
It’s a sobering thought, but there is no such thing as perfectly secure software. As Quinn Norton recently pointed out, Everything Is Broken. The truth is that we don’t know how to build software that is perfectly secure, feature-rich, and economical. You can have two out of three. Feature-rich and perfectly secure software are massively expensive to create, which is why almost no one does. You can have truly secure and economical software, but no one would want to use it because it wouldn’t do very much. Or you can have feature-rich software that consumes a reasonable amount of resources to create, but it’s not going to be perfectly secure.
The software is one of the most complex human endeavors and it consists of hundreds and thousands of moving parts all of which interact with each other. Sometimes those interactions are unpredictable, and sometimes people make mistakes. In this WordPress security is no different from any other piece of software: it has vulnerabilities, its plugins have vulnerabilities, and it’s unlikely that will ever change. It’s cold comfort, but you can replace WordPress with any other content management system and the previous sentence would still be true.
Because WordPress is hugely popular, everyone’s attention is fixed on any problem that impacts WordPress users, so when a WordPress security problem occurs, everyone hears about it.
At Least You Know About It
That we hear about WordPress security vulnerabilities is, counterintuitively, evidence that the WordPress ecosystem’s immune system is functioning properly. Once you accept that all software is vulnerable, you have to look at how those vulnerabilities are handled by the development community. WordPress is open source, which means that development takes place in the open — that’s how we know about the vulnerabilities in the first place, unlike in the closed software world where you’ll get an update every now and then with a vague «security update» label.
WordPress developers and white hat security researchers are in a constant battle with online criminals to close vulnerabilities before they cause problems, and the WordPress blogosphere is part of the process. You are aware of WordPress vulnerabilities because publicizing those vulnerabilities is part of the process of rendering them innocuous.
WordPress Site Owners Should Play Their Part
The WordPress immune system can only work if individual WordPress site owners play their role in the process. Vulnerabilities in WordPress are discovered, fixed, and pushed out to the millions of WordPress sites as updates. If you don’t update your WordPress sites, then they remain vulnerable, which puts your users at risk. Site owners are on the front line of a battle and they should play their part.
Is WordPress Insecure?
Yes and no. WordPress is a complex piece of software, so it is bound to contain at least some vulnerabilities, but the open source development process, the responsible disclosure doctrine, and conscientious users work together to make sure that it is as secure as humanly possible.