Avid readers of ZDNet have noticed that we ran a number of articles in recent weeks and months about security issues found in the popular WordPress CMS and blogging platform. Even the FBI issued a warning about WordPress sites being vulnerable to hacking by ISIS.
This has raised the question: is it safe to use WordPress? One reader asked me, if WordPress is safe, why there are so many reports about problems? In this article, I'll answer both of those questions.
First, let's talk about what WordPress is. There are two main variants of WordPress. There's the hosted WordPress.com service run by a commercial entity called Automattic. Then there's the open-source WordPress software that is installed and operated by millions of people worldwide.
I wrote a detailed article about the differences in the two, but for today's discussion, it's important to understand that WordPress.com is a closed ecosystem where you can only run a limited set of themes and plugins. In the open-source environment, you can do pretty much anything.
Some of the exploits have applied to both WordPress.com and the open-source installations, while others apply only to the open version used by sites across the Internet.
Before I go on, I'll tell you this. I run more than ten sites on WordPress. I also manage and support a number of open-source, free WordPress plugins used by more than 215,000 sites. A few years ago, I ported the entire ZATZ Archive into WordPress. In other words, I've got some experience with this.
And, in 2014, one of my sites got hacked, and it was my own fault. In fact, that experience ties in directly with the answers to the above questions: is it safe and why are their so many reports?
WordPress is enormously popular
WordPress runs on more than 23 percent of all Web sites on the Web and WordPress powers more than 60 percent of all sites using known content management systems. In other words, it's massive.
It also makes a very juicy target for hackers, simply because of the enormous installed base. So the first factor explaining why you're hearing so much about WordPress is because it's huge.
WordPress is an open environment
The second factor is that it's an open environment. Let me explain what that means in WordPress terms. WordPress generally consists of three main elements: the core code that makes up the WordPress install, themes (which determine how sites look and behave), and plugins (which extend WordPress in interesting ways).
While the core is maintained by a large group of volunteers who take incredible care with the system's code, themes and plugins are built by a great many developers. Think of themes and plugins as apps you'd find on the Android or Apple app stores. They're made by many people, some extremely skilled and some not so much.
Like with app stores, WordPress repositories take some measurable care in what is listed for users to use. Themes on WordPress.org go through a testing process and plugins go through an initial vetting before they're first allowed to be posted.
But themes and plugins are also available from many other sources, including -- and this is a real threat -- unscrupulous hackers who get their hands on commercial themes, embed malware in them, and then give them away online to people willing to be suckered into "too good to be true" in return for a deal.
Because of the enormous size of the WordPress installed base and the complexity of the ecosystem, vulnerabilities do creep in. It would be unnatural to expect otherwise.
Managing your site
The key to the question of safety is how you manage your site, given that knowledge.
I mentioned I got hacked a year or so ago. The reason was simple: I set up my site and then ignored it for a few years. WordPress updates very regularly, but until recently, it didn't have an automatic update mechanism. I simply put my sites up and went on with other business.
Bad idea. It would be like installing Windows XP and just letting it be on the Internet.
WordPress can be a very safe environment, but it needs to be managed. The open-source developers are very diligent and patch the code as soon as any vulnerabilities are found.
Zero days rarely impact Web sites. The issue is when a site doesn't update to a new version. Today, you can set up your WordPress site to automatically check and update itself. I woke up this morning with a bunch of email messages from my sites letting me know they had been updated.
But I do more. I now use management services that keep an eye on my sites and check the versions of my plugins and themes. As a result, I can update all my themes and plugins with a single click. They also automatically back up my sites to S3 and other storage pools, so if something catastrophic happens, I can revert back to an earlier image.
This was big a few weeks ago when version 4.2 came out, because there were 67 individual elements across my sites that needed updating. I just clicked one button and they were all up to date.
I also use a managed hosting service that constantly checks my sites for malware. They also check to see if any of the code running on the site needs upgrading and they're approved (and paid) to do automatic upgrades when necessary.
This doesn't cost all that much. For all my sites, I pay something on the order of fifty bucks a month. It's not free, but it also means my sites are reasonably secure.
Can you trust WordPress?
So what does this mean for you? Should you trust WordPress?
My recommendation, with some caveats, is yes. Here are the conditions to that answer:
- If you are unwilling to do any maintenance or management whatsoever, either use the hosted WordPress.com service or hire someone to manage your site.
- If you want the ability to customize your site, you need to keep everything updated regularly. It is well worth investing in either managed hosting or a maintenance service to make that easier.
- If you try to cheat the game by downloading commercial plugins or themes for free from "off-brand" sites, you will get hacked. Worse, you will likely deliver malware to your site's visitors.
I really enjoy using WordPress and I'm very impressed with it and the community. I built my own CMS and ran the ZATZ sites on it for 16 years, and I chose WordPress as their new environment after looking at many other tools, Joomla and Drupal included.
The WordPress community is extremely diligent in their efforts to keep WordPress secure and as long as you use best practices, you're going to be as safe as you would be with any other environment.
But it's important to keep one truth in mind: The Internet and all our connected technology is, together, a living beast. There is no longer any safe "set-it-and-forget-it". You must update regularly because there are bad guys out there.
It doesn't matter whether you're using a Web environment like WordPress or an app from the Play Store or Windows 8.1 or 10, or even iOS. Everything is a target, everything has some level of vulnerability, and everything needs to be updated constantly.