WordPress security is a concern. I was just talking to a sysadmin the other day and he made an off-hand comment about the hardening of their frontend: “Well, it’s WordPress, so…”. What he was getting at is that WordPress is known for its lack of security.
WordPress is a packaged piece of software that may have more functionality than you need. This goes against the good security practice of running only exactly what is required. That practice reduces your attack surface, but it isn’t always realistic given business concerns. Generally, WordPress allows for a shorter development cycle and a faster path to a working product. We once built a full-fledged store in a week for a customer that needed it done fast. The site went on to make them tens of thousands of dollars, because we were able to get to market in time with the product and site.
The core of WordPress itself can be considered relatively secure. Why? Because there are thousands of people and businesses around the world who have an interest in making it so. As an open source project, everyone involved and everyone who uses it, if they have the technical know-how, is also invested in making it as good as possible. It is similar to how people don’t purposefully crash into each other when they drive: they value their own car and life as well, so they obey the rules of the road.
The biggest problem with WordPress security is plugins. These are third-party add-ons whose security is probably not the best. Why? Because they are built by random people or companies all over the world. Going with reputable companies and paid plugins is best, but honestly, when the business needs certain functionality and needs it now, security takes a back seat.
What we add to provide some protection is a two-layer system. We run an intrusion detection system, Snort, at the firewall layer, and we run the free version of Wordfence on all our newer websites by default. This is a great step in the right direction: Wordfence includes its own web application firewall, daily security/malware scans, and IP blocking.
Just yesterday one of our sites had someone getting in. There were over 250 malicious files on the site. We moved it to a more secure server, ran a Wordfence scan, and were able to completely clean up the website. We also manually went in and searched through the WordPress directory to look for files that looked compromising and adjusted the file permissions for better access control to individual files.
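The manual sweep and permission tightening described above, as an added example (this is not Altha Technology’s own tooling, and the sample site tree it builds is constructed, not a real install): it lists files a cleanup would flag, namely PHP dropped into wp-content/uploads and anything world-writable, then applies the conventional 755/644 baseline with wp-config.php locked to its owner.

```bash
#!/usr/bin/env bash
# Added example: audit and harden a WordPress install's file layout.
set -u

# Print suspicious files under a WordPress root, one per line, tagged by reason.
audit_wp_files() {
    local root="$1"
    # WordPress core never writes executable code into uploads, so PHP there is a red flag.
    find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null \
        | sed 's/^/php-in-uploads: /'
    # World-writable entries let any local account on a shared host rewrite them.
    find "$root" \( -type f -o -type d \) -perm -002 2>/dev/null \
        | sed 's/^/world-writable: /'
}

# Conventional WordPress baseline: 755 directories, 644 files, wp-config.php 600.
harden_wp_permissions() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Build a constructed sample tree (not a real site) so the helpers run offline.
make_sample_site() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads/2024/05" "$root/wp-includes"
    printf '<?php /* config */\n'   > "$root/wp-config.php"
    printf '<?php echo "legit";\n'  > "$root/wp-includes/functions.php"
    printf 'GIF89a'                 > "$root/wp-content/uploads/2024/05/photo.gif"
    printf '<?php /* dropped */\n'  > "$root/wp-content/uploads/2024/05/cache.php"
    chmod 777 "$root/wp-config.php" "$root/wp-includes/functions.php"
    printf '%s\n' "$root"
}

# Number of findings; a cron wrapper can alert when this is non-zero.
count_findings() { audit_wp_files "$1" | wc -l | tr -d ' '; }

if [ "${1:-}" = "--demo" ]; then
    site="$(make_sample_site)"
    echo "Before hardening:"; audit_wp_files "$site"
    harden_wp_permissions "$site"
    echo "After hardening: $(count_findings "$site") finding(s) remain"
    rm -rf "$site"
fi
```

Run it with `--demo` to see the constructed tree audited before and after hardening; the dropped PHP file in uploads still shows up afterwards, since permissions alone do not remove foreign code.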
This is part of how we handle security. Websites will get hacked, but supporting and fixing the problems when they arise is what we strive to do for our customers.
Owner, Altha Technology