Why your Wordpress site is a huge security risk
Wordpress is one of the foundation blocks of the modern web. Since its launch in 2003, it has helped change the nature of a website from developer-centric to user-centric, using the concept of a Content Management System to allow people who weren’t web developers to change text and images on their websites and add fresh content without submitting cumbersome support tickets.
But its age and popularity create serious problems for modern organisations looking to do business on the web. A lot of web development companies today will drive their customers down the Wordpress route because it’s so well known, but there are significant downsides that it can be costly to ignore.
This isn’t ageist. Wordpress is in ongoing development (version 5.0 is due out in 2018) and has a huge community supporting the open-source product, adding new features and fixing vulnerabilities. But at its heart, Wordpress is still a blogging platform. If you’ve ever used it, you’ll know that the backend is still full of blogging terminology and makes it very difficult to get a full overview of your website. Compared to the intuitive nature of, say, a modern smartphone, Wordpress feels like a relic.
But of course there are much more serious issues with using an old platform. Wordpress runs on PHP, an old-as-the-hills scripting language. The minimum requirement is for PHP 5.2, which is 11 years old. That version hasn’t had any security updates for 6 years, leaving anything running it wide open to malicious attacks. Which leads us to…
Sounds like a great thing, right? But the open-source nature of Wordpress is also its Achilles heel.
Just to clarify what open-source means to you in this context: anyone can download the source code running your website and look through it to find vulnerabilities to exploit. That is not something you want for your business’s website.
Wordpress is also built around a third-party plugin system to let you expand the functionality of your site. Again, while nice in theory, the idea of letting anyone write the code that will then sit at the heart of your website is ludicrously dangerous. Whether through poor-quality coding or malicious intent, you’re putting the security of your online business in the hands of people with no investment in your success. According to wpscan.org, over half of the nearly 4,000 known security vulnerabilities in Wordpress were due to third-party plugins.
This free mentality often drives Wordpress site users to look for dirt cheap web hosting to go with it. And as we’ve discussed on this blog before, cheap hosting can seriously damage your business.
Wordpress runs around 27% of the world’s websites. That’s a phenomenal number, and it creates a huge incentive for hackers to work on ways to break into it. Finding a back door into 60 million Wordpress sites would be incredibly lucrative. Brute force login attacks, SQL code injections into the Wordpress database, file inclusion exploits, cross-site scripting, malware… they all provide opportunities to get at your secure data, and there are people out there right now working on it. In this instance it’s not good to be part of the flock — the wolves know exactly where you are.
It takes a LOT of maintenance
The Wordpress community is good at working on fixes to vulnerabilities in the core software. This, though, can come with its own downside: keeping a Wordpress website secure can take a lot of work. It’s not uncommon for several Wordpress updates to be released each month, and each update requires a manual process in the backend of the site, followed by checking that all of your site plugins still work properly and updating them when their authors release their own updates.
You also have to run updates to your site themes, keep on top of comment spam, set up and monitor site backups and face the prospect of your site disappearing from the internet if your web host detects malware.
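The update-checking part of that maintenance routine can at least be made visible from the command line. The script below is an added example, not code from Onward Studios or from the WordPress project: it assumes WP-CLI (the `wp` command) is installed on the server and is run from the site root, and it falls back to constructed sample output so the parsing can be exercised offline. It lists every plugin and theme that reports an update as available, which is exactly the set an administrator has to test and apply after each release.

```shell
#!/usr/bin/env bash
# Added example: audit pending WordPress plugin/theme/core updates with WP-CLI.
# Assumes WP-CLI (`wp`) is installed and the script runs from the site root.

# count_pending reads the CSV that `wp plugin list` / `wp theme list` emit with
# --fields=name,status,update,version --format=csv and prints how many rows
# report an update as available.
count_pending() {
  awk -F, 'NR > 1 && $3 == "available" { n++ } END { print n + 0 }'
}

# list_pending prints the name and installed version of each item that has an
# update available, one per line.
list_pending() {
  awk -F, 'NR > 1 && $3 == "available" { print $1 " (" $4 ")" }'
}

# Constructed sample output in the same CSV shape, used when wp is not present.
SAMPLE_PLUGINS='name,status,update,version
akismet,active,available,4.0.8
hello,inactive,none,1.6
contact-form-7,active,available,5.0.1'

SAMPLE_THEMES='name,status,update,version
twentyseventeen,active,none,1.4
twentysixteen,inactive,available,1.3'

# audit_updates queries the live site when wp is available, otherwise the
# constructed samples, and prints a short summary of what needs attention.
audit_updates() {
  local plugins themes
  if command -v wp >/dev/null 2>&1; then
    plugins=$(wp plugin list --fields=name,status,update,version --format=csv)
    themes=$(wp theme list --fields=name,status,update,version --format=csv)
    wp core check-update
  else
    plugins=$SAMPLE_PLUGINS
    themes=$SAMPLE_THEMES
  fi
  echo "Plugins with updates available: $(printf '%s\n' "$plugins" | count_pending)"
  printf '%s\n' "$plugins" | list_pending
  echo "Themes with updates available: $(printf '%s\n' "$themes" | count_pending)"
  printf '%s\n' "$themes" | list_pending
}

audit_updates
```

Run from cron, a script like this turns the monthly guesswork into a report: anything it lists is code running inside the site that is behind its author's latest release, and that is where the plugin vulnerabilities the article mentions tend to sit. Inactive plugins and themes still appear in the list, and they still count, because their files remain on the server whether or not they are switched on.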
So what’s the alternative?
The rise of software-as-a-service has opened up new ways of approaching web development. By opting for a commercially-backed web platform you have an entire company behind you that has a financial and reputational interest in keeping you secure. They’ll be the experts in their platform and the source code will be kept away from the prying eyes of hackers.
For small web projects, services like Squarespace provide a sensible all-inclusive service for a low monthly cost. They provide secure hosting, do all the software updates and provide support if you need it. They also give you a whole load of templates to choose from, so while your site won’t look unique, it’ll look nicely designed.
For business projects, you’ll want to look for a professional all-in-one web service. As we offer at Onward Studios, a monthly subscription can get you a completely bespoke website designed and developed, hosted on professional-grade secure AWS hosting, all security maintenance and technical support included, and ongoing site development to make it more effective over time.
It’s a new way of thinking about websites that will keep your business safe and at top performance, without the dangers of yesterday’s Wordpress world keeping you up at night.