We hear this one quite often. Because WordPress is open source (and so popular) it’s inherently insecure, as every hacker on the planet is going to tear it apart looking for vulnerabilities.
In our opinion this is an alarmist statement. We’ve been using WordPress alongside our custom coded websites for years now, and provided WordPress is set up in the correct way and locked down then we don’t see any more security problems compared to a bespoke CMS.
Keeping it current.
The main thing is just to keep everything up to date. This is vital. Whenever a new version of a plugin is released, update it. If your WordPress dashboard tells you that your current installation is now out of date, install the latest release. This is all easily done from within your control panel, but to make things extra secure we now manage all updates on our customers’ behalf – so you’ve nothing to do. We’ll take care of the lot.
Make the environment secure.
We use Unix servers which run the Apache system, and first and foremost, like our WordPress installations we make sure that it’s all up to date, and any security holes are patched as soon as possible. It doesn’t matter which CMS you run if a hacker sidesteps it completely and attacks the server. We also protect the server with a dedicated hardware firewall, configured to automatically block incoming connections that are suspected of being malicious.
The benefits of open source software.
The benefit of using WordPress is that it’s made by an online community of many thousands of coders, who submit updates and improvements which are then authorised by a core of WordPress developers. The biggest single cause of security breaches in websites is via programming errors, and lots of people collaborating on a project (having their work checked and verified by others as they go) is far less likely to lead to errors than an individual working alone, or in a very small group. A custom coded website is therefore actually more likely to be the victim of a security exploit than an ‘off the shelf’ package like WordPress.
Are custom coded sites really 100% custom coded?
It’s also worth considering that custom coded websites usually aren’t 100% custom coded. They often still use third party plugins to make things work. Does it have a slider, or a contact form, or a lightbox gallery? If so, then these plugins are just as vulnerable to attacks on a custom coded site as they are on WordPress.
Lot’s of developers also use software such as Dreamweaver to write their custom sites, and they’ll often use extensions from third parties to make things easier and quicker. The extensions essentially automate the code writing for specific items (like database queries for example), but as these extensions are a mass marketed product they’re just as likely to be attacked as WordPress is. Often a custom coded site isn’t actually as custom coded as you might think!
The customer has control.
The advantage of WordPress is that with a little training it’s relatively easy to keep it all secure. There are a multitude of security plugins available that make a hacker’s life very difficult. Our favourite at the moment is iThemes Security, but we also like Wordfence. Both of these plugins constantly monitor your website and will notify you if it thinks anything looks a little odd (if a file changes for example). They also know what the more common WordPress exploitation techniques are, and they deal with these for you.
Another advantage of the WordPress system is that if a security hole in the code is exposed then a fix is released (free of charge) usually within a couple of days, and the customer is notified of this in their control panel. On a custom coded site you often don’t find out about the breach until it’s actually happened, and then the developer is left to find out how it occurred and what needs to be done to fix it. This can be extremely time consuming, and expensive for the customer.