WordPress Core is Secure – Stop Telling People Otherwise
The fourth post in our security series is an in-depth look at the history of the security of WordPress written by Jason Cosper, the head WordPress Expert at WP Engine. Jason has led support teams for 10 years at places like DreamHost, and now at WP Engine. He also has a strong background in Information Security growing up inside the Los Angeles hacker community.
It’s time to clear up the debate once and for all. Despite all the doubts (and some haters), WordPress core is without a doubt one of the most secure platforms you can choose to put a site on. Of course, a WordPress install is only as secure as the plugins it leverages — but that’s another post for another time.
Recently, there were even stories about a large botnet that was trying to “brute force” its way into WordPress sites, but wasn’t able to touch sites where site owners set strong passwords, were running the latest version of WordPress core, and were vigilant about security.
But, if you’re still skeptical, that’s ok. I’m going to make a case and change your mind.
During the summer of 2009, WordPress took some knocks in the web publishing community for a series of security vectors that were exploited. The internet realized WordPress could become huge, and aimed some criticism and blog posts in the hopes of making sure WordPress would be secure enough for the crowds of end-users it was attracting.
In many ways, the internet was saying,
“Hey there, WordPress, we know you’re ambitious, and we love you for that, but we gotta know your security is bulletproof for your end-users before you get too popular.”
WordPress core developers responded, and in the months that followed, collectively added patches and tightened up security across the board to make WordPress one of the most secure CMSes on the internet. That was four years ago. An eternity in terms of technological innovation.
The Summer of 2009
Within a span of a few weeks in 2009, the WordPress core team released a series of 4 security patches. The team was rapidly and systematically closing off remaining security vectors in WordPress core. And by the end of the summer, the WordPress codebase had begun to look like Fort Knox.
However, if you owned more than one WordPress site at the time, you had to update WordPress as often as a security patch was released. In total, six versions of WordPress were released, starting with 2.8.1 on July 9th, and ending with 2.8.6 the week before Thanksgiving. That’s a lot of updating.
Updating WordPress isn’t hard. But new updates every few weeks can quickly become a pain. Each new security update means testing the update against plugins and themes before pushing it live. Then the next update means doing that all over again. But software is only as secure as its latest version, so you have to update every time a version is released.
But, imagine having to do that every 2-3 weeks. For every site you own.
That might create some lingering emotion.
Fun like a root canal
In the span of just 34 days, four security updates were released for WordPress 2.8. This was before managed hosting or WordPress management tools made maintaining installs easy. No, each of the updates was done manually.
Honestly, this whole run of updates ranked between “standing in line at the DMV” and “having a root canal” on the fun scale.
And not everyone was updating. Some of the out-of-date sites got hacked. I know, because that year I was doing a ton of the cleanup work from hacked sites that had been running old versions of WordPress. This is why we harp on the importance of keeping WordPress up to date, and why WP Engine automatically updates customer sites. Up-to-date software is secure. Out-of-date software is a target.
Hacking is newsworthy
WordPress installs were already ubiquitous in 2009, so this whole saga was fairly newsworthy to boot. A constant stream of bloggers posted about the security of WordPress that year. We got so used to seeing those blog posts that they remained in the internet’s collective memory.
Now, four years later, you can’t have a discussion about WordPress without someone chiming in to ask, “Wait, isn’t WordPress insecure?” Hacker News, I’m looking at you.
WordPress suddenly had a reputation, fair or not, for being a platform that always needed to be updated, and might not be secure.
In reality, by the end of 2009, WordPress had become secure enough for millions of end users to use it without problems, not to mention massive sites like The New York Times, and AllThingsD. WordPress’s popularity is even reflected in the growing trend of large organizations and the enterprise moving to WordPress in droves.
Shared Responsibility with WordPress Users
The user’s responsibility will never go away. Many users who understand the value of extensive security host with WP Engine because we add additional security layers, like forcing strong passwords, and performing routine security scans. We also back up our security with a guarantee.
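The brute-force botnet mentioned earlier is the kind of thing the user’s side of this shared responsibility has to watch for. The following is an added example, not code from this post or from WP Engine: it reads web-server access-log lines (constructed sample lines in Apache combined format, an assumed log format) and flags source IPs that hammer the login page with repeated failed attempts inside a short window. It assumes the WordPress convention that a failed login POST to /wp-login.php re-renders the form with HTTP 200, while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (Apache combined format, assumed): one source makes six
# failed login POSTs within a minute; another fails once, then logs in (302).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Apr/2013:12:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421'
     for s in range(0, 60, 10)]
    + ['198.51.100.22 - - [10/Apr/2013:12:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3421',
       '198.51.100.22 - - [10/Apr/2013:12:03:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
       '198.51.100.22 - - [10/Apr/2013:12:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def login_attempts(log_text):
    """Yield (ip, timestamp, status) for every POST to the login page."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == "/wp-login.php":
            yield rec[0], rec[1], rec[4]

def flag_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failed attempts in any `window`} for IPs at or above threshold.

    Only status 200 counts as a failure (form re-rendered); 302 is a successful login.
    A sliding window over each IP's sorted timestamps finds its busiest interval."""
    per_ip = defaultdict(list)
    for ip, ts, status in login_attempts(log_text):
        if status == 200:
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop attempts older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

The flagged dictionary is what you would feed into a rate limiter or block list; the user who failed once and then succeeded is correctly left alone.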
Secure enough to be the most popular
I hate to go with the “most popular” argument, but it’s the final bit of evidence.
With 64 million installations and counting (17% of all sites are built with WordPress), the math is compelling. No other technology (Ruby on Rails, Python, etc.) even comes close to having as much adoption.
WordPress core is secure enough to support that massive user base, so it always puzzles me when brilliant developers are unaware how secure WordPress core has been for years.
At that scale, even the 0.1% security vectors should become downright common, and yet WordPress is doing nothing but grow without any major problems.
Looking at the evidence, it’s time to put the debate to rest. Maintaining security is an ongoing process, and constant vigilance is essential. But the core team has done an amazing job to ensure the security of WordPress, and will continue to do so as the platform continues to grow.
But, we’ve reached a point in the history of the internet where WordPress has earned a reputation for its security. It’s time to act like it.