WordPress is one of the most popular CMS (content management system) platforms of all time, and for good reason. The overall ease of use and administration appeals to individuals, bloggers and small businesses. Plus, it's compatible with tens of thousands of plug-ins that help you perform tasks, transform data, aggregate analytics, grow customer lists, and sell products and services. With all that WordPress has going for it, the install base is in the millions, which makes it a prime target for attackers looking to take advantage of widespread vulnerabilities. Unfortunately, that's exactly what happened when a backdoor into the WordPress administration interface was found in the Display Widgets plugin. The Display Widgets plugin is currently installed on over 200,000 WordPress sites across the Internet. Worse, WordPress.org staff members may have known about this for a long time without taking immediate action to pull the plugin from the plugin directory.
WordPress's Staggering Growth
Did you know that a WordPress post is published every 19 seconds, and that downloads of the platform were up over 500 percent in the last five years? WordPress now accounts for nearly 50 percent of websites on the Internet. With hundreds of millions of posts, more than 36,000 WordCamp conference attendees, and installs in nearly 60 countries, WordPress is the "800-pound gorilla" of the Web CMS market. Self-proclaimed as the most flexible, customizable, and easy-to-update CMS on the market today, WordPress has moved beyond hosting blog pages to powering websites for some of the largest and most exclusive brands in the world (like McAfee, Reuters, CNN, NASA, Facebook and more).
Is WordPress Secure?
Sure, the platform is relatively easy to use, but is it secure? This is the question that millions of users are asking themselves after the news broke about the backdoor in the Display Widgets plugin. However, if you own a small business, you may not have the time to fully research these security concerns. You just want to know that your blog post is getting published as it should. The intuitive and user-friendly interface is welcoming, but you must take the time to research the vulnerabilities before you decide if WordPress is right for you. The same plugins that let you take advantage of new functionality in WordPress can also be your downfall: every plugin you install runs with the full privileges of your site, so a flaw or a backdoor in any one of them is a flaw in the whole site.
WordPress Vulnerabilities
Security exploits are nothing new for WordPress users, and the WordPress.org team addresses these issues regularly with security releases and patches. However, if you aren't keeping up with security patches for the core platform and for every plugin and theme you run, known vulnerabilities can give attackers unauthorized access to your systems. Here's a short list of notable WordPress security issues and when they occurred:
- 2007/2008: WordPress.org servers were compromised, and for a short time a backdoored copy of the platform was served from the official download site, prompting major technology blogs to sound the alarm. In response, WordPress created a new and more intuitive process for ongoing updates.
- 2009: After recognizing a need for overall hardening of the platform, WordPress released a flurry of updates that began a new and more proactive focus on security.
- 2011 – 2014: Attackers discovered a vulnerability in the TimThumb image-resizing script, bundled with many themes and plugins, that allowed them to upload and execute arbitrary PHP code on WordPress servers. Attacks continued until the script was discontinued by its developer.
- 2013: A large-scale review of the top Alexa-ranked sites revealed that nearly 75% of the WordPress installs among them were vulnerable because they ran outdated versions of the platform.
- 2015: A widespread cross-site scripting (XSS) vulnerability affected a large number of popular plugins. Fixes were released quickly, but releasing updates doesn't mean that users will apply them, even with repeated notifications from WordPress.
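The TimThumb entry above is worth a closer look, because it shows how a plugin can hand an attacker code execution without any bug in WordPress itself. TimThumb fetched and resized remote images, and it decided which remote hosts were acceptable by checking whether an allowed site name appeared as a substring of the requested host. A host such as blogger.com.attacker.example passed that test, so the script happily downloaded whatever that server returned, including a PHP file with an image-like name, into a cache directory under the web root where it could then be executed. The following is an added example, written for this article in Python rather than PHP; it is not TimThumb's own code, and the allowlist entries and sample URLs are constructed for illustration. It puts the weak substring check beside a hardened check that matches on the label boundary and restricts the scheme.

```python
from urllib.parse import urlparse

# Constructed allowlist of remote image hosts. TimThumb shipped a similar list;
# these entries are an assumption for the example, not the script's real list.
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com"]


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL (no userinfo, no port), or "" if absent."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def remote_allowed_weak(url: str) -> bool:
    """Substring allowlist: accept if any allowed name appears anywhere in the host.

    This is the class of check that made TimThumb exploitable. The host
    'blogger.com.attacker.example' contains 'blogger.com', so the fetch is
    allowed, and whatever the attacker's server returns ends up in the
    resize cache on the WordPress server.
    """
    host = host_of(url)
    return any(site in host for site in ALLOWED_SITES)


def remote_allowed_strict(url: str) -> bool:
    """Hardened allowlist: http(s) only, and the host must equal an allowed
    name or be a subdomain of one, matched on a dot boundary rather than as
    a substring.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = host_of(url)
    if not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


def compare(urls):
    """Run both checks over a list of URLs; returns {url: (weak_result, strict_result)}."""
    return {u: (remote_allowed_weak(u), remote_allowed_strict(u)) for u in urls}


# Constructed sample input: two legitimate image URLs and four bypass attempts.
SAMPLE_URLS = [
    "http://img.youtube.com/vi/abc123/0.jpg",
    "https://farm1.flickr.com/photos/1/2.jpg",
    "http://blogger.com.attacker.example/shell.php",   # allowed name used as a prefix
    "http://notflickr.com/shell.jpg",                  # allowed name as a trailing substring
    "ftp://flickr.com/shell.jpg",                      # right host, wrong scheme
    "http://flickr.com@attacker.example/x.jpg",        # allowed name hidden in userinfo
]

if __name__ == "__main__":
    for url, (weak, strict) in compare(SAMPLE_URLS).items():
        print(f"{url:48} substring-check={weak!s:5} hardened-check={strict}")
```

Two things the hardened check deliberately does not try to solve, because no host check can: the response still has to be validated as an actual image before it is written anywhere, and the cache directory must sit outside the web root (or be configured so the web server never executes files from it). The host allowlist only decides whom you talk to; what you do with the bytes you receive is a separate control.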