How secure is WordPress compared to its competitors? Originally appeared on Quora: the place to gain and share knowledge, empowering people to learn from others and better understand the world.
Asking how secure WordPress is, even compared to its competitors, is sort of like asking “how high is ‘up’?”
WordPress is a content management system, designed to let people without significant computer skills provide constant updates to a web site’s information by just writing and pasting in pictures and the like. As its popularity soared, so did the number of people trying to install and administer it, and as a result it’s now a system that can be installed and operated by people without any significant experience as well.
That’s where the issues arise.
WordPress is built on what we call the LAMP stack – Linux, the Apache HTTP Server, the MySQL database, and the PHP programming language. And it’s running on some server or virtual server somewhere as well, which adds another layer.
If you know what you’re doing, you can install Linux, harden it so that it’s only running the bare minimum of stuff that needs to be running, and make sure that you’ve got iptables configured to block and log all access that isn’t needed for your site to function.
You can then install Apache, and crank down on its security. There are over two dozen things that I do, from disabling directory listing and disabling default DSO modules to running as a non-default user and group. Everything you do makes the site that much more secure.
Once that’s done, you install MySQL. Or not. If I’m running in AWS, I typically spin up an RDS instance rather than running it locally on the same server. You get massively better performance by doing this. In any event, you need to harden your MySQL implementation, and that’s not terribly easy or convenient.
There are nearly three dozen steps to harden MySQL to what I consider “reasonable levels of security”, depending on whether you’re running a local instance or running a separate RDS instance in AWS. Lots of testing to make sure that in tightening things down, you haven’t broken things.
You’ve done all that, now you’re ready to install WordPress. The default installation script will not work if you’ve split the MySQL to RDS, so you have some tweaks there, but once you have WordPress installed, you can then start securing it. That comes in four parts.
You have to fix the core installation – some of that is easy stuff, like “don’t use stupid passwords”, some is harder like changing the default database prefixes. All in, there are about twenty things you need to do to secure the default core installation.
You need some security plugins. I can’t imagine not running Wordfence, some kind of two-factor authentication, and some kind of activity logging. Setup and configuration will depend on what you chose.
You need backup. As in “backing up your WordPress site to something that’s not in WordPress”. There are a number of solutions out there, but you need to install and configure one, and make sure that in doing so you don’t open other security holes.
You need to audit your site regularly. Pay attention to what the logs are telling you – I used to routinely take bad actor IP addresses and block them at the Security Groups layer in AWS, so they never had the opportunity to hit the server, for instance. Make sure that WordPress core is up to date. Make sure that your plug-ins and themes are up to date. Make sure that your core software – Apache, MySQL, PHP, Linux – is fully patched and up to date. Note that in doing these updates, you need to make sure that you don’t inadvertently create a leak in your security, as your current settings might not carry through, or might not be appropriate, for an update.
The level of complexity you need to undertake depends on your use case. If you’re running a fan blog for some movie franchise, you don’t have a lot of exposure. If you’re running a blog with a subscription-only portion which has content that you don’t want to make available to non-subscribers, that’s a little more involved. If you’ve integrated Shopify and are running a full-on e-commerce site out of WordPress (lots of people do that, BTW), that’s probably at the high end of the scale.
Done right, you can make WordPress just about as secure as you can make any publicly available Internet resource.
Done wrong… not so much.
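An added example of the log-auditing step the answer describes (this is not the author’s own tooling): it parses Apache combined-format access log lines, counts POSTs to wp-login.php and xmlrpc.php per client IP inside a sliding time window, and renders iptables DROP rules for an admin to review. The threshold, the window and the sample log lines are constructed assumptions; the author’s AWS Security Group step is not reproduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format; the group names follow the LogFormat fields.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WATCHED = ("/wp-login.php", "/xmlrpc.php")   # endpoints brute-forcers hit

SAMPLE_LOG = [  # constructed TEST-NET traffic, not a real log
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '198.51.100.4 - - [10/Mar/2024:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 9123',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '203.0.113.7 - - [10/Mar/2024:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '203.0.113.7 - - [10/Mar/2024:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
    '198.51.100.4 - - [10/Mar/2024:10:00:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    'not a log line at all',
]


def parse_line(line):
    """Return (ip, timestamp, method, path) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def flag_login_abuse(lines, threshold=5, window_seconds=60):
    """Map IP -> peak count of watched POSTs seen inside any one window."""
    recent = defaultdict(deque)     # ip -> timestamps of watched POSTs
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # tolerate malformed lines, don't crash
        ip, ts, method, path = rec
        if method != "POST" or path not in WATCHED:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # expire hits older than the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def iptables_drop_rules(flagged):
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]
```

Run it against a real access log with `flag_login_abuse(open("/var/log/apache2/access.log"))` and review the rules before applying them; tune the threshold to your legitimate login volume so you do not lock out your own users.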