Why WordPress is not secure (and never will be)
Tired of malware attacks? Concerned about protecting membership information and other sensitive customer data on your website? Keep reading …
We’ve all heard it before: WordPress is “not secure.” The same claim has been made about other open source content management systems (CMS) such as Drupal and Joomla. But WHY is WordPress not secure?
If you’re feeling stuck with the Devil You Know, here’s your chance to understand the costly risks and consequences of continuing to use WordPress—and just how easy it is to choose a secure alternative. Because it’s 2018!
2003 – 2018: a lot has changed in 15 years
First released in 2003, WordPress is an open source software platform that was originally developed to host blogs and was later used to build full websites. “Open source” means WordPress is built, maintained and modified by a community of developers and WordPress users around the world, who can use the source code with little to no restriction.
WordPress is used by over 30% of websites on the internet today. While WordPress is a popular CMS, it’s also a popular target for hackers.
If you have a WordPress site, brace yourself for the following risks:
- There’s a >12% chance of being hacked this year
- There is a >4% chance of being “blacklisted” this year
Also consider that a search engine query for “How to Hack a WordPress Site” turns up over 500,000 YouTube videos that hackers can draw on. We can’t make this stuff up!
Did you know that Certificate Authorities (e.g. Comodo) will soon start revoking the SSL certificates of infected websites? Google Chrome now displays a security warning for anyone visiting a website that doesn’t have an SSL certificate installed. The big players in the industry are taking the ever-increasing security risks seriously - are you? Make no mistake: these measures will reduce visitors to your website if your site is seen to be insecure.
See for yourself how easy it is to hack a WordPress website
First, follow these 3 easy steps:
- Go to your website (or any website built with WordPress) and right-click on any page.
- A menu will pop up. Depending on which browser you are using, look for “View Page Source” or similar wording to that effect. Click on it.
- You will be shown HTML code. This markup language renders your site—i.e. makes it look and do what you want.
Now consider the following risks:
Hacking Made Easy #1
Take a closer look at the HTML code that was so easy to locate. You will see what a programmer calls “file paths,” which identify where certain files are located. They may look like this: “http://yourwebsite.com/wp-content/uploads”, or this: “http://yourwebsite.com/wp-includes”.
- RISK: When not properly secured, file paths present hackers with a potential entry point (attack vector) to hack your site—because these file paths lead them directly to the web server where your organization’s website and files are located.
Hacking Made Easy #2
In the HTML code, some of these file paths are used by themes and plugins. Plugins are third-party add-ons to WordPress, which can either be free or purchased. Many companies will use at least two or three plugins (or more) to customize their websites with additional functionality. For example, a plugin can add an image slider, web forms or image resizing functionality to your website.
- RISK: Some plugins become the doorway through which hackers can continuously compromise your website. WordPress makes it easy for hackers to find your plugins. Even worse, hackers can refer to public listings that identify in detail various core, plugin and theme vulnerabilities (e.g. https://wpvulndb.com/).
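The plugin and theme names that the page source discloses are exactly the list a site owner needs to keep patched. The following script, an added example that is not part of the original article, extracts that inventory from saved page source: every `wp-content/plugins/<slug>` and `wp-content/themes/<slug>` asset path, the `?ver=` string WordPress appends to each asset URL, and the core version from the generator meta tag. The HTML sample, the slug names and the function names are constructed for illustration.

```python
"""Inventory of WordPress plugins, themes and versions disclosed by page HTML.

Added example, not code from the original article. Point it at the saved
source of your own site to see what anyone viewing the source can learn,
so that the same list drives your patching. SAMPLE_HTML is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample of the kind of markup WordPress writes into <head>.
SAMPLE_HTML = """
<link rel='stylesheet' href='http://yourwebsite.com/wp-content/plugins/sample-forms/css/styles.css?ver=5.0.1' />
<script src='http://yourwebsite.com/wp-content/plugins/sample-slider/js/slider.min.js?ver=6.1.3'></script>
<script src='http://yourwebsite.com/wp-content/plugins/sample-slider/js/slider.init.js?ver=6.1.3'></script>
<script src='http://yourwebsite.com/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<link rel='stylesheet' href='http://yourwebsite.com/wp-content/themes/sample-theme/style.css?ver=4.9.8' />
<img src="http://yourwebsite.com/wp-content/uploads/2018/05/logo.png" />
<meta name="generator" content="WordPress 4.9.8" />
"""

# Captures (full asset URL, "plugins" or "themes", slug) from src/href attributes.
ASSET_RE = re.compile(
    r'(?:src|href)=[\'"]([^\'"]+/wp-content/(plugins|themes)/([^/\'"?]+)[^\'"]*)[\'"]'
)
# The core version WordPress advertises unless the generator tag is removed.
GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([^"]+)"')


def inventory(html: str) -> dict:
    """Return {'plugins': {slug: [versions]}, 'themes': {...}, 'core': str|None}.

    A slug can appear with several ?ver= values (or none, reported as
    'unknown'), so each slug maps to a sorted list of the versions seen.
    """
    found = {"plugins": defaultdict(set), "themes": defaultdict(set)}
    for url, kind, slug in ASSET_RE.findall(html):
        version = parse_qs(urlparse(url).query).get("ver", ["unknown"])[0]
        found[kind][slug].add(version)
    generator = GENERATOR_RE.search(html)
    return {
        "plugins": {slug: sorted(v) for slug, v in found["plugins"].items()},
        "themes": {slug: sorted(v) for slug, v in found["themes"].items()},
        "core": generator.group(1) if generator else None,
    }


if __name__ == "__main__":
    result = inventory(SAMPLE_HTML)
    print("WordPress core:", result["core"])
    for kind in ("plugins", "themes"):
        for slug, versions in sorted(result[kind].items()):
            print(f"{kind[:-1]:7} {slug:20} versions: {', '.join(versions)}")
```

Treat the `?ver=` value as a hint rather than proof: when a plugin registers an asset without its own version number, WordPress substitutes the core version instead. Compare the list against the plugin screen in wp-admin, and remove or replace anything that is installed but no longer maintained.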
Hacking Made Easy #3
Now look at your website’s URL in your browser’s address bar (e.g. Google Chrome) and type “/wp-admin” after it (e.g. www.yourwebsite.com/wp-admin). Unless additional steps were taken to secure your website admin area, you will be taken to the WordPress Admin login page for your WordPress site.
- RISK: With this piece of information, hackers can run brute-force attacks to determine your user login and password. Using this information, and armed with the knowledge that the source code for your website is located in your root domain (www.yourwebsite.com), they can penetrate your website and wreak havoc.
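A brute-force attempt against the login page leaves a distinctive trace in the web server access log: a burst of POST requests to /wp-login.php from one client, each answered with status 200 (WordPress re-renders the form on a failed login and redirects with 302 on success). The script below is an added example, not code from the original article; it counts such failures per client IP in a sliding time window and reports any IP over a threshold. The log lines are constructed, and the threshold and window size are assumptions to tune for your own traffic.

```python
"""Flag brute-force login attempts against wp-login.php in access logs.

Added example, not code from the original article. Reads lines in the
common "combined" log format, counts POST /wp-login.php requests answered
with 200 (a failed login) per client IP inside a sliding window, and
returns the IPs that exceed a threshold. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, method, path, status):
    """Build one constructed combined-format log line (sample data only)."""
    return (f'{ip} - - [10/Oct/2018:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1432 "-" "Mozilla/5.0"')


# Constructed sample: one client fails 12 logins in 12 seconds; a real user
# mistypes once (200), then logs in successfully (302) and reaches wp-admin.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 1, "GET", "/wp-login.php", 200)]
    + [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(2, 14)]
    + [_line("198.51.100.4", 5, "POST", "/wp-login.php", 200),
       _line("198.51.100.4", 9, "POST", "/wp-login.php", 302),
       _line("198.51.100.4", 10, "GET", "/wp-admin/", 200)]
)


def parse(log_text):
    """Yield (timestamp, ip, method, path, status) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:          # skip lines in another format rather than crash
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT),
                       m["ip"], m["method"], m["path"], m["status"]))
    events.sort(key=lambda e: e[0])
    return events


def find_bruteforce(log_text, threshold=10, window_seconds=60):
    """Return {ip: max failed logins seen within one window} for IPs over threshold."""
    recent = defaultdict(deque)   # per-IP timestamps of failed logins in the window
    flagged = {}
    for ts, ip, method, path, status in parse(log_text):
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

In practice this check would run continuously (for example as a log-monitoring rule that feeds a firewall block list) rather than after the fact, and it is a detection, not a fix: rate limiting on the login page, strong unique passwords and a second factor are what keep a burst of guesses from succeeding.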
Hacking Made Easy #4
Did you know that you can download WordPress source code for free? Simply visit https://wordpress.org/download/.
- RISK: Don’t forget! WordPress makes it easy for hackers to get a copy of the exact same source code that runs your website!
WordPress gives hackers everything they need to get hacking
Armed with your HTML code, a list of your plugins, your WordPress login & password and the WordPress source code, hackers have everything they need.
Using automated bots that crawl sites daily looking for weaknesses, hackers can find ways to compromise your website with minimal effort. Because your source code is in plain view and freely accessible, they can also examine the code directly to find vulnerabilities.
Whether the objective of hackers is mischief or financially motivated (stealing or ransom), their goal is to attack you. Attacks negatively impact productivity, performance, revenues and expenses—not to mention the website owner’s reputation, brand and credibility.
But can’t I make my WordPress site secure?
A Google search for “Securing a WordPress site” yields over 15 million hits, each of which will tell you to spend time and/or money to update your WordPress source code and plugins regularly to mitigate security issues.
- First, you must ask yourself if your organization has the financial and personnel resources needed to manage this responsibility.
- Second, although the WordPress community does update and fix security problems in the core framework, they do not fix them in your organization’s copy of the WordPress source code. In addition, they do not fix issues related to individual plugins. That’s all on you.
- Third, you must also ensure that the hosting company that houses your copy of the WordPress site and its plugins is secure for WordPress. Is your data center using proactive monitoring, robust firewalls, malware protection, anti-virus and other advanced secure WordPress specific hosting plans and solutions? How often are they updating them? How often do they perform backups? Are they a managed WordPress hosting service?
- Fourth, the operative word is “mitigate.” It takes most businesses six months to detect a breach. Even a brand-new version of WordPress can carry 183 days’ worth of potential, undetected vulnerabilities, and hackers begin looking for new weaknesses from the moment that version is released. The reality is that you’re either racing against hackers, or behind the curve, when it comes to making your website secure.
QuickSilk: your secure alternative to WordPress
You can’t change WordPress—that’s just the way it and other open source CMSs work—but you can choose a closed-cloud CMS, like QuickSilk. We even make it easy for you to leave your comfort zone and migrate (or build) your website!
The QuickSilk Content Management System (CMS) is a closed-cloud SaaS web platform that builds comprehensive and responsive websites, microsites and web portals. Other features and benefits include:
- easy drag & drop CMS builder
- all-in-one design, maintenance, hosting
- predictable costs with a reduced total cost of ownership
- more sophisticated than Squarespace and Weebly
- extensible using our API & SDK
- free SSL certificate for https URLs, with http forced to https site-wide
What truly sets us apart is that we’ve raised the bar for enhanced website security in the areas of hosting, software updates, IT support, security standards compliance, rigorous testing, and certifications. Our source code is proprietary and we certainly don’t broadcast it for the whole world to see!
While there are other SaaS solutions, find out why banks, governments, institutes, associations and organizations around the world are choosing QuickSilk—a more secure alternative to WordPress.