A core principle of the WordPress project stipulates that WordPress should be easy to use for non-technical users. Over the last 14 years, a lot of developer time has been devoted to making sure WordPress is accessible to anyone who wants to use it. WordPress is easy to install, it’s easy to create and publish content, and even the least technical site owner shouldn’t have too much trouble modifying their site to do whatever they need.
But, in spite of WordPress’ user-friendliness, we still see thousands of WordPress sites compromised by criminals because they haven’t been updated properly. WordPress is accessible, but without discipline and dedication to following security best practices, it can become a liability. The problem isn’t with WordPress itself. WordPress is as secure as other web applications in its class. It’s not the fault of users who fail to update either: they can’t be blamed for not understanding the complexities of server and web application management under constant threat from hackers and criminals.
The real problem is inconsistent maintenance. WordPress is so intuitive that many small and medium business site owners think that WordPress security takes care of itself. As long as the site is functioning as they expect, it doesn’t occur to them to update every time a major release comes along. Non-technical people are constantly bombarded with update requests from all manner of applications: their phones, their laptops, their TVs, and every other internet-connected device in their lives. Their website is just one more source of update nagging to ignore.
The problem of laggardly updating isn’t helped by WordPress professionals who turn off automatic updates. WordPress automatically applies minor security updates without any intervention from users, a security feature added to WordPress because so many users fail to apply security patches. WordPress developers, professionals, and users who fear that an update will clobber custom code or plugins turn off the automatic updates. Deactivating automatic updates is fine if you intend to test updates before installation, but if — as so often happens — site owners and managers neglect to do so, the results are predictable.
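The settings behind that paragraph, as an added example (it is not code from the original post, nor from Nexcess): the wp-config.php switch that turns the automatic updater off entirely, beside the setting that keeps minor security releases flowing, followed by a must-use plugin that extends automatic updates to plugins and themes while carving out a customised plugin for staging tests. The constants and filter names are WordPress's own; the file path wp-content/mu-plugins/update-policy.php, the plugin slug and the e-mail address are placeholders.

```php
<?php
/*
 * Section 1 belongs in wp-config.php; section 2 is a must-use plugin
 * (e.g. wp-content/mu-plugins/update-policy.php, an assumed path).
 * Filters cannot go in wp-config.php because add_filter() is not
 * loaded yet at that point.
 */

/* ---- 1. wp-config.php ------------------------------------------------ */

// The risky setting: disables the automatic updater completely, including
// minor security releases. This is the switch the post describes
// professionals flipping and then forgetting about. Shown commented out.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// The recommended setting: core installs minor (security and maintenance)
// releases on its own; major releases wait for a human to test them first.
// 'minor' is also WordPress's default.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

/* ---- 2. wp-content/mu-plugins/update-policy.php ---------------------- */

// Must-use plugins load on every request and cannot be deactivated from the
// dashboard, so this policy survives an administrator who "just turns it off".

// Let plugins and themes update themselves as well; an unpatched plugin is
// the usual way in on a site whose core is otherwise current.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Exception: one plugin carrying site-specific customisations that must be
// regression-tested on staging before any update ships. Placeholder slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( 'example-custom-plugin/example-custom-plugin.php' === $item->plugin ) {
        return false; // leave this one to the person on retainer
    }
    return $update;
}, 10, 2 );

// Make sure a human hears when the updater ran, or failed to. The address
// is a placeholder.
add_filter( 'auto_core_update_send_email', '__return_true' );
add_filter( 'auto_core_update_email', function ( $email ) {
    $email['to'] = 'ops@example.com';
    return $email;
} );
```

The point of the split is that the automatic updater stays on for the releases that carry security fixes, and the only thing excluded is the one component someone has actually committed to testing; everything else updates without waiting for a site owner who is already ignoring update prompts from every other device they own.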
As ZoneFox Head of Security Ian Trump puts it:
“It’s not that WordPress, Drupal or any one of a dozen or more CMS are inherently bad, but setting up a secure web server and keeping it secure is a different art form than simply securing a file and print server inside the firewall.”
WordPress is, in fact, quite secure and it’s not onerous to keep it that way. But it’s clear that, for whatever reason, many SME WordPress sites aren’t being updated in good time.
For me, the takeaway is that the majority of WordPress site owners should use managed hosting. It’s misleadingly easy to throw up a WordPress installation on a VPS and leave it at that. The site will work fine until it doesn’t. A good managed WordPress hosting provider, or a WordPress professional on a retainer, can take care of the minutiae of keeping a WordPress site and its server secure, leaving the site owner free to use their WordPress site as the secure publishing platform they wanted all along.
About the Author
Graeme Caldwell works as an inbound marketer for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess, Like them on Facebook and check out their tech/hosting blog, https://blog.nexcess.net/.