Rant about WordPress security

Having a secure web application is a top priority for any company and web developer. Lately, WordPress has been the subject of much security discussion. Several large vulnerabilities were revealed. Fortunately, they have all been fixed, so if you update your site, you are safe once again. I have zero issues with WordPress security — just the opposite — I think it is rock solid. I have problems with people and companies claiming that WordPress is insecure, some of them even building their businesses on this premise. “Our custom solution is much better. Don’t use WordPress. It sucks”, they say.

I think most of them are completely wrong. It’s not that your system is more secure. It’s that nobody knows about it. At best, you have a bunch of clients with a few visitors (compared to some of the larger sites running on WordPress). No wonder they are “more” secure. Who in his or her right mind would target such sites? A waste of time, resources and skills.

On the other hand, a quarter of the web is running on WordPress. Users also extend it with plugins and themes that don’t usually go through any quality control. What is more, a lot of irresponsible hosting companies are running outdated versions of PHP. Combine all these facts and WordPress-powered sites become the number one target for many ill-minded attackers.

Then again, due to the nature of WordPress’s open source development, when security holes are spotted, they are almost immediately patched. Your poor little CMS comes nowhere close to the amount of attention WordPress gets from its contributors and users. I’d rather rely on something I know somebody is actively working on (free of charge) than on closed source software coded in your garage.

I’m not saying my sites haven’t been hacked. Last year, for example, I discovered that I had a remote PHP console parasitizing on my poor little blog. I’m not blaming it on WordPress — heaven forbid! I was simply lazy enough not to update it to the latest version. Nor the plugins. Hardening WordPress? Nah. At least I adopted some Nginx security rules so my site didn’t suffer that much.
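The “Nginx security rules” mentioned above are not spelled out in the post, so here is an added example of the kind of server block that limits the damage from exactly that scenario: a PHP web shell dropped into the uploads directory. This is not the author’s configuration; the site root, the PHP-FPM socket path and the rate-limit zone name are assumptions chosen for illustration.

```nginx
# Added example (not the author's actual rules): a WordPress server block in
# which a PHP file dropped under wp-content/uploads is never executed.
# Assumed paths: site root /var/www/example.com, PHP-FPM socket
# /run/php/php-fpm.sock. The rate-limit zone must be declared in http {}:
#   limit_req_zone $binary_remote_addr zone=wplogin:10m rate=5r/m;
server {
    listen 80;  # TLS setup omitted for brevity
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # Never hand anything under wp-content/uploads to PHP, whatever the
    # extension. A shell uploaded through a buggy plugin lands here and stays inert.
    location ~* /wp-content/uploads/.*\.(?:php|phtml|php[0-9])$ {
        deny all;
    }

    # Keep configuration, version-disclosure and stray repository files off the wire.
    location ~* /(?:wp-config\.php|readme\.html|license\.txt|\.git|\.env) {
        deny all;
    }

    # xmlrpc.php is a common brute-force and amplification target; block it
    # unless something (Jetpack, the mobile apps) genuinely needs it.
    location = /xmlrpc.php {
        deny all;
    }

    # Throttle login attempts per client IP (exact match wins over the regex
    # locations below, so this block handles wp-login.php itself).
    location = /wp-login.php {
        limit_req zone=wplogin burst=5 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Only PHP files that really exist on disk reach PHP-FPM; try_files also
    # defeats the PATH_INFO trick (/uploads/image.jpg/x.php).
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Validate with `nginx -t` before reloading. Order matters: the uploads and deny rules must appear before the generic `~ \.php$` handler, since nginx takes the first matching regex location. None of this replaces updating core and plugins; it only stops an attacker who already got a file onto disk from running it.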

I’m not trying to defame other CMS systems. I’m just saying that the companies claiming WordPress is too vulnerable, “You should use our super-duper ultra CMS”, are full of shit. These scammers are just trying to capture some attention from publicized WordPress issues. I’m not talking about million-dollar custom solutions, of course; those people know better.

And now, hack my site, please. So you can laugh at me.

</Rant off>
