WordPress Security: Fact or Fiction?

One of the biggest shifts in website development in recent years has been toward sites that can be managed independently – commonly referred to as Content Management Systems (CMS) or “dynamic” websites. WordPress has emerged as the leader due to its flexibility (with over 27,000 free plugins available for download), its intuitive administrative console and its huge developer community.

What many people don’t realize is that any website that enables browser-based editing (the ability for you to manage your own content via your web browser) exposes more attack surface, and is therefore more vulnerable to cyber threats, than an ‘old school’ static website.

The reason is quite simple. Let’s compare your website to your house. Imagine your house has a front & back door, and several ground floor windows. Now imagine your next door neighbour’s house has no windows and just the front door to get in and out. If there’s a burglar roaming the streets, which house is the more likely target for a robbery?

Your house has more possible points of entry – with a greater likelihood that someone has left a door or window unlatched. This makes your house the bigger target, and more vulnerable to a break-in.

Your website is no different. A CMS by definition opens up doorways: it enables you to manage the site, and perhaps enables your visitors to create accounts and post feedback. So while these doorways are a good thing for you and your visitors, they are also potential doorways for shady characters intent on doing bad things.

What To Do?

The most secure system is without a doubt a static website. But if you want the ability to actively manage your site and interact with your visitors, you’re going to need a CMS. Selecting a CMS is a topic that warrants a separate post (we recommend WordPress), but regardless of the CMS you choose, here are some tips for securing your site:

  1. Set up your CMS with a reputable Web host. If your Web host isn’t running up-to-date software and doesn’t have good security protocols in place, your site will be vulnerable to attacks regardless of the steps you take to secure your site. A quick Web search of hosting providers is a good place to start. You can also check out our post “What is this ‘Hosting’ thing and why should I care?”.
  2. Have your CMS software and database installed by a professional. There are some ‘1-click’ CMS installation systems out there (like Fantastico or SimpleScripts). These work well enough, but they do not let you customize the initial configuration settings required for optimal security. Want more info? Check out this article.
  3. Make sure your CMS administrative settings are properly configured. If you’re using WordPress, you’ll want to pay particular attention to your Discussion Settings, which let you control how visitor comments are handled. If you prefer not to allow comments, it’s a good idea to close and lock that door.
  4. Take advantage of security plugins. Again, if you’re using WordPress, there is a growing list of very solid security plugins to help secure your site.
  5. Keep your CMS and your plugins up-to-date. Many people have the misguided belief that there is no need to update CMS software. Because a CMS is by definition exposed to hacking, the developer community works hard to keep the software as secure as possible, and any good CMS will require occasional security updates to take advantage of this. One of the reasons we like and recommend WordPress is that the developers have made the software so easy to update. In fact, as of October 2013, WordPress has the ability to update itself for minor security updates! Plugins still require manual updates by default, but thankfully these are, for the most part, ‘1-click’ updates.
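Tips 3 and 5 can be locked in with a single must-use plugin so they survive theme changes and cannot be switched off from the admin console. The file below is an added example, not code from this post or from WordPress itself; it assumes a standard install where `wp-content/mu-plugins/` is writable and uses real WordPress hooks (`auto_update_plugin`, `auto_update_theme`, `allow_minor_auto_core_updates`, `comments_open`, `pings_open`). As the post says, plugins are not auto-updated by default; the filters here opt them in.

```php
<?php
/**
 * Plugin Name: Hardening defaults (added example)
 * Description: Loads from wp-content/mu-plugins/, before ordinary plugins,
 *              and has no "Deactivate" link in the admin console.
 */

// Tip 5: keep core, plugins and themes current without waiting for a human.
// Minor core releases (security and maintenance) have auto-applied since
// WordPress 3.7; returning true from these filters opts plugins and themes in.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// The same effect for core can be had in wp-config.php with
//   define( 'WP_AUTO_UPDATE_CORE', 'minor' );
// and the built-in theme/plugin file editor (a door nobody needs open in
// production) can be removed from the console with
//   define( 'DISALLOW_FILE_EDIT', true );

// Tip 3: if the site does not need visitor comments, close that door for every
// post rather than relying on the per-post checkbox. Priority 20 runs after
// WordPress's own default handling, so this wins.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// Also flip the Discussion Settings defaults so new posts are created closed.
// Guarded so the option table is only written when something actually changes.
add_action( 'admin_init', function () {
    foreach ( array( 'default_comment_status', 'default_ping_status' ) as $opt ) {
        if ( get_option( $opt ) !== 'closed' ) {
            update_option( $opt, 'closed' );
        }
    }
} );
```

After dropping the file in place, the Updates screen should show core and plugins as auto-updating, and the comment form should disappear from every post.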

If you would like to talk with someone about hosting, or the pros & cons of a CMS vs a static website, or how to implement CMS security, please call us at 1-705-927-2308 or send email to .