by sonicanatidae 977 days ago
Let's not forget the horrific number and level of vulns identified in WordPress.

I manage a network of 300+ WordPress sites. These vulnerabilities, are they in the room with you now? I'm joking of course, but like Windows, WordPress is attacked because it's ubiquitous. Yet here I am running a network of 300 sites with over 600 different plugins and hundreds of themes over a span of almost a decade without major issue. How is this possible? Should I pick some obscure CMS instead? (aka security through obscurity). WordPress has served my clients well despite being "riddled" with security holes.
Similar experience. I just make sure I only put trustworthy plugins on the server and run updates in a timely manner and I have never had a problem.
Also, modern WP and WP from 10 years ago are very different beasts. Now most of the risk is in plugins, and if you're careful about plugins it all works okay, without security issues.
I've been deploying WordPress for 10+ years and would agree. WordPress is much safer and more mature; it's the plugins and sometimes the themes that are the problem now. But we monitor, and patch. No big deal.
It hasn't happened to mine, so it's all bullshit.

FTFY.

Quick, now tell us how secure Adobe products are.

"mine"

That critique would be fair if I was talking about my one WordPress site but I'm talking about hundreds, maybe even a thousand if you count sites I've built that came and went. It's a pretty decent sample size (IMHO) both for the number of instances but also the time period (10+ years). And it's also not 300 clone sites, each one was built unique, and each has their own mix of plugins & themes.

Unless you manage every WordPress site out there, you're biased.

YOU are a technical person and understand the value of updates, vetting plugins, etc., yet a majority of these sites aren't run by people like you/me. They are run by end users, with all of the baggage.

You have a point, to an extent. I wholly disagree with your stance on WP though. It's got issues, numerous issues, and a majority of the sites aren't professionally managed.

I don't understand your argument. Are you trying to suggest WP isn't safe or WP isn't easy?
Both.

You're worried about your fleet and that's great. I'm more concerned with the internet as a whole, and WordPress is just vuln after vuln.

I'm happy your systems are secure. That's great.

Unfortunately, that doesn't apply to the 1000s of installations done by amateurs, lax IT, etc. etc. that make the WP vulns a much bigger issue than the 300 you manage.

Manage on, friend.

I'd agree with you that WordPress core of 10+ years ago had constant security issues; now it's mostly in plugins, and even then, not as often.
I'd say WordPress is worst in class for security, compared with all other software and all operating systems. WordPress even has a hidden folder for hackers to put plugins that will not show to administrators, unless you go browsing the file system! I've never encountered any worse software than WordPress for security and usability, and I doubt it is just because of it being everywhere.

It is amazing how much time and effort in the world has been lost because somehow it became the standard.

Quality WYSIWYG editors and hosting tools will come back with a vengeance soon. As soon as austerity and efficiency returns to the economy.

Surprisingly I've run a handful of WordPress sites for 10+ years now, some with quite a few plugins for e-commerce stuff, and haven't had any issues with sites getting hacked.

I mostly think it's due to updating quickly; generally I update the next day and manage it all with a central service, and I just don't use unknown plugins that don't get updates.

I used to fix hacked WordPress sites; top causes were:

* Using a plugin written by someone who has no idea how SQL injection attacks work.

* Failure to update WP/plugins after a known security vulnerability.

* Poor general security practices. Tip: don't use your domain name with the "o"s replaced by "0"s. Also, don't create a secret backdoor into your site because the owner has trouble remembering his password.

* Your web host itself has been hacked (https://www.bleepingcomputer.com/news/security/godaddy-hacke...)
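The first cause above (a plugin author who does not understand SQL injection) is easy to show side by side. This is an added illustration, not code from the thread or from any real plugin; it assumes it runs inside WordPress, where `$wpdb` and the shortcode API exist, and the shortcode name `example_search` is made up.

```php
<?php
/*
 * Plugin Name: Example Search (constructed illustration)
 * Two versions of a shortcode that lists published posts whose title
 * contains a user-supplied "tag" query parameter.
 */

// VULNERABLE: the request value is concatenated straight into the SQL text,
// so whatever the visitor sends becomes part of the query, not data in it.
function example_search_vulnerable( $atts ) {
    global $wpdb;
    $tag  = isset( $_GET['tag'] ) ? $_GET['tag'] : '';
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE '%" . $tag . "%'";
    $rows = $wpdb->get_results( $sql );
    $out  = '<ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . $row->post_title . '</li>';   // also unescaped output
    }
    return $out . '</ul>';
}

// HARDENED: input is sanitized, the value is bound through $wpdb->prepare()
// (so it is always quoted as a string), LIKE wildcards are escaped so the
// visitor cannot widen the match, and output is escaped before rendering.
function example_search_hardened( $atts ) {
    global $wpdb;
    $tag = isset( $_GET['tag'] ) ? sanitize_text_field( wp_unslash( $_GET['tag'] ) ) : '';
    if ( '' === $tag ) {
        return '';
    }
    $like = '%' . $wpdb->esc_like( $tag ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = %s AND post_title LIKE %s LIMIT %d",
            'publish', $like, 20
        )
    );
    $out = '<ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'example_search', 'example_search_hardened' );
```

When reviewing a plugin before installing it, grep for `$wpdb->query`, `$wpdb->get_results` and similar calls and check that every one of them goes through `$wpdb->prepare()` or a WP query API rather than string concatenation.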

All good points. I've seen some sites with every plugin years out of date when I've helped friends with theirs, weak passwords, that sort of thing.

I've always done my own hosting too, just a minimal setup of nginx, php-fpm, and mariadb on a 1GB RAM VPS. That way I can keep the server side up to date with security patches, instead of relying on a webhost that may not do it.

Backups run nightly offsite, and I monitor the sites with Change Detection so if a plugin update does break something or in the worst case a site gets hacked, I know fairly soon and can either fix it or roll back to a backup.