[josefresco]

I manage a network of 300+ WordPress sites. These vulnerabilities, are they in the room with you now? I'm joking of course but like Windows, WordPress is attacked because it's ubiquitous. Yet, here I am running a network of 300 sites with over 600 deferent plugins and hundreds of themes over a span of almost a decade without major issue. How is this possible? Should I pick some obscure CMS instead? (aka security through obscurity). WordPress has served my clients well despite being "riddled" with security holes.

[jshwlkr]

Similar experience. I just make sure I only put trustworthy plugins on the server and run updates in a timely manner and I have never had a problem.

[Aloha]

also, modern WP and WP from 10 years ago are very different beasts. Now most of the risk is in plugins, and if you're careful about plugins - it all works okay, without security issues.

[josefresco]

I've been deploying WordPress for 10+ years and would agree. WordPress is much safer and mature, it's the plugins and sometimes the themes that are the problem now. But we monitor, and patch. No big deal.

[sonicanatidae]

It hasn't happened to mine, so it's all bullshit.

FTFY.

Quick, now tell us how secure Adobe products are.

[josefresco]

"mine"

That critique would be fair if I was talking about my one WordPress site but I'm talking about hundreds, maybe even a thousand if you count sites I've built that came and went. It's a pretty decent sample size (IMHO) both for the number of instances but also the time period (10+ years). And it's also not 300 clone sites, each one was built unique, and each has their own mix of plugins & themes.

[sonicanatidae]

Unless you manage every Wordpress site out there, you're biased.

YOU, are a technical person and understand the value of updates, vetting plugins, etc, yet a majority of these sites aren't run by people like you/me. They are run by end users, with all of the baggage.

You have a point, to an extent. I wholly disagree with your stance on WP though. It's got issues, numerous issues, and a majority of the sites aren't professionally managed.

[jshwlkr]

I don't understand your argument. Are you trying to suggest WP isn't safe or WP isn't easy?

[sonicanatidae]

Both.

You're worried about your fleet and that's great. I'm more concerned with the internet as a whole and Wordpress is just vuln after vuln.

I'm happy your systems are secure. That's great.

Unfortunately, that doesn't apply to the 1000s of installations done by amateurs, lax IT, etc. etc. that make the WP vulns a much bigger issue than the 300 you manage.

Manage on, friend.

[Aloha]

I'd agree with you that wordpress core of 10+ years ago had constant security issues, now, its mostly in plugins, and even then, not as often.

[carlosjobim]

I'd say WordPress is worst in class for security, compared with all other software and all operating systems. WordPress even has a hidden folder for hackers to put plugins that will not show to administrators, unless you go browsing the file system! I've never encountered any worse software than WordPress for security and usability, and I doubt it is just because of it being everywhere.

It is amazing how much time and effort in the world that has been lost because somehow it became the standard.

Quality WYSIWYG editors and hosting tools will come back with a vengeance soon. As soon as austerity and efficiency returns to the economy.