How vulnerable is WordPress as a platform compared to others?
It’s Monday again and as usual I’ll be putting my thoughts out there on a specific topic. As you can tell from the title, I’m going to attempt to explain how vulnerable WordPress is as a platform compared to others. Before I start discussing anything I need to say one important thing: if your server is hackable, no security plugin or feature can protect you, so make sure that your hosting company has its own set of security tools and features at the server level.
Like any piece of software, WordPress has vulnerabilities. You can glance through these via the public CVE details listed at https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/. To be perfectly clear, the sheer number of vulnerabilities listed doesn’t mean that I think WordPress is more vulnerable than other platforms like Joomla or Drupal. Honestly, WordPress is more secure simply because it is constantly being updated by the team behind it.
As with any other platform, WordPress can be extended using plugins, which can be free or paid. The same applies to the theme you use. Now, here’s the thing: you most likely are not the developer of your website, nor of any theme or plugin used on your site. As such, the only thing you can do to stay as secure as possible is to keep the themes and plugins, as well as the core platform, updated, just like you do (I hope) with your computer at home. My point here is that when any developer hands over your website, make sure you ask them for a maintenance plan so that when WordPress, or any plugin or theme, releases an update, they can handle it for you. Always remember to ask for a report that proves maintenance is actually being done. Always make sure to ask your developer whether any premium plugins or themes are being used and, if so, whether these will always be yours or licensed to you, and whether they will be updated for the lifetime of your website.
Here are some statements that should raise red flags if your developer uses them:
- “Never update your website because the special functionality will break.” This might be true, but he/she should fix the functionality whenever the core, plugins or themes are updated, since the update most likely patches a security hole or adds new features to the platform itself.
- “You don’t need an SSL certificate since you aren’t selling products on your website.” He or she is wrong, because SSL has become mandatory since January 2017, as shown here: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html. Also, most good hosting companies offer free SSL certificates via the free service called Let’s Encrypt. So why not have one?
- “I can’t send you a report showing what has been done in regards to maintenance since it’s too technical to explain.” This is not true, since there are services like ManageWP that can generate human-readable reports regarding updates, vulnerabilities, performance and many more things which I am not going to get into right now.
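The maintenance plan and the “too technical to report” excuse above both come down to one question: is anything on the site waiting for an update? As an added example (not part of the original post, and not ManageWP’s or WordPress’s own code), here is a small POSIX shell script around WP-CLI that prints exactly that list in plain language. It assumes the `wp` command is installed and run from the WordPress root, and that `wp plugin list` / `wp theme list` are called with the `--fields=name,version,update,update_version --format=csv` options shown, so the CSV parser below sees those four columns.

```shell
#!/bin/sh
# Added example: a plain-language "what is waiting for an update" report
# built on WP-CLI. Assumes `wp` is installed and the script runs from the
# WordPress root directory.

# Read CSV (name,version,update,update_version) on stdin and print one line
# per component whose update column says "available". First argument is a
# label such as "plugin" or "theme" so both lists can share one parser.
pending_from_csv() {
    label=$1
    awk -F, -v label="$label" 'NR > 1 && $3 == "available" {
        printf "%s %s: %s -> %s\n", label, $1, $2, $4
    }'
}

# Count report lines on stdin; 0 means nothing is pending.
count_pending() {
    wc -l | tr -d ' '
}

# Live report: core status first, then every plugin and theme with a pending
# update. Empty output after the core line means the site is fully current.
maintenance_report() {
    # WP-CLI prints either a table of newer versions or a success message.
    wp core check-update 2>/dev/null
    wp plugin list --fields=name,version,update,update_version --format=csv 2>/dev/null \
        | pending_from_csv plugin
    wp theme list --fields=name,version,update,update_version --format=csv 2>/dev/null \
        | pending_from_csv theme
}

# Uncomment to run the live report, e.g. from a daily cron job:
# maintenance_report
```

Piping the report output into `count_pending` gives a single number that a cron job can alert on, which is the proof of maintenance the post asks for without any vendor tooling.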
Lesson Learnt: WordPress is only as vulnerable as any other platform. You can stay relatively safe by keeping everything updated and by making sure that your hosting company has its own set of security tools and features at the server level.
If you have any questions, feel free to email me at firstname.lastname@example.org