According To WPEngine WordPress Is Secure

It’s time to clear up the debate once and for all. Despite all the doubts (and some haters), WordPress core is without a doubt one of the most secure platforms you can choose to put a site on. Of course, a WordPress install is only as secure as the plugins it leverages — but that’s another post for another time.

That pretty much sums everything up but I highly encourage you to read the entire post as Jason Cosper brings up a number of good points that illustrate just how secure the core of WordPress is. Outside of the big brute force attacks on WordPress sites which really had nothing to do with the security of WordPress, I can’t remember the last time I updated due to a critical security vulnerability in the core. There are so many variables that are sometimes out of the control of the end-user. Unfortunately, all too often, webhosts put the blame on software such as WordPress when the real issue is their server setup.

Check out this comment from Mark Jaquith in 2011, in response to someone claiming that running WordPress was akin to running Windows 95 without patches, as comical as that sounds.

4 Comments


  1. The state of shared web hosting security is grim. Customers need to demand better. It’s not an unsolvable problem. Hosting companies have just mostly been competing with a race to bottom-barrel pricing. When you’re paying $5 a month for hosting, three things will usually suffer: Stability, Security, and Support.

    I maintain that shared hosting, by and large, is a disaster waiting to happen. And the funny thing is, you can get a solid VPS on the cheap now. The host I recently switched to, Digital Ocean, has a plan that only costs $5/month. Five dollars a month will get you a box, a virtual machine that’s properly walled off from other customers, with 512MB of memory, 20GB of space on an SSD and a higher monthly data transfer quota than the vast majority of sites would use in a year. RamNode has similarly attractive pricing.

    All it takes is a tiny amount of Linux knowledge and you can install an nginx+php+mysql stack and be up and running in a couple hours.

    There’s really no reason for someone to subject themselves to the horrors of shared hosting.

    Report


  2. Well, why isn’t their an industrial strength validator for plugins??? I have had many of my WP sites wrecked over and over by those exploits. The only way I can run WP now is with no plugins whatsoever. It’s boring but it’s the only way I can keep out the pirates. I use 1-and-1.com so there are no “server configurations” I can monkey with. I only get to choose my PHP level and that’s all folks.

    Report


  3. I agree that the WordPress core is as secure as you can get. I use many premium plug-ins and to date I’ve had no hassles. I guess it all boils down to where you get your plug-ins from and to always keep them updated to the latest version.

    Report


  4. @redwall_hp – I agree with your sentiments on shared hosting. I’ve had my fair share of horrific experiences with shared hosting but for the past few years, I guess I would consider myself lucky with HostGator. Outside of yesterday, I’ve experienced little in the way of issues with them. I pay about $120 a year for my hosting plan. Meanwhile, you’re talking about $70 bucks a year. However, that little bit of Linux knowledge needed is a barrier. I went down the VPS road awhile ago but all that ended up happening is the box became compromised soon after it went online because I had no clue as to what I was doing. I learned that if whatever I’m using is not managed, I don’t want to mess with it.

    @Victor R. Volkman – I’m curious as to which plugins you’ve been using? Plugins are one of the reasons why so many people love using WordPress so it sucks to you subject yourself to the inability to extend your installation. When you say wrecked, what happened?

    @Mark – I use a couple of commercial plugins here on this site but I also use about 20-25 free ones. In the past few years, I’ve not had any issues thanks to automatic plugin updates when a security issue is discovered.

    Report

Comments are closed.