Banking on WordPress: Matt Mullenweg Weighs in on Security Concerns

photo credit: Will Montague - cc
photo credit: Will Montaguecc

If you follow WordPress topics on Quora, you may have noticed a popular question making the rounds regarding security. The question has been viewed more than 30,000 times:

I am powering a bank’s website using WordPress. What security measures should I take?

Ordinarily, such a question is a magnet for trollish responses and uninformed WordPress bashing. However, this time Quora users were delighted to find that Matt Mullenweg, co-creator of WordPress, dropped by to offer an answer to the question.

Following a barrage of anti-WordPress remarks from other users, Mullenweg chimed in to clarify how WordPress can be used successfully in the banking industry.

I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.

He follows it up with two simple tips for keeping WordPress secure, including making sure the software is updated diligently, and using strong passwords for all user accounts. Mullenweg also solicited examples of WordPress-powered bank websites on his post highlighting his Quora response, and several commenters provided links to their work.

WordPress is often singled out for security concerns, given its high profile and dominant CMS marketshare. The platform is also regularly the target of hackers looking to maximize the return on their efforts. According to Mullenweg, WordPress’ security boils down to how you deploy it:

As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.

In other words, the security of a WordPress-powered banking website depends entirely on whether or not its developers have the necessary security expertise to manage the technology in a responsible way.

Even with all of the negative reactions to the Quora question, the other answers are important to consider, as it offers a window into how people perceive WordPress. Battling negative perceptions about security is one of the biggest challenges facing the platform today.

The recent rash of security vulnerabilities popping up in some of WordPress’ most popular plugins has exposed the need for better education on basic security measures, such as regularly updating your software. Hopefully, a few words of clarification from the project’s co-founder can go a long way towards building consumer confidence.

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let's discuss your ideas.

6 Comments


  1. It’s nice to have the project’s co-creator step in every once and awhile and set the record straight on a few things.

    Report


  2. As Matt says, if you keep your site up to date and password strong, it will be reasonably secure, its funny how people usually expect security to be a highly involved technical process, instead of just something simple like updating software.

    Report


  3. Matt is a stellar ambassador for our community. Dude is legit.

    Report


  4. Matt was 100% correct. There is no reason why if done correctly, WordPress couldn’t be used to promote a bank’s efforts. With other mainstream heavyweights using the platform, the system has proven itself as a viable choice. We do have to fight security issues (and mis-perceptions), however to make sure it is continued to be utilized.

    Report


  5. What continually amazes me is how many “businesses” are willing to spend money on SEO services, but are unwilling to spend money to maintain their websites and keep software up to date. Then everyone is surprised to find out their website has been hacked/defaced.

    Report

Comments are closed.