Salty Key specializes in building custom WordPress websites for its clients. WordPress is a powerful web content management system (CMS) that is used by over 25% of all existing websites. What started out as blogging software now powers some of the largest companies online, like Sony Music, Walt Disney Corp., The New Yorker, and countless more.
Unfortunately, there’s a false narrative that WordPress sites are more at-risk than other platforms. First, let’s address some of the most common security concerns people have with WordPress websites.
- As an open source web software, WordPress sites are more vulnerable to exploits than proprietary systems since hackers can see the core files. This is especially true for outdated versions of WordPress, where hackers can also see what security changes were made in the latest version. The same holds true for any outdated plugin or theme. According to WPScan, there are 4,233 known WordPress vulnerabilities — and over half of these (52%) come from plugins. Even the FBI has warned webmasters about potential attacks resulting from outdated plugins.Every site developed by Salty Key is built to the latest version of WordPress and all plugins used on the site, and every site we develop is maintained for the following three months. Keeping WordPress files updated is your best defense against attacks, yet over 60% of all current WordPress installations are running outdated versions of WordPress as of February 2016.
- Another concern people have is the idea that WordPress sites are targeted by hackers more often than other sites. WordPress powers 39% of all existing websites that use a CMS; the next-highest is Drupal at just 9%. Hackers target WordPress because of its popularity, not because it’s more vulnerable to attack by design.
How else does Salty Key protect my website?
Salty Key protects its websites with WordPress security software that defends against a variety of attacks, including brute force attempts, cross-site scripting (XSS), and SQL injections. We’ll also receive advance warning of any possible server exploits (the majority of attacks on the web are via server vulnerabilities) and spam traffic visiting the site. We maintain an active blacklist of known spammer IPs and are quick to block any traffic that looks suspicious. (When bots are searching your site for vulnerabilities, they’ll repeatedly generate 404 errors and consume a ton of bandwidth — two telltale signs of malicious activity.)
Many issues that plague WordPress sites today are easily avoidable, but website owners sometimes underestimate how susceptible they are to attack. Some of the biggest misconceptions regarding web security:
So what should you look for? A good web host runs a server-level firewall to filter and block malicious traffic before WordPress even loads. A good host also offers malware scans/removal and securely stored backups (database and website files). Beyond that, some hosts will provide preventative measures when WordPress is installed, such as changing the database table prefix (i.e. NOT the default “wp_”).
What’s the sign of a bad host? You don’t want a host that runs an outdated version of PHP or MySQL. You don’t want a host that jams as many sites as it can on a single server (for both security and speed reasons). You don’t want a host that can’t patch its servers quickly in the event of an attack. You don’t want a host that won’t help you restore a backup or whitelist your IP (if it gets blacklisted), or doesn’t have failover hosting in the event of a server outage or attack.
Automated attacks allow spammers to target thousands of sites simultaneously. If customers can find your site, so can hackers.
We’d also like to mention that Salty Key provides a complete backup solution (including database and disk files) for all sites, in addition to any host-generated backups.
Should I worry about using WordPress for my website?
Absolutely not. With proper security measures, WordPress is as secure as anything on the web. Any site, no matter what CMS you use, is subject to security concerns. Drupal experienced a zero-day exploit in 2014 (dubbed “Drupalgeddon”) that affected all versions of Drupal 7. Joomla! also experienced a zero-day exploit just a few months ago, and discovered another vulnerability that affected all versions of Joomla! released over the last eight years.
This page isn’t meant to scare you, but it is meant to highlight the importance of web security. WordPress is the perfect solution for business websites because of its ease of use, deep library of plugins and extensions, and ability to be updated without the need for HTML-editing software. WordPress issues frequent updates to the core software, ensuring maximum compatibility with all major browsers and quickly addressing any security exploits.
And, yes, there are sometimes security concerns. Our job is to make sure you don’t have to worry about them.