“You love security and you use WordPress?!?!”
This is the common comment I hear from many people. It is surely driven by the many news stories we have heard over the years about security holes in one of the most popular CMSs, with hacked sites all around the world. I see the same negative attitude toward other widespread web applications like Joomla or Drupal.
This is the main argument pushed by vendors of custom or commercial applications.
But are you sure this reasoning is the right one?
An application like WordPress has a huge number of deployments around the world. This means a single bug or security flaw can affect thousands of sites and users, and it will probably make a lot of noise in the news, but it does not mean there are more problems than in other custom or commercial software. Think about your own application, not about the effects a bug or vulnerability can have at a global level. When your site is vulnerable, who cares if millions of other sites have the same problem: your site is compromised, and that is enough. From this perspective, if your application has a vulnerability, it makes no difference whether it is a custom application and you are the only one with the problem, or you share the same vulnerability with millions of other people. If anything, in the second scenario the vulnerability has more chances of being discovered and fixed in a very short time, while if somebody is exploiting a vulnerability in your custom application you probably won’t realize it for a very long time.
“But my custom application is unique; you need lots of time and a very specific focus to discover any vulnerability.” This is deeply false: 90% of custom application vulnerabilities are really similar to each other, and they can be discovered with standard security tools. Some of them are quite tricky, but the largest number were discovered without investing much time studying the target application.
Let’s look at the pros and cons of these commonly used applications.
Pros:
– they are open source products, which means a large community of developers contributes to improving the software and quickly fixing any problems.
– the code is public, so lots of people read it and report issues to the developers before they become real problems.
– a large number of users continuously use and test these applications, bringing possible issues to light.
Cons:
– They include, by design, the editor and the publisher in the same public application. This simplifies users’ lives, but it is not a secure approach. With two different applications you could enforce stronger security policies on the editor part, perhaps placing the two pieces of software on different servers, with the editor hidden from the publisher to protect it.
– there are people spending time discovering vulnerabilities in this software with malicious intentions, because in the end it is a good investment, but they are far fewer than you might imagine.
– there are many more people ready to use these discovered vulnerabilities against sites that are not updated, and this is the main problem. Somebody with very little experience can follow basic instructions found on the Internet to test a published vulnerability against your site, without being a deeply experienced hacker. These instructions become a weapon in the hands of anybody able to use a PC, which means a very large audience with a multitude of motivations.
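One way to realize the “editor hidden from the publisher” idea above on a single server, as an added nginx example that is not part of this post: the same WordPress tree is served publicly, but the login page, dashboard and XML-RPC entry points are reachable only from an assumed editor network. The hostname, install path, PHP-FPM socket, certificate paths and the 10.0.0.0/8 range are placeholders; splitting onto two separate servers, as the post suggests, is the stronger variant and is not shown here.

```nginx
# Public (publisher) vhost serving the WordPress tree.
server {
    listen 443 ssl;
    server_name www.example.com;              # placeholder hostname
    root /var/www/wordpress;                  # placeholder install path
    index index.php;                          # so /wp-admin/ resolves to index.php
    ssl_certificate     /etc/ssl/example.crt; # placeholder
    ssl_certificate_key /etc/ssl/example.key; # placeholder

    # Front-end features (themes, plugins) call admin-ajax.php anonymously,
    # so this one file under wp-admin must stay public.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    # Editor entry points: login form and the whole dashboard.
    # Only the editor network may reach them; everyone else gets 403.
    location ~ ^/(wp-login\.php|wp-admin/) {
        allow 10.0.0.0/8;                     # placeholder editor network
        deny  all;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # XML-RPC is another remote editing interface; disable it when unused.
    location = /xmlrpc.php { return 403; }

    # Normal public traffic.
    location / { try_files $uri $uri/ /index.php?$args; }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check the result from outside the allowed range: `/wp-login.php` and `/wp-admin/` should return 403 while `/wp-admin/admin-ajax.php` and the front page still work.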
In the next posts we will see how to protect the editor part of your WordPress.
But the most important point is keeping your open source application updated (the same goes for any commercial one).
It sounds somewhat trivial, but everyone with a little experience with WordPress knows how problematic it can be. WordPress is so widely used partly thanks to the large number of themes, widgets, plugins, customizations and so on. These external components are often the reason your site is no longer compatible with an update, or the reason an update could potentially break your site.
Software updates are mandatory and frequent. Be prepared!!
Try to plan the actions needed to apply these updates: reduce the number of external components and deep customizations, and be ready to switch your site’s theme to something different in case of problems.
Bottom line: think about your needs. Maybe these open source applications do not fit your requirements for scalability, approval processes, content control or standardization, but do not passively accept the idea that this software is less secure than any commercial or custom application. It simply is not true.