– ‘I was told by another developer that WordPress is not good in terms of security.’
– ‘Well, that is not the case…’
That is a recurring conversation I need to have with potential clients. No, WordPress does not present greater security risks than other CMSes. It is well maintained by an active community of users and developers who report security risks and release security patches in a flash.
Why do we keep hearing about security issues with WordPress then?
1. The objective, mathematical reason
It’s probably true that there are more WordPress websites hacked than other websites. But there’s a simple reason for that, which is NOT that WordPress is vulnerable. The fact is that there are many more WordPress websites out there than websites based on other CMSes. See http://trends.builtwith.com/cms: the first chart on that page is a pie chart showing the proportion of CMSes used in the top million websites. As you can see, WordPress takes well over 50% of the distribution on its own.
WordPress is also easy to use and profusely documented.
These two facts have two important consequences:
1.1. Pretty much anyone can install and set up a WordPress website, including users with very limited awareness of good security practices. The majority of WordPress site hackings are due to poor password choices, failure to update WordPress and its plugins, or the use of ‘one-click’ installs that typically use default or predictable settings. That means there are many WordPress websites that are USED in a way that makes them vulnerable to attacks.
1.2. If there are so many WordPress websites out there, it’s more interesting for hackers to invest time learning to crack WordPress than other CMSes.
2. The cultural/emotional reason
I think flagging security issues just sounds smart.
Levels of ignorance about website security being equal, the person who declares there are security risks tends to be taken more seriously. It is also somewhat flattering for the client: ‘ah, I’m at risk of being hacked because my data is so valuable…’ In other words, it can be an easy sales (pseudo-)argument.
Conclusion: don’t worry! You’re in good hands.
WordPress is no riskier than any other CMS. On the contrary, I think it is so well-maintained that there might be fewer security issues with it.
If you are hesitant about going ahead with a WordPress website, simply make sure that you are using a developer who knows what she is doing and that you receive good advice about maintaining it. It would be a pity to miss out on all the great WordPress features because of a rumour!