科技回声 (Tech Echo)
A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

WordPress Core is Secure

24 points, by austingunter, about 12 years ago
It's time to clear up the debate once and for all. Despite all the doubts (and some haters), WordPress core is without a doubt one of the most incredibly secure platforms you can choose to put a site on.

13 comments

carbocation, about 12 years ago
Fundamentally, "X is secure" has no meaning (to me, a non-expert in any security field). If it's a term of art, so be it, but make it clear you're using it as a term of art. In the absence of that, I think "X is secure" only makes sense in comparison to other things, not as a standalone statement.

What is Wordpress as secure as? This is a flabbergastingly empirical question that could be tackled on different fronts. It hinges on which way(s) you define security.

Is security based on the number of users of your application? (I would dismiss that outright, but the author uses it as evidence.)

Is security based on the number of publicly disclosed vulnerabilities as compared to competitors?

Is security based on some formally-definable metric that can be created by examination of the code itself?

Is security based on some financial guarantee from the backers of an application?

In the end, I understand that this is a puff piece and so I shouldn't read too much into the article. But saying "X is secure" actually doesn't make it so.

(Note that I'm not saying that I think WP is or is not insecure; I just don't feel any better qualified to make that assessment after reading this article.)
Comment #5679735 not loaded
Comment #5678184 not loaded
tptacek, about 12 years ago
If you say so.

Everyone else: if you can avoid it, don't run Wordpress. You can run a safe Wordpress site, but you do it the same way you drive fast without a seatbelt: by playing the odds.
Comment #5676757 not loaded
cheald, about 12 years ago
This is a pretty poor strawman of an argument. Wordpress Core may be secure, but it's also not what people deploy. Nobody uses "Just Wordpress" - you have to use a custom theme and a half-dozen plugins just to get a basic Wordpress install into a usable shape, and therein lies the problem - the number of Wordpress installs compromised through these "necessary" plugins is staggeringly huge.

Until that stops being a problem, "Wordpress The Product That Has 64 Million Installs" cannot be considered secure, even if wp-core is the most secure product ever written.
Comment #5676650 not loaded
Comment #5676593 not loaded
heydonovan, about 12 years ago
Here is my opinion on that matter. As part of the security team at WP Engine, it's not only my job to educate our users on how to better stay secure, but also to figure out why their site was compromised in the first place. The majority of the time, it's because of some out-of-date plugin that I've never even heard of. Simply searching for "plugin + version" in Google brings up publicly known exploits.

The hardest issue will be keeping WordPress Core up to date. It's easy if you have one website, but if you're managing hundreds, it's going to be a pain to update each manually, or even through Git/SVN. I do agree, though, that WordPress needs to have an "automatic update" feature for both core and plugins. Personally, I would rather have a broken site than a compromised one. Both scenarios will require work to fix anyways. Our latest deployment of WordPress only broke a handful of websites (I only remember working on about 4 sites that actually had to roll back to a previous version of WordPress). That's pretty impressive.
Comment #5676878 not loaded
smacktoward, about 12 years ago
The problem with this argument is simple: to stay secure, you have to keep WordPress core current with updates. And the only way to apply updates is for an administrator to apply them, either through the admin backend or directly through the filesystem.

The vast, vast, vast majority of WordPress users are not that diligent about doing this, and their hosts don't do it for them. So they just sit on whatever version they happened to be running when they first set up the site for years. I do a lot of consulting work on WP sites and see this all the time.

So while I would be the first to agree that the WP core team has gotten much, much better about writing secure software, until there's a way for that software to stay secure when used as average users use it, it will never be truly secure.

There is a market for WP hosts who will take this administrative burden on for you in exchange for costing you more -- WPEngine is a big player in that market. But I'm at the point now where I think the only way forward is for WP to just update itself automatically when updates are released, no user intervention required. It's not acceptable for security to be something you only get from a few high-priced hosts; most people will never use those hosts. It needs to be secure for everybody, including those who run it on commodity shared hosting run by semi-competent admins, as long as "runs great on commodity shared hosting run by semi-competent admins!" is a selling point for the software.

EDIT: They illustrate this problem right in the post!

"WordPress users must be responsible for their own security, maintain strong Passwords, and keep plugins and themes up to date, as well as WordPress itself."

How many decades of experience with non-technical users will it take to get us to understand that they just don't do that stuff? They don't maintain strong passwords. They don't run updaters. All that stuff that the post puts on their shoulders is stuff we know for a fact that many (most?) of them will never even think of doing.

If you know that's the audience for your software, and you don't design it to be secure when used as you know that audience will use it, the responsibility for the eventual hacks is as much yours as theirs.
Comment #5676627 not loaded
Comment #5676670 not loaded
mixedbit, about 12 years ago
The problem is that security is not a feature. It cannot simply be added at some point if the software was not designed with security in mind.

For example, if authorization code is spread all over the code base and mixed with business logic, no patching will make this secure; at some point problems will emerge again.

I'm not saying WordPress is not secure, because I don't know its architecture. But the argument that after a few critical vulnerabilities had been fixed no more were discovered does not convince me. A better argument would be to actually explain the WordPress architecture and why it is a good base for a secure system.

For example, the Ruby Rack architecture is in my opinion a wise design from a security perspective, because it allows security-critical pieces to be nicely isolated from business logic.
Comment #5676784 not loaded
calhoun137, about 12 years ago
Wait, isn't WordPress insecure?
Comment #5676644 not loaded
arrowroot, about 12 years ago
Great post! "Up to date software is secure. Out of date software is a target." - this is true of operating systems too (like Windows and Apple). If you're running an old version of Windows... good luck.
Comment #5676514 not loaded
Comment #5676555 not loaded
alinajaf, about 12 years ago
Pertinent Bruce Schneier quote:

Anyone can invent a security system that he himself cannot break. I've said this so often that Cory Doctorow has named it "Schneier's Law": When someone hands you a security system and says, "I believe this is secure," the first thing you have to ask is, "Who the hell are you?" Show me what you've broken to demonstrate that your assertion of the system's security means something.

http://www.schneier.com/blog/archives/2011/04/schneiers_law.html
snowwrestler, about 12 years ago
Out of the box, Wordpress is configured to allow itself to overwrite its own application files -- either via the GUI update process, or via the GUI theme editor. This means almost any exploit can result in arbitrary PHP code execution -- which can have many nasty results all over your server.

A CMS application should not be able to write arbitrary PHP code to the server under any circumstance. It's possible to configure Wordpress this way, but that is the exception, not the rule.
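The configuration snowwrestler calls "the exception" and the update tension smacktoward raises both come down to two `wp-config.php` constants and filesystem ownership. The must-use plugin below is an added example written for this thread, not code from WordPress or from any commenter: it reports, from inside a running install, whether the PHP process can still rewrite its own code. `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS`, `ABSPATH`, `add_action`, `current_user_can`, `esc_html` and the `admin_notices` hook are real WordPress names; `SELF_MOD_AUDIT_DIRS`, `self_modification_findings` and the `wp-content/mu-plugins/` drop location (the default path) are this example's own choices.

```php
<?php
/**
 * Added example for this thread (not WordPress core code): a must-use plugin that
 * reports whether this install can rewrite its own PHP files.
 * Install by copying it into wp-content/mu-plugins/ (assumed default mu-plugin path).
 */

// Directories that hold executable PHP. If the web server user can write here, any
// file-write or code-execution bug in a plugin can be turned into persistent code.
// Constant name is ours, not a WordPress constant.
const SELF_MOD_AUDIT_DIRS = ['wp-admin', 'wp-includes', 'wp-content/plugins', 'wp-content/themes'];

/**
 * Return a list of human-readable findings; an empty list means the install
 * cannot modify its own code from PHP (the hardened configuration).
 */
function self_modification_findings(): array {
    $findings = [];

    // DISALLOW_FILE_EDIT removes the in-browser theme/plugin file editor from wp-admin,
    // the "GUI theme editor" path mentioned in the thread.
    if (!(defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT)) {
        $findings[] = 'DISALLOW_FILE_EDIT is not true: the GUI theme/plugin editor is enabled.';
    }

    // DISALLOW_FILE_MODS additionally blocks plugin/theme installs and core updates
    // started from PHP, including automatic updates. Set it only when updates are
    // applied out of band (deploy pipeline, WP-CLI, OS package manager), otherwise
    // the install goes stale, which is the failure mode smacktoward describes.
    if (!(defined('DISALLOW_FILE_MODS') && DISALLOW_FILE_MODS)) {
        $findings[] = 'DISALLOW_FILE_MODS is not true: PHP can install and update code through the GUI.';
    }

    // Constants only disable WordPress features; the real guarantee is that the PHP
    // process user cannot write to code directories at all. ABSPATH ends with a slash.
    foreach (SELF_MOD_AUDIT_DIRS as $dir) {
        $path = ABSPATH . $dir;
        if (is_dir($path) && is_writable($path)) {
            $findings[] = $dir . ' is writable by the PHP process user.';
        }
    }

    return $findings;
}

// Show the findings to administrators on every wp-admin page and mirror them to the
// PHP error log so a monitoring pipeline can pick up a regression after a deploy.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    foreach (self_modification_findings() as $finding) {
        error_log('[self-modification audit] ' . $finding);
        echo '<div class="notice notice-warning"><p>' . esc_html($finding) . '</p></div>';
    }
});
```

The writability check is only meaningful when run as the same user that serves requests (the php-fpm or Apache user), since `is_writable()` answers for the current process. The configuration this audit passes on is the one where a separate deploy user owns the code, the web server user has read-only access to everything but the uploads directory, and updates arrive through that deploy user on a schedule; that keeps the update cadence smacktoward asks for without leaving the self-overwrite path snowwrestler describes open.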
astrodust, about 12 years ago
Does WordPress have a pwn2own-style event? That would prove this more effectively.
Comment #5676641 not loaded
jmcvearry, about 12 years ago
Great read and excellent clarity brought to the subject.
mikezielonka, about 12 years ago
Super secure!!!!!!!!!!!!!!