Why Most Stories About WordPress Security Are Wrong

I have often heard the remark “WordPress is insecure!”
My response is “Where did you hear that?” and “When did you hear that?”

WordPress Is the Most Popular Content Management System on the Planet.

My first question, “WHERE did you hear that?” is a very important question.

As of this writing, “WordPress powers roughly 18% of the top 10 million websites on the planet, making it the most widely used CMS in the world. The next largest CMS is Joomla, with 3% of the top 10 million sites, and followed by Drupal at 2%.” [1] [2] [3]

That’s a lot of websites running WordPress! This popularity and widespread usage means that WordPress has a much higher profile than other Content Management Systems (CMS). [4] [5]  A larger install base means a larger target for attackers looking for low-hanging fruit.

The popularity of WordPress brings with it inaccurate or ill-informed attention from journalists and bloggers. Many of those who report on technology matters are not security experts, and often they lack a thorough understanding of the issue. A reporter saying “WordPress is pretty easy to hack” in reference to a scripted brute force attack against weak passwords, does not make it so.

The high profile nature of WordPress solicits the attention of security firms who may have an interest in attracting new customers to a product they offer. By issuing vague security white papers directly to the media, these firms might demonstrate that they are more interested in public relations and “free ink” than actually benefitting the WordPress community.
Continue reading Why Most Stories About WordPress Security Are Wrong