
The Double-Edged Sword of WordPress

WordPress is a great platform for building many different types of web sites. In fact, we use WordPress for our own site and for most of our clients’ sites. WordPress is so popular that many hosting providers offer a “one-click install” feature, allowing just about anyone to set up a basic WordPress site in minutes. What is often not talked about is how equally easy it is for a novice WordPress administrator to get into trouble.

Let’s start with an overview of how the WordPress platform is designed. The main WordPress software itself (also called the “WordPress core”) is maintained by a small team of core developers who follow documented coding standards and a review process. Anyone can submit contributions to the WordPress core, but every change must be reviewed and approved by a core committer before it is released to the public. This reduces the amount of bad code that makes it into the software, though it does not eliminate it.

In addition to the built-in core functionality, WordPress can be extended with themes and plugins. Themes are typically used to change the look and feel of a web site. Plugins are typically used to add functionality to the WordPress administration interface, to the public site, or both. Most themes and plugins are not written by the core WordPress developers, and they go through a much less stringent release and review process; code in a plugin runs with the same privileges as WordPress itself, so a bug there is just as serious as a bug in core.

Anyone, anywhere in the world, can write a plugin or theme and publish it for others to use. While many plugins and themes are written by knowledgeable, experienced developers who produce well-constructed code, others are written by people with little or no web programming or WordPress experience. Code from inexperienced developers is far more likely to contain Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), SQL Injection, and similar vulnerabilities. All of these are dangerous: they can lead to your web site being hacked, deleted, or defaced, and to your customer information being stolen.
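To make the three vulnerability classes above concrete, here is an added illustration of a minimal plugin form handler written two ways. It is example code written for this post, not a real plugin and not code from the original article; the plugin name, the `example_notes` table and its `title` column are assumptions. The first handler has all three holes; the second closes each one with the WordPress core functions meant for the job.

```php
<?php
/*
Plugin Name: Example Notes (hypothetical plugin for illustration only)
*/

// Hypothetical table; assumes `{$wpdb->prefix}example_notes` with a `title` column exists.
function example_notes_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_notes';
}

/*
 * VULNERABLE: the admin_post_{action} hook only requires that *some* user be logged in.
 *  - CSRF: no nonce, so any site a logged-in admin visits can submit this form for them.
 *  - SQL Injection: $_POST['title'] is interpolated straight into the query.
 *  - XSS: the same value is echoed back to the browser unescaped.
 */
function example_notes_save_insecure() {
    global $wpdb;
    $title = $_POST['title'];
    $wpdb->query( "INSERT INTO " . example_notes_table() . " (title) VALUES ('$title')" );
    echo "Saved note: $title";
}
add_action( 'admin_post_example_notes_save_insecure', 'example_notes_save_insecure' );

/*
 * HARDENED: same feature, each hole closed.
 */
function example_notes_save_secure() {
    global $wpdb;

    // Authorization: being logged in is not enough; require a specific capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // CSRF: the form must carry the nonce emitted by wp_nonce_field() below;
    // check_admin_referer() terminates the request if it is missing or invalid.
    check_admin_referer( 'example_notes_save', 'example_notes_nonce' );

    // Input handling: strip WordPress's added slashes, then sanitize to plain text.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( '' === $title ) {
        wp_die( 'Title is required', '', array( 'response' => 400 ) );
    }

    // SQL Injection: parameterise with $wpdb->prepare(); %s is quoted and escaped by WordPress.
    // ($wpdb->insert() with a format array is an equivalent, shorter option.)
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO " . example_notes_table() . " (title) VALUES (%s)",
        $title
    ) );

    // Redirect back rather than echoing user input; the form below escapes it on output.
    wp_safe_redirect( add_query_arg( 'saved', rawurlencode( $title ), admin_url( 'admin.php?page=example-notes' ) ) );
    exit;
}
add_action( 'admin_post_example_notes_save_secure', 'example_notes_save_secure' );

// The form that posts to the hardened handler. wp_nonce_field() emits the token that
// check_admin_referer() verifies; esc_url()/esc_attr() encode everything on output (XSS).
function example_notes_form() {
    $saved = isset( $_GET['saved'] ) ? sanitize_text_field( wp_unslash( $_GET['saved'] ) ) : '';
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_notes_save_secure">
        <?php wp_nonce_field( 'example_notes_save', 'example_notes_nonce' ); ?>
        <input type="text" name="title" value="<?php echo esc_attr( $saved ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

The point of the pairing is that none of the fixes are exotic: a capability check, a nonce, `$wpdb->prepare()`, and `esc_*()` on output are all standard core APIs that a plugin author is expected to use. When evaluating a plugin, grepping its source for raw `$_POST`/`$_GET` in queries or `echo` statements is a quick first signal of how carefully it was written.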

For those reasons, it is important to follow these tips when setting up your own WordPress installation:

  • Even though the core WordPress software is held to a higher standard than themes and plugins, it can still contain bugs and security vulnerabilities. Always run the latest version of WordPress and check for updates at least once a week. Since WordPress 3.7, minor and security releases install automatically in the background by default and the site administrator is emailed afterwards; major releases are announced by email and in the dashboard and must be applied manually unless you enable automatic major updates.
  • Choose themes and plugins that are mature (in use for at least a year), widely adopted (installed by at least 10,000 sites), and actively maintained (updated at least once every 3 months, and marked as tested with a recent WordPress version in the plugin directory). Always run the latest versions so that known bug fixes are in place. There is typically no email notification for theme and plugin updates, so check for them manually at least once a week, or enable the per-plugin automatic updates that WordPress has offered in the dashboard since version 5.5.
  • Any web site that contains a login area should be served over HTTPS with a valid TLS certificate. Even if your public-facing web site does not require usernames and passwords, your WordPress administrator interface does. Without HTTPS, your administrator username, password, cookies, and session tokens can be captured by third parties, especially on public wireless networks. Installing the certificate is only half the job: the admin area and login page must actually be forced onto HTTPS (the FORCE_SSL_ADMIN setting in wp-config.php does this), otherwise an administrator who types a plain http:// address still logs in in the clear. We recommend HTTPS on every new web site you set up. In addition to the security benefits, you may also receive a slight SEO ranking boost.
  • Do not use the default username “admin”; it is the first account name that automated login-guessing tools try. Choose your own unique username, and a password that is long, strong, and unique: we recommend at least 20 characters mixing uppercase, lowercase, numeric, and symbol characters, stored in a password manager and not reused on any other web site.
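The four tips above can be backed by a small must-use plugin that enforces the settings and flags drift in the dashboard. The file below is an added illustration written for this post, not code from the original article or from WordPress; the file name and the notice wording are assumptions, while every function and filter it calls (`auto_update_plugin`, `auto_update_theme`, `force_ssl_admin()`, `is_ssl()`, `get_user_by()`, `wp_get_update_data()`, `admin_notices`) is WordPress core API. Drop it into wp-content/mu-plugins/ and it loads on every request without needing activation.

```php
<?php
/*
Plugin Name: Site hardening checks (hypothetical mu-plugin for illustration only)
Description: Enforces HTTPS for the admin area, enables background updates, and
             shows dashboard notices for the remaining manual items.
*/

// Tip 2: let WordPress apply plugin and theme updates in the background.
// These core filters decide, per item, whether the automatic updater may proceed.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Tip 3: force the admin area and login page onto HTTPS. This is the same switch that
// define( 'FORCE_SSL_ADMIN', true ) in wp-config.php flips; the wp-config form is the
// canonical one, but it also works from a mu-plugin because they load before auth_redirect().
force_ssl_admin( true );

// Behind a TLS-terminating proxy or load balancer, WordPress only sees plain HTTP and
// would redirect forever. Trust the proxy's header ONLY if the proxy is the sole route in.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Collects the findings as plain strings so the check is testable apart from the HTML.
function hardening_findings() {
    $findings = array();

    // Tip 4: the default account name should not exist at all.
    if ( get_user_by( 'login', 'admin' ) ) {
        $findings[] = 'A user named "admin" still exists; create a new administrator with a unique name and delete this one.';
    }

    // Tip 3: the current admin request should itself be HTTPS.
    if ( ! is_ssl() ) {
        $findings[] = 'This admin page was not served over HTTPS; check the TLS setup and FORCE_SSL_ADMIN.';
    }

    // Tips 1 and 2: anything the automatic updater has not applied yet.
    // wp_get_update_data() is an admin-side core function; it returns counts per category.
    if ( function_exists( 'wp_get_update_data' ) ) {
        $counts = wp_get_update_data();
        if ( ! empty( $counts['counts']['wordpress'] ) ) {
            $findings[] = 'A WordPress core update is pending.';
        }
        if ( ! empty( $counts['counts']['plugins'] ) ) {
            $findings[] = $counts['counts']['plugins'] . ' plugin update(s) pending.';
        }
        if ( ! empty( $counts['counts']['themes'] ) ) {
            $findings[] = $counts['counts']['themes'] . ' theme update(s) pending.';
        }
    }

    return $findings;
}

// Render the findings as dashboard notices for administrators only.
function hardening_admin_notices() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( hardening_findings() as $message ) {
        // esc_html() on output, exactly as a plugin should do with any dynamic string.
        echo '<div class="notice notice-error"><p>' . esc_html( $message ) . '</p></div>';
    }
}
add_action( 'admin_notices', 'hardening_admin_notices' );
```

A mu-plugin is used rather than a normal plugin so that the checks cannot be deactivated from the dashboard by a compromised administrator account. The `X-Forwarded-Proto` handling is the usual caveat with FORCE_SSL_ADMIN: on a host that terminates TLS in front of PHP, leaving it out produces a redirect loop, and adding it on a host where clients can reach PHP directly lets anyone spoof the header, so confirm which situation applies before enabling it.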

If you’re feeling confused or overwhelmed, our affordable managed WordPress hosting takes care of these steps for you.
