Is WordPress secure enough?

In the past week we’ve lost two well-known journalism blogs that used WordPress. might be down for the count, and Matt Waite has decided to stop using WordPress after his site was hacked and his MySQL database ruined.

Waite is now developing a custom Django-based platform for his new site. He is done with WordPress and its security issues. Should we all be concerned about the security of WordPress? Are there better, more secure options available?

I love WordPress and think it’s a fantastic platform, but if it’s not secure enough, I’m wasting my time. An insecure platform can destroy a Web site and an entire company. Hopefully, WordPress 2.5 fixes many of these issues. I wonder which version of WordPress MultimediaShooter and Waite were running?

This is yet another reminder of the need to back up regularly. Hopefully, this is not a disturbing trend that is forming.

  • Do you have proof it was WordPress? How do you know it wasn’t one of the plugins he had installed, or a theme with malicious code in it? WordPress is the most secure blogging platform out there. Otherwise, hundreds of thousands of users wouldn’t be using it…

  • To be fair to WordPress, the blame for the lost database belongs to a bad hosting company, not WordPress. The hacking, however, was all WordPress. My logic for shifting goes like this: when the vast majority of users use a specific platform, that platform becomes the prime target for hackers, spammers and other pieces of #$%!. Why did every email virus that ever came along attack Outlook? Because damn near everyone used it. Same with WordPress. Great blogging platform, but a victim of its own success in my opinion.

  • And I was on 2.3 when I got hacked, 2.4 when my database was chewed up.

  • You do have to have a little technical knowledge to run things like web servers and blogs, you know. You have to understand how to update servers and apply patches… or hope you are hosted by a vendor that does.

    Yes, WordPress has had its security issues… but they are always addressed quickly. I daresay that PHP, the language that WordPress was written in, has had far more issues. The same goes for Linux and Apache and good Lord, IIS for a long time was a hacker whore.

    It’s an administrator’s role to ensure that patches are applied in a timely manner. This applies to Blogger, MovableType, WordPress, Drupal, or what the heck ever, as well as the underlying OS. It’s why we make the big bucks (when compared to Journalists).

    Frankly I’ve seen a number of high profile Journalism blogs — yes including JI — that have run outdated versions of WordPress for months on end. This isn’t WordPress’s fault.

    The latest version of WordPress is 2.3.3, are you running it?

  • Ike

    He was running WP 2.4 when the database got hosed?

    2.4 has never been released, nor will it be. The decision was made to skip the 2.4 branch and concentrate on the 2.5 release (which was due on 3/10 but now delayed at least a week.)

    I can’t argue with Matt’s logic, but jumping to the arcane as a security measure seems a little extreme, and potentially self-defeating.

  • Amen to Marc’s comments. And I’d add that this “disturbing trend” has been going on for quite some time now. Basically, if you have a web host that doesn’t secure its hardware and you don’t update your software, you’re practically inviting damage. So choose carefully, update and backup regularly, and don’t believe that any piece of software will solve all of your problems for you.

  • pat

    I’m personally running 2.3.3. I do need to be more proactive with updating to the latest releases. I’m often a 0.0.1 behind.

    This post is just a thought, because WordPress very well might be the most secure blogging platform available. There are several issues that could lead to someone’s blog going down. One I would look to would be plugins. Even if WordPress is secure, there could be issues with certain plugins.

    Also, Marc brings up a good point about hosting providers. Not all hosts are created equal, and I see a lot of complaining on Twitter about hosting.

    Matt, what host were you using when your database got hacked? I wonder what host was on as well? I’m considering getting another host if and when I launch a for-profit blog (nothing like this blog).

    Obviously, WordPress is going to be a target since it is so high profile. Maybe it is just a weird coincidence that both blogs went down in a week. I don’t know, but I do know I’m sticking with WordPress for the foreseeable future.

    Maybe we need to make a list of hosts that do secure their hardware and that are worth paying for each month?

  • Thanks Ike for correcting me. It was 2.2 when it was hacked, and then I updated to 2.3 in response. My bad (must have had Python versions on my brain). And please understand, my reasons for rolling my own Django app are more because I can than because I want to flee WP.

  • My current host (Dreamhost) makes it so damn simple to use WordPress — a one-click install — that it’s no wonder millions of folks use it.

    I’ve used WordPress for a past version of my personal site, but switched to Movable Type because I was more familiar with the templating. I’m now running on my own blogging app in Django.

  • Amanda

    Out of curiosity, since I was a Linux admin in a previous life: what were his root folder permissions set to?

    If it was 777, a welcome doormat reading “hack me” was basically put out. Not to mention that his wp-config.php should have been set to read-only.

    Unfortunately WordPress makes it easy to install without going into security details.
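The checks in the comment above (a 777 document root, a writable wp-config.php) and the "are you running the latest version?" question earlier in the thread can be scripted. The following audit is an added example written for this page, not code from the original post or from the WordPress project. It assumes a standard layout (wp-config.php in the document root, wp-includes/version.php containing a line of the form `$wp_version = 'x.y.z';`), and the function names `wp_audit`, `wp_fix_perms` and `make_sample_install` are hypothetical. The sample install it builds is constructed for the demo and is not a real site.

```shell
#!/bin/sh
# Audit a WordPress document root for the mistakes discussed in the thread:
# world-writable ("777") paths, a writable wp-config.php, and an outdated core.
# Added example, not code from the original post or from WordPress itself.
# Assumes: wp-config.php in the docroot and wp-includes/version.php with
#   $wp_version = 'x.y.z';

# Print one finding per line; return the number of findings (0 = clean).
wp_audit() {
  root=$1      # document root of the install
  latest=$2    # the release you expect to be running, e.g. 2.3.3
  findings=0

  # 1. Anything world-writable lets any local user (or a compromised
  #    neighbour on shared hosting) drop a PHP file into the site.
  ww=$(find "$root" ! -type l -perm -0002 | sort)
  if [ -n "$ww" ]; then
    printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
    findings=$((findings + $(printf '%s\n' "$ww" | wc -l)))
  fi

  # 2. wp-config.php holds the database password; it should be read-only.
  #    Mode string from ls -ld: position 3 = owner w, 6 = group w, 9 = other w.
  cfg=$root/wp-config.php
  if [ -f "$cfg" ]; then
    mode=$(ls -ld "$cfg" | cut -c1-10)
    case $mode in
      ?????w*|????????w*)
        echo "wp-config.php WRITABLE BY GROUP/OTHER: $mode"
        findings=$((findings + 1)) ;;
      ??w*)
        echo "wp-config.php not read-only (owner can write): $mode"
        findings=$((findings + 1)) ;;
    esac
  fi

  # 3. Compare the installed core version with the release you expect.
  verfile=$root/wp-includes/version.php
  if [ -f "$verfile" ]; then
    ver=$(sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$verfile")
    if [ -n "$latest" ] && [ "$ver" != "$latest" ]; then
      echo "CORE VERSION $ver (expected $latest)"
      findings=$((findings + 1))
    fi
  else
    echo "MISSING: $verfile (not a WordPress docroot?)"
    findings=$((findings + 1))
  fi
  return $findings
}

# Fix the permission findings (the core upgrade itself stays a manual step).
# 440 on wp-config.php assumes PHP runs as the file's owner or group, which is
# the usual arrangement on shared hosts; use 400 when it runs as the owner.
wp_fix_perms() {
  root=$1
  find "$root" ! -type l -perm -0002 -exec chmod go-w {} +
  [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
}

# Constructed sample install (not a real site) with the problems above baked in.
make_sample_install() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
  printf "<?php\n\$wp_version = '2.3.2';\n" > "$root/wp-includes/version.php"
  printf "<?php\ndefine('DB_PASSWORD', 'not-a-real-secret');\n" > "$root/wp-config.php"
  chmod 755 "$root" "$root/wp-content" "$root/wp-includes"
  chmod 644 "$root/wp-includes/version.php"
  chmod 777 "$root/wp-content/uploads"   # the "welcome doormat"
  chmod 644 "$root/wp-config.php"        # owner-writable, world-readable
  echo "$root"
}

# Demo on the constructed install; a real run is:  wp_audit /var/www/html 2.3.3
demo=$(make_sample_install)
wp_audit "$demo" 2.3.3 || echo "findings before fix: $?"
wp_fix_perms "$demo"
wp_audit "$demo" 2.3.3 || echo "findings after fix: $?"
rm -rf "$demo"
```

On the sample install the first run reports the world-writable uploads directory, the owner-writable wp-config.php and the 2.3.2 core; after `wp_fix_perms` only the version finding remains. The audit uses `ls -ld` and `find -perm -0002` rather than `stat`, since the `stat` flags differ between GNU and BSD systems, and it deliberately treats "owner can write" on wp-config.php as a finding, matching the read-only advice above.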

  • pat

    Great questions. It would be interesting to know the setup of WordPress installations that get hacked.

    Certainly a Web site is a lot like a car. Any car can get hacked, but attackers tend to prefer the low-hanging fruit.

  • It would be nice if Matt or someone would release their custom Django-based blogging platform as an open-source project. I’m sure there would be some interest in that.

    I know of a couple of other sites that were hacked, probably because they were slow to upgrade (college newspaper site among them). Not sure of the solution, but most of us don’t have the mad skillz to write our own blogging app.

  • I keep reading all these posts about WordPress getting hacked. I am considering a WordPress site; however, all these hacks I read about make me reconsider.

    I would agree though anytime you have something popular that’s what the hackers like. And I don’t believe that any script is perfect or hacker proof. Some certainly do a better job than others though.

  • Jeremy,
    There are solutions that you can use that will properly protect your WordPress blog. I have helped well over 200 WordPress users secure their blogs from hackers.

    Using proper solutions will cut down the chances of hacking greatly.

  • Tobias

    There’s no such thing as 100% secure software. So bailing out on WordPress is basically futile. Plus the developers do a good job of fixing security problems quickly. So maybe Waite should learn how to secure his site before diving off into other software packages.

    This might help: Maximum Security for WordPress – Keeps WordPress Secure

    BTW: I’ve seen a copy of “WordPress Secured” sold by mass-marketer James Stein (link to his name in the previous comment listed above) and in my opinion it’s not the way to secure WordPress, plus it creates a real pain when you need to upgrade WordPress. I’d advise people not to use it – especially if you’ve already upgraded to WordPress 2.7.

  • Hi Pat,

    I’m sorry to hear that. You know, WordPress is secure if properly secured. Of course, this isn’t a one-time thing, but the bulk of the process is, and the rest is easy to keep up.

    I’ve produced a video, a 10 tips how-to, and wondered if I may link to it from here? If that’s not cool I understand, but here is a link for your perusal.

    Video How-to: 10 Tips To Make WordPress Hack-Proof …

    Anyhow, hope that helps someone.

  • @Tobias – You can suggest people not use it all you want. Fact is offers the “ONLY” security for WordPress. It is not a plugin; it is WordPress code changed and secured. Well over 400 customers in total are very happy with their purchase and glad that their blogs are no longer hacked.

    I also go way beyond WordPress by offering an additional script that can help secure your entire site and not just WordPress.

    Unless you have 15 years of coding under your belt, your suggestion does not mean anything. People who listen to those who do not know what they are talking about are the reason those people get hacked.