One of the questions we get all the time is “Isn’t WordPress insecure?”, closely followed by “What if WordPress is hacked?”

In order to adequately answer this question we have to take a step back and look at layers of security. We’ll start with WordPress itself and go from there.

WordPress Core Security

WordPress is one of the most scrutinized open-source products on the planet. With reportedly 30%+ of the top websites using it and thousands of high-end developers relying on it, that is to be expected.

It is precisely this high level of scrutiny that makes WordPress far more secure than most other Content Management Systems out there. The more scrutiny something gets, the more issues are revealed and the faster they are fixed.

It is far more likely that other systems just have hidden issues that haven’t been uncovered yet – because they aren’t subjected to the same level of scrutiny that occurs in the WordPress world.

That doesn’t mean that security issues aren’t going to pop up in WordPress going forward – all large codebases are going to have security issues pop up on a regular basis – if only because new code is constantly being added and existing code tweaked.

Even Microsoft, Apple, Oracle and other top-tier multi-billion dollar software development companies handle security issues in their software on a daily basis. In fact, just recently (Sept 2020) Microsoft had a level 10 security issue (level 10 is the most severe security level) in Windows.

So, when considering the security of WordPress, the two important questions to consider are:

  1. How severe are those issues?
  2. Are those issues reported privately and handled before they can be used in the wild?

Taking a look at the vulnerabilities that were formally reported, most of them were under a level “5” (with 10 being the most dangerous).

And, all of those issues over the last 3 years were privately reported to WordPress developers, patched and rolled out before they could be exploited in the wild.

Once you start comparing that to other platforms you can begin to understand the kind of scrutiny that WordPress receives. The number of issues that are reported is a direct function of that scrutiny. Other lesser-used products will likely have far more hidden security issues than WordPress does because they aren’t as closely scrutinized. And what you don’t know there can really hurt you!

If core WordPress had major security issues that caused a problem on a regular basis, then developers who are concerned about their reputation (which is most developers) would not be recommending it to clients.

WordPress Plugins and Themes

Most of the security issues that pop up these days are because the threat surface of a standard WordPress installation is expanded by the use of Plugins and Themes.

The more plugins that are installed, the larger the threat surface and the greater the opportunity for a severe security issue to crop up. Similarly, the larger and more feature-rich the theme in use, the greater the attack area granted to hackers.

WPCloudDeploy

Most use-cases for WPCloudDeploy will likely not involve a lot of plugins, which keeps the attack area much, much smaller than your average WordPress website.

Additionally, if your use-case is such that customers are not allowed to access servers directly, then attack risks are even smaller (since there are no other heavy plugins and your theme will likely be the lightweight 2019 theme). And, in such a scenario, you can easily lock down access to just your IPs using firewalls, webserver configurations or proxy services such as CloudFlare.

In other words, the deployment profile of WPCloudDeploy is not like your standard everyday WordPress site. Thus, security cannot be viewed through the same lens as a regular WordPress site.

Layered Security

If you’re considering using WPCloudDeploy then you’re likely a WordPress professional and you already understand that security is a process and that it is applied in layers.

Thus, you’re not likely to just throw WPCloudDeploy on a server and do nothing else. All of your regular security practices should be applied. Basically, some combination of the following:

  • Server level firewall
  • Fail2Ban
  • Proxy security service such as CloudFlare
  • A Security plugin such as WordFence
  • Use of a 2FA Plugin (you do use 2FA on your current cloud panel, right?)
  • Locking down access to particular IPs

Layering security is a key concept in defending against intrusions and it applies to both WordPress and non-WordPress sites.

Back To WPCloudDeploy

In some ways WPCD can be more secure. Here are some reasons why:

  • You’re not sharing your WPCD panel with other hosting customers who might be doing insecure things in their dashboards. These things could affect you if those actions allowed for access to the hosting providers’ infrastructure. After all, most hosted dashboards are multi-tenant systems subjected to all the usual multi-tenant security risks.
  • The WPCD code is open-source and can be reviewed by anyone. Security issues can be identified faster and privately reported. This is not something that can be done with other dashboards and cloud-panels. You’re depending on their internal teams and maybe the occasional third party code audit (if you’re lucky) to keep you secure.
  • Only your cloud provider and yourself have direct access to your server. With many other dashboards and cloud-panels there is a smaller, likely less-experienced (at security) third party in the mix.
  • We are committed to outside security audits – our last audit was in October 2020.

We think that the WPJohnny Review nailed it when he said:

On one hand, I totally empathize with this concern and recognize validity in it. Running a webhosting panel out of WordPress is to some degree less secure because the platform has many other integrated apps (plugins) each presenting their own potential vulnerability points.

On the other hand, I think whoever said this should be slapped. There are idiot users with crappy themes and plugins and never update them. And then there are experienced developers running multi-million dollar businesses right off of WordPress.

Let’s get this straight…it is WordPress users that are “insecure”, not WordPress. If you’re running mission-critical apps, you should have enhanced security practices.

Does WPCD open the door for idiot users to wreak havoc? Yes.

But does that mean experienced developers should be punished and lose out on a great tool? Hell no!

Wrap Up

Obviously we don’t believe that WPCloudDeploy is any less secure than other Cloud Panels for WordPress. And, in some ways, it is far more secure depending on your threat scenario.

If you have a concern about security with WPCD, the chances are that same concern applies to your current cloud panel – just from a different angle or point of view.

So, go ahead and take us for a spin today (we have a 30-day, no-questions-asked refund policy). And if you have questions about security or anything else, please do not hesitate to contact us – we’d love to chat!