Don’t Blame WordPress

90,000 hackers are trying to get into your WordPress installation right now. That’s a ridiculous statistic but also points to the popularity of the world’s most popular content management system. While we’re fairly agnostic about content management systems, we have a deep, deep respect for WordPress and support most of our clients’ installations on it.

I don’t necessarily agree with the founder of WordPress who largely deflects the attention on security issues with the CMS. While folks can change their administrative login from admin, the biggest benefit of WordPress has always been the 1-click install. If you want them to change the login, that’s more than 1 click!

Additionally, I don’t like the fact that the login screen is a hard-coded path that cannot be modified. I do believe it would be quite simple for WordPress to allow a custom path.

That said, any agency that builds and supports WordPress sites holds the majority of the responsibility in their hands. We host all of our clients on Flywheel since they do such an amazing job of monitoring for security and ensuring stronger passwords. As well, Flywheel requires you to utilize a different login than admin when you create a WordPress instance with them.

We have other clients that have had severe issues with WordPress… bugs, performance issues, and difficult administration. All of these aren’t WordPress issues, though. They’re WordPress developer issues. One of our clients is a sales proposal platform – and they have some very customized content throughout their site. Designed by another agency, the administration of their pages is quite simple using some advanced custom fields:


Using Advanced Custom Fields, Gravity Forms and some good theme development, Highbridge was able to build an entire job staffing site for a client. It works flawlessly and their staff said that the administration is a dream.


Your WordPress site and your WordPress security are only as good as the infrastructure it’s built on and as good as the development of the theme and plugins you’ve included. Don’t blame WordPress… find a new developer and a new place to host it!

Douglas Karr

Douglas Karr is the founder of the Martech Zone and a recognized expert on digital transformation. Douglas has helped start several successful MarTech startups, has assisted in the due diligence of over $5 bil in Martech acquisitions and investments, and continues to launch his own platforms and services. He's a co-founder of Highbridge, a digital transformation consulting firm. Douglas is also a published author of a Dummie's guide and a business leadership book.


  1. We can’t always go back to the producer of the platform and say “It’s your fault this happened.”

    I agree that there are some security holes that WP has never really addressed, and I too like the 1 click install. However, I like a secure site more, so I’ll take that extra step. My mistake was that even though I created a new uber admin account with a new username, I did not delete the old admin account. This allowed my site to get hacked.

    Overlooking these things becomes easy because we trust the makers of the platforms, but it is our responsibility to be the gatekeepers of our own site. We need to fortify the kingdom as it were.

    Great post.

  2. “Additionally, I don’t like the fact that the login screen is a hard-coded path that cannot be modified. I do believe it would be quite simple for WordPress to allow a custom path.” I cannot agree with you more. The fact that the login screen is a hard-coded path – the /wp-admin – and you cannot change that is, in my opinion, easing the work of hackers that are trying to get into your blog. Thanks for writing this article, there are many things with which I agree very much, Douglas.

  3. “…the biggest benefit of WordPress has always been the 1-click install”. You don’t really mean that, do you? I TOTALLY agree with the rest of the article, though, and especially agree that it falls on us as agencies, hosting companies and developers to do a better job of securing the (free) CMS that’s made us all so much money in the last 10 years.

    1. The 1-click installation and continued ease of maintenance are absolutely what’s exploded the growth of WordPress. I’m not saying that’s the only benefit – there are hundreds more. But there are plenty of other free CMS systems out there that lacked the simple installation that WordPress did… when people couldn’t configure them, they dropped them.

      1. I get what you’re saying, but 1-click isn’t a WordPress feature, it’s a hosting account feature. WP is famous for its 5 minute install, not its 1-click install. A 5 minute install that allows you to pick a username ever since version 3.0. Hosts could easily change the WP 1-click Install script to make the admin username more secure.

        WP has blown up because the community supporting it reached critical mass, something other CMS failed to do. Ease of installation and on-going maintenance definitely played an important role in that, but there are a number of factors that have had a far larger impact than that (e.g. the advent of custom post types).

        Another point to make is that there aren’t 90,000 hackers out there trying to break into known WP installs. That’s a bit of a misrepresentation. 90,000 IP addresses isn’t nearly the equivalent of 90,000 hackers, who could easily do a heck of a lot more damage than a botnet.

        Overall, I agree with what you’re saying. We have to take steps to secure WP if we’re going to offer it up as a solution to our clients. Getting your WP Install hacked and blaming it on the core product is like getting a virus on your PC and blaming it on Microsoft’s lack of security. We need to be careful or we’re going to end up with security options we don’t want added to the base product.
