Whenever I talk to web developers outside the inner circle of the WordPress community, it is bound to come up: WordPress security. It is the most important reason why a certain group of people does not want a WordPress site. They think, they've read, they've heard that WordPress sites are not secure and that they have a bigger chance of getting hacked. They don't trust WordPress. I see this perceived lack of security as one of the biggest threats to the growth of WordPress.
Just because people are scared of something does not mean they're right. In the Netherlands, where I live, crime rates have been going down for a decade now. At the same time, people experience more anxiety and fear of crime than ever before. Their perception of high crime rates is fed by (social) media. People's perception of WordPress security is just as flawed. WordPress is not insecure or unsafe to use. It is very sad (and a waste of resources) that people pick a proprietary CMS because their perception of WordPress is off.
Why do people think that WordPress is less safe? I see two main reasons for that. The first reason is that WordPress is far bigger than most people know. More than 40% of all websites are built on it. Statistically, it makes sense that more WordPress sites get hacked than sites built on any single proprietary CMS, simply because there are so many more of them. The absolute number of hacked sites says nothing about the rate at which sites get hacked.
The second reason is the media. Let's face it: fear sells. Blogs like Search Engine Journal just love to publish stories about plugins with security bugs and patches. And they should do so when those security issues are real, because it urges people to update. That's awesome!
However, the way these security bugs are described often makes them sound much worse than they actually are. In many cases, you already need an account with access to the wp-admin section of a website to even be able to exploit the issue. The privilege level required matters a lot here: a bug that can only be triggered by an administrator is far less severe than one that any freshly registered subscriber can trigger, which is exactly why the severity ratings in these articles come out as medium or even low. Yet the title of the article will be "WordPress plugin vulnerability affects up to 2 million sites". As if 2 million sites have people with access to their admin whom they do not trust...
Maybe we should also look at the reason behind these stories. Quite a few of them result from some security companies in our space wanting to "sell" their product based on the fear of getting hacked. Their agenda, in this case, amounts to negative marketing for WordPress. They need a big headline, as otherwise the news doesn't get published, so they exaggerate the impact. As a community, we should discourage this type of behavior from those companies.
A quick analysis of the subjects of the articles Search Engine Journal published in its WordPress category in 2024 also shows that WordPress vulnerabilities are a hot topic: 19 articles were about vulnerabilities, and only 8 were about WordPress without being about security.
Articles like that actually make developers not want to talk about security issues or put security changes in their changelogs. I understand that from those developers, but it's not good for any of us. Fixing a small issue that nobody was ever going to exploit should not lead to an article that makes people feel unsafe. It's simply not that interesting. We have much more exciting things for journalists in our space to write about.
Let me be clear: this is not to blame Search Engine Journal. Roger Montti, who writes most of these for them, is actually a very nice guy :-). But we need to also tell him other stories. We need to have some balance. I hope the new WordPress Media Corps can help take care of that, by feeding much nicer stories about other WordPress topics to outlets like this.
I think it's a much better approach to build security into the hosting platform and enforce certain standards. What WP faces is no different from what any other software system faces; it's just more visible.
I regularly tell people: you are probably not going to like me, I'm going to tighten the screws on your website until it hurts, but it's for your own good in the long run. Not everyone is a customer, but that's OK.
I agree on some points but also disagree. I’m pretty sure every experienced WordPress designer and developer has been in the position of taking over a site for a client, logging in to the WP admin only to find a hot mess of outdated and even obsolete plugins, and ads on the Admin that take up 3 page scrolls.
WordPress has a low learning curve, so it's easy for entry-level developers to jump on the bandwagon and become designers. Not blaming them, that's how I started out as well. The problem is that they will often describe themselves as "experts". Add to that the fact that there's a plugin for everything and at least 20 plugins for anything you need to do, and it becomes a very scary game of which one do I pick. Which plugin won't get abandoned in one year, in two, in five?
Another reason is cheap WP hosts. When you look at WP Engine ($27/mo for one site) and GoDaddy ($7/site/mo) and only compare prices, you will end up with sub-par, poorly configured hosting.
I agree there’s a lot of fear-mongering going on. Still, I think a bigger part of the problem is antipatterns built by junior devs taking on low-budget projects, which will sometimes lead to a bad experience for the client and a bad overall experience for the end user.
When I think of the handful of themes that WordPress.org’s Marketing function (in whatever shape or form such a function has) should push, Security is one of them.
It should be an ongoing effort. It will take time. Supported by the community, too. Including alliances within it.
Perhaps the Enterprise angle is a good starting point. It’s a smaller segment and a number of players in the ecosystem that are already engaged in this space. Great if their success stories can be packaged up and messaged (which is why it makes sense to have a WordPress Media Corps).