WordPress Security Follow-up

All you WordPress fans should be aware of the recent problems WordPress has had with cross-site scripting vulnerabilities – I did a recap on the issue a couple of weeks ago. Things have calmed down considerably, but there are still some who are unsettled about WordPress security, so I wanted to take a moment to address this.

Brian and I recently participated in a Security Webinar, and while we didn’t get any eye-opening information, the facilitator did say one thing that stuck with me:

For the record, I completely agree. A WordPress site created, thrown onto the web and then left to rot with no updates is very vulnerable. A WordPress site carefully built, with solid themes and plugins, configured to be secure, backed up, with excellent web hosting, and frequent updates is as good as any site out there. Yes, there will always be new vulnerabilities discovered, new hacks attempted, and mistakes can be made – never assume that your site is 100% safe. But a WordPress site can – and should – be well-built and secure. And if you do that, security problems should be exceptionally rare.

I’m going to supplement this with a link to some content we’ve been working on for the campus site, getontheweb.ncsu.edu. This is a new(-ish) site meant to help users identify the right campus web tools for them. It will also be a resource to answer frequently asked questions and address other web issues: accessibility, domain and web policies for campus, and of course security. We’ve recently added some information about SSL (probably a blog post for another day) and have a lot of information and tips on WordPress Security. I urge you to check it out, and if you have the need or interest, do more research on the web and in the WordPress Codex. The Codex article on “Hardening WordPress” is an excellent place to start. Happy reading!