A coworker pointed me today at an interesting article on Long Beach Post suggesting WordPress would be a bad business decision.

The real problem, according to Stan Stahl, Ph.D., the President of Citadel Information Group, a Los Angeles cyber security firm, is simple. "WordPress," he warns, "was designed to make for easy blogging with lots of plugin capability, not for security. It should NEVER be used for eCommerce or when connected to sensitive information or back-end corporate databases."

This quote is highly misleading. Yes, WordPress was originally designed for blogging.  It's a highly-extensible infrastructure that empowers developers to add and manipulate features through plugins and custom code in their themes.  But WordPress has always been designed with security in mind.

The core WordPress application is maintained by hundreds of developers with a wide variety of experience.  Every line of code is peer-reviewed.  When security vulnerabilities are found they are fixed quickly and patches are pushed out immediately.  The entire process is completely transparent, which is both a plus and a minus.

Pros of Transparency

The first benefit is that everyone knows when WordPress fixes a security vulnerability.  With closed-source projects this isn't the case.  You may or may not receive a prompt to upgrade but often know nothing about the nature of the vulnerability that was patched - or how long the vulnerability was known in the wild.

Since WordPress is open source, anyone can track down and patch a security hole.  By installing WordPress you are becoming part of a larger community of developers, and someone across the country - or world - might be patching a hole on your site that your internal security team missed.  You reap the benefits of millions of users working with and depending on the same software.

Cons of Transparency

Transparency is a double-edged sword.  If you fail to keep your site up-to-date when WordPress pushes a security update, the entire world will know your site is vulnerable.  Hackers have a slew of automated tools to scan sites at random and detect known issues so they can exploit your server.

With the code base being open to the world, everyone can see exactly what you're doing and how.  They can determine how your forms are posted to the server and have a leg up at detecting potential SQL injection holes or cross-site scripting opportunities.  Opening your code to the world is inviting nefarious individuals to look at the internals of your site and probe for vulnerabilities.

Why the Pros Outweigh the Cons

The cons listed above are not unique to WordPress.  Any open source system in the world will be vulnerable in exactly the same way - but few projects are as open and responsive as WordPress. (I once detected a SQL injection vulnerability in a .Net-based forum project. After patching my own server, I pushed the change back to the original dev team ... who sat on the fix for over a year. This left 1.2 million sites running the forum software open to a major security vulnerability!) Opening your code to the world is a great way to reap the benefits of a global developer community - complete strangers helping to fix and optimize your project - but it's also an invitation to the world's hackers.

Automated scans for security vulnerabilities are also not unique to WordPress - or even to open source.  Any product released to the wild is now available to both white hat and black hat developers.  If a vulnerability is discovered, the black hats will write an automated tool to scan and detect it.  Using an in-house or closed-source system is merely a way to protect yourself through security-by-obscurity - the less widely used the platform, the fewer hackers will target it.

This is not security.

Finally, the allegation that WordPress' extensibility is a vulnerability is false.  WordPress at its core is well-tested and secure. Adding any code to WordPress - as with adding any code to a proprietary or closed-source system - potentially opens your site to more risk if you fail to properly vet the code beforehand.  WordPress is easy to extend, but you are responsible for making an informed, educated decision about how it is extended.


A decision to use WordPress is a decision to partner with a world-wide network of developers all passionately iterating on an already secure platform.  You can use WordPress to power your personal blog, your corporate website, your e-commerce gateway, or any other web property where it's the best fit.  WordPress won't always be the best fit for your project, but it's a great fit for many.

Where I do agree with Stahl:

Security is management’s responsibility. Management must set the standards and validate IT’s compliance with them.

Using WordPress is the first of many decisions you must make when building your website. Properly securing your server, selecting appropriate additional enhancements, and enforcing certain security measures are some of the next steps - steps that apply to all websites regardless of your choice of software platform.