The formula is pretty simple, really. Take something that is widely popular but wildly complex, and make it simple. Really simple. You’ll have people eating out of your hands. That’s exactly what WordPress did way back in 2003. They took what was really a complex puzzle (web development and graphic design) and made it simple and user friendly. It’s no surprise that WordPress has grown exponentially in the intervening years. Now, here in 2017, it’s still a site of choice for many developers, and it will likely continue to have brand loyalty into the foreseeable future. However, beneath the glossy cover, WordPress hides some secret dangers that newbies and old school developers need to keep in mind.

For starters, WordPress is free, open source software. This is highly useful for new or seasoned website developers who want to build sites quickly and still offer great content with nice graphics. The whole system is fluid, helpful, and profoundly simple.

On the other hand, being open source has its downsides as well. For example, WordPress constantly faces substantial security threats. The recent update to version 4.7.3 was released because the previous version carried a substantial risk of site takeover. Patches are helpful, but only as helpful as web admins are at installing them. When a patch is left uninstalled and the software is not updated, the user is at risk. WordPress has shipped automatic background updates since late 2013, but users can choose to disable this feature, leaving the site radically vulnerable. A recent study found that a huge number of sites had not updated even from very old versions like 3.7; in fact, even with the known vulnerabilities in the 4.7 version, the study found that over five percent of users had not updated their software, leaving those websites open to takeover.

Sites that have been ‘taken over’ are used to send spam and phishing emails, which greatly increases the chance of click-through and fraud. Attackers are able to embed a small string of code that gives them access to the site, and can then send mail from it without the site admin ever knowing. A simple update to the current version would stop the spamming, but the owner of the site is unaware.

The other hugely popular WordPress feature is plugins. They offer nearly unlimited tools for WordPress programmers and are hugely helpful in making tough tasks simple. However, plugins can also hide a malicious back door. Because plugins are third-party code, they often go without updates for extended periods of time. This old code provides a convenient backdoor for hijacking the site and using it for nefarious purposes.

Overall, WordPress is a great tool. However, it requires careful analysis, and it is always helpful to keep the auto updates on. While that may disrupt services and even require some hasty fixes on the site, protection should outweigh inconvenience.
