Wordpress security?

[Mendalla]

I know we have some Wordpress admins and users on here so this article in one of the IT newsletters I get at work caught my eye. I don't use Wordpress myself (considering it if I start publishing my stories myself rather than on the site I use now) but thought others might be interested.

Vulnerabilities in WordPress plugins more than doubled in 2021: Report | Channel Daily News

Vulnerabilities in WordPress plugins more than doubled in 2021 compared to the previous year, according to a report, a worrying trend because most can be exploited by threat actors on the e-commerce and news sites that rely on the platform. The report, released today by researchers at Risk Based...

channeldailynews.com

 

[Nicolas FR]

The ransom for success

 

[Ksentile]

What dedicated blogging software or CMS do people recommend these days if the Wordpress security issues just keep piling?

 

[TLDR]

WordPress... But keeping your stuff updated.

 

[Mendalla]

WordPress... But keeping your stuff updated.

Which really goes for whatever software you use. Widely used software like WP has the disadvantage of being targeted more but the advantage of being more widely supported and reported on. A more obscure program could have just as many bugs and security flaws but they might not get reported as widely or fixed as quickly. So using the devil you know is probably safer in some cases.

 

[Alternadiv]

What dedicated blogging software or CMS do people recommend these days if the Wordpress security issues just keep piling?

WordPress is insanely popular and I've tried many times to like it, but I never can.

I've done my research on alternatives. I wanted something without all the bloat because I only ever planned to use it for a small blog about my travels. So, while these might not be for you because of how raw they are, I really like:

Ghost CMS: https://github.com/tryghost/ghost

Jekyll (hosted free with GitHub Pages): https://jekyllrb.com

Hugo: https://github.com/gohugoio/hugo

And you can see a bigger list of options like these, here: https://jamstack.org/generators/

 

[TLDR]

Which really goes for whatever software you use

I agree. And WordPress makes it easy to stay up-to-date with its auto-updates (zero clicks required!) for core, plugins and themes. (Well unless a plugin authors releases a broken update, but oh well)

The problem with lesser-widespread software is: Once it becomes widespread, the issues that were obscured by its popularity, may come up on a daily basis. So in the end, you might be better off to just use "what everyone uses".

Or to quote the article in the OP:

There’s evidence malicious actors go after vulnerabilities they can easily exploit

However, I am not sure why you should "focus" on any known security issue. Like, just keep everything updated. But okay.

 

[Sheratan]

Ah, Wordpress. "The walking backdoor." as my colleague said. WP security is ok, but always keep an eye for update and security news. Some extra security layer like OWASP, modsec, or even CDN are always help.

 

[Mendalla]

The problem with lesser-widespread software is: Once it becomes widespread, the issues that were obscured by its popularity, may come up on a daily basis. So in the end, you might be better off to just use "what everyone uses".

Security through obscurity only gets you so far is what we used to say in the IT management world.