So your financial institution is embarking on a website redesign, and someone has suggested you use WordPress for your Content Management System (CMS). Is this a great idea or a terrible one?
Let’s take a step back and talk about WordPress. It is a free and open source tool that was originally developed for bloggers, and as of August 2013 it was used by almost 19% of the top ten million websites. It also continues to be the most popular blogging system on the internet, with more than 60 million blogs being driven by WordPress. Find more facts on their Wikipedia page.
Beyond the appealing price tag, WordPress is very easy to install, customize and maintain. The expanding universe of available themes and plugins, many also free, adds to a user’s ability to customize their website at will. In fact, I use the system for several websites including Manic Mommies, Steve the Bike Guy, and here at Sundin Associates. I love WordPress – and having spoken with others, I know I am not alone in my enthusiasm for the platform.
But there are other factors to keep in mind before making the decision to use WordPress as your CMS. According to the WordPress site, being a free and open source tool “means there are hundreds of people all over the world working on it.” While this collective intelligence undoubtedly contributed to the rapid evolution of the platform, it also means the code is open for less scrupulous members of the online community to examine and exploit.
And exploit they do. According to an infographic from WordPress Security, in 2012 the two primary types of attacks were “injections” – where advertisements injected into your site’s code show up, not on your site, but in the search results – and “back doors” which bypass the login protocols, allowing attackers to access your site, run commands, and generally wreak havoc.
I can tell you from personal experience that the effects from a WordPress attack can be devastating – earlier this year, ManicMommies.com was down for almost one week as we recovered from an attack that infected our site with injected code and corrupted files. It took a team of people including our host provider and our programmer to restore the site, and even today it doesn’t work quite as well as it had.
And yet, here I am, still using WordPress – so I go back to my original question. Is using the popular CMS a great, or terrible, idea?
The answer, especially for financial institutions, is not an easy one. While no CMS is invulnerable, the fact is WordPress is attacked more often because of its open source development and popularity, meaning there is a real risk the site could be compromised.
If you do choose to use WordPress as your CMS, there are several things you can do to protect yourself and your business, including:
- Harden your hosting – This can include tightening security on your server, requiring a secondary password to access the WordPress admin page, and removing unused and out of date themes, plugins or files.
- Improve your user ID & password – Avoid using the default username “admin” and create a password that is both easy for you to remember and hard to guess. (I like to use words with special characters, for example T!ger12 ).
- Update, update, update – WordPress regularly releases updates to the system, many of which fix small security bugs or flaws. Generally, it’s not worth delaying an upgrade. The same goes for any plugins or themes you are using on the site.
- Use security tools – Speaking of plugins, there are several designed to evaluate your WordPress installation for security holes, and monitor the site.
- Limit the use – For some clients, we use WordPress to maintain only select sections of a website, for example, to run a newsroom. This keeps the easy updating capability while minimizing the damage if WordPress is compromised.
- Have a backup – One lesson I learned this summer was the importance of having a backup of my site’s theme on file. Fortunately, our programmer had a copy which he was able to reinstall after the infection was cleared up.
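As an added example (not code from the original post, and not WordPress’s own default configuration), here is a `wp-config.php` fragment that applies several of the steps above: unique signing keys, automatic core updates, no in-dashboard file editor, TLS for the admin area, and no error output to visitors. The key and salt values are placeholders you would replace with fresh ones; the secondary password on the admin page mentioned above is configured at the web server (for example Apache basic auth), not in this file.

```php
<?php
// Added hardening example for wp-config.php (not the stock WordPress file).
// Every value below marked "placeholder" is an assumption for illustration.

// Unique keys and salts. If these are left at the installer defaults, login
// cookies can be forged by anyone who knows them. Generate a fresh set from
// https://api.wordpress.org/secret-key/1.1/salt/ and paste it here.
define('AUTH_KEY',         'placeholder-replace-with-a-unique-random-phrase');
define('SECURE_AUTH_KEY',  'placeholder-replace-with-a-unique-random-phrase');
define('LOGGED_IN_KEY',    'placeholder-replace-with-a-unique-random-phrase');
define('NONCE_KEY',        'placeholder-replace-with-a-unique-random-phrase');
define('AUTH_SALT',        'placeholder-replace-with-a-unique-random-phrase');
define('SECURE_AUTH_SALT', 'placeholder-replace-with-a-unique-random-phrase');
define('LOGGED_IN_SALT',   'placeholder-replace-with-a-unique-random-phrase');
define('NONCE_SALT',       'placeholder-replace-with-a-unique-random-phrase');

// "Update, update, update": apply minor (security and maintenance) core
// releases automatically. Set to true to also apply major releases.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Remove the theme/plugin editor from the dashboard. Without this, anyone
// who obtains an administrator session can write PHP to the server from
// the browser, which is exactly how a "back door" gets planted.
define('DISALLOW_FILE_EDIT', true);

// Serve the login page and the whole admin area over HTTPS only, so the
// admin password and session cookie are never sent in the clear.
define('FORCE_SSL_ADMIN', true);

// Never display PHP errors to visitors; they leak file paths and versions.
// Log them server-side instead for your developer and host to review.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', true);

// Weak setting this replaces, shown for contrast (do not use):
// define('DISALLOW_FILE_EDIT', false);  // editor enabled, the default

// The remainder of the standard file (database settings, $table_prefix,
// ABSPATH and the require of wp-settings.php) is unchanged and omitted here.
```

Keep the keys and salts out of version control and backups that are shared with third parties; rotating them logs every user out, which is also a useful step right after cleaning up an infection like the one described above.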
Finally, and most importantly, make sure your developer and host provider understand the security risks and are up-to-speed on how best to protect you, your business and your customers.