WordPress security is one of the first and foremost concerns of any user. Why? Because of its popularity and large user base, WordPress is always under greater security threat than other CMSs. It is not always WordPress's fault when your website gets hacked, though; there are many reasons that can lead to that situation.
While carrying out a small survey among WordPress users on what changes they want to see in WordPress this year, I found that many of them have their hearts set on better security in WordPress. Honestly, I didn't expect this answer, since there are lots of WordPress security best practices out there. It really sparks a discussion here: WordPress security still matters.
Why? And do you think there should be more secure WordPress versions in 2015? Are there any other changes worth waiting for? Let's join the discussion.
WordPress must improve its security – thoughts from WordPress developers
In answer to the question "What change in WordPress would you like to see?", Bob Parsons, developer and owner of SmallBizWebsite, said:
“Security. Security. Security. WordPress has no security whatsoever except for a username and password. The default password is “admin” and most people do not change it. The password is often easy to guess, and WordPress does not enforce strong passwords. There is also no limit to login attempts.
Yes, you can add plug-ins such as iThemes Security and WordFence (both of which I use and strongly endorse). However, I am addressing the overwhelming number of WordPress sites whose administrators do nothing to improve security.
WordPress sites are attacked 24/7 by automated scripts from botnets. They attempt to break in and install malware on your site by altering your PHP files. As a result, visitors to your site get infected, often quietly, becoming another botnet computer. Breaking in is almost trivial for brute force scripts if the default username is “admin”.
After installing iThemes Security recently on two sites, I was astonished to see hundreds of break-in attempts on each site from computers all over the world every day. These were blocked.
WordPress needs immediate, enhanced, built-in security measures that go well beyond a pathetic username and password to protect everybody from botnet growth and virus distribution.”
Built-in security measures for WordPress sound reasonable, don't you agree? Of course there is lots of security advice out there for WordPress users: changing the default 'admin' username, creating a strong password, installing WordPress security plugins, using well-coded themes and plugins, and so on. The list can go on and on, but all these tips are passive and depend entirely on the user acting on them. Many WordPress users may not be fully aware of what they need to do to protect their WordPress website, so why isn't WordPress more proactive in this matter?
I'm not trying to accuse WordPress of being easily hacked (there's a reason WordPress became the biggest CMS out there), but adding built-in security functions is worthwhile.
Thomas Scholz, developer at MarketPress, also thinks:
“I wish WordPress would require a PHP version that still receives security updates, i.e. at least PHP 5.4[..]Plugins come too late to the party. PHP starts before any plugin is loaded, no plugin can protect you from PHP bugs. 99% of all “security plugins” are snake oil anyway.
[…]They (security plugins) are probably better than nothing, but not every site can use them. Just think about the privacy: you don’t want a third party to see every request to your site. This would be illegal in Germany for example. And WordPress security should really not depend on an external service. That’s a recipe for disaster, because they can be hacked too eventually.”
Once again, there’s a demand from developers to see a proactive security solution in WordPress versions.
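As an added illustration of what "built-in, plugin-independent" could look like, here is a small must-use plugin that throttles failed logins per client address and enforces a minimum password policy. It is example code written for this post, not WordPress core and not code from any of the developers quoted; the attempt limit, lockout window and password rule are assumed policy values, and everything is stored in the site's own transients, so no request data goes to a third-party service.

```php
<?php
/**
 * Plugin Name: Login throttle and password policy (added example)
 * Lives in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */
// Policy values are assumptions for this example, not WordPress defaults.
define( 'LT_MAX_ATTEMPTS', 5 );                      // failed logins allowed per client
define( 'LT_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS ); // lockout length
define( 'LT_MIN_PASSWORD', 12 );                     // minimum password length

// One counter per client address (behind a reverse proxy, have the proxy
// pass the real client address, since REMOTE_ADDR is then the proxy itself).
function lt_client_key() {
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lt_fail_' . md5( $addr );
}

// Every failed login bumps the counter; the transient expires by itself.
add_action( 'wp_login_failed', function ( $username ) {
    $key = lt_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LT_LOCKOUT_SECS );
} );

// Priority 30 runs after core's own username/password check (priority 20),
// so a locked-out client is refused even when it finally guesses correctly.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lt_client_key() ) >= LT_MAX_ATTEMPTS ) {
        // Generic message: does not reveal whether the username exists.
        return new WP_Error( 'lt_locked_out',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lt_client_key() );
} );

// Reject weak passwords on the profile and new-user screens. The form
// posts the new password as pass1; an empty value means "unchanged".
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $pass = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $pass ) { return; }
    if ( strlen( $pass ) < LT_MIN_PASSWORD
        || ! preg_match( '/[a-z]/', $pass ) || ! preg_match( '/[A-Z]/', $pass )
        || ! preg_match( '/[0-9]/', $pass ) ) {
        $errors->add( 'lt_weak_password', sprintf(
            'Password must be at least %d characters and mix upper case, lower case and digits.', LT_MIN_PASSWORD ) );
    }
}, 10, 3 );
```

Because the counter is keyed on the client address, a single botnet node is locked out after a few tries while a legitimate user on another address is unaffected; the price is that many nodes each still get LT_MAX_ATTEMPTS guesses, which is why the password policy is part of the same plugin.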
Anything else to expect from WordPress in 2015?
In 2015, besides WordPress security, there are many other things to look forward to. WordPress will become more localized and will continue democratizing publishing, as Matt presented in State of WordPress 2014.
I had a chance to talk with Piet Bos, a developer from the Netherlands now living in China. Piet is the top contributor in WordPress groups on LinkedIn (he's also the owner of WordPress Helpdesk there) and one of the official WPML Contractors, as his specialty is WPML (WordPress MultiLingual).
Talking about his plans with WordPress this year, Piet says he will continue building sites for clients and helping people with their WPML problems. He also plans to write a bit more frequently on his WP TIPS blog and hopes to release a few more plugins. Last but not least, Piet wants to further perfect his soblossom starter theme, and a few of his sites need a makeover.
Regarding ‘WordPress resolution’, Piet shared these thoughts:
“With the current release schedule (3 versions per year) it seems a lot of improvements are taking place under the hood. I wish the Core Dev team could finally let go of blogging a bit more and focus much more on the CMS aspect of things, but I guess there is a major conflict of interest going on there, so that is most likely utopia.
It does not matter too much for me, because fortunately WordPress is very flexible and therefore almost everything is possible. But, especially for beginners who just want to build a company website without a blog, I think it should be made easier to completely remove the blog/categories/tags/comments “modules” from the Core without having to install 20 plugins to make that happen.”
- A custom dashboard that lets users edit the WP Admin dashboard for their own use.
- Front-end editing, so users can create and edit content without switching to the admin dashboard.
- More languages supported in WordPress as it goes global and localizes.
- A more decentralized community as WordPress goes deeper into localization.
- Centralizing professionals, with better indexing of WordPress experts around the world.
You can visit his blog post on Medium to read about these in more detail, and I'm sure Noel will be very happy to hear your thoughts too.
One of our friends, Eric Buckley, WooCommerce and WordPress developer (get to know Eric in our last interview with him), joined the wishlist for WordPress this year with his resolutions:
“I would like to see more effort put into the Customizer. One of the biggest issues faced by plug-in and theme developers is the settings/options pages. It would be very helpful to have a nice interface for developing consistent, good looking pages for user settings and configuration.
As a developer, I would also like to see more detail provided for downloads and visits to our pages in the Plug-in/Theme repository.
I would also like to see WordPress push in the direction of optimizing their platform to utilize fewer resources. They have started to do this already, but more is better."
And a sneak peek at his plan with WordPress this year:
“Our team will continue to enhance our existing plug-ins (like Little Hippo) and improve functionality and usability.
We will also look at the possibility of releasing a Theme Framework for WordPress developers.
And of course, continue with our current task of building professional, high-quality WordPress web sites.”
Aren't there quite a few things to expect from WordPress, from both a security and a blogging-platform point of view?
How about your WordPress resolutions this year?
Which of the wish-list features above will come true? A built-in security function? The ability to remove blog-related modules when needed? Front-end editing? We don't know yet, but we can raise our expectations, we can hope, and we can actually contribute to making them happen! That's what's really great about WordPress and its community.
What are your resolutions for WordPress this year? Share with us your thoughts and let’s discuss here!
This post was written by me and published on WooRockets. Image credit: WooRockets