Website security – why we don’t rate Wordpress
When we’re talking to potential customers about a new website we’re frequently asked if we use Wordpress. We don’t, but it’s a fair enough question; after all, Wordpress is a well-known content management system (CMS), widely used by many web developers.
It’s also one of the few website platforms likely to be recognised by customers themselves. Everyone seems to know someone whose blog or website uses Wordpress.
Why some developers like to use Wordpress
Wordpress uses customisable themes and templates, which makes it easier and faster to work with. This suits some developers; why go to the bother of creating a diamond when a cubic zirconia is almost as pretty to the untrained eye and far less effort to produce?
In other cases, developers simply don’t have the coding or design skills required to build a website from the ground up. Wordpress does much of the heavy lifting for them, but this won’t really be apparent to the customer unless they ask for some complexity that Wordpress can’t deliver.
Why some business owners want Wordpress
Some business owners like Wordpress because, in all fairness, doing simple tasks like updating web pages or adding new blog content or images is pretty easy for employees to learn. And let’s face it, unless you really know your stuff, why would you question the software platform your developer uses?
If you’re on a shoestring budget and a Wordpress developer offers to turn your new website around quickly and cheaply, what’s not to like?
When you’re comparing developer quotes for a new website, it’s tempting to snap up the least expensive option with the promise of a fast turnaround. Unfortunately, this could be a false economy.
Kontrolit dislikes Wordpress as a website platform for various reasons: slow performance, code-heavy pages, frequent software upgrades and the same customised themes turning up again and again. But these are overshadowed by our biggest concern: security.
Wordpress under attack
Online hacking and cyber-security is a hot topic. If you’re the sort of person who guards their bank details, email or social media passwords, you probably ought to spare a thought for the security of your website.
Put bluntly, Wordpress websites get hacked. Quite a lot actually. Sometimes the attacks are small-scale affairs that don’t make the headlines but too often, they’re much, much bigger.
Take this large-scale attack in February 2017 for example, which saw more than 1.5 million Wordpress sites hacked by malicious campaigns. After becoming aware of a vulnerability in their code, the company worked frantically for a week to patch it before it became too widely exploited by hackers. Even so, thousands of Wordpress websites which weren’t updated with the patch remained exposed.
In September 2016, a study found that out of approximately 22,000 known website hacks so far that year, around 16,000 took place on Wordpress sites. (Wordpress doesn’t come in for all the flak, it has to be said. The same report also identified Joomla, another popular content management system, as having 3,099 hacks in the same period.)
Why are Wordpress sites so vulnerable?
Wordpress sites are built on what’s known as open-source software. This simply refers to computer software for which the source code is freely available for others to see, use and customise to their heart’s content. (Other examples of open source CMS platforms include Joomla, Drupal, Magento or MODX, but there are many others.)
Open source code is often developed in a public, collaborative manner by many developers. This openness obviously has advantages if you want to add new features to the code, but it also presents a weakness: bugs are visible to anyone who looks, and determined hackers can study the code to probe for a way in.
Those opportunities multiply when old code isn’t updated.
Are you at risk?
Generally, Wordpress releases software updates several times a year, and users are encouraged to always update their site to the latest version to prevent hackers exploiting known weaknesses. The problem is, if you don’t log in to your Wordpress admin panel very often, and you don’t have an agreement with your developer to keep an eye on such things, it might be some time before you notice that an update is available.
By that time, your site may have been hacked.
Third party plugins, designed to add extra functionality to basic Wordpress themes, are often another vulnerable entry point for hackers.
For example, experts at the security firm Sucuri reported in December 2014 that “100’s of thousands of Wordpress specific sites” were impacted when hackers exploited a flaw in the RevSlider plugin.
More recently, a vulnerability in a plugin installed on over 300,000 websites was discovered in June 2017.
Outdated plugins are a particular security risk
Old plugins pose a particular risk, in two ways.
Firstly, the developer who created the plugin doesn’t actually work for Wordpress. Remember, this is open source software, created by anyone with an interest and a willingness to share or sell their plugin. They’re under no obligation to update it and frequently don’t if their interests go off in other directions.
Secondly, even when an updated version of a plugin is available, the user often doesn’t notice or realise the importance of installing the newer version.
In either of these situations, old plugins on many thousands of websites end up as so much abandoned scrap in a junkyard. They can stop working, cause your website to crash, or become a security weakness for hackers to exploit.
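The two plugin problems just described (an update that nobody has installed, and a plugin its author has stopped maintaining) are both things a scheduled check can catch before a human notices. The script below is an added example, not Kontrolit’s or WordPress’s own code: it assumes the JSON shape of WP-CLI’s `wp plugin list --format=json` (fields name, status, update, version) and the `last_updated` string of the WordPress.org plugin-info API, and all sample data in it is constructed.

```python
"""Triage installed WordPress plugins: unapplied updates, inactive leftovers,
and plugins that look abandoned upstream. Example code, not WordPress's own."""
import json
from datetime import datetime

# Constructed sample of `wp plugin list --format=json` output; names and
# versions are made up for the example.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "slider-widget", "status": "active", "update": "available", "version": "1.2.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "old-gallery", "status": "inactive", "update": "none", "version": "0.9"},
])

# Constructed sample of the 'last_updated' field from the WordPress.org plugin
# info API (https://api.wordpress.org/plugins/info/1.0/<slug>.json), assumed
# here to start with a YYYY-MM-DD date; the time and zone that follow are ignored.
SAMPLE_LAST_UPDATED = {
    "slider-widget": "2017-05-02 9:15am GMT",
    "akismet": "2017-06-20 3:40pm GMT",
    "old-gallery": "2014-11-03 1:05pm GMT",
}

ABANDONED_AFTER_DAYS = 730  # no upstream release for two years: treat as abandoned


def _to_date(text):
    # Works for both "YYYY-MM-DD" and the longer API string above.
    return datetime.strptime(text[:10], "%Y-%m-%d").date()


def triage_plugins(plugin_list_json, last_updated, today):
    """Return plugin names per risk category; `today` is a YYYY-MM-DD string."""
    report = {"update_available": [], "inactive": [], "abandoned": []}
    for p in json.loads(plugin_list_json):
        name = p["name"]
        if p.get("update") == "available":
            report["update_available"].append(name)   # newer version not installed
        if p.get("status") == "inactive":
            report["inactive"].append(name)           # still on disk, still reachable
        if name in last_updated:
            age = (_to_date(today) - _to_date(last_updated[name])).days
            if age > ABANDONED_AFTER_DAYS:
                report["abandoned"].append(name)      # upstream has gone quiet
    return report


def needs_attention(report):
    """True if any category is non-empty; handy as a cron job's exit status."""
    return any(report.values())


if __name__ == "__main__":
    result = triage_plugins(SAMPLE_PLUGIN_LIST, SAMPLE_LAST_UPDATED, "2017-07-01")
    print(json.dumps(result, indent=2))
    raise SystemExit(1 if needs_attention(result) else 0)
```

On a live site, feed it the real WP-CLI output and API responses instead of the constructed samples and run it from cron, so a non-zero exit can raise an alert without anyone logging in to the admin panel.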
How are Kontrolit websites more secure?
The source code on Kontrolit websites is “closed”, which massively improves the security of our software. In addition, without getting into too much technical jargon, Kontrolit sites are built on top of a framework which utilises Microsoft’s security patterns and best practices.
In fact at the time of writing (and hopefully beyond!) a Kontrolit website has never been hacked.
We launched Version 1 of Kontrolit’s CMS way back in 2002. Between major Versions, updates are released approximately every three months. And because the "widgets" which provide the extra features on your site are all owned and developed by Kontrolit, we can carry out thorough testing at every stage to ensure 100% compatibility with every update. That means regularly updated code, no crashes and choking off opportunities for hackers.
We don’t pass the buck for security updates
We don’t believe it’s a customer’s responsibility to keep checking for a software or plugin update, let alone leave them to install it themselves. Kontrolit customers on the latest version of our CMS (called KIT4) don’t have that hassle.
Once we’ve tested and updated our software it’s rolled out seamlessly to all customers with KIT4 websites. You probably won’t even notice we’ve done it. But you’ll have peace of mind that we’ve got it covered, at no extra cost to you.
What price do you put on website security?
Kontrolit provides a professional service at a very competitive price. But here’s the elephant in the room: in most cases, Kontrolit probably can’t create a website as cheaply as a developer using open source software. That costs us new business sometimes, but we’re not prepared to compromise our standards or your online security.
We understand that up-front costs are an overriding priority for many small business owners, but ask yourself a few questions:
- Will your Wordpress developer keep your website updated with the latest software releases in the years ahead? If so, is this a free service?
- How does your open source developer identify and fix incompatible and out-of-date plugins on a Wordpress website?
- What happens if a plugin or extension breaks your website?
- If hackers exploit your website, who is responsible for fixing it and what’s the cost?
- How long can your business afford to be without a website if there are problems?
Talk to us if you want peace of mind and an ongoing commitment from a developer who values your business long after you’ve paid the bill.