I’ve often heard that WordPress and other open source platforms are very insecure and that basing any large operation on them is a huge risk. I’ve also heard that WordPress is less secure than many of its open-source peers, like Movable Type.
But Qualys’ study with its BlindElephant open-source security tool shows that only 4 percent of WordPress sites have critical vulnerabilities. Meanwhile, as CMSWire points out, other open-source platforms have much higher percentages of extensive vulnerabilities:
- 77 percent of Movable Type sites
- 91 percent of Joomla sites
- 95 of WikiMedia sites
- 69 percent of Drupal installs
It’s important to note that this survey looks at the core software and not plugins, so it’s key to use plugins that are developed by reputable developers who frequently update their software. Pay attention to ratings and comments on WordPress plugin directory pages, too.
Upgrading your core software is a good decision, too. If you look at the breakdown by WordPress version above, far more sites running on 2.9.2 have vulnerabilities to attack. That may be because of WordPress’ explosion in popularity around 2.9’s release. But for WordPress 3 having 12.7 million downloads and counting, vulnerabilities are thus far pretty scarce.
GigaOm (running WordPress itself) reports that Zenoss’ 2010 Open Source Management Survey shows that 98 percent of large enterprises are now using open source software, with growing numbers preferring open-source solutions to proprietary disasters. In fact, 71 percent of enterprise-level businesses said open source is easier to deploy, and 76 percent said they prefer to use it whenever possible.
Next time you hear someone use fear-mongering (“They’re so insecure. Do you want to be down all the time!?”) against open-source systems like WordPress, these stats should be nice to have handy.