Whenever we talk about WordPress and security, it’s important to address one question right off the bat. How secure is WordPress? The answer is, WordPress is one of the most secure web publishing applications available, and that is due to WordPress’ open-source status.
Now, this might seem contradictory. If the source code for WordPress is open and anyone can see it and tamper with it, and anyone can contribute back into the project, wouldn’t that make the project less secure?
Well, the reality is completely opposite, because an open-source application is built by the people who use it, and the people who develop WordPress have a vested interest in the application working and being secure.
That means any time a vulnerability is found inside WordPress, the WordPress community as a whole bands together to find a way of patching this vulnerability and then submitting an update back to the people who use WordPress. This is what results in these constant updates of the application. You’ll often see a new update every month, and it’s also why WordPress evolves so quickly. Because the community is working together to build a better application, we get security updates right away, and we also get featured updates all the time, with new features and new functionalities built in.
The bottom line is, WordPress is secure thanks to your vigilance. As a WordPress user, you’re automatically part of the WordPress community, and that means as long as you keep your WordPress site up-to-date, you have a secure site, and if something were to happen to your site, you can communicate that directly back to the WordPress community, and the community will band together and find a way of patching that hole and then distribute the patch to everyone who uses WordPress. It’s a constant feedback loop that creates a more secure environment that’s really agile and able to deal with problems almost immediately.
And you can see that exact phenomenon in action. Some time ago (in a version far, far away) a major security vulnerability was found in WordPress and Drupal that could result in sites going down and being impossible to recover. It could also result in servers crashing and a lot of dramatic things happening. Now this was not because of WordPress or Drupal not being secure. It was because of an intrinsic problem with web servers that can be exploited due to the fact that WordPress and Drupal both run on MySQL servers.
What happened when this vulnerability was found was that the researcher who discovered a vulnerability instead of just immediately publishing it or by exploiting it, he contacted the WordPress security team and the Drupal security team and told them about the vulnerability, and both applications were able to immediately push out updates to the applications to the users before that vulnerability was made public. The result was WordPress 3.9.2, which came out of the blue, got auto-installed on millions of WordPress sites worldwide through the auto-update function, and then the security patch was fixed before anyone even knew it existed.
So, if you ever wonder how secure WordPress is, just notice how often these point releases come out, and you’ll know that any time you see one of those, it means someone found some way of getting into the application, and then someone else immediately fixed it, republished a code out to everyone who uses the application, and basically solved the problem before the problem became a real problem.