By: Chris LaFay on April 16, 2018
Some 30.5% of websites use WordPress. Let that sink in. Almost one in every three sites you visit on a daily basis is built on WordPress. That’s a ton. And WordPress is 100% open source, run by a community of WordPress developers (as well as some people from Automattic on company time). For each version of WordPress that is released, hundreds of Core Contributors (i.e. volunteers) contribute patches and fixes to the core of WordPress.
With that being said, this team has an intense job to do. They need to make sure that all the Core Contributors are submitting code that actually works. Once code has been submitted, they run it through review and automated tests to validate its quality and to make sure it doesn’t open WordPress up to any new vulnerabilities. They wrangle their volunteer force and keep them excited about continuing to help, because without the volunteers, WordPress wouldn’t be anywhere near where it is today.
So, how does a cooperative team mixing paid and volunteer workers keep WordPress safe for 30.5% of websites on the web?
Every single day, the WordPress security team is reviewing code going into the core of WordPress. A group of reviewers internal to the project looks at proposed changes before they are committed, and automated systems check both the code in the repository and the most recently released version of the platform, so that what ships is secure.
Who’s better placed than the millions of people who use WordPress on a daily basis to tell the WordPress team about bugs in the system? The WordPress security team partnered with HackerOne to create a bug bounty program. If you find a security vulnerability in WordPress, report it privately through their bug bounty portal rather than posting it publicly. If it’s a legitimate, reproducible issue, you’ll receive a cash reward from WordPress!
WordPress is by far the most used content management system out there – however, there are other large CMSs: Drupal and Joomla are the biggest competitors in the space. The WordPress security team maintains active conversation with the developers of those platforms to coordinate their updates across the web.
Think about this: let’s say there’s a big hole in PHP (the language that a lot of the popular CMSs are built on). The issue isn’t WordPress- or Drupal-specific. In the early stages, the chances of malicious hackers knowing about the hole are relatively slim. But if one of the major CMS providers releases a patch before the others, the vulnerability is now public: attackers routinely diff a security release against the previous version to find exactly what was fixed, and then go after the CMSs that haven’t shipped their fix yet.
Rather than fighting against one another, the security teams at the major open-source CMSs work together when they find an issue in underlying code that affects everyone. They each patch the holes in their own systems, and they time a simultaneous release of their fixes. This ensures that:
Before automatic background updates arrived in WordPress 3.7 (late 2013), in order to upgrade your WordPress website, you had to:
With WordPress 3.7, that process improved. Core gained a way to push updates to your website automatically, rather than relying on each site’s developer to pull them down manually. By default, these background updates cover minor and security releases (major version upgrades still need to be applied deliberately), which means the security fixes that matter most get loaded onto your site before hackers can take advantage of the vulnerabilities they close. Since its initial run, the automatic update system has boasted fantastic results for WordPress users:
99.9% perfect successes: 999,000 out of every 1,000,000 sites upgraded without issue.
0.001% hard failures: 10 sites in every million where the upgrade didn’t work and broke the site.
0.099% soft failures: 990 sites in every million where the system recognized that the upgrade hadn’t applied cleanly (something broke) and was able to safely revert to the original version.
The biggest single reason sites get hacked is that users have very weak passwords, so choosing a strong one is one of the best things you can do to keep everything on your site safe and secure. We recommend passwords at least 25 characters long, made up of a random mix of uppercase letters, lowercase letters, numbers and symbols, and stored in a password manager rather than memorized or reused. The less “guessable” the password is, the better.
The goal is that if hackers want to get into your website, they have to fall back on the most time-intensive method possible: trying every combination of letters, numbers and symbols until they hit the right password. Using all four character classes listed below, even a 12-character password has 475,920,314,814,253,376,475,136 possibilities, which is 94 symbols raised to the 12th power. If hackers could test 2 billion passwords per second, it would still take them up to 7.5 million years to try them all, and a 25-character password as recommended above has a keyspace astronomically larger still. Two caveats: this arithmetic only holds if the password is genuinely random (a dictionary word with a few substitutions falls to wordlist attacks long before any exhaustive search), and a rate of 2 billion guesses per second is an offline rate against a stolen password hash; a live login form permits far fewer attempts.
The character classes and their sizes:
LC = Lowercase Letters (26)
UC = Uppercase Letters (26)
N = Numbers (10)
SC = Special Characters (32 printable ASCII symbols)
Together these give the 94-symbol alphabet used in the figure above.
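The arithmetic above, carried through in code. This is an added example and not code from the original post: the 94-symbol alphabet (26 + 26 + 10 + 32) and the 2 billion guesses per second rate are the post’s own figures, while the `check_policy` thresholds (25 or more characters, all four classes) are an assumed way of enforcing the post’s recommendation, and `generate_password` is one way to produce a password that meets it.

```python
"""Brute-force keyspace, time-to-crack and policy check for the password advice above.

Added example; not code from the original post. The alphabet sizes
(26 + 26 + 10 + 32 = 94 printable ASCII symbols) and the 2 billion
guesses-per-second rate are the post's own figures. The thresholds in
check_policy() (25+ characters, all four classes) are an assumption about
how one would enforce the post's recommendation.
"""
import math
import secrets
import string

LC = string.ascii_lowercase    # 26 lowercase letters
UC = string.ascii_uppercase    # 26 uppercase letters
N = string.digits              # 10 digits
SC = string.punctuation        # 32 printable ASCII symbols
ALPHABET = LC + UC + N + SC    # 94 symbols in total
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passwords of exactly `length` symbols (exact integer)."""
    return alphabet_size ** length


def years_to_exhaust(length, guesses_per_second=2_000_000_000):
    """Worst case: the attacker tries every candidate at the given offline rate."""
    return keyspace(length) / guesses_per_second / SECONDS_PER_YEAR


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """log2 of the keyspace, a convenient way to compare password choices."""
    return length * math.log2(alphabet_size)


def check_policy(password, min_length=25):
    """Return the reasons `password` fails the recommendation (empty list = passes).

    Thresholds are assumed, see the module docstring. The class check only
    confirms each class is present; it does not (and cannot) prove randomness.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, cls in (("lowercase", LC), ("uppercase", UC), ("digit", N), ("symbol", SC)):
        if not any(c in cls for c in password):
            problems.append(f"no {name} character")
    return problems


def generate_password(length=25):
    """Random password over the full 94-symbol alphabet from the OS CSPRNG.

    Retries until check_policy() passes so every class is present; at 25
    characters a retry is rare, and the result is uniformly random otherwise.
    """
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(pw, min_length=length):
            return pw


if __name__ == "__main__":
    for n in (8, 12, 25):
        print(f"{n:2d} chars: keyspace={keyspace(n):.3e}  "
              f"entropy={entropy_bits(n):.1f} bits  "
              f"years to exhaust at 2e9/s={years_to_exhaust(n):.3g}")
    print("policy check on a short password:", check_policy("Tr0ub4dor&3"))
    print("generated:", generate_password())
```

Running it shows why the post’s 12-character figure is only a floor: 12 characters is roughly 78.7 bits of entropy and 7.5 million years to exhaust at the stated rate, while 25 characters pushes the keyspace past 10^49. The policy check is the kind of rule you would wire into a registration or password-change hook; the generator is what a password manager does for you.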
A lot of basic TLS certificates (still commonly called SSL certificates) are free. In fact, with Classic City Consulting’s hosting plans, we provide a certificate free of charge.
Even if you’re just writing an entertaining blog about the crazy things your cat does every day, there are a couple of reasons why you need a certificate on your site and should serve it over HTTPS:
A secure site is a team effort, from the core code developers at Automattic and the WordPress Core Contributors to the webmaster you commission to manage your site once it’s live. Security means staying one step ahead of the risk and investing in the long-term safety of your site. Connect with a team you can trust.