Does anyone know how secure WordPress is?
I have no clue how to define “how secure”. But compared to other CMS systems, how secure is it?
Update:
To elaborate a bit on my project.
I’m gonna have a lot of users registering. Once logged in, they will have access to plugins which I’m developing. In about 6 months I will also offer paid services – I’m thinking PayPal. All sensitive details will be handled on PayPals https.
Update2:
(15.07.2013)
I found this article over at MOZ: The Definitive Guide to WordPress Security
I don’t really know how to define how secure it is, but I can tell you a few things about it that should help you make up your mind.
By default WordPress does not secure logins, so usernames and passwords are passed in cleartext. And most people use WordPress like that.
That said, since version 2.6, you can force logins to be under SSL by adding this to your wp-config.php:
You can also opt for forcing SSL for all administrative tasks by using:
That should make it pretty good. And regardless of the version you are using, you can always force SSL for admin with mod_rewrite:
And, if you need a different folder for the SSL part:
That would force everything under wp-admin to work under SSL and everything else would be forced to “regular” HTTP.
Other things to consider is MySQL. If your blog communicates with MySQL over the Internet, you have one more thing to worry about. Most setups have MySQL inside a secure network, though. Even better if MySQL runs on the same machine as the web server, so you can communicate without relying on TCP/IP at all.