WordPress is used on over 20% of websites. It’s a huge success story and with good reason. WordPress is a powerful content management system with just the right combination of ease-of-use and configurability to appeal to both web development professionals and amateur web masters.
However, a fly in the ointment of WordPress’ success is the raft of stories we’ve had over the last few years that focus on hacked WordPress sites and vulnerabilities in the software. In truth, WordPress is no less secure than any other popular CMS and is a good deal more secure than some.
Much of the perception of apparent insecurity that surrounds WordPress is the result of its popularity. The ubiquity of WordPress sites makes them an irresistible target for hackers in much the same way that Microsoft Windows is the target of choice for malware developers. It makes sense for them to focus their efforts where they are likely to see the biggest return. But, also like Windows, WordPress is the content management system of choice for many webmasters who are not well versed in Internet security. As a consequence, WordPress is often misconfigured and, even more crucially, many users fail to understand the importance of regular updates.
In a recent study from Sandro Gauci of EnableSecurity, who surveyed WordPress sites among the Alexa Top Million sites, it was found that the 42,106 WordPress sites looked at were running 74 different versions of WordPress and less than 20% had immediately upgraded to the most recent version (WordPress 3.6.1).
The fragmentation of WordPress versions and the non-compliance of webmasters with upgrades create both a security and a PR headache for the WordPress developers, which may well be the motivation for the planned introduction of automatic upgrades in the next point release, WordPress 3.7, which is expected to be released later this month.
If WordPress users are unwilling or unable to update their sites frequently enough to avoid exposing themselves to vulnerabilities, then it makes sense to implement a mechanism to do it for them. It is good for WordPress and for the Internet as a whole; the fewer malware vectors and zombie WordPress sites, the better.
But experienced WordPress users also have a multitude of legitimate concerns about automatic updating. Any developer with a bit of experience running a WordPress site knows that updates have a tendency to break things like plugin compatibility and other site features. None of them relish the idea of waking up one morning to find that their site has been hosed by an automatic update. As things stand, auto-updates are only going to apply to minor point releases with security patches and bug fixes, but the intention is to make them opt-in, rather than opt-out, which doesn’t sit well with some developers.
If you want to get a taste of automatic updates, there is a plugin which implements a superset of the features that will be included in WordPress 3.7.
What do you think? Are automatic updates a step too far or a much needed solution to WordPress’ security problems?