WordPress is a complex software ecosystem. Its huge userbase and an active developer community numbering in the tens of thousands make for a potential security nightmare, but, in fact, it functions surprisingly smoothly.
For users who hear only about the most recent security vulnerability, it might not appear so, but the widespread publicity of security vulnerabilities — almost always accompanied by a patch — is evidence that WordPress’ immune system is functioning properly.
Researchers and developers find problems, WordPress’ core and plugin developers fix them and ship the fixes as updates, and only then are the vulnerabilities publicized, so that users learn about the risk at the same moment the update that removes it is available.
Although WordPress’ security model works, there is scope for improvement. A “bottom-up” system with so many moving parts can suffer from a lack of coordination. As Jeff Chandler points out on WPTavern, this April a security researcher published details of a vulnerability before the developers had a patch ready, so for the interval between disclosure and fix, WordPress sites were exposed with nothing to update to.
To combat this sort of problem, a top-down approach in which someone is responsible for the coordination of security responses is necessary. That’s why it’s great news that Nikolay Bachiyski, a long-time WordPress developer, has been appointed the first Security Czar for WordPress.
Bachiyski’s new job was announced from the stage at WordCamp Europe by Automattic CEO and WordPress creator Matt Mullenweg. It’s not yet clear exactly what Bachiyski’s responsibilities will be, but we do know he will be overseeing the security of the open source, self-hosted WordPress distributed through WordPress.org (as distinct from the hosted WordPress.com service), the software that powers many millions of websites.
Although Bachiyski’s appointment will streamline the WordPress security process, it’s always worth pointing out that WordPress security is a collective effort that involves the WordPress team, plugin developers, web hosting companies like Nexcess, and WordPress users. As Mullenweg made clear in a recent Quora response, many of the security problems in the WordPress world stem from poor security practices on the part of users.
WordPress is the most widely used CMS in the world, and many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.
No matter how efficient and effective the WordPress security process is, it can easily be undermined if users fail to update their installations or neglect basic username and password hygiene. Security researchers and developers find and fix vulnerabilities in WordPress, but because so many sites never apply the resulting updates, they remain exploitable long after the fix is public, and a publicized vulnerability is exactly what attackers go looking for in unpatched installations.
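The simplest defence against the “never updated” failure mode is to take the human out of the loop. The following is an added example, not code from the original post or from the WordPress project; it uses two real WordPress constants (WP_AUTO_UPDATE_CORE, DISALLOW_FILE_EDIT) and two real filters (auto_update_plugin, auto_update_theme), while the file paths and the must-use plugin’s file name are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Two small files that make a
// self-hosted WordPress site apply its own updates and remove the in-dashboard
// code editor. File locations below are assumed; adjust to your install.

// ---- wp-config.php --------------------------------------------------------

// Apply core updates automatically, including major releases.
// The default since WordPress 3.7 is 'minor', which applies only
// security and maintenance releases; set to true to take all of them.
define( 'WP_AUTO_UPDATE_CORE', true );

// Disable the theme/plugin file editor in the dashboard. Without this,
// a stolen administrator password is enough to write arbitrary PHP
// into the site, which is a common persistence step after a compromise.
define( 'DISALLOW_FILE_EDIT', true );

// ---- wp-content/mu-plugins/auto-updates.php (assumed file name) ----------

// Must-use plugins are loaded on every request and cannot be deactivated
// from the dashboard, so the policy below survives an administrator
// clicking "disable" by mistake. Returning true from these filters tells
// the built-in updater to install every available plugin and theme update.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

For a host or administrator who would rather review updates before they land, WP-CLI exposes the same information on the command line: `wp core check-update` lists available core releases and `wp plugin list --update=available` lists plugins with pending updates, which makes it straightforward to alert on, or script, a fleet of sites that have fallen behind.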
Nevertheless, coordinating the WordPress security process will let WordPress developers respond to security issues in a cohesive way, which minimizes the risk to users who do keep their sites up to date.