Just how secure is WordPress for eCommerce? Probably more than you’d think…

WordCamp London welcomed hundreds of WordPress professionals and aficionados through its doors last month.

Daniel Foster, co-founder of Manchester-based web hosting company 34SP.com, was amongst the revellers and used the opportunity to discuss some of the biggest issues currently surrounding the WordPress platform, perceived security threats for 2015, and the opportunities it holds for eCommerce.

eCommerce is currently one of the fastest growing sectors in the world. Indeed, according to eMarketer, global eCommerce sales which include products or services, excluding travel and event tickets, ordered using the internet reached $1.316 trillion in 2014, up 22.2% from $1.077 trillion in 2013.

As consumers become increasingly reliant on technology, internet access continues to spread worldwide, social media usage increases, and online marketing becomes even more fruitful, eCommerce is clearly here to stay.

WordPress and its universal appeal

WordPress is currently one of the main platforms used to host websites, with an estimated 23 per cent of all sites on the internet hosted on the platform.

A 2014 34SP.com survey of over 1,000 WordPress users revealed 52 per cent used the platform for business purposes, debunking the idea that WordPress is solely a blogging platform.

The platform is favoured as it allows for a range of options that create a personalised website, including secure payment gateways, checkouts and passwords, plus a large range of security plugins.

Thousands of templates and plug-ins, and the opportunities they offer for creating bespoke sites, are hugely appealing to businesses and individuals alike, but due to the open-source nature of the platform – which essentially means anyone is free to edit its code – security can be a concern.

Lack of training and security precautions amongst WordPress users is leading to them becoming vulnerable.

However, speaking to a number of experts at the UK’s largest WordPress-dedicated exhibition, WordCamp London, many believe that if users are able to get their head around preventative measures, security shouldn’t be a problem. So what are the main things businesses should look out for?

Check your coding and watch out for unsecure plug-ins

While WordPress has a strong history of security, Phil Wylie, WordPress developer at the eCommerce specialist iWeb, has seen premium WordPress themes which come bundled with plugins causing issues of late.

He said: “The idea is to provide additional functionality and value to the end user. However, as the theme author is the licence holder for the bundled plugin, it is their responsibility to update and distribute the patched files.

As the site owner, you might not even be aware you’re running out-of-date, exploitable code. Adding any third-party code to your WordPress installation increases the potential for introducing vulnerabilities.

You should source your themes and plugins from the official repositories or from reputable developers who provide a clear update process.”

Harry Metcalf, managing director of public sector web developer and hosting business, DXW, echoed Phil’s sentiments around insecure plugins and coding issues.

He said: “WordPress has lots of wonderful plugins, many of which are coded to an extremely high standard. But sadly, many are not. Of the plugins we’ve assessed and published at security.dxw.com, over half have some kind of security problem that should make users think twice.

If you care about the security of your site, be careful: numbers of downloads and star ratings are an unreliable way to assess a plugin’s security. Wherever possible, get someone who knows what they’re doing to code review plugins before you use them.”

Metcalf also believes that one of the most pressing issues facing WordPress’ security is users failing to update plugins and the WordPress core in a timely fashion, and added, “Updates often contain fixes for security incidents – and when they do, the publication of the update will alert attackers to the presence of a vulnerability in the old version.

As soon as an update is released, the clock is ticking, so apply updates quickly.” 

Look at the bigger picture

Phil Wylie went on to state that the most important steps you can take to secure your WordPress site are not necessarily specific to WordPress – “Good password practices and keeping your software up-to-date are often overlooked. In my experience, the root cause of security incidents tends to be a trusted administrator with a bad password or an exploit in an unpatched, third-party plugin. A strong password doesn’t use dictionary words; it’s made up of a combination of mixed-case letters, numbers and symbols. And it’s important to use a unique password for every website. Not only because a security breach on another site could give up your password, it could also make it possible to access your email, and therefore an attacker could request a password reset from your WordPress install.”

Keep software current

“In terms of keeping software up-to-date, WordPress has a built-in update mechanism to keep itself, its themes and plugins updated”, added Phil. “Running the latest version of each means you’ll benefit from new features, bug fixes and crucially, security patches.

You can access the updates screen within the WordPress dashboard to see and install available updates. The WP Updates Notifier plugin can email you when an update is made available for your WordPress site, saving you from having to manually check.

“If you’re looking after a number of sites, there are some brilliant remote management tools available. Jetpack now includes a Site Management feature which has many of the useful features the more established services such as WP Remote and ManageWP offer. From one interface you can get an overall feel for the status of your websites and remotely install updates.”
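The two points above, only trusting plugins that come with a clear update path (Phil Wylie’s remarks on theme-bundled plugins) and letting WordPress’s built-in update mechanism keep everything current, can be combined in a small must-use plugin. This is an added example, not code from the article or from any of the companies it quotes; it assumes that an update package served from downloads.wordpress.org comes from the official repository and that the hook names and update-item properties are as documented in WordPress core (WP_AUTO_UPDATE_CORE, auto_update_plugin, auto_update_theme).

```php
<?php
/**
 * Plugin Name: Auto-update plugins and themes from the official repository
 *
 * Added example: drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Assumption: packages WordPress resolves to downloads.wordpress.org come from the official
 * repository; theme-bundled or commercial plugins report a different package host (or none)
 * and are left for a human to review, which is what the article recommends.
 */

// Keep core on the latest minor and major release automatically.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

/**
 * Decide whether a plugin or theme update may be installed unattended.
 *
 * @param bool   $update Decision WordPress has made so far (false unless opted in).
 * @param object $item   Update item: ->package is the download URL, ->slug (plugin)
 *                       or ->theme (theme) names the item.
 * @return bool  true to install now, otherwise the unchanged default decision.
 */
function example_auto_update_from_official_repo( $update, $item ) {
    $package = isset( $item->package ) ? (string) $item->package : '';
    $host    = $package !== '' ? wp_parse_url( $package, PHP_URL_HOST ) : '';
    $name    = $item->slug ?? $item->theme ?? 'unknown';

    if ( 'downloads.wordpress.org' === $host ) {
        // Patched files come straight from wordpress.org: apply them as soon as they appear.
        return true;
    }

    // Anything else (theme-bundled, premium, or no package URL): record it and defer to the
    // admin's own setting, so an out-of-date bundled plugin is at least visible in the logs.
    error_log( sprintf(
        '[auto-update] %s skipped: package host "%s" is not the official repository; review and update manually',
        $name,
        $host ?: 'none'
    ) );
    return $update;
}
add_filter( 'auto_update_plugin', 'example_auto_update_from_official_repo', 10, 2 );
add_filter( 'auto_update_theme', 'example_auto_update_from_official_repo', 10, 2 );
```

Skipped items still show up on the dashboard Updates screen, so the manual review the article describes remains the fallback for anything not served from the official repository.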

So what measures can businesses apply to protect their WordPress sites?

Harry Metcalf offered five useful tips to businesses and individuals when considering the safety of their WordPress site:

  • Install updates quickly. If you don’t have time to do it yourself, pay someone else to do it for you. It’s the single most important thing you can do to keep yourself safe.
  • Choose hosting that’s appropriate for what you’re doing. If you’re running an eCommerce site, you should not be using cheap, shared hosting to do it. On the flipside, if you’re hosting a personal blog, you don’t exactly need WordPress VIP to be looking after it. Think about the risks you face and choose a hosting provider who you have confidence in – someone who’ll have the time and the skills to help you in a crunch.
  • Follow basic security best-practices. You should probably use anti-virus software, exercise caution when using internet cafes and public WiFi, never plug in USB devices that you don’t trust and be very wary of following links from emails. Any computer you use to administratively access your site is a potential point of weakness, so be wary of what’s going on, and suspicious of the unexpected.
  • Check that the plugins you’re using are coded to a high standard. You could start by looking the plugin up on security.dxw.com. Or get a developer to check the plugin for OWASP top-10 vulnerabilities. If they don’t know what those are, find someone else!
  • If vulnerabilities exist in the plugins you use, make sure you’ll know, and do something about it. We’re currently working on MongooseWP, a service that will alert you when security vulnerabilities are found in the plugins you’re using – and tell you what you need to do.

So there you have it: WordPress is generally secure, but users should take steps to update, maintain and optimise the platform on a regular basis. Users wouldn’t go wrong to seek help from a professional to ensure they’re protected from hackers and bugs.

Due to the piecemeal nature of the WordPress ecosystem, you’re expected to connect a lot of the technical dots yourself. After all, WordPress was developed first and foremost with developers in mind.