The State of WordPress Security

Stolen entirely from is this about how Wordpress kicks ass..;) and makes the point that most exploited WP sites are done so through weaknesses in the hosting companies and dodgy plugins..

The article How did WordPress win? has certainly been making its rounds the last two days, but all eyes seem to be (for the most part) on this comment by core developer Mark Jaquith, who sums up the state of WordPress security quite well. It sure is hard to avoid quoting the entire thing here, but here are a few key points:

I haven’t seen an up-to-date WordPress install get directly exploited in around five years. Seriously. Every time I investigate a compromised WordPress install, it is either because they were running an old version (usually not just a little bit old, but really old), or because their web host was compromised.


When you’re paying $5 a month for hosting, three things will usually suffer: Stability, Security, and Support.


Two big priorities right now are: (a) making it super easy to stay up-to-date and (b) pushing web hosts to get their act together.

To summarize the major points in the comment, your WordPress installation is safe as long as it’s up to date (and your password is good), the developers are working on ways to make staying up to date easier, and make sure that your hosting provider isn’t taking shortcuts with their security.

As a gentle reminder after reading this article, WordPress 3.0.5 and 3.1-RC4 were released a few days ago, so don’t forget to update your installation!