ergophobe - 3:18 pm on Jul 29, 2008 (gmt 0)
Then there are a few more tips from Matt Mullenweg [webmasterworld.com] and others, as well as our own Incredibill's suggestion to block some query strings and UAs [webmasterworld.com]. Personally, on a setup as open and vulnerable as Wordpress (or most CMS), I think the best defense is a backup plan. Literally. Depending on how busy your site is, daily or hourly DB dumps archived on a rotating basis are a necessity, because it's probably more of a "when" question than an "if" question. The same things that make the most common platforms popular are the things that make them vulnerable. Does that mean don't use them? Depends on your risk tolerance, of course. For a content-based site, a CMS saves you so much development time... but if you're on a popular platform, you'll get probed daily and can count on, at the very least, spam inundation and, at worst, being completely owned.
Thanks for some great tips Greg. Incredibill has made it his mission to let everyone know how secure Wordpress is [google.com] especially as compared to a hosted service [webmasterworld.com]. So there's fair warning.
- huge user base means a huge target worth shooting at
- open architecture means large holes that are difficult to plug without losing functionality that many users desire
- an all things to all people approach means many holes
- again, the open architecture means many contributors often without serious code review, so even if the core is solid, the plugins and modules create points of vulnerability.
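The "hourly DB dumps on a rotating basis" advice above, as an added example that is not from this thread: a POSIX sh script that reads the credentials out of wp-config.php, dumps the database with mysqldump, and keeps only the newest N archives. The paths in the entry point (/var/www/html/wp-config.php, /var/backups/wp) and the retention count are assumptions to adjust for your host; it also assumes DB_HOST is a plain hostname.

```shell
#!/bin/sh
# Added example, not WordPress code. Requires mysqldump and gzip on the host.

# Read define('KEY', 'value') from wp-config.php (constructed helper).
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Keep the newest $2 files matching glob $3 in directory $1, delete the rest.
# Prints the number of archives left so a caller (or a test) can check it.
rotate_dumps() {
    dir=$1; keep=$2; pattern=$3
    # ls -t lists newest first; tail skips the $keep we want to keep
    ls -t "$dir"/$pattern 2>/dev/null | tail -n +$((keep + 1)) | while IFS= read -r f; do
        rm -f -- "$f"
    done
    ls "$dir"/$pattern 2>/dev/null | wc -l | tr -d ' '
}

# Dump the WordPress DB named in $1 into $2 and keep the newest $3 dumps.
backup_wp_db() {
    cfg=$1; outdir=$2; keep=$3
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    stamp=$(date +%Y%m%d-%H%M%S)
    umask 077            # dumps hold every post, user hash and option: owner-only files
    mkdir -p "$outdir"
    out="$outdir/$db-$stamp.sql"
    # MYSQL_PWD keeps the password off the command line (and out of `ps`);
    # --single-transaction gives a consistent InnoDB snapshot without locking the site.
    MYSQL_PWD=$pass mysqldump --single-transaction -h "$host" -u "$user" "$db" > "$out" \
        || { rm -f "$out"; return 1; }
    gzip -f "$out"
    rotate_dumps "$outdir" "$keep" "$db-*.sql.gz" > /dev/null
}

# Entry point, only when invoked as "wp-db-backup.sh run" (hypothetical paths).
# Hourly cron line: 0 * * * * /usr/local/bin/wp-db-backup.sh run
if [ "${1:-}" = "run" ]; then
    backup_wp_db /var/www/html/wp-config.php /var/backups/wp 24
fi
```

Copy the rotated archives off the host as well; a dump that lives only next to the site goes away with it when the box is owned.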