ergophobe - 2:17 am on Oct 31, 2013 (gmt 0)
All right, I'll bite.
The more technology you run, the bigger your attack surface. That said, Wordpress security has improved so much over the years that people who say "Wordpress isn't secure" and point to attacks that took place on version 2.x are basically the same as the people who claim Windows isn't secure because of attacks on Windows Millennium. That does NOT make Wordpress or Windows 8 impervious, but they are different animals from the previous versions that were designed with almost no attention to security.
There's always a tug and pull: a large user base and open source code means a lot of eyes on security issues, but it also means the creators of automated scripts will target the system. I think security via review is a better bet than security through obscurity.
WP is no less secure than a Drupal or Joomla or any CMS script out there
More or less true, but there are differences and they are significant.
In favor of Wordpress, it's a way smaller codebase than Drupal and therefore a smaller attack surface.
On the other hand:
- Wordpress allows direct editing of files on the server from the admin interface.
- All Drupal modules are under the same umbrella and the security team watches over all of them. Clearly, obscure modules don't get much review, but major third-party modules are treated much like core. I don't believe that Wordpress has anything similar. Also Drupal segregates security fixes from bug fixes, which helps people stay up to date on major security issues.
- By implication, this also means that the security team has the entire universe of Drupal modules on a single git repo, so when an exploit is discovered, they can grep for similar code in all modules and try to roll out fixes across the board.
- In a default install, Drupal automatically sends a nag email daily if there are security updates that should be applied to a site. Again, because there's a centralized clearinghouse for security issues, this is possible.
So while I think much of the Wordpress bad reputation is outdated, I wish that Wordpress would adopt a bit more of a Drupal-style plugin management and security overview. I think that would help a lot.
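A concrete setting behind the file-editing point in the post above, shown here as an added example that is not part of the original post: the wp-config.php fragment below puts the weak (default) state next to the hardened one. DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are WordPress's own constants; everything else in the fragment (placement, comments, the "deploy pipeline" wording) is this editor's illustration, not a quote from WordPress documentation.

```php
<?php
// wp-config.php fragment (added example). Put these lines above the
// "That's all, stop editing!" line so they are defined before
// wp-settings.php loads.

// Weak state: constant not defined (or defined false). WordPress then
// shows Appearance > Editor and Plugins > Editor, so any account with
// the edit_themes / edit_plugins capability (administrators) can write
// arbitrary PHP into theme and plugin files from the browser. A stolen
// admin session therefore becomes code execution on the server.
// Leaving this line commented out is equivalent to not setting it.
// define('DISALLOW_FILE_EDIT', false);

// Hardened: remove the in-browser code editors entirely. Administrators
// can still install and update plugins/themes through the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Stricter still: also block plugin/theme/core installs and updates from
// the dashboard, so every change to PHP on the server goes through your
// own deployment process. When this is true, DISALLOW_FILE_EDIT is
// implied. Caveat: it also disables the dashboard's one-click security
// updates, so only enable it when updates are applied by another
// mechanism (for example WP-CLI or a deploy pipeline).
// define('DISALLOW_FILE_MODS', true);
```

After reloading the admin area, the Editor entries should be gone from the Appearance and Plugins menus; if they are still there, the constants were defined after wp-settings.php was included and have no effect.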