I have been interested in computer security since being a teenager, when I started playing around with old school GUI programs like the Sub-7 trojan and other similar tools.
Later in life I went to university and completed an undergraduate degree in Computer Security. While still at university I was hired by a penetration testing company where I tested some of the biggest UK brands' website security. At the same time I created an Open Source project called Damn Vulnerable Web App (DVWA) to help improve my web testing skills. After university I moved to France and started a new project called WPScan.
I started using WordPress to blog about what I was learning at university; to share my new knowledge and experience with others.
You know, I can’t remember the exact reason why I chose WordPress as my first blogging platform, but I did. It was my own blog that led me into creating the WPScan tool, as I started to become aware of security flaws in my own blog and wanted to create a tool for my fellow penetration testers to be able to more easily test the security of WordPress websites.
The strengths are that it is widely known, stable and the core software is secure. Arguably the biggest strength is the WordPress plugin ecosystem; it allows users to easily expand WordPress’ functionality, and there’s a plugin for almost everything that you may need. On the other hand, the plugin ecosystem is also one of WordPress’ biggest weaknesses, namely poor-quality and insecure plugins. The vast majority of security issues stem from these third-party plugins.
Yes, WordPress is secure. It only becomes insecure when it is mismanaged, and that is often the case with WordPress as many of its users may not be super technical, or may lack the time to ensure it is managed properly.
Managing a WordPress blog is fairly straightforward, but does require some human interaction, such as ensuring updates are installed. As mentioned previously, the real problem stems from some of the third-party WordPress plugins. Almost anyone can create and distribute a WordPress plugin, and some of these developers may not have the skills to properly secure their software. That being said, some of the most widely used and popular plugins are very secure today as the vendors have realized the importance of security and have invested time and money in the security of their own plugins.
Yes, we (WPScan) do monitor website uptime, performance and errors. But we do not currently use WordPress on any of our websites; instead we use a mixture of technologies and custom code to run WPScan. That’s why we use third-party applications (Uptime Robot, CloudFlare, Kibana) and not a plugin to monitor our website’s uptime, performance and errors.
Given its current trajectory in terms of its market share growth, I can only see WordPress growing in the future. With the heightened interest in WordPress security and the number of companies catering for that, I can only see the WordPress ecosystem becoming more secure too.
I think WordPress will continue to evolve its technologies, as can be seen from the implementation of Gutenberg and the new REST API, as well as others. To me, the future of WordPress looks bright for a long while yet.
At WPScan we have recently finished redesigning our main website and consolidating a few others into the same website. Our CLI tool, website and the API are pretty stable and mature now, so I think they will require less of our time in the future. Going forwards we will be putting more effort into our WPScan WordPress security plugin, and I hope that as a result we will see a significant increase in the number of active plugin users.
We also want to continue to ensure that we are as fast as possible and as accurate as possible when maintaining our WordPress vulnerability database.