Is WordPress secure for Fortune 500 companies’ websites?
Definitely. We count many of them among our list of VIP clients, and many others use WordPress on their own servers.
Is WordPress safe for government agencies and public-facing sites?
Absolutely! In fact, a whole slew of government sites are already using WordPress. Check out our Spotlight on WordPress for Government for more information and examples. NASA, the U.S. Senate Democrats, the Republican and Democratic party websites, and the British Prime Minister’s Office site all run on WordPress.
What happens when there’s a security problem in WordPress core?
If a critical security vulnerability is identified in WordPress, the goal is to issue a security release that addresses it as quickly as possible (typically within days, but often faster) depending on the severity and complexity of the issue.
I’ve heard of X WordPress site being hacked and I’m afraid it can happen to my WordPress site.
WordPress.com VIP has had a lot of experience helping clients with “hacked” sites and though each case is different, two types of “hacks” unrelated to WordPress often receive a lot of attention.
The first case is a weak user password, or a user's password that is reused across multiple services, one of which gets compromised. In this case, the password is compromised and used to obtain access to the WordPress site. The site hasn’t technically been hacked at the software level; the user’s password has been compromised.
We have some strong password guidelines we recommend for all users – make sure you keep your user list updated and encourage your users to create strong passwords and change them regularly.
If you need some assistance in setting up your servers to be secure, that’s something we can help you with via VIP Support.
Do you have any security guidelines or best practices for end-users of WordPress.com?
Yes. We have a document about Security on our public-facing Support site which details some security measures all WordPress.com users can take to help protect their sites.
What happens if my team discovers a security flaw in WordPress core?
If you find a security flaw in core WordPress, follow the instructions on WordPress.org for reporting security flaws.
The WordPress security team is made up of 25 experts including lead developers and security researchers — about half are employees of Automattic, and a number work in the web security field. We consult with well-known and trusted security researchers and hosting companies. — Andrew Nacin, WordPress Lead Developer, in a presentation “WordPress.org & Optimizing Security for your WordPress sites,” June 2013.
What about X plugin – is it safe?
Plugins aren’t as rigorously reviewed as the core software, and they have occasionally introduced widespread security issues. We encourage everyone to review any code they’re planning to run on their site, which is also why WordPress.com VIP provides code reviews as a service for our support customers.
How does WordPress.com VIP Hosting handle DDoS?
At WordPress.com VIP, we have various types of DDoS protections in place, as well as various mitigation strategies for when attacks occur. DDoS attacks can happen several times a day, but in most cases you won’t notice: either they’re small and our infrastructure can absorb the increased load, or our automated protections kick in and apply various techniques to minimize the impact.
For extremely large-scale attacks, if we have control over DNS or you’re using a CNAME, we have other DNS-level mitigation techniques to minimize the impact on the site and on others on WordPress.com.
Do your WordPress.com VIP clients ever do security audits to determine whether or not your security setup matches their internal requirements? If so, what does that process look like?
If necessary, and compatible with our own guidelines and requirements, we will work with a security audit team to provide more information about security on WordPress.com VIP.
Have a question which hasn’t been answered here, or want to get started with WordPress.com VIP Services for your site?