While it’s not surprising to hear about WordPress being insecure from users of rival platforms (as a few of my Movable Type friends will tell me), it’s odd to hear the statement from a company using it to power their blog.
Trend Micro (an anti-virus company) put out a list of risky software or sites which included Mac OS X, Facebook, Google and yes, even WordPress.
The riskiest software used by websites in 2010 was the popular blogging platform WordPress. Tens of thousands of unpatched WordPress blogs were used by cybercriminals for various schemes, primarily as part of redirection chains that led to various malware attacks or other blackhat search engine optimization (SEO)-related schemes. (Trend Micro Blog)
Note: Emphasis in bold is mine.
Blaming WordPress’s security woes on unpatched blogs makes as much sense as blaming an architect for building an insecure house despite the fact that the home owner refuses to lock their doors.
Users choosing to self host their blogs outside the walls of WordPress.com are ultimately responsible for their own security, updates, etc., although Automattic (the company behind WP.com) is trying to remedy this problem via VaultPress.
While choosing a secure host can go a long ways towards ensuring that your blog doesn’t fall prey to hackers, making sure your WordPress blog is updated to the latest version (via the one click update button) is one of the best ways to secure your blog.
Patches aside, as far as Trend Micro assessment as to why WordPress receives far more attacks than rivals is probably best summed up by Jeff Chandler of Weblog Tools Collection:
If Trend Micro wanted to give their statement validity, they would have explained that WordPress is the most popular publishing platform in use across the web and because of that large market share, it is a big target for malicious users.
If Trend Micro feels that WordPress is insecure, they might want to consider switching to an alternative platform before denouncing the software publicly.
