WordPress can be hacked, is not secure; guilt by association.
It is true that WordPress developers strive to find and plug any leaks with the WordPress “Core”. Unfortunately the problem really isn’t with the latest release of WordPress; the problem is with any tertiary add-on or component that is used in conjunction with WordPress. Themes and Plugins are the biggest downfall of WordPress’s security.
Themes and plugins that you, as a user of WordPress use to customize your site with specific content or abilities are not policed or checked for security holes.
To put a plugin on the WordPress site all you have to do is request it then SVN / upload it to the wordpress.org repository. There isn’t any thing else. Joe Programmer can make a distinct functioning plugin that does something that users *might* want, however, unfortunately for that developer he overlooked some crucial parts of his code that let Joe Hacker come in and just make a mess of the end users site.
There isn’t any checks or balances code wise to determine if there’s any code problems. In the past that has also been how it is for the theme repository on wordpress.org as well. Until recently that is.
Well, let me just put a shout-out to the brand new Theme Review team volunteer’s who have recently been assembled.
The new, recent themes that have been added/updated to the wordpress.org repository undergo a very rigorous check by the theme review team. They’re checked for everything from bad coding, missing functionality of themes and even security issues. Unfortunately there are still a huge majority of old themes on the repository that could be problematic one way or another.
Some themes on the repository are so old they shouldn’t still be there. Their coding is outdated and do not make use of the functionality that WordPress currently has.
Which brings us back to plugins. There are some plugins on the wordpress.org plugin repository that were designed for WordPress ver. 2.0; With no ability to sort or separate those plugins that have been made for the current release of WordPress, the end user is gambling with the security and health of their blog.
That’s exactly what the end user is doing, they’re gambling on the usage of a plugin or theme that’s made for WordPress. At anytime, a Joe Malware can come around and inject a malware into your site. The blog owner’s users will then get screwed over by that malware and more then likely the user accounts on the blog will be all messed up, even worse things can be done to the site.
Is this WordPress’s fault? WordPress itself seems pretty solid security wise. However, that doesn’t stop it from being hacked if Joe User of WordPress adds a different theme or some plugins.
WordPress claims that themes and plugins made by anyone are under the same proprietary licensing as the WordPress core itself. With that in mind then without a doubt, WordPress is responsible for it not being secure.
What is WordPress doing to rectify the problem with itself being insecure? Almost nothing. I mean almost nothing because as of the inception of the theme-review team everything else tertiary to the WordPress core is still open to malicious intent.
To end the thought, make sure you read about the plugin or theme you’re adding to your site before adding it. One click of the activate button you could be in for a load of trouble.
For themes, the problem is the older themes that were never removed. There wasn’t a coding standard previous to the theme review team being created.
For the plugin repository, there needs to be some cleaning of old plugins, developers need to update them to keep them on the repository. To handle code quality; I’m thinking that there should be a ‘certified’ stamp on those plugins that have been checked out code/security wise. I am actually thinking about doing that for ComicPress/Easel users. Have a list of plugins that I’ve checked out personally.