One of my friends, who is an RIA developer and does ActionScript, started a blog and worked on it. After some time he saw that his blog, which was developed in WP, had been hacked and some text had been written on it, so he just went to FTP and deleted all the files.
So from all this it seems that a WP site's probability of being hacked is higher than that of a site built in RoR, Django, CakePHP, Kohana, etc. Is that true? What was actually the reason for the hacking? Are there really some security vulnerabilities in WP?
I am a PHP developer and have developed many custom sites, and have also worked in WP, Joomla, etc., but I have never heard anything like that. If there is a problem there, can SSL solve it? I am confused about how that happened...
Please tell me if you have any idea, so that I can understand it and satisfy my curiosity.
Wordpress is a relatively secure product. However, as with anything, nothing is 100% fool-proof. Unfortunately, with widely-used products such as Wordpress, once an exploit is found it is widely available on 0-day exploit sites, and a lot of hackers will trawl the web to take advantage of this exploit.
However, staff at Wordpress are very quick to patch these errors, which is a plus. Also, the installation of plugins coded by people outside the Wordpress team can be open to exploits, and this is the most common way a hacker finds his way in. If there is an issue, an SSL certificate will not stop the site being hacked. It will just mean that any form data is passed between locations with better encryption. I hope this helps.
Wordpress is moderately secure, but I just had two of my WP blogs hacked last week and had to rebuild. In the process I learned some helpful hints. Some of these hints are general to all sites, some are specific to WP.
- Always upgrade to the most current stable version of WP. Older versions may have known exploits.
- There are several things you can do manually to secure your WP site, but instead use one or more of the established security plugins. Right now I am using both PBS (Bullet Proof Security) and WPD (Website Defender). Follow the guidance from these plugins; take some time to learn them well.
- Run Akismet (or similar) to minimize rogue spam posts.
- Turn off remote posting (ATOM and XML-RPC) unless you require it for your business model.
- Harden your admin PW (and don't call your admin account ADMIN).
- Don't install lots of experimental plugins onto your site to try them out. Create a sandbox site for this. Keep the installed plugins on your live site to a minimum.
Hope this helps.
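As an added example (not code from the answer above or from WordPress itself), here is how the "turn off remote posting" and "don't call your admin account ADMIN" hints can be enforced in a small must-use plugin. It uses only standard WordPress hooks; the file name, plugin name and text domain are this example's own choices, and it assumes the file is placed in wp-content/mu-plugins/ so it loads before ordinary plugins.

```php
<?php
/**
 * Plugin Name: Harden Remote Posting (example mu-plugin)
 * Description: Disables XML-RPC, stops advertising the endpoint, and warns
 *              if the well-known "admin" login still exists.
 * Install:     copy to wp-content/mu-plugins/harden-remote-posting.php
 *              (mu-plugins load automatically and cannot be deactivated
 *              from the dashboard, so the setting survives plugin changes).
 */

// 1. Disable the XML-RPC endpoint. Returning false from this core filter makes
//    xmlrpc.php answer every method call with a "services are disabled" fault,
//    which removes remote publishing, pingbacks, and the credential-guessing
//    traffic that the endpoint attracts, in one place.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Stop advertising the endpoint so scanners and clients are not pointed
//    at it: drop the X-Pingback response header and the discovery <link>
//    tags (Really Simple Discovery and Windows Live Writer manifest).
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// 3. Flag an account literally named "admin". Renaming is not possible from
//    the dashboard, so the notice describes the safe replacement procedure.
//    Shown only to users who can manage the site, to avoid leaking the fact
//    to ordinary subscribers.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( username_exists( 'admin' ) ) {
        echo '<div class="notice notice-error"><p>'
            . esc_html__(
                'A user named "admin" exists. Create a new administrator with '
                . 'a different login, reassign this account\'s posts to it, '
                . 'then delete "admin".',
                'harden-example'
            )
            . '</p></div>';
    }
} );
```

After installing, confirm the first hook took effect by POSTing any XML-RPC request to /xmlrpc.php and checking that the response is a fault rather than a method result.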