As a long-time developer who has been part of building many sites on Python and Django, I had to select a platform for my own site, and I chose WordPress.
WordPress has disadvantages when it comes to security:
- WordPress is built in PHP, which has no equivalent of the query layer Django ships with: Django's ORM parameterises queries by default, whereas in WordPress a plugin author must remember to call $wpdb->prepare() for every query that includes user input, so SQL injection is a matter of discipline rather than a default. WordPress core itself is trusted by millions of users, but when an update comes out you need to check whether it is a security patch and apply it promptly.
- WordPress has many plugins, any of which may carry security vulnerabilities, and there are occasional high-profile reports of sites compromised through a plugin, for example "Zero-day in popular WordPress plugin exploited in the wild to take over sites".
- WordPress plugins have previously been sold to bad actors who then added malicious features, so users of the formerly good plugin installed the malware simply by accepting the next upgrade.
- WordPress is very easy to set up, but many sites are deployed and then never maintained, so they end up running old, unpatched versions of core and plugins.
- Many WordPress sites are set up using plain FTP uploads to shared hosting servers. FTP sends credentials and files in the clear, which is much less secure than a properly managed server that only accepts encrypted transfers (SFTP or scp over SSH).
Nevertheless, WordPress has a rich ecosystem of themes and plugins, enabling one to set up a site in a matter of hours, and this is what makes it the top CMS in the world, with a 50-60% share of the CMS market, powering some 32% of all websites…
For any company wanting to run a high traffic site, with custom functionality maintained by a development team, with integrations into third party systems, Django is an excellent choice and I will continue to recommend it.
However, for a relatively low-traffic site that will be monitored and maintained daily and deployed on a secure server, WordPress does the job on a very low budget.
How I maintain WordPress:
- Virtual server at Digital Ocean, running Ubuntu Linux, with OS security updates installed as soon as they are released
- Separate WordPress instance as a testing or staging site, to try out updates to WordPress core and to plugins before installing them on the live site
- Backups that are regularly test-restored, not just taken
- SSL certificate from LetsEncrypt
- File transfers only via SSH (scp or SFTP), never FTP
- Uptime monitoring via Pingdom
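The "tested backups" item in the list above is the one most people skip, so here is an added example (not code from the original post) of what a test-restored backup looks like as a script: it archives the wp-content directory together with a database dump, refuses to proceed if the dump contains no tables (the usual symptom of a mysqldump that failed silently on bad credentials or a full disk), and then proves the archive restores cleanly by extracting it into a scratch directory and comparing byte-for-byte against the originals. Function names, paths and the sample site tree in the self-check are assumptions made for the example; in production the dump file would come from `mysqldump --single-transaction` as noted in the comments.

```shell
#!/bin/bash
# Added example, not from the original post. Names and paths are assumptions.
# In production the dump is produced first, e.g.:
#   mysqldump --single-transaction "$DB_NAME" > /var/backups/site.sql
# and the script is then run from cron against /var/www/html/wp-content.
set -u

# make_backup <wp_content_dir> <db_dump.sql> <out.tar.gz>
# Refuses an empty or truncated dump: a silently failed mysqldump is the
# classic way a "backup" turns out to contain no database at all.
make_backup() {
    local src="$1" dump="$2" out="$3"
    [ -d "$src" ] || { echo "source dir missing: $src" >&2; return 1; }
    if ! grep -q 'CREATE TABLE' "$dump" 2>/dev/null; then
        echo "dump $dump has no CREATE TABLE statements; refusing to back up" >&2
        return 1
    fi
    # Store both items by basename so the archive restores to any directory.
    tar -czf "$out" \
        -C "$(dirname "$src")"  "$(basename "$src")" \
        -C "$(dirname "$dump")" "$(basename "$dump")"
}

# verify_backup <out.tar.gz> <wp_content_dir> <db_dump.sql>
# A backup is only trusted once it has been restored: extract into a scratch
# directory and diff against the live copies. Returns 0 only on a full match.
verify_backup() {
    local archive="$1" src="$2" dump="$3" scratch rc=0
    scratch="$(mktemp -d)" || return 1
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "archive $archive is unreadable or truncated" >&2
        rm -rf "$scratch"
        return 1
    fi
    diff -r "$src" "$scratch/$(basename "$src")" >/dev/null || rc=1
    cmp -s "$dump" "$scratch/$(basename "$dump")" || rc=1
    rm -rf "$scratch"
    [ "$rc" -eq 0 ] || echo "restore test failed for $archive" >&2
    return "$rc"
}

# backup_self_check: exercises both functions on a constructed, fake site
# tree (not real WordPress data). Returns 0 when a good backup verifies, an
# empty dump is refused, and a truncated archive fails verification.
backup_self_check() {
    local work ok=0
    work="$(mktemp -d)" || return 1
    mkdir -p "$work/wp-content/uploads" "$work/wp-content/plugins/demo"
    echo "constructed upload"              > "$work/wp-content/uploads/hello.txt"
    echo "<?php // constructed plugin stub" > "$work/wp-content/plugins/demo/demo.php"
    printf 'CREATE TABLE wp_posts (ID int);\nINSERT INTO wp_posts VALUES (1);\n' \
        > "$work/site.sql"
    : > "$work/empty.sql"   # what a failed mysqldump leaves behind

    make_backup   "$work/wp-content" "$work/site.sql" "$work/good.tar.gz" || ok=1
    verify_backup "$work/good.tar.gz" "$work/wp-content" "$work/site.sql" || ok=1

    # Failure modes that must be caught rather than silently accepted.
    if make_backup "$work/wp-content" "$work/empty.sql" "$work/bad.tar.gz" 2>/dev/null; then
        ok=1
    fi
    head -c 64 "$work/good.tar.gz" > "$work/truncated.tar.gz"
    if verify_backup "$work/truncated.tar.gz" "$work/wp-content" "$work/site.sql" 2>/dev/null; then
        ok=1
    fi

    rm -rf "$work"
    return "$ok"
}
```

Run `backup_self_check` once after installing the script to confirm tar, diff and cmp behave as expected on the host; the cron job then calls `make_backup` followed by `verify_backup` and alerts (via the same monitoring channel as the uptime check) whenever either returns non-zero, so a backup that would not restore is noticed the day it happens rather than on the day it is needed.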