How do I technically prove that WordPress is secure?

One of my clients forces me to do their project without WordPress. But WordPress is the best for his requirements.

What he said is, WordPress is unsecure because WordPress is open source and everyone knows the code. So hacking chance is higher than with a custom website. That is the only thing he does not like about WordPress.

How do I prove that WordPress is secure even code is open for everyone?

Solutions Collecting From Web of "How do I technically prove that WordPress is secure?"

Tell your client to read up on cybersecurity, because his premise is nonsense. Security through obscurity has been discredited since 1851 (yes, that’s one and a half century ago). The opposite is also untrue. Open source software is not more secure than proprietary software.

The crucial thing in code security is not whether it’s open or not, but whether it’s well maintained. WordPress has an active community that is constantly alert on security matters. Follow the guidelines. Ask yourself how alert the authors of a rival cms are.

That said, security is a constant threat. There are no proofs or guarantees.

“Isn’t Cassandra, the engine that runs Facebook, open source?” That question ought to put them at ease.

Cassandra is used by Apple and Netflix too, and it’s open source. Further you could cite all the major sites that use WordPress. “If it’s good enough for them it’s probably good enough for you.”

The point, as the other answer notes, is that how the software is made and updated is completely irrelevant to security. More important is how frequently it gets updated and how easy it is to update your specific sites. In my opinion WordPress is pretty good at this.

Since this is a general question, it is not smart to provide in-detail answers. It would be better to show some interesting examples.

The other people do serious tests. Take Docker WordPress unit for example 1 2

They say WordPress is secure, but PHP is not secure, yet. So even if you have Perfect WordPress (setup by the book) the problems may be on the other side.

I belong to a country, where I faced the similar situations many times. But I faced ’em with my active WP sites, and their sound histories. The rumor was actually true, when everybody became developers and developed WordPress’ things without understanding how WordPress handles things by itself. So things developed, and hackers got way through their buggy code. The rumor strengthened with a huge collapse with Joomla sites, that time. Sometimes it happened because of some cheap servers, where server security were bad.

Anyway, I questioned myself whether I know the answer for you and I find myself empty. So I consulted some articles, and quoting from some of ’em and adding my points/understandings too:

  • Ask what security guarantees your [client] wants from a piece of software and then ask whether the software delivers that.[source]
  • Every piece of software has to be evaluated before we buy — it’s utter nonsense. Only security-enforcing functions need security evaluation.[source]
  • License does not dictate code quality.[source]

My [lame] points:

  • WordPress, like other Open Source, is open source, so if it is vulnerable to security threats, it would collapse a long ago. It’s still flourished since 2003.
  • WordPress updates itself automatically with security patches after version 3.7. If your custom code searches for latest security threats, bugs in your code by [a small group of coders’] known ways, and updates constantly, then still you are behind WordPress, because WordPress security is maintained by a huge group of people around the globe [and is better than a small group].
  • And @cjbj already made the point, obscurity doesn’t make thing secure.

Mayeenul Islam – thats no lame point you make regarding Open Source. If we consider that Microsoft – one of the world’s largest software and system’s developers and producers is also one of the worlds most invaded systems – having ‘closed down code’ is in no way more secure than having a code base watched over by hundreds if not thousands of developers and users.

To my recall, the biggest failings in security tend not to be down to software but implementation. WordPress out of the box is as secure as it can be – but people still choose stupidly easy to guess password – or none at all, or run services without HTTPS etc. All of which you can do on a home grown system and be just as insecure.

Having as secure as system as possible starts way ahead of software and platform choice, it starts with implementation, policy, making sure that you know what you are after. Then choose a platform that has consistently plugged its leaks and holes and above all – is open about informing its client and development community about these issues. If we know there is an issue – we can plan and patch accordingly, if the reverse is true – we end up having to wipe-clean and rebuild.

I recall holes in Windows that were discovered to go way back to 3.1 and were known about and left because they were regarded as ‘obscured’.

Open Source solutions are not perfect, but by their very definition it is far easier to find, spot, report and correct flaws.

The original question – how do you prove that a system is secure – you cannot – no system ever has been or ever will be secure. The moment such a claim is made every hacker in the world has a case to prove in taking it down. It is far more sensible and honest to understand that we make things as secure as we can, and develop operations and means of working with systems that promote a sense of secure usage.

Technically you can explain about WP, according to what you know. You should read this topic to increase your knowledge about security:

https://wordpress.stackexchange.com/questions/245051/security-with-wordpress-how-to-secure-website/245052#245052