Matt Mullenweg responded to a question posted at Quora.
There’s a thread on Quora asking “I am powering a bank’s website using WordPress. What security measures should I take?” The answers have mostly been ignorant junk along the lines of “Oh NOES WP is INSECURE! let me take my money out of that bank”, so I wrote one myself, which I’ve copied below.
I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.
In terms of security, there are a two simple points:
- Make sure you’re on the latest version of core and all the plugins you run, and update as soon as new version become available.
- Use strong passwords for all user accounts. For extra credit you could enable a 2-factor plugin, use Jetpack’s WordPress.com login system, or restrict logged-in users to a certain IP range (like behind a VPN).
If your host doesn’t handle it, make sure you stay up-to-date for everything in your stack as well from the OS on up. Most modern WP hosts handle this (and updates) for you. Moscom.com provides Managed WordPress Hosting.
For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ. WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.
As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.
Do you know any Banks using WordPress, please post the link in the comment below so we can check it and add it here.