WordPress - Vulnerabilities

Vulnerabilities

Many security issues were uncovered in the software, particularly in 2007 and 2008. According to Secunia, WordPress in April 2009 had 7 unpatched security advisories (out of 32 total), with a maximum rating of "Less Critical". Secunia maintains an up-to-date list of WordPress vulnerabilities.

In January 2007, many high-profile search engine optimization (SEO) blogs, as well as many low-profile commercial blogs featuring AdSense, were targeted and attacked with a WordPress exploit. A separate vulnerability on one of the project site's web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately.

In May 2007, a study revealed that 98% of WordPress blogs being run were exploitable because they were running outdated and unsupported versions of the software. In part to mitigate this problem, WordPress made updating the software a much easier, "one click" automated process in version 2.7 (released in December 2008). However, the irregular release cycle means administrators still have to stay alert, and the filesystem permissions required to enable the automated update process can themselves be an additional risk.

In a June 2007 interview, Stefan Esser, the founder of the PHP Security Response Team, spoke critically of WordPress's security track record, citing problems with the application's architecture that made it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities, as well as some other problems.

Individual installations of WordPress can be protected with security plugins such as Better WP Security, WP Security Scan and many others. Users can also protect their WordPress installations by keeping the WordPress core, themes, and plugins updated, using only trusted themes and plugins, renaming the default admin account, and editing the site's .htaccess file to prevent many types of SQL injection attacks and block unauthorized access to sensitive files.
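The .htaccess hardening mentioned above, shown as an added example that is not part of the original article. It assumes an Apache 2.4 server (the "Require" syntax) with AllowOverride enabled for the site, and a standard WordPress directory layout; the file names are the ones WordPress ships by default.

```apache
# Added example: Apache .htaccess fragment for the WordPress site root.
# Assumes Apache 2.4 (Require directives) and AllowOverride permitting these rules.

# Deny direct web access to the file holding the database credentials
<Files "wp-config.php">
    Require all denied
</Files>

# Deny access to the .htaccess / .htpasswd files themselves
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Hide files that disclose the installed WordPress version
<FilesMatch "^(readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# Do not list directory contents when no index file is present
Options -Indexes

# ---------------------------------------------------------------
# Separate file: place the following in wp-content/uploads/.htaccess
# so that nothing under the user-writable uploads tree can execute as PHP.
# ---------------------------------------------------------------
# <FilesMatch "\.php$">
#     Require all denied
# </FilesMatch>
```

On Apache 2.2 the equivalent of "Require all denied" is "Order deny,allow" followed by "Deny from all". After deploying, confirm the rules work by requesting /wp-config.php and /readme.html from a browser and checking that the server answers 403 rather than serving the file.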
