You will find that at Moore Creative, we are dedicated and perhaps even devoted to using DNN as our Applicaiton Development Platform for creating website solutions. There are a number of reasons for this choice but from a Security standpoint, and it is not our choice alone.
In 2012, DNN was chosen as the official CMS platform by the US Department of Defense for all public-facing websites. Today, those sites include the official websites for the Department of Defense (www.defense.gov) the U.S. Air Force (www.af.mil), the U.S. Navy (www.navy.mil), the U.S. Marine Corps (www.marines.mil), and the Joint Chiefs of Staff (www.jcs.mil) With over 4.5 million visitors per week, the DoD sites under his oversight are some of the most popular government sites on the internet.
However, because of the popularity of WordPress, we regularly discuss with new clients the pros and cons of working with different CMS systems and address the issues that we see within choosing WordPress as the system for business websites. One good article which introduces the points of the conversation can be found on the DNN website:
About WordPress Security Issues
The main element is that WordPress has a high level of security problems and is a high volume target of hacking actions. The analogy often presented is that with "such a large target on its back" WordPress suffers a higher volume of attacks and attack attempts. This can often mean that a majority of the traffic accessing a small company's WordPress site can be hackers and bots attempting attacks and testing for vulnerabilities. The traffic can be more than customer and legitimate traffic!
Here are a few articles to help explain the issue and understand the sheer volume of malicious actions leveled against WordPress sites as a course of common operation.
To help keep a WordPress site more protected, we recommend utilizing several different tools which help add layers of security and maintenance/protection.
WordFence - $99/annually
WordFence operates as both an external service and a plugin installed within WordPress. This allows the plugin to perform internal and external scans and audits over the site to help block, fix or alert about security vulnerabilities as they are detected and as new ones become known. It is a security requirement for us hosting a WordPress site.
CloudFlare – Free Version OR $20/month
CloudFlare is a CDN service with added security features of DDoS protection and threat detection/filtering as well as optimization and speed/performance benefits.
The free version provides basic protection and is a basic requirement if we’re going to be hosting a WordPress site, the paid version adds additional functions and SSL support.
While I would like to have the paid version in place for every site, most clients don’t want to pay the additional $20/month in hosting, so we setup the free version for them most often. We do get the most important security benefits from the free version.
Additional Plugins and Security Lockdown
Additionally, when inheriting a WP website for maintenance and hosting, we will begin the hosting setup with a lockdown of known security issues and settings. This setup process takes a couple of hours and, depending on the current setup, may include the installation of additional security-focused plugings such as WordFence, BackupBuddy, iThemes Security and others… for many of these, we maintain a universal license which allows us to use them across all client sites. For ones with a specific license cost, we will confirm with you before installing.
Here is a list of a few security plugins that we review and consider when evaluating the WP site
Once we see the site running, we’ll provide a list of the updates made, and new installations. We’ll also need to review with you a few features of WP to confirm whether you will be using them or if they can be disabled. Comments from the public is one example of features which can be disabled to lower security footprint if commenting is never desired on the site.
Conclusion: Do we support Word Press websites?
Yes. While we will not recommend building a new website within WordPress for our clients, we often inherit existing WordPress websites and provide both hosting as well as security updates and maintenance on WordPress sites. The steps for site transfer and new security audit and lockdown are often the first times that security has been considered for these sites and once locked down, many go years between security/hacking actions. Because of backup, cleanup and seucirty policies in place, these sites can often be recovered quickly and restored after security is restored.