Written by Finn Ruijter, 14 July 2021

WordPress suitable for government websites

Dozens of government websites are susceptible to hacks, Trouw reported last month. The reason? The administrators’ login page is publicly accessible, which poses a security risk. A hack of the Hof van Twente municipality made that painfully clear.

What are government agencies doing wrong? Should WordPress now be banned completely? As WordPress specialists with a strong focus on digital security, we explain in plain language what happened and how to do better. You will discover that WordPress is still a safe and reliable choice for government agencies, provided the necessary best practices are followed.

History of WordPress

WordPress is a content management system (CMS) originally designed for bloggers. It allowed them to easily and quickly share their experiences and thoughts with the world. This open-source CMS was constantly evolving, with additional features winning over new users. It didn’t take long for small businesses, medium-sized businesses and then multinationals to start using WordPress. Government agencies were not long behind.

Why the government uses WordPress

Today, 40% of all websites on the Internet run on WordPress. Its scalability and multiple features make this CMS a versatile solution for all kinds of organizations. Government agencies are also increasingly choosing WordPress, and it’s understandable why.

  • Search engine friendly
    First and foremost, WordPress is SEO-friendly. Google loves this CMS and gives WordPress sites good rankings. Of course, as a website owner, you have to lend a hand with that by using Yoast SEO correctly, for example.
  • Managing together
    In a large organization like a government agency, several people are responsible for publishing content. With WordPress, you easily create accounts for administrators and give them exactly the rights that fit their role.

    For example, there is the role of writer, which allows someone to prepare posts but not publish them. Or the role of author, who can publish his or her own posts but cannot publish or modify those of others. The administrator has access to all the options in the dashboard and can add new users.

  • Scalable
    A site created in WordPress is easily scalable, such as by adding new pages or creating a version in a different language. If the Internet agency has developed this functionality, you can often do it yourself.

    It is also easy with WordPress to create a whole network of identical or similar sites. This is ideal for institutions with multiple locations or offices, each of which wants its own site. WordPress Multisite allows you to manage it from a central dashboard with a single login.

  • Faster development
    Further development of a WordPress site is often easier than for a traditional website or a site developed with another CMS. This simultaneously makes it faster and therefore more economical.
  • Safe
    WordPress is open-source and is constantly updated. That said, it is important to check for those updates and install them quickly. There are also other ways to keep security at a high level: numerous additional options let you, for example, set a limit on the number of login attempts, block certain IP addresses and filter spam comments. A professional server solution also plays an important role.

But is WordPress really secure?

WordPress is an open-source system. Open source means that the source code is publicly available. Thousands of programmers from around the world check and verify the code for vulnerabilities. This makes the chance of error extremely small.

So what went wrong?

According to Trouw, the problem was in the publicly accessible administrator pages. On WordPress sites, these can by default be called up by typing /wp-admin after the domain.

But even though anyone can open such a login page, that does not mean any random person can log in. You still need a username and password for that. What these hackers did was try as many combinations of common usernames and passwords as possible, hoping to get lucky. That produced a hit at the Hof van Twente municipality, where officials with the weak password “Welkom2020” had access.

The article points us to a disturbing fact: government websites are nowhere near making full use of WordPress’s capabilities. Couple this with an easy-to-guess password, and this CMS can (falsely) give the impression of being insecure.

Here’s how to prevent WordPress hacks

A public login page thus allows malicious actors to test passwords. But if you set a limit on the number of attempts, create a strong password and use two-factor authentication (2FA), no one can get in. Optionally, you can also hide this admin page by choosing an alternate URL.
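
The attempt limit described above, applied as a detection pass over a web server access log. This is an added example, not code from the original article or from WordPress; the threshold, window, log format and sample lines are assumptions constructed for illustration, as is the use of /wp-login.php, the form to which /wp-admin sends visitors who are not logged in.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed policy: failed attempts allowed per window
WINDOW = timedelta(minutes=10)   # assumed policy: length of the sliding window
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def _line(ip, hms, method, status):
    return (f'{ip} - - [14/Jul/2021:{hms} +0200] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample traffic in combined log format (documentation IP ranges).
SAMPLE_LOG = "\n".join(
    # one client submitting the login form every 5 seconds, always failing
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", 200) for s in range(0, 40, 5)]
    # an editor who mistypes once and then logs in (302 redirect)
    + [_line("198.51.100.4", "10:01:00", "POST", 200),
       _line("198.51.100.4", "10:01:20", "POST", 302),
       _line("192.0.2.9", "10:02:00", "GET", 200)]        # only viewed the form
    # a user who fails once an hour must not be locked out by a 10-minute window
    + [_line("192.0.2.50", f"{h}:30:00", "POST", 200) for h in range(11, 19)])

def failed_logins(log_text):
    """Yield (ip, time) for every POST to /wp-login.php answered with 200.
    Assumption: stock WordPress answers a failed login with 200 (form shown
    again) and a successful one with a 302 redirect."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] == "/wp-login.php":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def ips_over_limit(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {ip: time the limit was first exceeded}; expects time-ordered lines."""
    recent, flagged = defaultdict(deque), {}
    for ip, ts in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged.setdefault(ip, ts)
    return flagged

if __name__ == "__main__":
    print(ips_over_limit(SAMPLE_LOG))
```

A per-address limit like this only surfaces rapid guessing from one client, which is why the article pairs it with strong passwords and 2FA.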

Engage WordPress specialists

You can easily avoid many of the problems above if you know what you are doing. Of course, you can also outsource this to WordPress experts like those at 2manydots. Together, we keep uninvited guests out.