I have a question I've been wondering about for some time. It's a little bit of a moral dilemma of sorts.
Let's say you are approached by a potential client. This client has an existing static website and wants to convert to using WordPress as a CMS. The client is pretty set on using WordPress because of what he has read and wants you to design a new theme, install the site on the server, and maybe install some plugins for him.
Someone unfamiliar with websites or using WordPress as a CMS might not know a few critical details, such as the fact that WordPress has to be updated whenever updates are released or it can possibly be vulnerable to hackers, or the fact that plugins can possibly be hacked, as with the TimThumb plugin.
I had been in the habit of checking every day for WordPress updates. Then, for a period of four or five days, I neglected to check when one had been released, and my hosting account was hacked. The hacker uploaded some IRC scripts or something to the server, and my host suspended the account until I contacted them to fix the situation. Even though I have no direct evidence WordPress was the method the hackers used to gain access to my folders, I am pretty confident it was, as I have had no problems since. WordPress has to be checked almost every day to see if updates are available. A website owner using WordPress has to babysit it.
Do you tell your potential client this even though he did not ask? If you tell him, you could turn him off on using WordPress and lose a sale, a sale you might really need to make. On the other hand, it is pretty important information that any website owner using WordPress (or any other CMS) should know. Does a developer have the moral obligation to make sure his potential client knows all the important information before proceeding? Not from a legal standpoint so much as a moral one.
What would you do?
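One way to take the daily babysitting out of human hands, as an added example that is not code from the original thread: a Python script that reads the installed WordPress core and plugin versions from disk and compares them with the latest releases published by the public WordPress.org version-check and plugin-info APIs. The wp-includes/version.php file and the wp-content/plugins/<slug>/<slug>.php layout are WordPress conventions assumed here; the two API URLs are real endpoints.

```python
import json
import re
import urllib.request
from pathlib import Path
CORE_API = "https://api.wordpress.org/core/version-check/1.7/"
PLUGIN_API = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"

def parse_core_version(version_php: str) -> str:
    """Extract $wp_version from the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)

def parse_plugin_version(plugin_php: str) -> str:
    """Extract the 'Version:' field from a plugin's header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_php, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)

def is_outdated(installed: str, latest: str) -> bool:
    """True when installed is strictly older; 3.3 == 3.3.0, non-numeric parts count as 0."""
    def key(v):
        parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
        return tuple(parts + [0] * (3 - len(parts)))
    return key(installed) < key(latest)

def fetch_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def report(wp_root: Path) -> list:
    findings = []
    installed = parse_core_version((wp_root / "wp-includes/version.php").read_text())
    latest = fetch_json(CORE_API)["offers"][0]["current"]
    if is_outdated(installed, latest):
        findings.append(f"core {installed} -> {latest}")
    # Assumes the common wp-content/plugins/<slug>/<slug>.php layout.
    for plugin_dir in (wp_root / "wp-content/plugins").iterdir():
        main_file = plugin_dir / f"{plugin_dir.name}.php"
        try:
            current = parse_plugin_version(main_file.read_text(errors="ignore"))
            newest = fetch_json(PLUGIN_API.format(slug=plugin_dir.name))["version"]
        except (ValueError, OSError, KeyError):
            continue  # no main file or header, or not a wordpress.org plugin
        if is_outdated(current, newest):
            findings.append(f"plugin {plugin_dir.name} {current} -> {newest}")
    return findings
```

Scheduled from cron with its output piped to mail, report(Path("/var/www/html")) turns the daily check into a notification; it only reports, it does not apply updates.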
Well, it's probably better to mention it beforehand than have to say something after the site has been hacked. But given what you've said, I would use such information to convince the client to use a better CMS that is more secure and needs less updating.
You should know what you are talking about before giving advice. Any website can be hacked, even a static one, especially if it's on a shared server. Anyone using a static website these days cannot use their website to its potential. The problem is not so much with the CMS; it's the third-party extensions, the server, and passwords that are too soft.
In my opinion there are only two ways of doing business: the right way and the right way. The only way to build sustainable business relationships is by building trust between both parties. In every relationship there will be multiple sales, and the one in which you lost the least is the good relationship.
It is always required that you tell your customer what is right and good for his business, because the longer he stays in business, the longer you will too.
I guess you should approach him politely. Then give good ideas and outcomes when using a CMS. Get his interest on the topic. Then gradually introduce what you want to offer him. That way your prospect would not get intimidated by you.
Server security is the responsibility of the web host. Choosing a strong password is the responsibility of the website owner. Both of those are beyond the control of the person who designs a site using WordPress. I'm referring not to those possible weaknesses, but to any possible vulnerability that could be in the CMS code such as WordPress. And there have been quite a few.
I think the answer is somewhere in the middle.
You need to advocate for your client, and give them the information that they need to make good decisions. However, you are also an expert in the field and they are not, so you need to be wise about what recommendations you give them and why.
It would be very appropriate to inform your client that WordPress sites need a bit of maintenance and to be updated from time to time. You should walk them through what this usually means, the perils of over-customization vs. ease of updating, etc.
But you also need to be understanding of the client's perspective. WordPress is incredibly popular for a reason, which is that it's free/easy and works well. Like most things that are very popular, it's the target of many exploits, but whether that is a real business risk is not up to you - it's up to them. If your client is handling sensitive data, or has valuable transactions going through their server, then maybe WordPress isn't a secure enough choice. But if your client would like the value/price/ease/popularity/familiarity of WordPress even with some of the shortcomings, that is fine, too.
I host my corporate site on WordPress and guess what, I got hacked last year and it was down for 3 days before I noticed. A little embarrassing, but only a little, and I'm still on WordPress. It wasn't that big a deal, and my business is still profitable and humming along. I am not willing to invest in a 100% secure website; it's not worth it to me or for x million others.
It's also true that server hardening makes a difference, and really all the popular CMSs are vulnerable to some degree.