That’s the word from longtime tech expert and contributing ZDNet editor Larry Seltzer (@lseltzer), who writes that unmanaged WordPress is not worth the risk or trouble.

For some time WordPress, the popular blogging platform, has been one of the major attack target platforms on the web. A compromised site can deliver malware to users and be used to sell illicit goods, among other nefarious uses. Some users are better-protected against these attacks than others and I would argue that managed WordPress hosting is the only way to go, unless you plan to keep a close eye on the WordPress security scene and actively manage your own site.

This is yet another example of a general truism of security: You’re better off, to the extent possible, to hire an expert to do your security work for you. Doing security is a major part of what managed WordPress hosting services do.

Organizations, law firms included, wishing to lead with thought leadership for business development, are regular users of WordPress. The larger organizations and law firms with good tech teams are very capable of setting up WordPress sites and blogs.

Ironically, the thing that attracts them to WordPress is what can get them and their organization in trouble – ease of use and flexibility through countless plugins.

The end result of this situation is that if you get careless or promiscuous with your WordPress plugins, it’s not unlikely that a vulnerability will emerge in one of them. You may not know, but attackers will.

A managed service will be far more on top of these things than you are likely to be. A really strict managed service like WordPress.com will prevent many, and probably close to all, such attacks by limiting the plugins and themes you can use and rapidly updating what they support.

Even guys like Larry Seltzer, a widely recognized technology analyst and consultant, are no longer setting up and managing WordPress in hosting environments they manage.

I used to run my own web servers and host them and manage every stupid little detail of them. I gave that up long ago just because I thought I was wasting my time, but security is an even bigger imperative. Many WordPress sites belong to people who don’t know jack about computers, let alone web site administration. These users are much better off with a WordPress environment in which their options are limited, but their safety protected.

LexBlog’s single biggest investment now is ongoing development of an expert-managed WordPress hosting environment where we can update WordPress and select plugins on a proactive basis for law firms and professional service firms blogging and publishing to demonstrate their expertise.

We believe it will be of significant value to law firms and other professional firms who do not wish to assume the risk of a self-managed WordPress hosting environment on their servers or on servers operated by a third party without dedicated WordPress expertise.

  • jeffatrackaid

    Great point. I would like to add a couple of things about management …

    Don’t confuse server management with web site (WordPress) management.

    I’ve seen some people get confused by this.

    While hosting companies may manage your web server, they rarely touch your sites.

    This is why I urge businesses without in-house expertise to only hire a web development company that will provide ongoing support. Second, I recommend that you require the use of a common WP framework or very popular theme. This will make it easier to find another developer should you need to. Lastly, limit the use of plugins. Every plugin requires additional management.

    If you must do this in house, then consider using tools like ManageWP or Sucuri for added security.

    Lastly, never put confidential information on the same server as your WP site. That is just asking for trouble.