A Bank Website on WordPress

There’s a thread on Quora asking “I am powering a bank’s website using WordPress. What security measures should I take?” The answers have mostly been ignorant junk along the lines of “Oh NOES WP is INSECURE! let me take my money out of that bank”, so I wrote one myself, which I’ve copied below.

I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.

In terms of security, there are two simple points:

  1. Make sure you’re on the latest version of core and all the plugins you run, and update as soon as new versions become available.
  2. Use strong passwords for all user accounts. For extra credit you could enable a 2-factor plugin, use Jetpack’s WordPress.com login system, or restrict logged-in users to a certain IP range (like behind a VPN).
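
One way to put both points into practice, as an added example that is not code from the original post, WordPress core, or Automattic: a hypothetical must-use plugin that turns on automatic updates and limits logged-in use to an assumed VPN range. The file name, the `bank_` function names and the 203.0.113.0/24 documentation range are illustrative assumptions, and the mask arithmetic assumes 64-bit PHP.

```php
<?php
// Added example: hypothetical wp-content/mu-plugins/bank-hardening.php.

// Point 1: install core, plugin and theme updates as soon as they ship.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Point 2: assumed office/VPN egress range (documentation prefix, replace it).
const BANK_ALLOWED_CIDRS = array( '203.0.113.0/24' );

// IPv4 CIDR match; anything unparsable (including IPv6) fails closed.
function bank_ip_in_cidr( $ip, $cidr ) {
	list( $subnet, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
	$ip_long     = ip2long( $ip );
	$subnet_long = ip2long( $subnet );
	if ( false === $ip_long || false === $subnet_long || ! ctype_digit( $bits ) || (int) $bits > 32 ) {
		return false;
	}
	$mask = ( 0xFFFFFFFF << ( 32 - (int) $bits ) ) & 0xFFFFFFFF;
	return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function bank_client_allowed() {
	// REMOTE_ADDR is the direct peer. Behind a load balancer, have the web server
	// set it from a trusted proxy; never read client-supplied X-Forwarded-For here.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	foreach ( BANK_ALLOWED_CIDRS as $cidr ) {
		if ( bank_ip_in_cidr( $ip, $cidr ) ) {
			return true;
		}
	}
	return false;
}

// Refuse new logins from outside the range (priority 30 runs after the core checks).
add_filter( 'authenticate', function ( $user ) {
	return bank_client_allowed() ? $user
		: new WP_Error( 'bank_ip_denied', 'Logins are limited to the bank network.' );
}, 30 );

// End existing sessions that show up from outside the range.
add_action( 'init', function () {
	if ( is_user_logged_in() && ! bank_client_allowed() ) {
		wp_logout();
		wp_die( 'Access is limited to the bank network.', 'Forbidden', array( 'response' => 403 ) );
	}
} );
```

The same range is worth enforcing at the web server or firewall as well, so requests from outside it never reach PHP.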

If your host doesn’t handle it, make sure you stay up-to-date for everything in your stack as well from the OS on up. Most modern WP hosts handle this (and updates) for you, and of course you could always run your site on WordPress.com VIP alongside some of the top sites in the world. If you use any non-core third party code, no harm in having a security firm audit the source as well (an advantage of using open source).

For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ. WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.

As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software. It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.

If you wanted any help on this feel free to reach out to Automattic as well, we have a decade of experience now dealing with high-risk, high-scale deployments, and also addressing the sort of uninformed FUD you see in this thread.

If you’ve developed a major bank site in WordPress leave a link in the comments.

32 thoughts on “A Bank Website on WordPress”

  1. Here, in Spain, it seems large companies are starting to use and trust WordPress to build small sites for marketing campaigns or corporate blogs. The main problem that agencies are facing is that big organizations use to sign very expensive IT contracts to get a website using a custom and complex CMS. It’s like they’re scared about this free thing called WordPress.

    In my company, we have developed WordPress sites for a national bank, a very important clothing brand and also a big Business School. Sometimes it is hard to convince each IT team from these big companies that WordPress is secure. Normally they run infinite security stress tests and always the problems come from plugins or from the theme where code doesn’t escape things 🙂

  2. Any platform is vulnerable if not properly secured and up to date. I guess the problem with WordPress is that so many people are using it and SO MANY are not securing it properly. It’s a very accessible system (easy to install, huge number of plugins) so obviously you’ve got more people playing around with it, without having the slightest clue of what they are doing.

    Aside from that, a popular product will always attract more bad guys.

  3. And should I add one more point to the security tips.
    Always have a solid developer support in place. There are tons of trusted WP security teams who could guarantee something close to restful sleep for you and your customers.

  4. I think the response from Quora user Oscar Gonzalez was spot on.

    “I am a WP evangelist and 99% of the time and I think it is doable with WP. However, I second Leonid S. Knyshov. Not because WP is bad inherently, but because if you’re asking how to do that here, in Quora, you probably don’t have the resources to do it right no matter what answer we give you.”

    The issue isn’t whether WordPress is an appropriate platform for building a banking site — it is — but whether or not the person asking the question can muster the expertise and resources to do it successfully.

  5. I guess the most secure route would be to use WordPress to generate a static site. It does rule out the possibility of blog comments, but that will not be a problem for many websites.

  6. When I worked with the digital channels on the Resurs Bank in Sweden we chose WordPress in 2011-2012.

    The security issue we had up early, but it’s worse with systems that are sold where we as buyers do not have a clue about the security flaws that exist. WordPress openness makes that we can analyze and when it shows up deficiencies corrected promptly. It does not happen on more expensive systems.

    When it comes to the internet bank, when the customer is logged in, so it is safer with a system that has been fixed as often as WordPress. It’s more an API session with underlying systems. So again, it’s not WordPress that will be a problem here.

    Banks have a proven track record of safety on the Web server side. Especially for those services where customers log in. Here in Sweden we have several good security solutions for the customer’s part.

    So no, WordPress works great for banks. Too bad no more hanging on, but it’s only a matter of time.

    I would build a new web solution for a bank today, well then I choose WordPress without blinking. It is hugely affordable solution. Customers’ money should not be wasted on CMS solutions that cost huge sums. If I can build a more modern and better future proof solution for a tenth of the total for other CMS systems, it is the way to go.

    I blogged about it in Swedish here.

  7. Great post Matt and good point about how WordPress is open source. If the bank had specialist developers, they could make WordPress security even better. WordPress.com VIP is also an option of course.

    Out of curiosity what Facebook site uses WordPress.com VIP?


  8. There are many corporations, banks included, that use custom content management systems that have been in place for years and are full of security bugs.

    An obvious advantage that WordPress has over the custom CMS is that it is probed, prodded and tested by thousands of developers and security professionals. There are bugs in core and plugins but they are found and fixed.

    WordPress like any system requires good management to ensure it is secure and kept secure. This is where updates, strong passwords, SSL etc come in.

  9. We have.

    We’ve developed everything from a high-end secure and auto-scaling hosting environment to a multi-lingual WordPress installation that can work with content deployment as part of a content release system. Certain laws here in Europe require that you must always be able to go back to the state of the site – as a whole – at any given moment if a financial authority requires this. We’ve built a history and preview mechanism for this. We’ve basically enabled time-travel in WordPress.

    The UX of WordPress is only a small part of the equation. You mention two points with regards to security, but in our experience security is by far the largest concern. It seeps through in every single aspect of how WordPress is used and implemented, forcing secure passwords is a very small part of this. You basically need to run a locked down installation on the production server to meet the security and compliance requirements dictated by central banks and other authorities.

    1. That’s why I said “make sure you stay up-to-date for everything in your stack as well from the OS on up.” It’s true that WordPress is only a small part of it, but that was what the question was about. 🙂

    2. We also had to build something to solve the “we need to see what the site looked like at any point in time in the past 7 years” problem, was fun. Basically runs a flat html mirror of the whole site every time anything changes, those are then browsable through the wp-admin, works pretty well; we’ll be open sourcing it at some point hopefully.

      Just like with any other part of the stack, if you don’t know what you are doing you are likely to miss security related things. But if you know what you’re doing then WordPress is hardly the weakest point.

      1. runs a flat html mirror of the whole site everytime anything changes, those are then browsable through the wp-admin

        It’d be awesome to see this go open source =)

        …also, somehow reading your comment brought this to front of mind: http://amberlink.org/

  10. We built and recently launched a custom theme for Lake City Bank (http://lakecitybank.com) based in Indianapolis.

    In addition to strong passwords and keeping the software up to date, I suggest that high quality hosting is an important security factor. We worked with WP Engine to set up the hosting for Lake City Bank.

  11. I’ve had great success using WordPress for a local credit union’s website https://www.bankcfcu.org that we run on a dedicated server to also provide ancillary enterprise applications. Credit unions are perfect candidates for using WordPress as their base brochure site, as most utilize hosted applications built for the credit union industry that are more affordable for these smaller banking institutions.

  12. Well. I also have developed from small sites to web applications using WordPress. And we can’t just say that it’s insecure. I think in WordPress it’s easier to secure your site as Matt mentioned that we can use 2 factor authentication. Keep up the good work Matt

  13. I personally built a number of sites on WP. Now, this time I am working on a serious level eCommerce site on WordPress. I don’t see any reason why I shouldn’t! Our new site would be up by next week though 🙂

  14. It’s not WordPress that I don’t trust, it’s the plugins. If a bank could run their system solely off of WordPress, incorporating their own secure plugins developed from the same team, then I don’t see the problem with a WordPress bank.