As free and freely available software that has helped millions of individuals and enterprises easily establish a presence on the web, WordPress has a reputation for being well-designed and reliable.
However, its massive popularity is also its security weakness. When a software application is used by a large and unsophisticated (in the IT sense) community, it attracts the interest of hackers who see easy opportunities to prey on the users.
As an IT professional, you may dismiss the idea of using WordPress yourself. The problem, however, is that other employees in your organisation may think differently.
WordPress is also easy for the uninitiated to use, and sales, marketing, product support and other departments may not even think of telling the IT department that they now have their own WordPress site running in the cloud “somewhere”.
That means risks of uncontrolled data transfer and storage, along with security issues such as plugin vulnerabilities or even cross-site scripting (where attackers inject script into the WordPress site so that it runs in visitors’ browsers and can compromise their devices).
An outright ban on such WordPress sites may not be feasible. Users can still set up their own sites from their own PCs or mobiles, then use them for company purposes and data, and you might be none the wiser.
The alternative is to raise awareness and educate users about the possible issues. Explaining the need to keep any plugins up to date, use secure passwords, set WordPress configurations correctly, use secure hosting, and back up data properly may be a start.
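One concrete way the IT department can back up the "set WordPress configurations correctly" advice is to give users a quick self-check for their wp-config.php. The script below is an added example written for this article, not code from WordPress or from the original post. It parses a config file's define() constants and table prefix and flags a few well-known weak settings (debug mode left on, the in-dashboard file editor still enabled, admin pages not forced over SSL, placeholder or missing authentication salts, and the default wp_ table prefix). Both config excerpts are constructed samples, and the finding identifiers (wp_debug, file_edit, and so on) are names chosen here, not WordPress terms.

```python
import re

# Constructed sample: a weak wp-config.php as a user might leave it after a quick install.
WEAK_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', true );
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'x7Qm-constructed-random-value-pL2' );
$table_prefix = 'wp_';
"""

# Constructed sample: the same site after the recommended hardening.
HARDENED_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
define( 'AUTH_KEY', 'a1-constructed-random-value-01' );
define( 'SECURE_AUTH_KEY', 'a2-constructed-random-value-02' );
define( 'LOGGED_IN_KEY', 'a3-constructed-random-value-03' );
define( 'NONCE_KEY', 'a4-constructed-random-value-04' );
define( 'AUTH_SALT', 'a5-constructed-random-value-05' );
define( 'SECURE_AUTH_SALT', 'a6-constructed-random-value-06' );
define( 'LOGGED_IN_SALT', 'a7-constructed-random-value-07' );
define( 'NONCE_SALT', 'a8-constructed-random-value-08' );
$table_prefix = 'acme7_';
"""

# The eight secret keys/salts that a stock wp-config.php expects to be defined.
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER_SALT = "put your unique phrase here"  # text shipped in wp-config-sample.php

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(.+?)\s*\)\s*;")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'\s*;")


def parse_wp_config(text):
    """Return (defines, table_prefix) extracted from wp-config.php source.

    Single-quoted strings become str, true/false become bool, anything else
    is kept as its raw PHP expression text.
    """
    defines = {}
    for m in DEFINE_RE.finditer(text):
        name, raw = m.group(1), m.group(2)
        if raw.startswith("'") and raw.endswith("'"):
            defines[name] = raw[1:-1]
        elif raw.lower() in ("true", "false"):
            defines[name] = raw.lower() == "true"
        else:
            defines[name] = raw
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_wp_config(text):
    """Return a list of (check_id, message) findings; an empty list means all checks passed."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if defines.get("WP_DEBUG") is True:
        findings.append(("wp_debug", "WP_DEBUG is true; debug output can leak paths and queries on a live site"))
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(("file_edit", "DISALLOW_FILE_EDIT is not true; the dashboard theme/plugin editor is enabled"))
    if defines.get("FORCE_SSL_ADMIN") is not True:
        findings.append(("ssl_admin", "FORCE_SSL_ADMIN is not true; login and admin pages may be served over plain HTTP"))
    for name in SALT_NAMES:
        value = defines.get(name)
        if value is None or PLACEHOLDER_SALT in str(value):
            findings.append((f"salt:{name}", f"{name} is missing or still the placeholder; regenerate the salts"))
    if prefix in (None, "wp_"):
        findings.append(("table_prefix", "table prefix is the default wp_; choose a site-specific prefix"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(f"[{label}] {len(audit_wp_config(cfg))} finding(s)")
        for check_id, message in audit_wp_config(cfg):
            print(f"  {check_id}: {message}")
```

Running it on a real file is a matter of replacing the constructed sample with `open("wp-config.php").read()`. The checks are deliberately limited to constants that are easy to explain to a non-technical site owner; they are a conversation starter for the awareness effort described above, not a substitute for keeping core, themes and plugins patched.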
An offer to help users ensure that all these things are done may be better. Making an IT-department-sponsored solution available and helping users migrate their sites over to it may be the best solution of all. That way, users get the benefits of WordPress without undue risk to the organisation, and IT scores points for meeting a real business need.