WordPress running on Windows web servers

I am being asked to install plugins in our Server 2008 R2 web servers to allow WordPress to run on them. I am not familiar with these plugins and am concerned about allowing open source software to run in my Windows network. Do you have any experience / thoughts on this?
Dan McFadden (Systems Engineer) Commented:
I have run several open source CMS's on Windows servers running 2008 R2, 2012 and 2012 R2.  I have yet to have had an issue with these systems.

MySQL on Windows Server runs fine.  I have used it in production for web servers and as a backend storage system for an open source email system.  MySQL has a wide support base on all OS platforms.  Deploying it on a Windows server is no more scary than deploying MSSQL on a Windows server.  Check out MariaDB as a drop-in MySQL alternative.

PHP also has a widely supported OS base and is a mature scripting language for web-based systems.  Again, no reason to fear deploying it.  No more scary than deploying an ASP.NET based system.

You will have to deploy FastCGI on IIS in order to efficiently use PHP.  This plugin is from Microsoft, so it is not 3rd party or Open Source.  No fear...

As for WordPress... as stated above, it is one of the most widely deployed CMS's on the planet.  As with all other software, there will always exist the possibility of vulnerabilities.  In order to address the risk associated with using any software (Open or Closed source) you have to balance the needs of your users with the paranoia of being a Sys Admin.

Address those risks by:

1. maintain the patch levels of the server OS
2. maintain the patch level of the database system
3. maintain the patch level of the CMS
4. try to avoid using default installation configurations
5. utilize best practices in hardening the deployment of:
 5a. the server OS
 5b. the db system
 5c. the web server software (IIS, Apache, Nginx, etc.)
 5d. any add-ons required of the web app
6. be attentive to security and vulnerability alerts for your setup
7. monitor the appropriate logs (events, http, ftp, smtp, syslog, etc.)
8. develop a baseline usage pattern
9. watch for spikes in usage
10. know your servers and the software installed on them!

Being concerned about utilizing open source is the same as being concerned about using closed source.  It's a SysAdmin's job to be semi-paranoid and protective of the servers being managed.

Being afraid of using (limiting the use of) the appropriate software for the necessary job is at best silly and at worst limiting your ability to provide valuable support to your end users' needs.

Every OS has its place or fills a need.  This is valid for CMSs, DB systems, messaging systems, scripting or programming languages.
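
The log-monitoring, baseline and spike-watching items in the list above can be scripted against the IIS W3C logs. The following is an added example, not part of the original answer: the sample log lines, the IP addresses, the `/wp-login.php` filter and the `factor` and `floor` thresholds are constructed assumptions.

```python
# Added example: hourly baseline and spike detection over IIS W3C extended logs.
from collections import Counter
from statistics import median

def parse_w3c(lines):
    """Yield one dict per request, named by the log's own #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change per file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def hourly_counts(records, uri=None):
    """Count requests per 'date HH:00' bucket, optionally for one URI stem."""
    counts = Counter()
    for r in records:
        if uri is None or r.get("cs-uri-stem", "").lower() == uri:
            counts[f'{r["date"]} {r["time"][:2]}:00'] += 1
    return counts

def find_spikes(counts, factor=3.0, floor=5):
    """Return hours whose count exceeds factor x the median hourly count.
    'floor' keeps a very quiet site from alerting on a handful of requests."""
    if not counts:
        return {}
    baseline = max(median(counts.values()), floor)
    return {h: n for h, n in sorted(counts.items()) if n > factor * baseline}

def sample_log():
    """Constructed sample: five quiet hours and one hour of repeated logins."""
    out = ["#Software: Microsoft Internet Information Services 7.5",
           "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
           "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
           "sc-win32-status time-taken"]
    for hour in range(6):
        for i in range(40 if hour == 3 else 4):
            out.append(f"2016-03-01 {hour:02d}:{i:02d}:00 10.0.0.5 POST "
                       "/wp-login.php - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 120")
    return out

if __name__ == "__main__":
    counts = hourly_counts(parse_w3c(sample_log()), uri="/wp-login.php")
    for hour, n in find_spikes(counts).items():
        print(f"spike: {hour} had {n} requests")
```

Run it over a few weeks of real logs first to see what the median looks like before choosing `factor` and `floor` for alerting.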

Jason C. Levine (No one) Commented:
WordPress is run by something like 25% of all sites on the web, so I'm not sure what exactly concerns you.  Clearly, a huge chunk of people have gotten over whatever it is.

WordPress needs PHP and MySQL configured on IIS and works fine.  As far as concerns about open source software, I assume you mean security concerns but closed-source has its own share of issues too.  So to be perfectly safe, you could always use smoke signals? :)

On second thought, those are subject to the man-in-the-middle attack.
ICantSee (Author) Commented:
I thank you for your response but do not agree with your analogy.

Another way to look at it would be....

O.K.... I already have to be concerned with closed source vulnerabilities. Let's bring open source in so that we can double our concerns.

Jason C. Levine (No one) Commented:
Well, if security and open-source are your concerns, nothing I say here will probably convince you.  So ultimately you are going to go where your gut tells you to go and there's absolutely nothing wrong with taking a pass on open source stuff if you're not comfortable with it.

Having worked on both sides, I say that vulnerabilities are vulnerabilities. With open-source at least you know what they are and can work with the communities to stay up to date and secure.  WordPress, PHP, and MySQL are all stable, mature platforms with proven track records and enormous communities who rely on those things to make their living.  So there is a highly-motivated population helping with security concerns. Not all open-source projects have that advantage, so the smaller you go the fewer people are looking at it.  This is relevant to WordPress in terms of themes and plugins which are community contributed and do not always have to meet the same standards as the core.  

But security issues will persist no matter what choice you make.  So if you are at all unsure, stick with the devil you know.
David Johnson, CD, MVP (Owner) Commented:
WordPress, like Windows, is a major target... what you must do is keep the plugins up to date (I'm referring to WordPress add-ons).
Jason C. Levine (No one) Commented:
Great answer, Dan.
ICantSee (Author) Commented:
Awesome answers. I had taken your advice and implemented the plug-ins with the knowledge of how to protect and maintain them. Thank you.

Sorry I forgot to mark the question as answered.
Question has a verified solution.