can you build Websites for banks with WordPress: Matt Mullenweg Explains

Posted on by

Is it possible to build a website for banks using WordPress? Should you use WordPress to build bank Websites. Building different type of websites is easy but can you build Websites for banks with WordPress. In this article i am going to share what WordPress experts has to say?

We have already published an in depth blog post that you can use WordPress to build more than 30 type of website. You can use WordPress to build any type of website, From a simple blog to a complex social networking website like Facebook.

Further read: Do You Know: You can build 35+ type of websites with WordPress

In this article we are going to share what expert and experienced WordPress developer has to say: WordPress for banking websites Yes or No.

It is possible to build Websites for banks with WordPress, but most expert developers says that you should use WordPress only for front end use.

Someone asked this question on Quora: I am powering a bank’s website using WordPress. What security measures should I take?

At the time of writing this article (Feb 2016), 34 people Answered this question. Most popular answer with 85,000+ views is written by Matt Mullenweg co-founder of WordPress and founder of Automatic. This answer was written in Apr 16, 2015.

Can you use WordPress to build Website for Banks : Matt Mullenweg replied

85.4k Views and 550+ up votes as of Feb 2016

Build Bank Website With WordPress
Build Bank Website With WordPress

I agree there’s probably not a ton of benefit to having the online banking / billpay / etc portion of a bank’s website on WordPress, however there is no reason you couldn’t run the front-end and marketing side of the site on WordPress, and in fact you’d be leveraging WordPress’ strength as a content management platform that is flexible, customizable, and easy to update and maintain.

In terms of security, there are a two simple points:

  1. Make sure you’re on the latest version of core and all the plugins you run, and update as soon as new version become available.
  2. Use strong passwords for all user accounts. For extra credit you could enable a 2-factor verification plugin, use Jetpack’s login system, or restrict logged-in users to a certain IP range (like behind a VPN).

Further Read: 30 Most popular Free WordPress plugins

If your host doesn’t handle it, make sure you stay up-to-date for everything in your stack as well from the OS on up.

Most modern WP hosts handle this (and updates) for you, and of course you could always run your site on VIP alongside some of the top sites in the world.

If you use any non-core third party code, no harm in having a security firm audit the source as well (an advantage of using open source).

For an example of a beautiful, responsive banking website built on WordPress, check out Gateway Bank of Mesa AZ.

WordPress is also trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald’s The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more.

As the most widely used CMS in the world, many people use and deploy the open source version of WordPress in a sub-optimal and insecure way, but the same could be said of Linux, Apache, MySQL, Node, Rails, Java, or any widely-used software.

It is possible and actually not that hard to run WordPress in a way that is secure enough for a bank, government site, media site, or anything.

If you wanted any help on this feel free to reach out to Automattic as well, we have a decade of experience now dealing with high-risk, high-scale deployments, and also addressing the sort of uninformed FUD you see in this thread.

Matt’s answer is Upvoted by some top developer including Yair Livne, Director of Product Management at Quora, David Cole Director of Design at Quora, Joel Lewenstein Product Designer at Quora.

Using WordPress to Build website for banks: What other developer says

After reading many answer i found that most WordPress developers don’t like the idea of using WordPress to build a website for Banks. There were many reasons. Let me share some other popular answers.

Leonid S. Knyshov, JavaScript developer mostly on Meteor wrote

51.4k Views and 200+ up votes as of Feb 2016

Building a system that has access to customer bank accounts on top of WordPress is just a spectacularly bad idea.

Please don’t do that. You can certainly run the bank’s blog on it on a physically separate system, but anything that touches customer logins should not be built on that platform.
WordPress consists of:

  • Core
  • Theme
  • Plugins

While core’s security receives a lot of attention, that is not enough. It is so large and so easy to extend incorrectly that attackers love exploiting it.

Further Read: How To Choose A Perfect Free Or Premium WordPress Theme

Most WordPress sites also use a WordPress theme and plugins. What most people don’t realize is that the theme always contains PHP code and not just presentation styling. There is insufficient attention paid to theme security with few exceptions.

WordPress plugins also receive insufficient attention for security with few exceptions.

As a result, an attacker can and will fingerprint and exploit your themes and plugins.

If you don’t wish to use themes and plugins, then you have no reason to use WordPress and can choose a framework known for its security.

Writing bank account access as WordPress plugins does not make sense.

Petr Chloupek views about Using WordPress for Banking Websites


I assume by website you mean really website, not an internet banking site. In that case these scenarios exists elsewhere. First of all there should be some people with real understanding of the computer security. You should talk to them.

You should strictly split the internet banking environment and your website environment (different networks). One definition of “security” is that the thing can’t be used to other intend than the one which it was designed for and that you can’t limit its functionality without authorization (like DOS attack).

This in general means that you should filter out people who want to overload the site and that you want to disallow unauthorized changes and you should be able to detect all changes.

You should be on https (obvious) with a valid certificate, behind the firewall, you should have automated security tests, you should control network traffic and you should control the system (be up to date, log both system changes and database changes to some other system).

Make the file system read-only if possible and limit rights of the user under which the web presentation runs. Cut out everything you don’t need (plugins etc).

Have procedures for any changes (limited set of people, one way of updating things, log everything). Do all this in coordination with the security experts, there are plenty details and it will take you years to know better than them.

Oscar Gonzalez, WordPress Expert


I am a WP evangelist and 99% of the time and I think it is doable with WP. However, I second Leonid S. Knyshov. Not because WP is bad inherently, but because if you’re asking how to do that here, in Quora, you probably don’t have the resources to do it right no matter what answer we give you.

If you are just building the front-facing, corporate site for the bank, then go for it. Follow all standard security practices. Lock down admin areas, strong usernames & passwords, get SSL certificates installed and minimize the use of plugins.

DO NOT place customer data or customer access here. The site should also be physically served from outside of the bank’s network; it should not be in the same server or internal network as any of the other bank’s systems.

A good place to start is by reviewing documentation and services from these guys: Sucuri Security

Further Read: How To Recover Hacked WordPress Website?

Financial and Health sites are very sensitive and regardless of the platform, need a team of people to execute them correctly.

Can you do it with WordPress? Sure, but you really need to get a strong security-oriented developer, or developer team involved, along with the network security part of the business, and business to be involved in this.


Quora: I am powering a bank’s website using WordPress. What security measures should I take?

What do you think

Now you have read what WordPress experts has to say? do you think it is a good idea to create websites for banks with WordPress.

5 responses on “can you build Websites for banks with WordPress: Matt Mullenweg Explains

    1. Tahir Taous Post author

      Learn WordPress and start writing articles about different WordPress topics, there are many sites that pay writers.

Leave a Reply

Your email address will not be published. Required fields are marked *