How secure is WordPress?

With WordPress now powering 28% (at the time of writing) of all websites on the internet, the platform has established itself as undoubtedly the most popular content management system available today.  From small hobbyist / personal websites to massive corporates: it seems everyone now is choosing WordPress.

But the public feeling isn’t entirely positive. Look past the eager adopters and you’ll undoubtedly hear naysayers warning about WordPress’s lack of security. Fairly or unfairly, WordPress seems to have picked up an unwanted reputation for not being safe.

Should we be listening? How secure is WordPress?

Here are some of the truths and myths surrounding the real picture of WordPress’s security.


No website is ever 100% secure – TRUTH

The simple reality is that absolutely no computer system (and that includes a website) is ever 100% secure, and at some point during every business's online presence it will experience some form of hacking. Hackers are a determined bunch and will always find a way through eventually if it is worth their while. This may be directly against your website, or against your web host.



It doesn’t matter. No-one would bother hacking a website as small as mine – MYTH

Sadly, nothing could be further from the truth. While some hacks focus on the big players (partly for status rather than reward), the vast majority of hacks are performed on small websites, just like yours. Why? Because they’re easy to access, can be attacked en masse, and are an easy way to gain server power and / or access – which is what the hackers really want.

Hackers will commonly target thousands of small websites with one of the following common aims:

  • To gain access to your underlying hosting to send spam email. Billions of emails are sent every day, 90% of which are spam and sent from websites/servers like yours.
  • To place links to other sites within your pages to increase the Google ranking of the hacker’s own
  • To program your site to attack another website, or force your visitors to install malware.


WordPress is a goldmine – TRUTH

The fact that WordPress is so popular makes it a potential goldmine for hackers and spammers. As a hacker, you want to inflict maximum damage with minimal effort. Why focus your efforts on finding weaknesses in rarely-used content management systems when you could focus on WordPress and potentially have 25% of the world’s websites at your mercy?


WordPress simply isn’t secure enough and should be avoided – MYTH

So why bother with WordPress at all? After reading this far, you’re probably feeling that WordPress isn’t worth the risk and another content management system might be a safer bet.

But hold fire. It’s true that WordPress isn’t 100% secure, but neither will any other system you choose.

By dismissing WordPress altogether, you miss out on the reason why 28% of all website owners now use it. The WordPress core system is one of the best designed and coded content management systems the web has ever seen – many would argue the best. The WordPress team continually test the system, identify new threats quickly, and roll out easily installed updates regularly. Not to mention the flexibility and optimisation possibilities when it comes to site content, search engine optimisation and conversion tracking.

When you start to compare it to other systems, you realise that it’s not the inherent security of WordPress that’s the problem, simply that the threat to it is a bit bigger. And from everything we can see, the WordPress team are tackling this as proactively and skilfully as is possible.


WordPress is just like any other system; it takes ongoing work to keep it as secure as possible – TRUTH

Whatever content management system you use, whether it’s WordPress or something else, you need to give your website constant care and attention.

We have covered the topic of why WordPress maintenance is important before. But here are some of the most common issues to think about, that apply to your WordPress website or any other system.

Installing third party plugins, extensions and themes from unknown developers

One of the appeals of a system like WordPress is that you can extend it with thousands of themes, plugins, and additional functionality. The problem is that anyone can make a WordPress theme or plugin; they aren’t automatically secure, and the skill level and intentions of developers vary widely. Therefore, the more you add to your website, the greater the chance a risky or unsafe piece of code will be introduced.

Not installing the latest updates

Security problems are found all the time. Developers then promptly fix them and release updates. It’s obvious, then, that you should apply these updates to your website as soon as they’re released. Hackers will often have tools which can scan the internet for websites that have not applied specific updates, making your website an easy target.

The potential risk here is that as you update, some of your functionality breaks because older code in your plugins or theme is no longer compatible. This is why it is dangerous to simply hit the “update all” button and hope for the best.

Using weak passwords

It is surprising to think that in 2017, the most commonly used passwords are still ‘123456’, ‘password’ and ‘12345678’ and the most common username is ‘admin’.

Don’t make it easy for a hacker to guess your WordPress account credentials. As a minimum, use six random characters with two numbers and two special characters. Yes, you may need to write it down, but a hacker is much more likely to hack your computer remotely than break into your office!
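The two maintenance checks above (pending updates and weak credentials) are easy to turn into a short pre-maintenance audit. The following is an added example and not code from the article or from WordPress itself. It assumes you can export the plugin inventory with WP-CLI's `wp plugin list --format=csv` (WP-CLI is not mentioned in the article; its column names `name,status,update,version,update_version` are taken from the tool), and the sample CSV embedded below is constructed, not real site data. The password policy encoded is exactly the article's minimum: six characters with at least two digits and two special characters, plus a check against the common credentials it cites.

```python
"""Pre-maintenance audit for a WordPress site (added example, not from the article).

Check 1: which installed plugins have an update available, read from the CSV that
         `wp plugin list --format=csv` prints, so they can be updated one at a
         time (with a backup first) instead of hitting "update all".
Check 2: whether a username/password pair falls below the article's minimum
         policy or matches the most commonly used credentials it cites.
"""
import csv
import io
import string

# Constructed sample of `wp plugin list --format=csv` output; not real site data.
SAMPLE_PLUGIN_CSV = """name,status,update,version,update_version
akismet,active,none,5.3,
contact-form-7,active,available,5.7.7,5.9.3
wordfence,active,available,7.11.0,7.11.3
hello,inactive,none,1.7.2,
"""

# The three passwords and the username the article names as the most common.
COMMON_PASSWORDS = {"123456", "password", "12345678"}
COMMON_USERNAMES = {"admin"}


def find_outdated(plugin_csv: str) -> list:
    """Return one record per plugin whose 'update' column is 'available'."""
    reader = csv.DictReader(io.StringIO(plugin_csv))
    return [
        {
            "name": row["name"],
            "installed": row["version"],
            "latest": row["update_version"],
            "active": row["status"] == "active",
        }
        for row in reader
        if row["update"] == "available"
    ]


def password_issues(username: str, password: str) -> list:
    """List every way the credentials fall short; an empty list means they pass."""
    issues = []
    if username.lower() in COMMON_USERNAMES:
        issues.append("username is a common default")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("password is on the common-password list")
    if len(password) < 6:
        issues.append("shorter than six characters")
    if sum(c.isdigit() for c in password) < 2:
        issues.append("fewer than two digits")
    if sum(c in string.punctuation for c in password) < 2:
        issues.append("fewer than two special characters")
    return issues


if __name__ == "__main__":
    # Report on the constructed sample; on a real site, pipe in the WP-CLI output.
    for plugin in find_outdated(SAMPLE_PLUGIN_CSV):
        state = "active" if plugin["active"] else "inactive"
        print(f"update available: {plugin['name']} {plugin['installed']} -> "
              f"{plugin['latest']} ({state})")
    for user, pw in [("admin", "password"), ("editor", "x7!q2#")]:
        problems = password_issues(user, pw)
        print(f"{user}: {'ok' if not problems else '; '.join(problems)}")
```

Updating the plugins the first function lists one at a time, after a backup, is what lets you spot which update broke something; the credential check is deliberately a floor, not a ceiling, since it only encodes the article's stated minimum.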

Not using security plugins or software

Well-respected WordPress security plugins can help protect your website from common attacks. One of the most well-known is Wordfence, which can detect malicious changes to your website code and other common exploitations. Don’t rely completely on these, however. They won’t do everything.

Not having a disaster recovery plan

Many websites still do not have an established backup routine. If your web hosting provider does not provide daily offsite backup, then it’s worth considering a new provider. Hacking does happen; mistakes happen. It’s vital to have a strong backup and maintenance plan in place.


In conclusion

WordPress probably does attract more attention from hackers and spammers than any other system, but that’s not because the system is poorly designed, merely that it is a more attractive prospect for them.

It is simple and possible to improve the security of WordPress, like any other system. The key is never to think of your website as a completed task – there are always updates, checks, and enhancements that need to be performed to keep your website as secure as possible.

WordPress is a top-notch platform, one we’re happy to use and recommend. While its popularity may attract unwanted attention, it’s widely used for good reason, and can undoubtedly deliver first-class websites.