Are WordPress sites secure?
(updated on 17 October 2022)
WordPress has a bad reputation. But does the reputation reflects the reality? Not sure in WordPress case. The answer is more complex than yes or no. This is also why people come to quick conclusion about a complex question.
Yes WordPress is easy to use, and yes, it can be as safe as you want or as insecure for as long as you don’t take preventive action.
Is WordPress less secure than other CMS?
WordPress is not less secure than other CMS. But because it powers 30 to 40% of the websites across the world it obviously get more hacked than others.
When an online solution to power a website or manager web hosting become popular and has a vast base of users, hackers focus on it. Because there are more users, there are more probabilities of finding breaches and therefore hackers spend more energy and time trying to put down and infect WordPress websites.
So WordPress seems to be weak from a safety point of view, but it’s not true compare to other solutions. It’s just that it attracts so much users that any minor breach is immediately exploited. Fortunately, WordPress is also getting stronger day after day because the developer team is patching and improving the WordPress constantly. You’ll see major updates landing quite often. This is always a good sign when a project is updated regularly.
However WordPress philosophy is to give a chance to any developer to improve the CMS capabilities. The two main ways to extend WordPress features are by creating plugins and themes.
Even if most of these plugins and themes are reviewed by the WordPress team to join the official WordPress repository, it doesn’t mean they are 100% safe.
One of the main weakness with WordPress and the ecosystem are “things” you add to the WordPress core. Anything not developed by WordPress itself is potentialy a risk. You have to trust these new pieces anyway if you want to extend and adapt WordPress to your needs. And this is what make it so powerful.
The WordPress core is safe if it’s recent
The WordPress core is what runs the logic of the CMS. It comes when you install WordPress for the first time, along with few default themes and two default plugins. Like operating systems, the core need to be updated. Sometimes the updates are small (fixing small bugs), other times the updates are critical: correcting a breach or potential risk.
Action to stay safe with WordPress core:
- Stay up to date
- That’s it! 🥳
The themes and their risks
Themes are an essential part of your WordPress. They define the visual aspect, color customization and layout, between others. But they may introduce a risk if they are not properly developed and let a back door open to hacker. These back doors are never intentional, and they can become a danger while the WordPress is updating, but not the theme. It create discrepencies and can lead to breaches over time. It can also be a mistake in basic security recommendations that leads to potential hacks.
Actions to mitigate risks with themes:
- use WordPress default themes
- use themes coming from recognized, well known marketplace
- keep your theme up to date
- limit use of raw HTML code in your theme
The plugins, the biggest danger
Plugins are the piece of the puzzle that you’ll use the most along with the WordPress core. Even if some of them have thousands of up votes it happens that they get hack and opens a breach on millions of websites. Smaller plugins are not necessarily less at risk, they just not trigger as much attention from hackers.
Actions to minize plugin risks:
- use plugins from the official WordPress Plugin Repository
- update your plugins everyday or turn on the automatic update
- use plugins coming from trustworthy marketplace
- read reviews and do research about it before deciding to use it
- plugin with extensive documentation and good support are recommended
The users, the usual suspects
We tend to say that human mistakes are easiest to catch and exploit. For example, if you choose “admin” for username or use “password or “123456” for password, you’ll increase the possibility to get hacked.
Not customizing default information of your website, like authentication data is a no-no in the security world. Always spend some time to properly set your information, it’s time well spent.
Actions to secure your login information:
- update immediately your username and password
- do not use the same password twice
- help new users to set proper and strong password
Web hosting: the forgotten one
This one is not related to WordPress. But a web hosting company that is not serious or not up to date can lead to huge security concern. The same goes for a poorely setup web host. If you mess around with your hosting configuration you can accidentaly open doors to hackers.
For this reason, you should trust a web host that friends, colleagues or trustworthy people would recommend you. As for anything else online, read reviews, compare offers and assess what is the right host for you. You maybe don’t need to a big solution for thousands of visitors as soon as you launch your website. However you need a server that can scale quickly if you need it one day.
Actions to choose and identify a secure web host:
- read independant reviews
- check what they say about security and how they mitigate the risk
- check the web host forums and check how many incidents are reported by clients
- take free trial offers to evaluate the hosting solution (when they offer it)
- check for hidden fees
WordPress sites are not unsecure. Users who install them make them unsecure! If you keep WordPress core up to date, along with theme, plugins you should be fine. Never use default or easy to guess password and username. Keep updatin them.
One extra step for a safe experience with WordPress is to pick a strong reliable web host. You need to read reviews, read documentation, compare offers to pick the right tools for your WordPress website. It requires time and effort, but it totally worths it.