Is WordPress secure enough for my website? An overview of WordPress security, truths, and myths

Wordpress security

David Rushton

Head of Digital

Posted on February 1, 2016

Powering 25% of all websites on the internet, WordPress is undoubtedly the most popular content management system available today.  From small hobbyist websites to massive corporate sites such as BBC America and Xerox: it seems everyone now is using WordPress.

But the public feeling isn’t entirely positive. Look past the eager adopters and you’ll undoubtedly hear naysayers warning about WordPress’s lack of security. Fairly or unfairly, WordPress seems to have picked up an unwanted reputation for not being safe.

Should we be listening?

Let’s unravel some of the truths and myths surrounding the real picture of WordPress’s security.

No website is ever 100% secure – TRUTH

The bottom line is that absolutely no computer system (and that includes a website) is ever 100% secure, despite claims made to the contrary. If a website or system hasn’t been hacked yet, it simply means no-one’s interested in it or they haven’t worked out a way to hack it yet. Hackers are a determined bunch and will always find a way through eventually if it is worth their while.

WordPress is a honeypot – TRUTH

The fact that WordPress is so popular makes it a potential goldmine for hackers and spammers. As a hacker, you want to inflict maximum damage with minimal effort. Why focus your efforts on finding weaknesses in rarely-used content management systems when you could focus on WordPress and potentially have 25% of the world’s websites at your mercy?

It doesn’t matter. A website as small as mine won’t be hacked anyway – MYTH

Unfortunately, nothing could be further from the truth. While some hacks focus on the ‘big guys’, the vast majority of hacks are performed on small websites, just like yours. Hackers will commonly target thousands of small websites with one of the following common aims:

  • To gain access to your underlying hosting to send spam email. Billions of emails are sent every day, 90% of which are spam and sent from websites/servers like yours.
  • To place links to other sites within your pages to increase the Google ranking of the hacker’s own
  • To program your site to attack another website, or force your visitors to install malware.

WordPress simply isn’t secure enough and should be avoided – MYTH

After reading this far, you’re likely left feeling that WordPress isn’t worth the risk and another content management system might be a safer bet.

But hold fire. It’s true that WordPress isn’t 100% secure, but remember that no other system you choose will be either.

By dismissing WordPress altogether, you miss out on the reason why 25% of websites now use it. The WordPress core system is one of the best designed and coded content management systems the web has ever seen – many would argue the best. The WordPress team continually test the system, identify new threats quickly, and roll out easily installed updates regularly.

When you start to compare it to other systems, you realise that it’s not integral security that’s the problem, simply that the threat to it is bigger. And from everything we can see, the WordPress team are tackling this as proactively and skilfully as is possible.

WordPress is just like any other system; it takes ongoing work to keep it as secure as possible – TRUTH

Whatever content management system you use, whether it’s WordPress or something else, you need to give your website constant care and attention.

Here are some of the most common issues to think about, that apply to your WordPress install or any other system.

Installing third party plugins, extensions and themes from unknown developers

One of the appeals of a system like WordPress is that you can extend it with thousands of themes, plugins, and additional functionality. The problem is, anyone can make a WordPress theme or plugin, and they aren’t automatically secure. The more you add to your website, the greater the chance a risky or unsafe piece of code will be introduced.

One way to reduce the probability of this occurring is only to use plugins or themes which have commercial support, a large number of users and are actively maintained or updated. Developers of such themes and plugins will normally have a good security testing and fixing process.

Not installing the latest updates

Security problems are found all the time. Developers then promptly fix them and release updates. It’s obvious, then, that you should apply these updates to your website as soon as they’re released. Hackers will often have tools which can scan the internet for websites that have not applied specific updates, making your website an easy target.

Using weak passwords

It is surprising to think that in 2016, the most commonly used passwords are still ‘123456’, ‘password’ and ‘12345678’. Don’t make it easy for a hacker to guess your WordPress password. As a minimum, use six random characters with two numbers and two special characters – a good example is ‘bVFz8U@%Rx’. Yes, you may need to write it down, but a hacker is much more likely to hack your computer remotely than break into your office!

Not using security plugins or software

Well-respected WordPress security plugins can help protect your website from common attacks. One of the most well-known is Wordfence, which can detect malicious changes to your website code and other common exploitations. Don’t rely completely on these, however. They won’t do everything.

Not having a disaster recovery plan

Many websites still do not have an established backup routine. If your web hosting provider does not provide daily offsite backup, then it’s worth considering a new provider. Hacking does happen; mistakes happen. It’s vital to have a strong backup system in place.

Our verdict

WordPress probably does attract more attention from hackers and spammers than any other system, but that’s not because the system is poorly designed.

Across the internet, there are many, many mistakes made within the coding and hosting of websites and content management systems, but these are not exclusive to WordPress or down to a fundamental problem with its core system. Hackers may target WordPress vulnerabilities because it gives them a far greater pool of websites to infiltrate, and the freedom of WordPress’s third party plug-in system may increase the risk of picking up insecure code.

It is simple and possible to improve the security of WordPress, like any other system. The key is never to think of your website as a completed task – there are always updates, checks, and enhancements that need to be performed to keep your website as secure as possible.

WordPress is a top-notch platform, one we’re happy to use and recommend. While its popularity may attract unwanted attention, it’s widely used for good reason, and can undoubtedly deliver first-class websites.