Is WordPress secure? Here’s what research shows

By Will Wisser
Posted on June 19, 2019

WordPress CMS (Content Management System) has been around for about 15 years. Today, it is used by about 34% of websites out there. Because of such high popularity, the WordPress platform has repeatedly become a target for hackers.

WordPress is often criticized for the absence of appropriate security. But is it really prone to cyberattacks, as people commonly say? You may be asking yourself: “If this platform is so insecure, why do such big sites and names as Microsoft and The New York Times use it?” The biggest and world-renowned businesses use WordPress to manage their main sites.

History

Initially, WordPress was an easy-to-use and free platform for bloggers. Today, it has become a full-fledged CMS. The existence of an enormous ecosystem of themes, plugins, and other services lets anyone create and customize their own website. In fact, it is not essential to be a tech genius to work with WordPress. This is a great advantage over competing platforms.

Yes, we can find some disadvantages too. Webmasters without security experience create sites that are filled with security holes. Even worse, inexperienced developers create vulnerable plugins and themes. As a result, statistics show that most cases of WordPress hacking that we read about in the news are not due to vulnerabilities of the engine itself.

In a cross-host review of over 20 companies, Aussie Hosting showed that outdated plugins were the most common source of WordPress hacks, comprising over 60% of all WordPress issues. Users are repeatedly warned about new updates that need to be installed. Sadly, this does not help. In addition, a lot of attacks are successful because webmasters use weak login credentials.

Yes, sure, this does not necessarily mean that the core WordPress engine is perfect from the security point of view.
Researchers discover some security issues in the main engine code too. At the same time, we should note that the team of developers resolves these vulnerabilities quite quickly and releases the necessary patches in time.

If vulnerabilities are addressed and patched quickly, there is almost nothing to worry about. Every piece of software contains a number of vulnerabilities. Do you remember the days when Microsoft Internet Information Services had to be updated two or three times a week?

WordPress developers are constantly trying to be proactive and safeguard us, the users, from malware and hacker attacks. The WordPress community has learned from its mistakes. During the past few years, the development process has substantially improved.

WordPress and the security of its ecosystem

The WordPress ecosystem has completely changed recently. The WordPress dev team is closely cooperating and working hand in hand with cybersecurity experts. Such an approach makes it possible to be sure that the code is secured and protected, and that the identified vulnerabilities are quickly addressed.

Several security features were introduced. Some of them are tips to use stronger passwords and recommendations to change the default admin account. These features are useful assistants that make the web platform more secure.

WordPress Foundation members check plugins and themes added to the official repository. Old plugins that have not seen updates for months are marked accordingly for people to see them. In some cases, vulnerable plugins get turned off; this lets the user know that vulnerable components are installed and need to be monitored.

Premium plugins and other services

The initial concept of offering all things related to WordPress for free has gone away. Website owners understand that they cannot live without professional plugins and should invest money into new premium plugins and themes.
These factors have led to the introduction of commercial software tools that, in their turn, help maintain a more secure environment and raise security awareness within the community.

Several years ago, asking money for a plugin was simply unthinkable. Today, there are thousands of paid plugins. Free plugins are not bad, but developers lack the necessary resources to properly support free plugins. Paid plugins allow developers to spend money on product development and security research. This way, we all receive safer products that are more reliable in terms of security.

Is WordPress secure?

The most important question sounds like this: “Should I use WordPress for my business or personal project?” And the answer is definitely: “Yes.” You do not have to worry about the “weaknesses” of the WordPress engine. It is a myth. Plenty of time has passed since serious attacks like Timthumb and RevSlider, and this CMS is now much more seriously protected.

If you have experience with website building, problems with WordPress engine management should not arise. If there is no such experience, we strongly recommend that you study this issue or invite experts to help secure your site.

There are several basic rules. If you observe them, there is almost nothing to be afraid of:

Use hacking-resistant credentials.
Activate multi-factor authentication.
Keep your software up-to-date. We mean your web server, the OS which you use, the computer hardware, and every installed piece of software.
Install plugins from trusted developers that have a good
Uninstall outdated plugins or themes that you do not use on a daily

Conclusion

Even though our article only superficially touches on the security problem of WordPress, it is enough to be sure that the WordPress engine is often quite unfairly described as insecure. WordPress is a flexible platform that can be customized according to your specific needs; you just have to get a little bit better acquainted with it.
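
The rules about updates, unused plugins and the default admin account can be checked mechanically. The following is an added example, not code from the original article: it audits inventories in the shape WP-CLI prints for "wp plugin list --format=json" and "wp user list --role=administrator --format=json". The sample data is constructed, and treating the login name "admin" as the default admin account is an assumption.

```python
import json

# Constructed samples in the shape of `wp plugin list --format=json` and
# `wp user list --role=administrator --format=json`; every name is made up.
PLUGINS_JSON = """[
 {"name": "example-forms", "status": "active", "update": "available", "version": "2.1.0"},
 {"name": "example-slider", "status": "inactive", "update": "available", "version": "4.6.5"},
 {"name": "example-seo", "status": "active", "update": "none", "version": "12.3"},
 {"name": "example-gallery", "status": "inactive", "update": "none", "version": "1.0.2"},
 {"name": "example-cache", "status": "must-use", "update": "none", "version": "0.9"}
]"""
ADMINS_JSON = """[
 {"ID": 1, "user_login": "admin", "roles": "administrator"},
 {"ID": 7, "user_login": "site-owner", "roles": "administrator"}
]"""

def audit_plugins(raw_json):
    """Return (name, action, reason) tuples, unused plugins first."""
    findings = []
    for plugin in json.loads(raw_json):
        name = plugin.get("name", "<unnamed>")
        outdated = plugin.get("update") == "available"
        unused = plugin.get("status") == "inactive"
        if unused and outdated:
            findings.append((name, "uninstall", "inactive and missing an update"))
        elif unused:
            findings.append((name, "uninstall", "inactive"))
        elif outdated:
            findings.append((name, "update", "update available"))
    # Removing unused plugins first shrinks the set that needs patching at all.
    order = {"uninstall": 0, "update": 1}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))

def audit_admins(raw_json):
    """Return administrator logins still using the default name (assumed: 'admin')."""
    return [user["user_login"] for user in json.loads(raw_json)
            if str(user.get("user_login", "")).lower() == "admin"]

if __name__ == "__main__":
    for name, action, reason in audit_plugins(PLUGINS_JSON):
        print(f"{action:<10}{name:<18}{reason}")
    for login in audit_admins(ADMINS_JSON):
        print(f"rename    {login:<18}default administrator login")
```

On a real site, replace the two constants with the JSON captured from the WP-CLI commands named above.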