In 2019, 94% of successful hacking attacks targeted WordPress sites. Granted, WordPress has the largest share of the CMS market (nearly 60%), but 9 out of 10 attacks is still high.
Does this mean WordPress is not secure?
And if WordPress is not secure, how come the CMS is so popular?
In this article, I will explore the question: Is WordPress Secure?
Every piece of software ever made is subject to malicious attacks and data theft. It is impossible to build perfectly secure software. Attacks are one thing; on top of them, all software has bugs, functionality flaws, and unintended behaviour.
There is a large team of developers constantly working to keep WordPress secure. But WordPress does not work as an isolated unit.
Website owners use many plugins, themes, custom code, and scripts to run their site.
So the first question is: Is the WordPress ecosystem secure?
The answer is:
The WordPress ecosystem is enormous and very active, and there are all types of people in it. Because the code is open source, anyone can read it and explore it to find vulnerabilities. Not just WordPress itself: most themes and plugins are open source too, and hackers can easily read the code to seek out weak points.
But that does not make WordPress unsafe. The WordPress ecosystem is like any other ecosystem when it comes to safety. The difference is that it is massive, so everything comes in large numbers here, be it whitehat developers or blackhat ones.
Now the question is: Is WordPress Secure?
I will divide WordPress into four components and discuss the security concerns of each one.
WordPress Core Security
Yes. We can say with certainty that the WordPress core is secure.
There are still bugs and issues, but the team behind WordPress is the best of the best.
There is only one WordPress core, and the experts maintain its security.
As bugs arise and the team finds issues, they patch them and release a new version. The WP folks release upgrades a few times a year, and each one brings more features (security and functionality).
You should always keep WordPress updated to the latest version.
As I mentioned, anyone can read the WordPress code to find vulnerabilities. The team patches a vulnerability as soon as they find it and releases a new version. If you stay on an outdated version, hackers can find the known vulnerability and use it to take over your site.
Keep the WordPress core updated, and it will stay secure. Other things you can do from your end to keep the site safe are:
- Use a strong password for login.
- Implement two-factor authentication.
- Use a security plugin to harden the security of WordPress.
- Add an SSL certificate to load your site on secure HTTPS.
- Secure your login page by changing the login URL.
WordPress Plugin Security
WordPress plugins are the most significant reason WordPress sites get hacked. Nearly 80% of hacked sites are compromised through some plugin.
The WordPress CMS is popular because of the flexibility and ease of use that plugins provide. Plugins integrate deeply with WordPress and typically open an exploitable door into the site.
Last year, the popular plugin Elementor had a bug that allowed hackers to create a user account on the site. Elementor comes from a respected team of developers and is a well-known plugin in the community.
Most WP plugins are third-party, and there is no way to regulate them for a standard of coding quality. A plugin does have to meet a certain quality bar to enter the official WordPress repository.
Still, that does not guarantee that the plugin is secure. Plugins are essential to working with WordPress, and there is no way around them.
It is safe to assume that no WordPress plugin is perfectly secure, but we can say that some plugins are more secure than others.
You have to choose the plugins wisely and install only those that you need.
Some measures you can take to protect the site from exploitable plugins:
- Always download the plugin from a reputable source.
- Try to avoid third-party sources and install plugins only from the official plugin directory.
- Keep plugins updated to the latest version.
- Remove inactive plugins: deactivate them and then delete them.
WordPress Theme Security
Similar to plugins, most WordPress themes are built by third-party sellers. Themes are the second biggest reason WordPress sites get hacked.
Third-party themes are not regulated or approved by WordPress. Anybody can build them and start selling. To get into the WordPress theme directory, themes have to pass a code quality review.
It is advisable to download themes from the directory instead of from third parties. Again, that does not guarantee security, but directory themes are typically safer than third-party ones.
Some measures you can take to prevent theme hacking and protect your site:
- Download themes from established builders. Do not go for a new theme developer, as they often don't follow (or properly know) the WordPress guidelines and make terribly coded products. Themes might be cheaper there, but they are not secure. It is better to download for free from the directory.
- Many sites offer expensive themes at no cost. They usually add some code and can make changes to your site via JSON. Never download modded theme files.
- Keep the theme at the latest version and update as soon as possible. Whenever theme developers find bugs or errors that hackers could exploit, they patch them and release a new version. A webmaster should update the theme as soon as the fix is out.
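The core, plugin and theme advice above boils down to three checks a site owner can run: is core outdated, which plugins and themes have a pending update, and which plugins are inactive and should be deleted. The script below is an added example (not code from the article) that runs those checks over the listing WP-CLI prints for `wp plugin list --format=json` and `wp theme list --format=json`; the sample listings are constructed, and the hypothetical function names are my own.

```python
import json

# Constructed sample data in the shape of `wp plugin list --format=json` and
# `wp theme list --format=json` (fields: name, status, update, version).
# These are not from a real site.
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "elementor", "status": "active", "update": "available", "version": "3.20.1"},
    {"name": "contact-form-7", "status": "inactive", "update": "available", "version": "5.9"},
])
SAMPLE_THEMES = json.dumps([
    {"name": "twentytwentyfour", "status": "active", "update": "none", "version": "1.1"},
    {"name": "twentytwentythree", "status": "inactive", "update": "available", "version": "1.3"},
])


def parse_version(v: str) -> tuple:
    # Compare numeric components: "6.4.10" must sort after "6.4.2",
    # which a plain string comparison gets wrong.
    return tuple(int(part) for part in v.split(".") if part.isdigit())


def core_outdated(installed: str, latest: str) -> bool:
    return parse_version(installed) < parse_version(latest)


def audit_listing(kind: str, listing_json: str) -> list:
    """Return (category, message) findings for one WP-CLI plugin/theme listing."""
    findings = []
    for item in json.loads(listing_json):
        if item["update"] == "available":
            findings.append(("update", f"{kind} {item['name']} {item['version']} has an update available"))
        # The article's rule: inactive plugins are still attack surface, delete them.
        if kind == "plugin" and item["status"] == "inactive":
            findings.append(("inactive", f"plugin {item['name']} is inactive; delete it"))
    return findings


def audit_site(core_installed: str, core_latest: str, plugins_json: str, themes_json: str) -> list:
    findings = []
    if core_outdated(core_installed, core_latest):
        findings.append(("core", f"WordPress {core_installed} is outdated; latest is {core_latest}"))
    findings += audit_listing("plugin", plugins_json)
    findings += audit_listing("theme", themes_json)
    return findings


if __name__ == "__main__":
    # Core versions are constructed; on a real site take them from `wp core version`
    # and `wp core check-update`.
    for category, message in audit_site("6.4.2", "6.4.10", SAMPLE_PLUGINS, SAMPLE_THEMES):
        print(f"[{category}] {message}")
```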
WordPress Hosting Security
You can do everything correctly from your side, but WordPress is an amalgam of various parties working together to create a website.
One of them is the WordPress hosting provider. WP is open source and has to be hosted on a server so the site can go live.
There are plenty of WordPress hosting providers claiming to be secure, fast and powerful.
The security depends on the type of hosting you are buying.
Shared Hosting: Many WordPress sites share the same server and IP. Each site has a limited amount of resources. If one site gets compromised, the other sites are affected too. This is the least secure WordPress hosting.
Cloud Hosting: Cloud hosting is also shared hosting, but each site has its own container. Each container has its own resources, which are not shared with other sites. Cloud hosting is safe, secure and scalable.
Dedicated Hosting: Dedicated hosting means a complete physical server dedicated to one WordPress site. It is a powerful and the most secure way of hosting WordPress.
Things to check before buying WordPress hosting:
- Check their security measures. How does the hosting provider handle hacking attacks?
- Ask them what will happen if the site gets hacked.
- Are there daily backups?
- Does the hosting provider have proactive monitoring?
- How good is the live chat support?
The answer to ‘Is WordPress Secure?’ is No. There are too many parties involved, and no one can take the entire blame for security issues.
Even the site owner has to play an active role in keeping the site secure, by using a strong password and updating themes and plugins.
WordPress is not secure, and the risk of getting hacked is always there. We cannot eliminate it, but we can reduce it to the bare minimum.
Besides everything I suggested, I also advise you to have a backup plugin ready on your site and make daily backups. This way you can restore your site quickly if anything unfortunate happens.
If there are any questions and queries, leave them in the comments.