One of the services I provide is managed WordPress websites, and a common negative comment I hear from people concerns WordPress security, claiming “WordPress is not secure.” More often than not these words of misplaced warning come from other web designers or IT guys who clearly have not done their research and really should know better. The obvious drawback of this misinformation is that clients then become fearful of falling victim to malicious behaviour. But the truth is, WordPress core is one of the most secure publishing and web development platforms you can choose to build a site on.
What most people don’t realize is that WordPress is not a set-it-and-forget-it system.
WordPress security isn’t about setting and forgetting. Rather, it’s about taking every measure you can to harden your website and prevent it from being hacked. It’s not just up to WordPress to implement security for you either. Using WordPress, as with any off-the-shelf CMS, means YOU are responsible for your website’s maintenance, including security. This is actually true of ANY website, and especially of bespoke-built websites, which are the most likely to have gaping security holes since they will often never have been maintained or updated.
While WordPress already does a lot to harden its core, there is a shared responsibility between you, your hosting infrastructure, and WordPress to be vigilant about enforcing security best practices (or to hire someone like me to do it for you).
So, if you are rejecting WordPress due to WordPress security concerns, let me enlighten you with a few reasons to convince you that WordPress is actually more bullet proof than you might realize.
The No. 1 cause of a hacked WordPress website is an outdated extension or outdated core, the result of poor or non-existent maintenance.
Hacking is newsworthy
WordPress wasn’t always as secure as it is now. Back in 2009, when WordPress was on the brink of massive popularity, the CMS contained a number of security vulnerabilities that were exploited and picked up by the news. The platform received extreme criticism, which was really the community’s way of saying that WordPress needed to up its game and become more bulletproof.
These security concerns were addressed in version 2.8, following a string of security patches to strengthen the WordPress codebase. While security was on the shaky end then, today WordPress is quite secure. Yet, because WordPress makes up such a huge chunk of the internet (28 percent and rising; 1.2 billion downloads), if a hacker is scouring the web to cause trouble, there’s at least a quarter chance they’ll land on a WordPress website.
As such, these security exploits are publicized when any high-profile attack occurs. This gives WordPress a reputation for being less secure than comparable CMSs, like Drupal and Joomla. However, this is completely inaccurate.
The reality is, WordPress is secure enough for millions of end users and a number of Fortune 500 companies to trust their online business with.
Other popular CMSs like Drupal and Joomla aren’t targeted as much, simply because they aren’t as widely used as WordPress. While WordPress powers over half (52 percent) of the CMS market, Drupal powers a mere two percent and Joomla only six percent. So, when WordPress does get hacked, it’s commonly covered by media outlets and the news. But what many people don’t realize brings us to the next point.
Most security exploits are a result of an outdated component.
Most security attacks on WordPress occur through an outdated theme, an outdated plugin, or an outdated WordPress core. Of all the high-profile exploits in recent years, each attack has targeted vulnerabilities that could have been avoided with a simple update. Therefore, it is not the fault of WordPress when these breaches occur; it is the fault of the website owner for not properly maintaining their website.
It’s your duty to update plugins, themes, and WordPress core accordingly.
While so-called managed WordPress hosting providers like WP Engine or GoDaddy may run automatic updates to WordPress core for you, they do not update all your plugins and themes to ensure they contain the latest security patches. That is still down to you, so the term “Managed WordPress” is obviously rather misleading to many website owners, who are unwittingly under the impression that EVERYTHING is being managed, which is not the case. Just to be clear, the managed WordPress solution I provide does include everything.
If you do not have someone like me managing your site and are managing it yourself, then it is also up to you to familiarize and educate yourself about plugin and theme best practices. While free plugins and themes are awesome, when browsing the plugin repository make sure the plugin/theme has been updated recently and works with the latest version of WordPress. If you activate a plugin/theme that hasn’t been updated in more than a year, you could potentially be opening up a portal for hackers, because the extension will most likely not have been patched with the latest security updates.
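The two checks just described (last update within a year, declared compatibility with the core version you run) can be scripted against the plugin metadata that WordPress.org publishes. The following is an added example, not code from the original post: it audits a constructed sample of plugin records using the `slug`, `version`, `last_updated` and `tested` fields the WordPress.org plugin information API returns (the date format and the site's core version are assumptions for the demo), and flags anything that breaks either rule.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for the records the WordPress.org plugin
# information API returns; every slug, version and date here is made up.
SAMPLE_PLUGIN_INFO = json.loads("""
[
  {"slug": "example-forms",    "version": "3.1.0", "last_updated": "2024-05-02 9:10am GMT", "tested": "6.5.3"},
  {"slug": "old-gallery",      "version": "1.0.4", "last_updated": "2021-03-14 4:00pm GMT", "tested": "5.7"},
  {"slug": "new-but-untested", "version": "0.9",   "last_updated": "2024-04-20 1:00pm GMT", "tested": "6.2"}
]
""")

CURRENT_WP_VERSION = "6.5.3"   # assumption for the demo: the core version the site runs
MAX_AGE = timedelta(days=365)  # the article's rule of thumb: over a year old is a red flag


def parse_last_updated(value):
    """The API reports e.g. '2024-05-02 9:10am GMT' (format assumed); only the date matters here."""
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def audit_plugin(info, now, current_wp=CURRENT_WP_VERSION):
    """Return a list of findings for one plugin record; an empty list means no concern."""
    findings = []
    age = now - parse_last_updated(info["last_updated"])
    if age > MAX_AGE:
        findings.append(f"not updated for {age.days} days")
    # "tested" is the newest core version the author declares compatibility with.
    # Compare major.minor only: a plugin tested on 6.5 is fine on 6.5.3.
    tested = version_tuple(info["tested"])[:2]
    current = version_tuple(current_wp)[:2]
    if tested < current:
        findings.append(f"tested up to {info['tested']}, site runs {current_wp}")
    return findings


def audit_all(records, now):
    """Map each plugin slug to its findings so the caller can act on the ones that need review."""
    return {record["slug"]: audit_plugin(record, now) for record in records}


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the output is reproducible
    for slug, findings in audit_all(SAMPLE_PLUGIN_INFO, now).items():
        status = "OK" if not findings else "REVIEW: " + "; ".join(findings)
        print(f"{slug:18} {status}")
```

Run as a one-off, the script prints `OK` for the maintained plugin and `REVIEW:` lines for the stale one and the one not yet tested against the running core; wiring it to the live API is a matter of replacing the constructed list with the fetched records.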
Premium plugins and themes are less likely to contain security vulnerabilities because they are monitored and updated more regularly. That’s one benefit of paying for a premium component: you won’t have to worry about the author going astray and neglecting to keep the theme/plugin up to par with the latest security standards. However, do not try to pirate premium themes and plugins; this is a bad idea because they most likely won’t contain the latest security patches.
There are many security vendors working quickly to detect and patch vulnerabilities.
In terms of security, no system is perfect. According to WordPress.org, “Security is about risk reduction, not risk elimination, and risk will never be zero.”
This is true not just for WordPress, but for any system. That’s why, in addition to the WordPress core team, many third-party security providers work endlessly to detect and fix vulnerabilities.
The open source nature of WordPress means that anyone can contribute to detecting security vulnerabilities, meaning faster fixes. For instance, you might have heard about a recent WordPress security breach through the REST API (introduced in version 4.7.0) where 1.5 million-plus pages running that specific version were defaced. Various security vendors detected the vulnerability and immediately reported it to WordPress to build an update.
If your enterprise site contains highly sensitive information, or you are just worried about this happening to you, it could not have happened to you as long as you invest in managed services that automatically run WordPress updates for you. I was notified of this breach as soon as it was made public and immediately started issuing patches across all my client sites so that nobody was affected.
So just remember…
WordPress is as secure as you want it to be.
It’s your duty to take additional measures to harden the security of the WordPress site you’ve built. With the help of managed hosting and service providers like myself, security is taken to the next level. To avoid a treacherous site invasion, there are some additional security measures you can (and should) take to harden the security of your WordPress site. The hosting I use for WordPress includes web application firewalls, intrusion detection, brute force protection, malware scanning and more.
Enforce Strong Passwords
This is the most basic of the security measures you should be taking. If a hacker decides to run an automated brute-force script, an easy-to-guess password will make it far easier for them to crack. Instead, use a strong password generator to make sure your password is secure enough. You can also use a plugin like Force Strong Passwords to enforce strong passwords for other users on your site or across a WordPress Multisite. By default, I always use strong, randomly generated passwords on all client sites.
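To make the two halves of this advice concrete, here is an added example (not code from the original post, and written in Python rather than PHP) of what a policy like Force Strong Passwords enforces and how a generator should produce passwords that pass it. The minimum length, entropy threshold and the small common-password denylist are assumptions chosen for the demo; a real deployment would use a much larger breached-password list.

```python
import math
import secrets
import string

# Constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "wordpress", "admin123"}

MIN_LENGTH = 16          # assumption: policy values chosen for this example
MIN_ENTROPY_BITS = 60.0  # assumption: rough floor below which a brute-force script has a fair chance

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def estimate_entropy_bits(password):
    """Upper-bound estimate: log2(pool size) per character, pool judged from the classes used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return problems


def generate_password(length=24):
    """Draw from the CSPRNG (secrets module) and retry until the result passes the same policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("Summer2024!", "password", "correct horse battery staple ok"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    print("generated:", generate_password())
```

The generator deliberately reuses `check_password`, so the policy has a single definition: whatever the site refuses from a user, it will never hand out either.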
Use 2FA (Two-Factor Authentication)
Enabling 2FA adds an extra layer of security to your login credentials. 2FA works by requiring a second factor of information that only you can give, like a code sent to your phone to verify your activity on a specific computer.
Use SSL For Data Security
SSL (Secure Sockets Layer) encrypts all information submitted to your site while it is in transit. This means hackers won’t be able to read or intercept the data your users share on your site (like credit card info) as it travels over the network. While WordPress doesn’t come with automatic SSL, most hosting providers offer SSL and many now offer Let’s Encrypt.
Since Google has started issuing “Not Secure” warnings for pages not secured with HTTPS, it’s now important to make the transition to HTTPS if you haven’t already, so that your clients don’t see this warning message. Therefore I now enable SSL on all client sites by default.