WordPress is not secure. Or is it?

WordPress-Related Vulnerabilities Tripled in 2018, Bleeping Computer reports. Now there’s a frightening headline if your website is running on WordPress! But let’s take a closer look.

Why is WordPress being targeted?

It’s all about the numbers. As of this writing, WordPress powers 32% of websites across the globe. Joomla, Drupal, Squarespace, and Wix pale in comparison, with only 1 to 3% market share each. It’s easy to see that a hacker has a much larger chance of success when he can configure a bot to attack a much higher number of websites.

On top of that, WordPress is open source software. This means that the code it is built with is open for all to see. Anyone can inspect it or change it on their own system. This is different from proprietary software like Microsoft Office, where only the software developers at Microsoft can view and change the program code. This opens the project up to greater collaboration and expansion through themes, plugins, or your own custom code, but also leaves the code free to inspection by those with more nefarious motives.

Furthermore, WordPress can be expanded and enhanced with themes and plugins. A theme changes the way your website is displayed to your visitors. Plugins add functionality to your website: if you need an e-commerce website, you could add a plugin for that. If you want to add a photo gallery, you could add a plugin for that. Some themes and plugins are released for free through the WordPress repositories. Others are available for a fee through the designers’ or developers’ own websites or through online marketplaces such as Envato’s CodeCanyon and ThemeForest. These plugins and themes don’t necessarily come with any warranty or guarantee of safety or security for your website, though good developers stand behind their products and provide support as required. When you install a plugin or a theme without inspecting the code yourself, you are trusting the developer or designer to have done their due diligence to make sure their themes or plugins are secure and don’t contain any vulnerabilities. The more plugins you install, the more you multiply your chances of letting an as-yet undetected vulnerability slip through, so it’s important to be sure you trust the ones you install, and to use plugins or themes whose developers are actively updating and supporting their products.

Should you be afraid to use WordPress for your website?

Not at all. The reason so many websites use WordPress is that it is easy to use and has a high level of flexibility. WordPress’s stated goal is to “democratize publishing,” and they have certainly accomplished that. Instead of abandoning WordPress, implement security measures to protect your website and your visitors. The truth is that any website at all can be a target for hackers if it has a security vulnerability, whether it is run on WordPress, Joomla, Drupal, or is custom-coded. Also, since there are so many websites and people using WordPress, there are that many more people keeping an eye out on security. The community is large and talented, and interested in keeping WordPress websites secure.

I have a small site with a limited audience. Do I really need to worry?

Worry, no. Take the proper precautions, yes. The size and reach of your website is not a factor in whether or not your website will be hacked. If your website is online, you need to protect it and your visitors.

Keep your WordPress website secure from predators.

How can you mitigate the risks?

There are steps you can take to keep your website safe.

  1. Protect your devices.
    First things first, make sure your computer, tablet, and phone are protected. Use virus scans, firewalls, and spyware protection. Use strong passwords. Use password managers.
  2. Backup, backup, backup.
    Back up your files and your database. And make sure that backup is off-site – do not store it on the same server where your website is located. That way if something does happen, you can still restore your website.
  3. Keep your WordPress software, plugins, and themes updated.
    This is one of the best things you can do to keep your website safe. When security fixes come out, don’t waste time – update.
  4. Do not ever use “nulled” plugins or themes.
    Some websites provide “free” plugins and themes that are actually pirated copies of plugins and themes you would normally have to purchase. This may not be technically illegal due to the GPL license, but whether it is illegal or not, using them is a risky practice for your website. Sites that offer these types of plugins and themes may add their own code into the products, which allows them to add hidden links, or worse, onto your website. These types of websites are inherently less trustworthy than a web development agency that stands behind its product. Kinsta explains more reasons to avoid nulled plugins and themes.
  5. Use SSL.
    If your website isn’t using SSL yet, make that change today. Seeing the padlock & https:// in the address bar reassures your visitors that you care about their security.
  6. Protect your website with a firewall.
    Wordfence and Sucuri are two well-known, trustworthy services that can provide this for you.
  7. Set up regular scanning services.
    Both Wordfence and Sucuri also perform this service. They can alert you when any files change on your website.
  8. Audit your website users on a regular basis.
    If someone has left your organization, remove that person’s access to your website. Adhere to the “least permissions” philosophy – give each user the lowest possible permissions they need to perform any website-related duties they are responsible for.
  9. Educate yourself.
    Learn about phishing schemes, which can be one of the top ways a hacker can find his way into your website.
  10. Use a host that offers a secure version of PHP.
    PHP is the programming language WordPress runs on. If your host doesn’t offer a current, supported version of PHP, keep contacting them and asking them to provide a more recent version until they do.
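As an added illustration of what the file-change scanning in step 7 does (example code written for this page, not the author’s code and not the implementation of Wordfence or Sucuri), the script below snapshots a constructed, WordPress-like directory tree, then rescans it and reports added, removed and modified files. The directory layout and file contents are a constructed sample in a temporary folder.

```python
"""Baseline-and-compare file integrity check, the core idea behind the
WordPress scanning services mentioned in step 7. Added example, not the
author's code; the tree built in demo() is a constructed sample."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Return {relative_path: sha256} for every regular file under root."""
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snapshot[path.relative_to(root).as_posix()] = digest
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a tiny constructed tree, take a baseline, change it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed sample\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // core\n")
        baseline = hash_tree(root)
        # Simulated changes a scanner should report: a core file edited,
        # a PHP file appearing in the uploads folder, a config file removed.
        (root / "wp-includes" / "functions.php").write_text("<?php // edited\n")
        (root / "wp-content" / "uploads" / "x.php").write_text("<?php // new\n")
        (root / "wp-config.php").unlink()
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is stored somewhere the web server cannot write to, and each rescan is compared against it so that any unexpected change triggers an alert.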

“WordPress is not secure” is one of those easy-to-parrot myths, like “Macs don’t get viruses.” Don’t believe it – but do take precautions to keep your website and your visitors safe.


Want to take the headache out of keeping your site secure? Ask RED about our hassle-free security packages.




Alisa Cognard

Alisa was one of the first team members to join Red Earth Design, Inc. in early 2004. From data entry, she progressed to MySQL database manipulation and PHP coding. Alisa is responsible for all kinds of odds and ends: installing new websites, adding features to them, programming databases, PHP coding, website troubleshooting, website security, and organizational tasks for Red Earth Design.
