It’s no secret that websites are a favorite target for hackers. The ability to compromise a site through a plugin, unpatched security hole, contact form or a thousand other ways can open the door to a veritable online crime spree.
It’s also an unfortunate fact that WordPress sites are a favorite target for hackers. While this may give the impression that it’s due to poor security, much of it comes down to market share: as of this writing, 43 percent of the world’s websites run WordPress. If you only look at websites utilizing a content management system (CMS), that number jumps up to 65.3%. A hacked plugin can affect a wider range of targets using WordPress than other CMSes such as Drupal or Joomla.
But is WordPress actually secure? The short answer is: it depends on who’s using it.
While WordPress is a CMS, it, like most other websites, are a composite of several other services and pieces of software operating to create a cohesive (hopefully) website experience. There’s the core WordPress software, there are themes to help determine how the site looks, and there are plugins for added functionality. There are also a wide number of hosting services with differing levels of quality. And then there are users.
Here’s how the security for each of these parts breaks down:
- The CMS: WordPress is an open-source CMS platform and is regularly updated. Serious security vulnerabilities on it are relatively few and far between, largely owing to the fact that Automattic, the company that produces it, has roughly 1700 developers in its employ. Keeping WordPress itself up-to-date is a fairly simple process and is sufficient to keep it secure in and of itself.
- Themes and plugins: While Automattic releases and maintains several themes and plugins for WordPress, there are thousands produced by third-parties. This is where many of the potential security issues come into play. An update to WordPress doesn’t mean that plugins and themes will be updated, and vice-versa.
While there are several major plugin and theme developers that are constantly refining and updating their products, many are produced by companies with questionable coding practices, others are developed and released as a one-off, and many others are abandoned entirely. Most major news headlines about WordPress vulnerabilities actually involve those in poorly developed or unmaintained plugins.
Anyone prioritizing keeping their WordPress site secure needs to select plugins and themes carefully, check regularly for updates and check ratings and reviews for which ones are highly recommended and more likely to be vetted. The alternative is to enlist the aid of a well-established web development agency to assist and make recommendations as needed. (One springs to mind.)
- Web hosts: Hosting platforms are where WordPress sites are physically installed and can be very much of a mixed bag. Many offer low rates for hosting on shared servers with relatively minimal security, or with security offered as an add-on expense. At the higher end are more expensive solutions offering more amenities, higher capacities for traffic, and perhaps most relevant, significantly more powerful cybersecurity tools and protections.
As far as web hosting security is concerned, there is no “one size fits all” solution. A smaller business or organization with a website that functions as a billboard needn’t spend hundreds or thousands per month on best-in-class cybersecurity protections; this would be comparable to storing a bicycle in a bank vault instead of using a bike lock. At the same time, any web hosting solution should have at least a minimal level of security and customer support in the event of a cyber incident.
- Users: The human element is one of the most difficult factors to account for across all of cybersecurity, WordPress sites included. Shared accounts, poor password hygiene (reusing passwords, using “password” as a password, etc.), lack of attention to plugin and theme updates, etc. can all allow hackers an easy path to entry on even well-secured sites. Any website, especially one with multiple users or administrators, needs to have a policy in place requiring basic security best practices.
Rather than looking at the security of WordPress as a binary proposition, anyone with a website should consider the following questions and factors:
- What data is being stored on my site? Websites storing sensitive information, especially personally identifiable information on their users, need to take an extra level of precaution.
- How many people have access to my site? WordPress sites with multiple administrators or users with access to plugins, themes, content and data have a significantly larger attackable surface than a site with one administrator and should have an enforceable security and password policy.
- How essential is my website to my overall business? If your livelihood depends on your site running 24-7, consider the costs of a hacker-induced site shutdown for days, if not weeks, you should plan and budget for security accordingly.
How much time can I commit to my site’s security? Keeping an eye on a website, keeping it well-maintained and updated, and checking regularly for suspicious activity can be a time-consuming activity for a layperson. Consider using a dedicated team or agency (we offer a range of Service and Performance plans) to keep tabs on your website if your time is at a premium.