October 7, 2019
Are WordPress Sites Secure? Here’s the Honest Truth
Talk of WordPress’s security vulnerabilities is everywhere. But like many rumors, they contain a molehill of truth and a mountain of fiction.
Some of the most common questions I get as a developer are around WordPress security. They come from a place of real fear, stoked by anecdotal horror stories and even more damning statistics. In 2018, WordPress accounted for 90% of all hacked cms sites. Yikes.
So, how does WordPress continue to emerge from battle as the reigning champion of content management systems? Here’s the honest truth: If deployed and maintained properly, WordPress sites are just as secure as any other content management system.
Yes, you read that right. Let’s start by putting some things into perspective.
WordPress is targeted more often because there are simply more WordPress sites to target.
WordPress is a giant, owning 61% of the market share and constituting 34.6% of all websites known to use a CMS, according to W3Techs. Joomla and Drupal are a distant 2nd and 3rd in usage, constituting 2.8% and 1.7% of sites, respectively.
Looking at potential WordPress security issues from a purely volumetric standpoint is unfair. It’s a bit like comparing the record of a football team who has five opposing teams in their league, versus one who has 500.
WordPress vs. Drupal security has been a particular topic of interest for many weighing CMS’s. Drupal may have marginally better internal security structures, but once you understand WordPress’s largest vulnerabilities and the simple steps you need to take to avoid potential threats, you have more or less leveled the playing field. WordPress’s core is still one of the best and most secure you can use.
What are WordPress’s biggest security vulnerabilities?
For a CMS to be “hacked,” there needs to be some proverbial “open door” that a threat can penetrate. WordPress 5.0 has made some significant improvements to both its security and usability, but there are still some potential doors that can be attacked.
By and large, 3rd party plugins are the #1 offender of WordPress security vulnerabilities. And that makes sense: The majority of WordPress plugins are not developed by WordPress themselves.
Still, the lesson here isn’t one of hopeless vulnerability. There’s always a possibility to be attacked, but there are a number of simple things you can do to help prevent these attacks from ever happening.
How Do You Secure Your WordPress Site?
The two types of attacks that I see most frequently are distributed denial-of-service attacks (DDOS) and brute force attacks.
In layman’s terms, a DDOS attack is an attempt to disrupt your normal flow of site visitors by overwhelming your site with additional traffic. The goal of these attacks is to overload your server and disallow normal site visitors from accessing your content.
A brute force attack is more about gaining entry to your CMS in order to effect change or steal data. With this type of attack, a malicious agent will use a computer programmed to continuously attempt to log in to your CMS by trying different password variations.
Protecting your WordPress site against these and other common types of attack starts with a solid foundation and ongoing site maintenance. Here are some things you can do to secure your WordPress site.
Use a reputable, proper hosting platform
If you do nothing else from a security perspective, choose a solid hosting partner. Cheaper does not mean better in this case (and if you’re wary about spending the few extra dollars, think about the revenue you’d lose should something happen to your site).
We build the majority of our sites on Pantheon, a high performance hosting platform with top-of-the line security measures and support. WP Engine is another tier one platform that is hugely popular and confidently secure. CNET boils down how to choose the right hosting platform in three words: speed, support, and security.
Although there’s always a possibility to be attacked, choosing proper hosting platform will protect you through most vulnerable situations. So choose wisely.
If you don’t choose a top tier hosting platform, install a security firewall
Many lower-end hosting platforms don’t offer the level of support and security sites with moderate-to-high traffic need to stay safe. These platforms may work fine for some small sites. But for larger, more trafficked web properties hosted on a low cost platforms like GoDaddy, for instance, you will want to install some type of security firewall to stay protected.
Sucuri firewall, which actively fixes and prevents hacks on your WordPress site, is our top choice in added protection. Global Edge Security, a product of WP Engine, is also a great choice if you are hosting your site on WP Engine.
Choose reputable plugins and keep them up to date
Remember how we talked about plugins being WordPress’s biggest security vulnerability? Well, they really are. For obvious reasons, you need to keep them top-of-mind when thinking about the security of your site.
Thankfully, ensuring plugins don’t become wide open doors to online threats is simply a matter of choosing reputable, highly-rated plugins, and making sure they are constantly updated. For example, installing popular plugins like Yoast or WooCommerce is unlikely to cause you problems, but installing one by an unknown, un-reviewed 3rd party developer might lead to trouble. Common sense, I know. This is simply a topic too important not to cover fully.
Follow these three important techniques for keeping your WordPress site safe, and you should feel comfortable and confident using this CMS to its full potential. After all, WordPress is a powerful tool that didn’t become the largest content management system in the world for nothing.
One last note: As we handoff websites to our clients, we have found it absolutely essential to complete a training regiment so they know how to navigate their new backend and avoid things that would compromise its security. If you’re concerned about WordPress security, I think you might find it useful too. Check out these 6 critical components for WordPress training for a glimpse at what these trainings should cover.