WordPress is the most widely deployed CMS in the world, so it is no surprise that WordPress security is an important topic for current and prospective site owners. From people planning a new website, we often hear real concerns about WordPress security. Hosted website builders such as Squarespace and the heavily advertised Wix, among others, present a simple alternative that shifts the responsibility for security to the vendor. Does that mean these systems are more secure? No, it just means they have not been successfully hacked yet. Hosted website solutions aggregate a large number of websites in one cloud or server farm, and when the administrative services for those systems are penetrated, every website under that service's control may be compromised. To believe these services are impenetrable, when so many major institutions have been successfully hacked, is not reasonable, and neither is claiming they are more secure than WordPress.
Hosted WordPress places the responsibility for WordPress security on the site owner, and the security of the web server on the hosting Internet Service Provider (ISP). For the site owner, the most substantial threats are of three types:
- Brute force attacks—This is the most common WordPress security issue. An automated bot tries literally thousands of username/password combinations, starting from the most common (“admin” and “123456”) and learning from each failed combination. By some estimates, brute force attacks make up over 50% of all attacks on all websites; they are not specifically a WordPress security issue.
- Version exploitation—Attackers look for WordPress installations that have not been updated to the latest version and exploit known issues in them.
- Plugin vulnerabilities—Plugins that have not kept up with current versions of WordPress (or are not updated by the site owner) can expose vulnerabilities. Among attacks specific to WordPress sites, the numbers suggest that plugin vulnerabilities account for at least half of all successful breaches.
For many years, WordPress took a very hands-off approach to security. Many articles were published on “hardening” WordPress, and some very capable WordPress security plugins were developed. Then, about five years ago, at the urging of many influential people in the WordPress community, WordPress began adding features that encourage site owners to keep good security habits. Among these are:
- Automatic updates were introduced in 2013. By default, minor updates and important security updates are installed automatically, while major version updates still require manual action. That same year, this article declared that 70% of all WordPress installs were vulnerable because of missing version updates. Newer data on the number of outdated installations are not available.
- A strong password monitor was introduced in 2015. The monitor is very strict, giving a passing grade only to what would count as a very strong password in most other systems, but it does encourage stronger passwords, the best defense against brute force attacks.
- Notifications have been introduced to help the site owner keep plugins and themes up to date. A small red button appears in the dashboard sidebar indicating that updates to themes and plugins are available, and the updates page is arranged so that all plugins can be updated in two clicks.
- Plugins in the WordPress repository receive notices from WordPress when they appear in the results of the Add New plugin search, informing the administrator that the plugin is out of date. New this year, a policy change has the notice show how many versions behind the plugin is, rather than how many years or months have passed since the plugin was last updated. Older plugins do not appear in repository plugin searches, and very old plugins are ultimately removed from the repository.
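As an added example, not taken from the article or from WordPress documentation, here is how the update defaults described above look in a site's own configuration. The core constant lives in wp-config.php; the plugin and theme opt-ins must go in a separate must-use plugin file (the file name below is my choice), because the filter API is not loaded until wp-config.php hands off to wp-settings.php.

```php
<?php
// wp-config.php, above the line "require_once ABSPATH . 'wp-settings.php';"

// The default since WordPress 3.7 (2013): minor and security releases install
// themselves, major releases wait for a click. Leaving the constant undefined
// behaves the same as 'minor'.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
// To have major releases install themselves as well, use true instead:
// define( 'WP_AUTO_UPDATE_CORE', true );
// false switches off all core auto-updates, including security releases; only
// do that when something else (managed host, deployment pipeline) applies them.

// wp-content/mu-plugins/auto-updates.php (a separate file: add_filter() does not
// exist yet while wp-config.php is being read)
// Plugins and themes are not auto-updated unless the site opts in. These two
// filters opt in everything installed; the per-item toggles on the Plugins and
// Themes screens (WordPress 5.5 and later) are the finer-grained alternative.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Auto-updating everything trades a small risk of a broken update for the large risk the article describes, an outdated plugin left unpatched for months; a site owner who would rather review each change should keep the filters off and rely on the notification badge instead.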
With these changes, WordPress actively aids and encourages good security habits, but it does not insist on them; responsibility for site security still rests with a responsible and engaged admin or site owner. There are several areas where WordPress could do better:
- There is no mechanism for sending an email alert to the admin of record when a plugin is two or three revisions out of date. Often the primary admin is not a content creator, and content creators may not know whom to notify when they see an update alert on their dashboard, so these issues go unresolved.
- There is no native defense against repeated login attempts. Many WordPress security plugins, such as Wordfence, provide this capability in their free version; given the prevalence of brute force attacks, however, this enhancement should be considered for core.
- The WordPress version appears in the header of every blog page, which tells attackers which known weaknesses to look for. While this feature can be helpful to developers, it is not essential and should be removed.
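The three gaps above can each be closed by the site owner today. The must-use plugin below is an added example, not code from the article, from WordPress core or from any plugin it mentions: it emails the admin of record a daily list of pending plugin and theme updates, locks an address out after repeated failed logins, and drops the version tag from the page header. It uses only standard WordPress hooks and functions; the `ex_` function names, the limits and the file name are my own choices.

```php
<?php
/**
 * Plugin Name: Example security gaps (added example, not part of the article)
 * Description: Update alerts by email, login throttling, and removal of the
 *              version tag. Save as wp-content/mu-plugins/security-gaps.php;
 *              must-use plugins load automatically and have no deactivate link.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

/* ---- 1. Email the admin of record when plugin or theme updates are pending ---- */

// Core stores pending updates in site transients. Plugin entries are objects,
// theme entries are arrays, hence the two access styles below.
function ex_pending_update_lines() {
    $lines = array();

    $plugins = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $info ) {
            $lines[] = sprintf( 'Plugin %s: version %s available', $file, $info->new_version );
        }
    }

    $themes = get_site_transient( 'update_themes' );
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $info ) {
            $lines[] = sprintf( 'Theme %s: version %s available', $slug, $info['new_version'] );
        }
    }

    return $lines;
}

function ex_mail_pending_updates() {
    wp_update_plugins(); // Refresh the transients so the report is current.
    wp_update_themes();

    $lines = ex_pending_update_lines();
    if ( empty( $lines ) ) {
        return; // Nothing outstanding, send nothing.
    }
    $subject = sprintf( '[%s] %d pending update(s)', get_bloginfo( 'name' ), count( $lines ) );
    wp_mail( get_option( 'admin_email' ), $subject, implode( "\n", $lines ) );
}
add_action( 'ex_daily_update_check', 'ex_mail_pending_updates' );

// WP-Cron fires this on page loads; on a quiet site, point a real cron job at
// wp-cron.php so the check still runs daily.
if ( ! wp_next_scheduled( 'ex_daily_update_check' ) ) {
    wp_schedule_event( time(), 'daily', 'ex_daily_update_check' );
}

/* ---- 2. Lock an address out after repeated failed logins ---- */

define( 'EX_MAX_FAILURES', 5 );      // failures allowed...
define( 'EX_LOCKOUT_SECONDS', 900 ); // ...before a 15-minute lockout

function ex_client_key() {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN that is the
    // proxy's address and all visitors would share one counter; in that setup,
    // key on the forwarded address only if the proxy is yours and overwrites
    // the header on every request.
    return 'ex_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] );
}

function ex_record_failure( $username ) {
    $key      = ex_client_key();
    $failures = (int) get_transient( $key );
    // Each failure resets the expiry, so a bot that keeps hammering stays locked.
    set_transient( $key, $failures + 1, EX_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'ex_record_failure' );

function ex_reject_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( ex_client_key() ) >= EX_MAX_FAILURES ) {
        // Priority 30 runs after core's password check (priority 20), so this
        // error replaces whatever it decided: a locked-out client sees the same
        // message whether or not the password was right.
        return new WP_Error( 'ex_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_reject_if_locked', 30, 3 );

function ex_clear_failures( $user_login ) {
    delete_transient( ex_client_key() ); // A successful login resets the counter.
}
add_action( 'wp_login', 'ex_clear_failures' );

/* ---- 3. Stop advertising the WordPress version ---- */

remove_action( 'wp_head', 'wp_generator' );             // <meta name="generator"> in the page head
add_filter( 'the_generator', '__return_empty_string' ); // generator element in RSS/Atom feeds
```

Two caveats for anyone deploying this. The update report can only say that a newer version exists, not how many revisions behind a plugin is, because the update transient carries just the current and the newest version. And removing the generator tag is hygiene rather than protection: the version is still visible in readme.html at the site root and in the `?ver=` query strings on core stylesheets and scripts, so staying updated remains the only real fix.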
In the end, the answer to the question “is WordPress secure?” is “yes, if the site owner is committed to security”. The steps needed for effective WordPress security are no longer the realm of the developer: with current tools and plugins, a non-technical site owner can keep a site secure as well as anyone. Every site owner should have their own WordPress security checklist and exercise it at least once a month.