The truth about WordPress security …

Last updated on December 7th, 2022

If you’ve been developing websites recently it’s hard to miss what some people will say about using WordPress as your content management system: “It’s not secure”. Likewise, if you’ve been exploring getting a website built you may have encountered conflicting information about WordPress from a variety of sources. In this article, I’ll discuss the truth about the security of this content management system, the top reasons why WordPress sites become insecure, and how to maintain the security of your WordPress site once it’s live on the web.

What WordPress Is

It started out as a blogging platform back in 2003 – a long time ago by internet standards. When it first came out it was nothing like the modern version. Over the years the developers stuck with it and made steady improvements, which included transforming it from a simple blogging platform to a full content management system.

WordPress is used by 20% or more of the top 10 million websites and is still the most popular CMS in use today (source: Wikipedia).

WordPress is also what is known as Open Source software. In a nutshell, Open Source software is software in which the code is made available for distribution and changing. Open Source can be often be used to build other things. In the case of WordPress, it also opened the floodgates for other developers to program functionality add ons, called plugins, and create design layouts, called themes.

WordPress Out of The Box

In the last few years, I’ve seen WordPress come a long way in staying up on security. ALL software on the web is susceptible to security breaches such as hacking (just like ANY web host can be susceptible to security breaches and hacking). To believe otherwise means you’re living in a pre-internet fantasy world. The real kicker is how quickly developers discover and remedy issues. I have to say, WordPress itself is pretty on the ball with that these days and so are most of the top plugin developers. So where do most of the security issues with using WordPress stem from? Read on …

You Are The Weakest Link

So you’ve decided you need your website to have a content management system (or a shopping cart, or various other functionality that WordPress can provide). My next question is, “Are you willing to stay on top of maintenance, or pay someone else to?” I find that a large percentage of people have no idea that their website would need to be maintained beyond launching it and making some content updates. They do not know, especially in the case of WordPress, that maintenance is critical. Even if you had installed WordPress, used the default template that comes with it, and never installed a single plugin, you can not just leave your site unattended to on the open web. When WordPress pushes out a new update, it’s imperative that you click that update link in the admin area (WordPress will put a helpful message right at the top of your screen for you to do so). The bottom line is, the longer your site sits unmaintained on the web, the more your chances that it will be hacked go up.

In one way, WordPress is often considered DIY in that many web hosts offer an easy way to install it, there’s tons of pre-made design themes out there, and adding plugins is a fairly easy operation if you want additional functionality. But there are some pitfalls. While I’m sure there’s DIYers out there who are successfully maintaining their WordPress sites, I also bet that they’ve run into a problem or two while doing so. Maybe they’ve gotten the dreaded “white screen of death” and had to turn to the web in a blind panic to see how they can get their website back. Or maybe they’ve suddenly found their site was spitting out links to a site selling Viagra. In my experience with WordPress, it’s inexperience or neglect of maintenance that can lead to the most troubling of issues, including malware and hacks. Even if we have developed a custom WordPress site (custom = custom install with security in mind, custom coding your own WordPress theme, additional programming or custom plugin programming … basically much more advanced than the out of the box version) it can still be susceptible if someone chooses to not maintain the site or start adding plugins here and there against our advice.

What’s Wrong With Themes?

As a web designer/developer of course I’m going to make a good case for why a custom site does more for your business than a pre-designed solution. Working with a professional designer is an investment in your business and can ensure that your goals are met, your site fits your brand, and it connects with your target market. However, plenty of people are still going to go with themes. Some may not even know they are going with themes if they’re dealing with a developer who fails to mention that fact and simply uses one for the base of something they’re calling “custom”. I can’t tell you how many sites I’ve looked at where the person claimed they had a custom designed site and right in the page code is the name of a WordPress theme that is either free or available for purchase (for an average of about $60), with very little design modifications made.

I can see the appeal of using themes. They seem like an easy solution. They’re an easy way to get a website up, especially if you have no budget. The problem is, I’ve run into a lot of crummy coding that ranged from just plain bad to actually containing malware or other sketchy code. That can be avoided if you get your themes from a reputable source such as the WordPress.org site or some of the popular commercial theme developers that do a lot of testing and make sure their code is error free and up to date (as well as make sure they’re on top of theme updates when security vulnerabilities are found). If you go this route though, it’s usually on you to perform the updates as the developer releases them. Ignoring that would leave your site vulnerable.

The Problem With Plugins

Conceptually, plugins are pretty awesome. They’re an easy way to add additional features and functionality to your WordPress site. But there is a dark side to plugins – some have the potential to take down your entire website (“white screen of death”), and some offer a convenient way for a hacker to exploit your site for their own nefarious purposes.

In February of 2021, there were at least 22 vulnerabilities in plugins that affect some 2.5 million websites (source) .

Nothing is flawless or bulletproof when it comes to plugins, but maintenance is also of utmost importance. Not updating or leaving a plugin on a site (even a deactivated one) that has a vulnerability can poke a hole in even the most securely set up WordPress install. It’s also very important to thoroughly check out any plugin that you wish to install. This means checking out the plugin’s page on WordPress.org, checking the support forum, checking the date it was last updated (orphaned/not updated plugins are generally not advisable), asking your web developer, etc. We have our own testing server that we install plugins on before we ever recommend them to a client. But plenty of people don’t have that luxury and they find out too late that they’ve installed a bad one.

The Short List of Basic WordPress Security Tips

I’m not going to go into the more technical things that can be done while installing WordPress (that would take up a whole other article), except for if you are installing WordPress yourself, there are two things you must do during installation: change the table prefix from the default wp_ to something else (ex: something_) and change the user name to something other than Admin (the more complex the better). Now, on to the rest of the list …

• My number one advice? Go with the reputable and trusted web host. (My personal recommendation on hosts is: WordKeeper)
• Choose a difficult password (we recommend 16 characters) and change it frequently. NOTE: use a service such as strongpasswordgenerator.com.
• Make sure WordPress is not broadcasting what version you are running (which should be the latest one, regardless, but if you’re not on top of it, this is something hackers can search for and exploit). NOTE: there are plenty of tutorials out on the web on how to do this as well.
• Avoid themes from untrusted sources.
• Stay up on maintenance – update WordPress version, any themes, and plugins as soon as they’re available. If you don’t have time to do this, pay someone else to.
• Check plugins with Plugin Security Checker or use their paid service to alert you to security vulnerabilities with plugins.
• In general, keep plugins to a minimum and thoroughly check out any plugin you’re considering installing.
• Remove any unused/inactive plugins.
• Scan your site monthly using a plugin like Anti-Malware.
• It should go without saying, but make sure your own computer that you use to access the admin area of your site is free from malware.

Parting Thoughts

I hope I’ve illustrated the important points on how to keep your WordPress site running smoothly and tempered some of the insecurities with some realities. If you’re thinking of utilizing WordPress for your website, contact us. We would be happy to talk to you more about the benefits of going custom, and offer you a free estimate.

(Original article appeared on December 9, 2013 and has been updated on February 7, 2021 to include more/new information.)

Sherry Holub

I’m a creative problem-solver driven by the desire to see small businesses improve their image and succeed. I’ve got over 20 years experience and have worked with clients as large as Nike and as small as a local sole-proprietor. I’ve been an advocate for education, a member of prestigious design organizations, won awards, and been invited to judge design competitions. Over the years, I have also written blogs and articles for a number of online sites and print publications. I have a heavy background in art, photography, graphic design and thinking outside the box. When not working, you’ll find me getting outdoors, practicing Qi Gong, snowboarding, camping, collecting rocks, and driving around in a sweet 1970 Camaro.