Is WordPress Secure?

In recent years, over a million of the more than 60 million WordPress sites worldwide have been hit by high-profile security breaches, including the famous malware Spectre. Some WordPress security experts estimate that more than 90,000 cyber attacks per minute are launched against WordPress sites of all kinds.

Statistics like these cause both new and longstanding users to worry about whether a WordPress website is secure from attacks—and a safe platform for hosting their business and personal sites. But WordPress itself is only one element in a larger ecosystem of entities that affect the safety and security of WordPress-powered sites. The key question may not be whether WordPress is secure, but rather how users can take the lead in securing their WordPress sites against hacking and other kinds of cyber attacks.

WordPress Security Has Multiple Layers

When users ask whether WordPress is secure, they’re most likely referring to the WordPress Core itself—the free, open-source software package that can be downloaded and installed in any hosting environment. But the WordPress core code doesn’t exist in isolation. Numerous other parties interact with WordPress, and each of them can affect the security of a WordPress site. In that way, WordPress stands at the center of a dynamic ecosystem that also includes:

  • Web hosting providers
  • Third-party plugin and theme developers
  • WordPress site owners and administrators

Security threats to a WordPress site can come through any of these or a combination of them.

Securing the WordPress Core

The core WordPress code is open source software with a general use license, which means that, in theory, any user can modify the code and use or share it in any way they choose. To users unfamiliar with the WordPress community, this makes it appear that WordPress is massively vulnerable to hacking, identity theft, and a variety of other kinds of cyber attacks. 

But although it may seem that WordPress itself can be altered at will by anyone who wants to infect it with malware or compromise it in other ways, that’s not the case. The WordPress organization’s team of core developers is ultimately responsible for keeping the core code stable and secure—and that includes vetting every proposed change and constantly working to fix any vulnerabilities with patches and interim updates.

As soon as a security issue becomes known, the development team steps in to repair it and notify all WordPress users that an updated version is available. Although there’s no guarantee that WordPress itself is completely secure, any security problems that do appear are generally resolved by downloading the latest version of the software.

Web Hosting and WordPress Security

In order to run, self-hosted WordPress sites need a reliable WordPress hosting provider, and that provider also plays a role in keeping users’ sites secure, whether they’re powered by WordPress or by some other content management system.

Hosting providers are responsible for maintaining the security of their own servers against cyber attacks and for providing hosting packages with a variety of security options to meet the varying needs of users, such as Virtual Private Server (VPS) hosting, which can help to prevent “infections” from spreading from one site on a shared server to others. Some hosting providers also offer secure WordPress hosting packages dedicated specifically to WordPress sites, with an eye to addressing the security concerns that are most likely to affect the platform.

Security With Themes and Plugins

Along with the core code, themes and plugins make WordPress sites work—but they can also open the way for security risks. Themes define the appearance of a WordPress site, and hundreds of them are available from the WordPress theme directory that comes with every WordPress install, with thousands more available in both free and paid forms from developers and designers around the world. 

Like themes, plugins expand on the functionality of the WordPress core code. These small pieces of code can be added to just about any WordPress site to extend its functionality in ways that go far beyond its original intended use of blogging. Plugins are also available from the WordPress Plugin Directory in the WordPress install, and more are constantly being created for specific uses by a worldwide community of developers.

Both themes and plugins can pose security risks, though. Although WordPress developers scrutinize all the plugins and themes submitted for inclusion in the directories to be sure that the code is clean and secure, the same can’t always be said for plugins and themes that are either purchased or downloaded for free from third-party developers. 

Plugins and themes that are added to a WordPress site can carry corrupted code or malware that can affect an entire site and potentially other sites it links to. Developers and designers are responsible for making sure that their products can be safely integrated into any compatible WordPress site, but that may not be true for plugins or themes from unfamiliar sources, especially those that are free or that haven’t been updated or maintained in a while.

Users Can Keep Sites Secure

Each member of the WordPress ecosystem has a role to play in keeping WordPress sites secure. But WordPress experts and cybersecurity specialists point out that of all these, WordPress users themselves have the most power—and responsibility—for protecting the security of their WordPress sites. By being proactive and prudent, site owners and administrators can dramatically reduce the risk of cyber attacks and security issues of all kinds by following recommended best practices for maintaining site security, including:

  • Promptly installing recommended updates for WordPress, plugins, and themes.
  • Choosing strong passwords and non-obvious usernames to deter unauthorized login attempts—especially for your site’s Admin login.
  • Buying and installing supported, regularly maintained plugins and themes.
  • Managing administrator access to the site and limiting access to a few users.
  • Deleting unused, outdated plugins, themes, and files.
  • Backing up the site regularly.
  • Installing an SSL certificate to add a layer of encryption to all transactions.
  • Installing WordPress security plugins on the site.
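Several items on this checklist can be verified mechanically rather than by eye. The script below is an added example written for this article; it is not Bluehost's or the WordPress project's code. It builds a small, constructed WordPress directory tree in a temporary folder (two hypothetical plugins, `example-forms` and `example-seo`, with made-up version numbers, and a minimal `wp-config.php`) and then audits it for outdated plugins, installed-but-inactive plugins that should be deleted, missing hardening constants in `wp-config.php` (`DISALLOW_FILE_EDIT` and `FORCE_SSL_ADMIN` are real WordPress constants), and administrator accounts that should be trimmed. The "latest version" table and the user list are constructed for the example; on a real site you would take them from the WordPress.org update API and the `wp_users`/`wp_usermeta` tables (or WP-CLI) instead.

```python
"""Offline audit of a WordPress install against a basic maintenance checklist (example code)."""
import os
import re
import tempfile

# Constructed table of "latest known versions" for the two hypothetical plugins
# used below; a real audit would query the WordPress.org plugin API instead.
LATEST_VERSIONS = {"example-forms": "2.1.0", "example-seo": "5.0.3"}

# Constructed user list of (login, role) pairs standing in for wp_users/wp_usermeta.
SAMPLE_USERS = [("admin", "administrator"), ("desiree", "editor"),
                ("ops1", "administrator"), ("ops2", "administrator")]
SAMPLE_ACTIVE = {"example-forms"}  # stands in for the active_plugins option

# Matches the 'Plugin Name:' and 'Version:' lines of a plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN")


def parse_plugin_header(path):
    """Return the header fields of a plugin's main PHP file as a dict."""
    with open(path, encoding="utf-8") as fh:
        head = fh.read(8192)  # WordPress itself only inspects the first 8 KiB
    return dict(HEADER_RE.findall(head))


def version_tuple(version):
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_plugins(wp_root, active_slugs, latest=LATEST_VERSIONS):
    """Flag plugins that are outdated (update them) or inactive (delete them)."""
    findings = []
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    for slug in sorted(os.listdir(plugins_dir)):
        main_file = os.path.join(plugins_dir, slug, slug + ".php")
        if not os.path.isfile(main_file):
            continue
        installed = parse_plugin_header(main_file).get("Version", "0")
        if slug not in active_slugs:
            findings.append(("inactive", slug, "installed but not active; remove it"))
        if slug in latest and version_tuple(installed) < version_tuple(latest[slug]):
            findings.append(("outdated", slug, f"{installed} < {latest[slug]}"))
    return findings


def audit_wp_config(wp_root):
    """Report hardening constants that wp-config.php does not define as true."""
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as fh:
        config = fh.read()
    findings = []
    for name in HARDENING_CONSTANTS:
        pattern = rf"define\(\s*['\"]{name}['\"]\s*,\s*true\s*\)"
        if not re.search(pattern, config, re.IGNORECASE):
            findings.append(("config", name, "not defined as true in wp-config.php"))
    return findings


def audit_admins(users, max_admins=2):
    """Flag the default 'admin' login and more administrators than the site needs."""
    findings = []
    admins = [login for login, role in users if role == "administrator"]
    if "admin" in admins:
        findings.append(("users", "admin", "default administrator username in use"))
    if len(admins) > max_admins:
        findings.append(("users", ",".join(admins),
                         f"{len(admins)} administrators, limit is {max_admins}"))
    return findings


def run_audit(wp_root, active_slugs, users):
    """Run every check and return the combined list of (category, subject, detail)."""
    return audit_plugins(wp_root, active_slugs) + audit_wp_config(wp_root) + audit_admins(users)


def build_sample_site():
    """Create a constructed, minimal WordPress tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\ndefine('FORCE_SSL_ADMIN', true);\n")  # DISALLOW_FILE_EDIT left out on purpose
    for slug, version in {"example-forms": "2.0.4", "example-seo": "5.0.3"}.items():
        plugin_dir = os.path.join(root, "wp-content", "plugins", slug)
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {version}\n*/\n")
    return root


if __name__ == "__main__":
    for category, subject, detail in run_audit(build_sample_site(), SAMPLE_ACTIVE, SAMPLE_USERS):
        print(f"[{category}] {subject}: {detail}")
```

Run as-is, the audit reports one outdated plugin, one inactive plugin, the missing `DISALLOW_FILE_EDIT` constant, the default `admin` login, and three administrators where two were allowed. Point `run_audit` at a real document root and feed it the site's active-plugin list and user roles to get the same report for a live install.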

The security of a WordPress site can be compromised from multiple directions. Some aspects of your site’s security may rest in the hands of the WordPress core team, your hosting provider, and the creators of the themes and plugins you install on your site. But site owners and administrators are the ultimate guardians of their WordPress sites—and that depends on making wise choices in managing your site and dealing with other members of the WordPress ecosystem.

Desiree Johnson | Content Specialist
Desiree Johnson is a Content Specialist at Bluehost where she writes helpful guides and articles, teaches webinars and assists with other marketing and WordPress community work.
