Cybersecurity is a hot topic these days, as it should be: 30,000 new websites are successfully hacked every day, and spending to protect against online threats is in the hundreds of billions. And no website is immune — these attacks affect individuals, small businesses, and giant corporations alike.
Websites that use WordPress as their CMS are a favorite target for hackers. In 2019, 94% of successful cyberattacks against CMS-powered websites targeted WordPress sites. Even allowing for WordPress’ 60% share of the CMS market, nine out of 10 attacks is still a disproportionately high share.
These stats might make you question whether using WordPress as your CMS is a good idea. You might wonder, is WordPress actually safe to use?
In short, yes. But I want to dig a bit deeper into this question, so you can understand what makes WordPress vulnerable to security problems, how to avoid them, and ultimately feel more confident about your CMS choice.
Is WordPress secure?
WordPress is secure, as long as publishers take website security seriously and follow best practices. Best practices include using safe plugins and themes, keeping responsible login procedures, using security plugins to monitor your site, and updating regularly.
Let’s break down a WordPress website’s security into its main components: WordPress core (the source files that control basic WordPress functionality), plugins, and themes. Doing this will help us understand WordPress safety as a whole.
Is WordPress Core Secure?
Short answer: Yes, WordPress core is safe when kept updated to the latest version. But there are additional steps users can take to harden WordPress core on their website.
Longer answer: Unlike themes and plugins, there’s only one WordPress core, and it’s maintained by a world-class security team. WordPress stays on top of vulnerabilities in its software and releases security updates to patch the core files. Whenever WordPress releases an update, install it as soon as you can: once a release is out, the issues it fixes are public knowledge, so unpatched sites become the obvious targets.
Also, there are additional measures on your end to keep WordPress functioning at its safest. These include:
- Protecting your login with strong passwords. Additional features like two-factor authentication and plugins to limit login attempts and add captchas are also worth looking into.
- Installing a WordPress security plugin that can scan your site for malware, and running scans of your website on a regular basis.
- Enabling SSL so visitors can securely connect to your site.
- Hosting your website with a secure provider.
For a full list of best practices you can follow to protect WordPress core, see our Ultimate WordPress Security Checklist.
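The first item in the list above (limiting login attempts) is usually handled by a plugin, but it is small enough to show in full. The following must-use plugin is an added example, not code from the original post or from WordPress itself; the attempt limit, lockout window, and every name prefixed `example_` are assumptions you would tune for your own site.

```php
<?php
/*
Plugin Name: Example Login Attempt Limiter
Description: Added example (not from the original post). Locks a client out after
             repeated failed logins. Save as wp-content/mu-plugins/example-login-limiter.php
*/

// Assumed limits: five failures, then a 15-minute lockout for that client.
define('EXAMPLE_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Key the failure counter by client address. Behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy's address, so make sure WordPress sees the real
// client IP before relying on this, or every visitor shares one counter.
function example_login_counter_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'example_login_fail_' . md5($ip);
}

// Priority 30 runs after WordPress's own credential checks (priority 20).
// This matters: a WP_Error returned *before* those checks is ignored when a
// username and password were supplied, so an early hook would not block anything.
add_filter('authenticate', function ($user, $username, $password) {
    $failures = (int) get_transient(example_login_counter_key());
    if ($failures >= EXAMPLE_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// Count each failure. The transient's expiry is the lockout window, and because
// a locked-out attempt also fails, further attempts extend the lockout.
add_action('wp_login_failed', function ($username) {
    $key = example_login_counter_key();
    $failures = (int) get_transient($key);
    set_transient($key, $failures + 1, EXAMPLE_LOCKOUT_SECONDS);
});

// A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_login_counter_key());
}, 10, 2);
```

Transients live in the options table (or the object cache if one is configured), so the counter survives across requests without any schema change; a sliding window keyed per client is enough to turn a password-guessing run into a handful of attempts per quarter hour while leaving normal users unaffected.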
Are WordPress Plugins Secure?
Short answer: Not always. Use only reputable, legitimate plugins, and update them when necessary.
Longer answer: If core files are the heart of WordPress, plugins are…well, basically everything else. They make WordPress infinitely customizable and flexible. The issue is that plugins are made by third parties, and not all are guaranteed to be properly maintained, or even safe in the first place. As a result, plugins are one of the most popular gateways hackers use to enter WordPress-powered websites.
Don’t get me wrong, plugins are necessary for anything beyond the functionality of WordPress core. But, just as you wouldn’t download a sketchy file from a sketchier website, be very careful where you source your plugins. We recommend sticking to the WordPress plugin directory and weighing popularity, maintenance frequency, and user reviews in your plugin choices.
Also, even a reputable plugin is still unsafe if not kept up to date. Install updates for your plugins as soon as possible, and stay informed about what developers are fixing and improving.
Are WordPress Themes Secure?
Short answer: Not always. Use a theme that meets WordPress’ standards, and update it when necessary.
Longer answer: Many themes are made by third parties, and thus not regulated or approved by WordPress. Don’t just install a theme because you like the look, as important as that is. Your theme also needs to meet the WordPress coding standards. To ensure this, choose your theme from the official WordPress theme directory or try one that we recommend. You can also check that the markup of any WordPress site (including your own) is valid by pasting the website URL into W3C’s validator.
Finally, I said it before, I’ll say it again, and I’ll say it once more: Update! Outdated themes are another easy opportunity for unwarranted access to your site’s backend.
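Since the advice for core, plugins, and themes all comes down to "update promptly", here is how to make WordPress do that for you. This is an added example, not configuration from the original post; the constants and filters are WordPress’s own, while the file name `example-auto-updates.php` and the decision to enable every update (rather than only minor releases) are assumptions for this illustration.

```php
<?php
// Added example: two files shown together, not from the original post.

// --- 1. wp-config.php: add above the "That's all, stop editing!" line ---
define('FORCE_SSL_ADMIN', true);      // login and wp-admin only over HTTPS (needs a valid certificate)
define('DISALLOW_FILE_EDIT', true);   // remove the plugin/theme code editor from the dashboard
define('WP_AUTO_UPDATE_CORE', true);  // install major and minor core releases, not just minor ones

// --- 2. wp-content/mu-plugins/example-auto-updates.php ---
// Must-use plugins load on every request and cannot be deactivated from the
// dashboard, so these filters stay in force even if someone disables a plugin.
/*
Plugin Name: Example Auto Updates
*/
add_filter('auto_update_plugin', '__return_true');  // update every installed plugin automatically
add_filter('auto_update_theme', '__return_true');   // update every installed theme automatically
```

Automatic updates only cover plugins and themes that have an update source (the official directories, or a vendor that publishes update metadata); anything installed from a one-off zip file still has to be tracked and updated by hand, which is one more reason to prefer the official directories.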
The Truth About Cybersecurity
One more thing you should know: In an ideal world, knowing the risks and putting the right systems in place would eliminate the chances of being hacked. But being secure is not the same as being immune.
Perfect security is impossible no matter which CMS you decide on, and there will always be risks to hosting content online. The best thing you can do is reduce the risk of attacks. Again, if you take security seriously, you’ll be in great shape. The fact that you questioned WordPress’ security in the first place shows that you probably already do.