Is WordPress a 'Secure' CMS?

Exploring the potential security concerns behind WordPress websites, along with ten actionable tips to securing your version of WordPress.

• WordPress is a secure content management system but it can be vulnerable due to third-party integrations.
• Over half of websites on the internet are built on WordPress making it a popular target for threat actors.
• The basic "core" of WP is secure but black hat coders can find vulnerabilities in plug-ins.

It Comes Up a Lot... Are WordPress Websites Secure?

Short Answer: Yes.
Long Answer: Yes, but it’s nuanced…

Let’s get a quick disclaimer out of the way up front: We’re primarily a WordPress shop over at Skellator. Our own site is built on it. It’s not the only content management system (CMS) we’re fluent in or have managed, but we often recommend it — preferring it for its flexibility, open-source nature, and ease-of-use for client hand-off. This gives customers a comfortable level of control in-house while not feeling hand-cuffed to an agency for small changes (this is an issue some agencies intentionally create — but that’s a rant for another time).

We often get asked some variation of “is WordPress secure?” It’s a fair question, and the answer typically comes with a “yes, but…”. So, let’s dig into that. Based on volume, websites built on WordPress do experience more threat events than other systems, but…

Not All WordPress Sites Are Created or Managed Equally

Over half of the websites on the internet are built on the WordPress framework, spanning organizations massive and small. By nature of being the most adopted content management system, it’s bound to be the most targeted CMS by threat actors. Hackers love the spray-and-pray method, so it makes sense to focus on software that’s running around every corner (that’s just math, yo).

WordPress “core,” the basic out-of-the-box CMS framework, is incredibly secure — being backed by a massive and world-class team of security professionals focused exclusively on WP security. Assuming your web manager is keeping your versions on the latest and greatest, there’s very little native security threat to your WordPress instance, but…

The Double-Edged Sword of Open-Source

WordPress is one of the largest pieces of open-source software on the internet, meaning the core code-base is published for the world to see and contribute to. This makes it incredibly easy to build features and plug-ins, but also makes it easier for blackhat coders to find and expose vulnerabilities. All popular open-source software comes complete with this conundrum, making it critical to stay up-to-date on core versions and updates.

By nature of encouraging open-source innovation through helpful plug-ins and beautiful themes, you’re ultimately only secure as your weakest third-party integration. In fact, virtually all security breaches to WordPress-based websites come through vulnerabilities found in plug-ins, making it critical to properly vet the developers and their release notes before introducing the code to your site.

A wise web manager will only install plug-ins that are compatible and tested with your (latest) version of WP core, preferably ones with a voluminous history of secure installation, and always apply their updates when available. We highly recommend you do this in a staging environment, as updates can occasionally break functionality, and you should test them before deploying to production (if you discover an update that breaks your website, alert the developer and remain vigilant in production to any vulnerabilities).

Here are some best-practice security tips to keeping your WordPress website safe…

10 Tips to Secure Your WordPress Website

1. Keep software up-to-date: Regularly update the WordPress core, plugins, and themes to ensure security vulnerabilities are patched. If you’re running a lean site, even consider performing this automatically whenever updates are available.
2. Encrypt your traffic: Enable SSL so visitors can securely connect to your website, preferably using a hosting provider who takes their own security seriously (we like WPEngine, but there are plenty of great… and not so great… choices).
3. Carefully vet the plug-ins you allow: Only use plugins and themes from trusted sources, and carefully evaluate them before installation. Also be mindful of “tag-along plug-ins” and the integrations that allow them. These are integrations that install additional plug-ins as “dependencies,” which are often not necessary and bloat your load times while introducing potential security threats (lookin’ at you, MonsterInsights).
4. Use a reputable security plugin: Install and configure a reputable security plugin to monitor activity and provide alerts to potentially nefarious activity, such as Wordfence or iThemes Security, to add an extra layer of protection.
5. Limit access to the admin area: Don’t just give every backend user admin access (more common than you think). Consider restricting access using IP blocking or two-factor authentication.
6. Enforce strong passwords: Implement strong and unique passwords for all user accounts, encouraging / enforcing regular updates to credentials.
7. Limit login attempts: Limit the number of login attempts to prevent brute-force attacks, shutting down login access after several failed attempts.
8. Regularly backup your website: Take regular point-in-time snapshots of your website enabling you to restore it quickly in the event of a security breach.
9. Disable non-admin file editing: Disable the file editor in the WordPress dashboard to prevent unauthorized code changes by users with non-admin access.
10. Stay vigilant and check your dashboard often: If you aren’t allowing auto-updating of core / plug-ins (plenty of reasons for this), make it a habit to check-in regularly, weekly at a minimum, to view and test updates that need deployed.

In a nutshell, a WordPress website is as secure as you build and maintain it. The people screaming about security issues aren’t technically wrong, but they’re also not painting a complete picture. Keeping the core framework and all properly-vetted plug-ins up to date, as well as following the tips above, will keep you as reasonably free from threats as any other CMS.

The type of customers who ask us this question are usually the type who take security seriously in the first place… and we’re confident if it’s top-of-mind, you can also feel confident in your WordPress build remaining secure.