Exploring the potential security concerns behind WordPress websites, along with ten actionable tips to securing your version of WordPress. WordPress is a secure content management system but it can be vulnerable due to third-party integrations. Over half of websites on the internet are built on WordPress making it a popular target for threat actors. The basic "core" of WP is secure but black hat coders can find vulnerabilities in plug-ins. It Comes Up a Lot... Are WordPress Websites Secure? : Yes. : Yes, but it’s nuanced… Short Answer Long Answer Let’s get a quick disclaimer out of the way up front: We’re primarily a WordPress shop over at Skellator. Our own site is built on it. It’s not the only content management system (CMS) we’re fluent in or have managed, but we often recommend it — preferring it for its flexibility, open-source nature, and ease-of-use for client hand-off. This gives customers a comfortable level of control in-house while not feeling hand-cuffed to an agency for small changes (this is an issue some agencies intentionally create — but that’s a rant for another time). We often get asked some variation of “ ” It’s a fair question, and the answer typically comes with a “yes, but…”. So, let’s dig into that. Based on volume, websites built on WordPress experience more threat events than other systems, is WordPress secure? do but… Not All WordPress Sites Are Created or Managed Equally Over are built on the WordPress framework, spanning organizations massive and small. By nature of being the most adopted content management system, it’s bound to be the most targeted CMS by threat actors. Hackers love the spray-and-pray method, so it makes sense to focus on software that’s running around every corner (that’s just math, yo). half of the websites on the internet WordPress “core,” the basic out-of-the-box CMS framework, is incredibly secure — being backed by a massive and world-class team of security professionals focused exclusively on WP security. Assuming your web manager is keeping your versions on the latest and greatest, there’s very little native security threat to your WordPress instance, but… The Double-Edged Sword of Open-Source WordPress is one of the largest pieces of open-source software on the internet, meaning the core code-base is published for the world to see and contribute to. This makes it incredibly easy to build features and plug-ins, but also makes it easier for blackhat coders to find and expose vulnerabilities. All popular open-source software comes complete with this conundrum, making it critical to stay up-to-date on core versions and updates. By nature of encouraging open-source innovation through helpful plug-ins and beautiful themes, you’re ultimately only secure as your weakest third-party integration. In fact, virtually all security breaches to WordPress-based websites come through vulnerabilities found in plug-ins, making it critical to properly vet the developers and their release notes before introducing the code to your site. A wise web manager will only install plug-ins that are compatible and tested with your (latest) version of WP core, preferably ones with a voluminous history of secure installation, and always apply their updates when available. We highly recommend you do this in a staging environment, as updates can occasionally break functionality, and you should test them before deploying to production (if you discover an update that breaks your website, alert the developer and remain vigilant in production to any vulnerabilities). Here are some best-practice security tips to keeping your WordPress website safe… 10 Tips to Secure Your WordPress Website Regularly update the WordPress core, plugins, and themes to ensure security vulnerabilities are patched. If you’re running a lean site, even consider performing this automatically whenever updates are available. Keep software up-to-date: Enable SSL so visitors can securely connect to your website, preferably using a hosting provider who takes their own security seriously (we like WPEngine, but there are plenty of great… and not so great… choices). Encrypt your traffic: Only use plugins and themes from trusted sources, and carefully evaluate them before installation. Also be mindful of “tag-along plug-ins” and the integrations that allow them. These are integrations that install additional plug-ins as “dependencies,” which are often not necessary and bloat your load times while introducing potential security threats (lookin’ at you, MonsterInsights). Carefully vet the plug-ins you allow: Install and configure a reputable security plugin to monitor activity and provide alerts to potentially nefarious activity, such as Wordfence or iThemes Security, to add an extra layer of protection. Use a reputable security plugin: Don’t just give every backend user admin access (more common than you think). Consider restricting access using IP blocking or two-factor authentication. Limit access to the admin area: Implement strong and unique passwords for all user accounts, encouraging / enforcing regular updates to credentials. Enforce strong passwords: Limit the number of login attempts to prevent brute-force attacks, shutting down login access after several failed attempts. Limit login attempts: Take regular point-in-time snapshots of your website enabling you to restore it quickly in the event of a security breach. Regularly backup your website: Disable the file editor in the WordPress dashboard to prevent unauthorized code changes by users with non-admin access. Disable non-admin file editing: If you aren’t allowing auto-updating of core / plug-ins (plenty of reasons for this), make it a habit to check-in regularly, weekly at a minimum, to view and test updates that need deployed. Stay vigilant and check your dashboard often: In a nutshell, a WordPress website is as secure as you build and maintain it. The people screaming about security issues aren’t technically , but they’re also not painting a complete picture. Keeping the core framework and all properly-vetted plug-ins up to date, as well as following the tips above, will keep you as reasonably free from threats as any other CMS. wrong The type of customers who ask us this question are usually the type who take security seriously in the first place… and we’re confident if it’s top-of-mind, you can also feel confident in your WordPress build remaining secure. Also published . here

The writer has or has previously had a business relationship with companies mentioned in this article.

Death to the "Demo" CTA!

Design and Dev for Tech Brands

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

Is WordPress a 'Secure' CMS?

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Death to the "Demo" CTA!

10 Open-source Headless CMS to Supercharge Your Development in 2022

10 Best Practices for WordPress Plugin Development

3 Evolutions of CMS (Traditional 👉 Headless 👉 Serverless)

Hacker Noon Product Update 2019-2020

Death to the "Demo" CTA!

10 Open-source Headless CMS to Supercharge Your Development in 2022

10 Best Practices for WordPress Plugin Development

3 Evolutions of CMS (Traditional 👉 Headless 👉 Serverless)

Hacker Noon Product Update 2019-2020

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps