Is WordPress Secure?

One of the most common questions about WordPress is, "Is it secure?" Many get the impression that it's not, mostly from reading scare-tactic headlines. Let's look at the facts and answer the question, "Is WordPress secure?"


WordPress attracts more hacking attempts than other platforms because of its popularity. It powers about 23% of all websites, and about 60% of websites with CMSs (content management systems). Because of its market share, it's a target, similar to Windows.

Because of its market share, news sites love to make a big deal when vulnerabilities are discovered. Thus, people tend to hear more about WordPress vulnerabilities than vulnerabilities in other platforms.

WordPress core

WordPress core is the set of files that makes up the WordPress software. This is the base of WordPress, to which you add plugins and themes. WordPress core has a good security record over the past few years. When vulnerabilities are found, they're patched quickly. According to Secunia, WordPress 4.x (the current major version starting September 4, 2014) has no unpatched advisories.

Plugins and themes

It's one of WordPress' strengths that anyone can write plugins and themes, but unfortunately not all developers are security-conscious or maintain their code over time. That means that many security issues are the result of vulnerabilities in third-party plugins and themes. In November 2014 WP White Security analyzed the WPScan Vulnerability database to determine that WordPress plugins accounted for 54% of the global WordPress vulnerabilities count (2,407). WordPress themes accounted for 14.3%.

The WordPress Security Whitepaper says,

Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities.


WordPress sites can be compromised through the host they're running on. The WordPress Security Whitepaper says,

Though WordPress core software provides many provisions for operating a secure web application … the configuration of the operating system and the underlying web server hosting the software is equally important to keep the WordPress applications secure.

WordPress Security Team

There's a WordPress Security Team that monitors and responds to security threats to WordPress core, as well as plugins and themes hosted on The WordPress Security Whitepaper says,

The WordPress Security Team is made up of approximately 25 experts including lead developers and security researchers … The team consults with well-known and trusted security researchers and hosting companies.

User behavior

As is generally true with software, many security vulnerabilities are due to humans, not the software itself. This applies to WordPress too. In their post Is WordPress Secure?, WP White Security says,

WordPress users do not keep their WordPress, WordPress plugins and themes up to date. … Therefore the problem is not WordPress as such, or the plugins, but most of the users.

In research conducted in September 2013, WP White Security found that of 40,000+ WordPress sites in the Alexa Top 1 Million, more than 70% were potentially vulnerable to hacker attacks because they were running outdated versions of WordPress core. They simply hadn't bothered to update. And that's just looking at core; who knows how many vulnerabilities may have been in the outdated plugins and themes on those sites!

As of WordPress 3.7, WordPress supports automatic background updates of core. However, not everyone has this enabled, and by default, it's only for core; plugins and themes still need to be manually updated.
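As an added example (not code from the original post), here is a must-use plugin that opts plugins and themes in to the same background updater that core uses, and warns administrators when a `wp-config.php` constant has switched the updater off. The file location `wp-content/mu-plugins/auto-updates.php`, the `example_` function names and the held-back plugin slug are assumptions for illustration.

```php
<?php
/**
 * Added example, not part of the original post.
 * Assumed location: wp-content/mu-plugins/auto-updates.php
 */

// Do nothing if the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Core: keep minor (maintenance/security) releases on and opt in to major releases.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins are not auto-updated by default. Opt in, but hold back named slugs
// that need a manual test first ('example-shop-plugin' is hypothetical).
function example_auto_update_plugin( $update, $item ) {
	$held_back = array( 'example-shop-plugin' );
	if ( isset( $item->slug ) && in_array( $item->slug, $held_back, true ) ) {
		return false;
	}
	return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes are not auto-updated by default either.
add_filter( 'auto_update_theme', '__return_true' );

// The filters above have no effect if wp-config.php disables the updater,
// so surface that state to users who are allowed to update core.
function example_updates_blocked_notice() {
	if ( ! current_user_can( 'update_core' ) ) {
		return;
	}
	$blocked = ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
		|| ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS );
	if ( $blocked ) {
		$message = 'Automatic background updates are disabled in wp-config.php.';
		echo '<div class="notice notice-warning"><p>' . esc_html( $message ) . '</p></div>';
	}
}
add_action( 'admin_notices', 'example_updates_blocked_notice' );
```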

Conclusion: WordPress core is secure

Security need not be a reason for deciding against WordPress. We've seen that WordPress core is considered secure, but that there may be vulnerabilities in third-party plugins and themes, and in hosting. So, you want to make sure that your site is both developed and maintained by a company that understands WordPress.

WordPress security is one reason we offer our WordPress Maintenance Service, the easiest way to keep your site updated, backed up, and secure. Contact us to have your WordPress site maintained!


Featured image by David Goehring
