One of the most common questions about WordPress is, "is it secure?" Many get the impression that it's not, mostly from reading scare-tactic headlines. Let's look at the facts, and answer the question, "is WordPress secure?"
WordPress attracts more hacking attempts than other platforms because of its popularity. It powers about 23% of all websites, and about 60% of websites built on a CMS (content management system). With that market share it's a target for the same reason Windows is: attackers go where the users are.
Because of its market share, news sites love to make a big deal when vulnerabilities are discovered. Thus, people tend to hear more about WordPress vulnerabilities than vulnerabilities in other platforms.
WordPress core is the set of files that makes up the WordPress software itself. It is the base to which you add plugins and themes. WordPress core has had a good security record over the past few years: when vulnerabilities are found, they're patched quickly. According to Secunia, WordPress 4.x (the current major version, first released September 4, 2014) has no unpatched advisories.
It's one of WordPress' strengths that anyone can write plugins and themes, but unfortunately not all developers are security-conscious or maintain their code over time. As a result, many security issues are the result of vulnerabilities in third-party plugins and themes rather than in core. In November 2014 WP White Security analyzed the WPScan Vulnerability Database and found that, of the 2,407 WordPress vulnerabilities recorded there, 54% were in plugins and a further 14.3% were in themes.
The WordPress Security Whitepaper says,
Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities.
WordPress sites can be compromised through the host they're running on. The WordPress Security Whitepaper says,
Though WordPress core software provides many provisions for operating a secure web application … the configuration of the operating system and the underlying web server hosting the software is equally important to keep the WordPress applications secure.
There's a WordPress Security Team that monitors and responds to security threats to WordPress core, as well as plugins and themes hosted on WordPress.org. The WordPress Security Whitepaper says,
The WordPress Security Team is made up of approximately 25 experts including lead developers and security researchers … The team consults with well-known and trusted security researchers and hosting companies.
As is generally true with software, many security incidents are due to how the software is operated, not to flaws in the software itself. This applies to WordPress too. In their post Is WordPress Secure?, WP White Security says,
WordPress users do not keep their WordPress, WordPress plugins and themes up to date. … Therefore the problem is not WordPress as such, or the plugins, but most of the users.
In research conducted in September 2013, WP White Security found that of the 40,000+ WordPress sites in the Alexa Top 1 Million, more than 70% were running outdated versions of WordPress core, and so were potentially vulnerable to attacks against already-fixed bugs. They simply hadn't updated. And that's just looking at core; who knows how many vulnerabilities may have been in the outdated plugins and themes on those sites!
As of WordPress 3.7, WordPress supports automatic background updates of core. By default, though, only minor releases (security and maintenance updates) are applied automatically; major core releases, plugins and themes still need to be updated manually unless the site owner explicitly opts in, and some hosts and site owners switch the background updater off altogether.
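To make the last two paragraphs concrete, here is an added example (not code from the original post, and not part of WordPress itself) of a must-use plugin that opts a site into background updates for major core releases, themes and plugins, using the constants and filter hooks WordPress has shipped since 3.7. The plugin slug in the staging list is a made-up placeholder; everything else is a real core API.

```php
<?php
/**
 * Plugin Name: Auto-update policy
 * Description: Added example (not part of the original post): opt a site into
 *              background updates for major core releases, themes and plugins.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Requires WordPress 3.7+.
 * All constants and filter hooks below are real WordPress core APIs; the plugin
 * slug in $stage_first is a hypothetical placeholder.
 */

// Core. Since 3.7 the default is 'minor': security and maintenance releases only.
// Define WP_AUTO_UPDATE_CORE in wp-config.php where possible; this fallback only
// applies if wp-config.php has not already set it. true = all releases,
// 'minor' = the default, false = no automatic core updates at all.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}
// The filter is applied after the constant is read, so state the policy explicitly.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes: update everything installed, in the background.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: update everything except a short list you prefer to test on staging
// first. $item is the update object from the WordPress.org API; $item->slug is
// the plugin's directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $stage_first = array( 'hypothetical-payment-gateway' ); // placeholder slug
    if ( isset( $item->slug ) && in_array( $item->slug, $stage_first, true ) ) {
        return false; // leave this one for a manual, tested update
    }
    return true;
}, 10, 2 );

// Sanity check: either of these wp-config.php constants silently overrides every
// filter above, so surface it in the dashboard rather than discovering it after
// a breach.
add_action( 'admin_notices', function () {
    $blocked = ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
            || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS );
    if ( $blocked && current_user_can( 'update_core' ) ) {
        echo '<div class="error"><p>Background updates are switched off by a '
           . 'wp-config.php constant (AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS).</p></div>';
    }
} );
```

Two checks worth making after installing this: background updates run from WP-Cron, so a site whose cron never fires (for example, one with no traffic and no system cron hitting wp-cron.php) will never update; and WordPress only applies background updates when it can write to its own files directly, so on hosts where the web server does not own the WordPress files the updater quietly skips them. Automatic updates are also no substitute for backups, since an update can occasionally break a site.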
Security need not be a reason for deciding against WordPress. We've seen that WordPress core is considered secure, but that there may be vulnerabilities in third-party plugins and themes, and in hosting. So, you want to make sure that your site is both developed and maintained by a company that understands WordPress.
WordPress security is one reason we offer our WordPress Maintenance Service, the easiest way to keep your site updated, backed up, and secure. Contact us to have your WordPress site maintained!
Featured image by David Goehring
Yes, this is a really informative post. I believe that WordPress is secure; what we need to do is keep our WordPress updated, keep our plugins updated, and not install unused plugins. Some hackers steal information through bad plugins. Please also check our article at http://windowswebhostingreview.com/wordpress-hosting-tips-is-your-wordpress-site-being-attacked-by-hackers/.
Some security tips I found on Cloudways, where CTO Pere Hospital talks about some serious issues in WordPress security: http://www.cloudways.com/blog/learn-about-wordpress-security-with-pere-hospital/
As described here: https://www.rosehosting.com/blog/how-to-easily-secure-and-protect-your-wordpress-website/, I think that it is most important to keep your WordPress installation up to date by upgrading whenever a new version comes out.
Yes, one of the most common reasons for WordPress sites being hacked is running outdated software. For more on that subject, check out our post Why update WordPress, plugins, and themes?