WordPress Security: Is WordPress as secure as other CMSes?

Understanding the importance of WordPress Security

WordPress security is an important, timely topic, with good reason. In a 2023 report, it was shown that 45.8% of the internet was powered by WordPress. Its share grows roughly 12% every year. Clearly, while there is a lot of trust for the platform, this also means that security is all the more important.

But is WordPress secure? Clients ask us this all the time, despite the fact that it’s known as one of the most secure Content Management Systems (CMSes) available. And it’s not surprising: there is a lot of misinformation out there.

Take this statistic from Wordfence’s 2023 report: “WPScan recorded 1779 new vulnerabilities across WordPress plugins, themes, and core in the first half of 2022. In 2022, WPScan recorded 1,425 new vulnerabilities across WordPress plugins, themes, and core. This surpassed the number of reported vulnerabilities in all of 2021.”

It might feel natural to read this as a deficiency in WordPress’s security. However, it should be looked at more as the outcome of a growing commitment to security. Security professionals are constantly working alongside the platform’s ecosystem on securing WordPress. It is an ongoing process, and Crucible’s work as an agency is part of that ecosystem. We are constantly working to ensure the security of our clients’ websites.

This guide will show that WordPress is about as secure as any platform that exists. We will answer the question: “Is WordPress secure?” We’ll highlight some common vulnerabilities, and provide some tips for ensuring the security of your site.

Contents

  1. Why WordPress security is so important to site owners
  2. Is WordPress secure?
  3. Common WordPress security threats
  4. Securing WordPress sites
  5. WordPress security plugins
  6. Conclusion


Why WordPress security is so important to site owners

Firstly, we should understand why securing WordPress is so important. Though most of our clients approach us with security squarely on their list of requirements, not all do. There are three main risk factors which clients are concerned about when choosing a CMS:

  • Risk to income. If the client’s site has a transaction function, such as an ecommerce store, then the risk is obvious: downtime directly costs sales, and a compromise of the financial information customers enter can lead to lost earnings. If the site also acts as a lead-generation source, then any outage may also impact new business.
  • Risk to data. Websites collect various types of customer data, varying in sensitivity. All of this is the responsibility of the website owner to manage, and there are consequences for losing this. Particularly since the introduction of GDPR, there can be costly consequences when customer data gets into the wrong hands.
  • Risk to reputation. An organisation’s website is the way that many companies communicate with their audience. Through their website they convey their brand’s values and personality. If the website becomes compromised or goes down entirely, this will cause damage to reputation.

If any of these risks feel relevant to your organisation, it’s very important to consider security in detail during your discovery process with your agency. If you’re looking for a more in-depth guide to help you to cover all bases across your project, it might be worth checking out our guide to running website projects.

Depending on who you are, and your website requirements, security might mean different things. Take our clients in Higher Education, who work in a space where data security is markedly important. For these clients, we have worked to the highest standards of security, because there is often sensitive customer data being processed through the website. Take a look at some of the case studies below:

Is WordPress secure?

The reality is that no CMS is 100% secure. A system which is operated by many users, all over the world, will always have risks. The only secure computer in the world is one which is never turned on!

One thing that makes WordPress different to many other platforms is that it is not centrally-managed by a single security team. It is managed through a network of developers and an ecosystem of plugins. The functionality of a WordPress website is managed completely by the website owners and developers, and security is no different. When Crucible builds and maintains a website, we are responsible for its security.

This can be seen as a risk or as a broad positive. When a platform’s security is centrally-managed, this means that the vulnerabilities it faces affect everyone on the platform. In the past, there have been some key examples. Shopify suffered data losses which compromised the data of its merchants, for example. And a vulnerability in Wix allowed any hacker to take over any website and its content completely.

Keeping WordPress maintained matters: 96% of all vulnerabilities identified in 2022 have since been fully patched. 90% of vulnerabilities on the WordPress platform come from outdated plugins, and 6% from outdated themes. Only around 4% of all identified vulnerabilities result from core functionality, and these are constantly being mitigated by the WordPress team. The fact is that your WordPress site is only as secure as it is well maintained.


Common WordPress Security Threats

Improper site security and maintenance may lead to malware infections. These can compromise sensitive data, or turn the website into a platform for distributing malicious content. Malware can enter the site through outdated plugins or themes, as well as through unauthorised user access.

Other security threats

Some other security threats, not specifically linked to outdated versions of plugins or themes, are:

  • Brute force attacks. These are one of the most prevalent threats to WordPress sites. In these attacks, hackers use automated scripts to repeatedly try different username and password combinations until they gain unauthorised access.
  • Credential stuffing attacks. These exploit previously leaked or stolen login credentials from other websites. Hackers use automated tools to try these credentials on WordPress sites, hoping to find matching combinations.

The outcome of both of these types of attacks would be that someone you don’t know has access to your website. Clearly, the risks of this are huge. In the next section, we will take you through some of the steps you and your web developers can take to secure your WordPress site.


Securing WordPress websites

Below is a checklist for the kinds of things that we ensure in order to keep our WordPress websites as secure as possible. We recommend you do all of these if you aren’t already!

  1. Ensuring Plugins and Themes are up to date. As we have shown, the vast majority of vulnerabilities come from outdated software. With that in mind, we update all of the plugins which are in use on the site, as well as its theme and WordPress version whenever possible.
  2. Strong passwords and two-factor authentication. These will protect against brute force attacks. Make sure that your passwords are strong, of a good length with special characters, numbers, and both lower-case and capitals. Two-factor authentication can be enabled in WordPress, and makes it much harder for brute-force attackers to gain access. You should also regularly change all user passwords for your CMS.
  3. SSL/HTTPS. This encrypts data between the server and the browser, and is configured at server level. As well as protecting that data from being read or altered in transit, it improves your SEO rankings.
  4. Limiting Login Attempts. This stops brute force attacks by limiting the number of times a given computer can attempt to log in to the site within a set period.
  5. Take regular back-ups. In case of data loss, or the site going down, this can help to quickly restore your site. Usually, we have back-ups taken every 24 hours, which can be restored at a moment’s notice.
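The brute force and credential stuffing attacks described under “Other security threats”, and the lockout logic behind “Limiting Login Attempts” in this checklist, can be seen side by side in the following added example. It is not code from the original post or from any plugin; it assumes a site has recorded failed logins (timestamp, client IP, username tried) from WordPress’s wp_login_failed hook, and the events, the 15-minute window and the threshold of 5 are constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login events (timestamp, client IP, username tried), in the shape a
# site could record them from WordPress's wp_login_failed hook. Not real traffic.
CONSTRUCTED_EVENTS = [
    ("2024-05-10T10:00:01", "203.0.113.5", "admin"),      # one account hammered
    ("2024-05-10T10:00:03", "203.0.113.5", "admin"),
    ("2024-05-10T10:00:04", "203.0.113.5", "admin"),
    ("2024-05-10T10:00:06", "203.0.113.5", "admin"),
    ("2024-05-10T10:00:09", "203.0.113.5", "admin"),
    ("2024-05-10T10:05:00", "198.51.100.7", "alice"),     # one try per leaked credential
    ("2024-05-10T10:05:02", "198.51.100.7", "bob"),
    ("2024-05-10T10:05:03", "198.51.100.7", "carol"),
    ("2024-05-10T10:05:05", "198.51.100.7", "dave"),
    ("2024-05-10T10:05:06", "198.51.100.7", "erin"),
    ("2024-05-10T11:00:00", "192.0.2.9", "editor"),       # a real user mistyping twice
    ("2024-05-10T11:00:30", "192.0.2.9", "editor"),
    ("2024-05-10T08:00:00", "192.0.2.44", "admin"),       # 5 failures spread over hours
    ("2024-05-10T09:00:00", "192.0.2.44", "admin"),
    ("2024-05-10T10:00:00", "192.0.2.44", "admin"),
    ("2024-05-10T11:00:00", "192.0.2.44", "admin"),
    ("2024-05-10T12:00:00", "192.0.2.44", "admin"),
]

WINDOW = timedelta(minutes=15)   # lockout window, as a limit-login-attempts plugin would use
THRESHOLD = 5                    # failures within WINDOW from one IP before it is locked out

def classify_failed_logins(events, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: (label, peak_failures, usernames)} for IPs that should be locked out."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Two-pointer sweep: the densest run of failures that fits inside one window.
        peak, start = [], 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 > len(peak):
                peak = attempts[start:end + 1]
        if len(peak) < threshold:
            continue            # slow trickle or an honest typo: no lockout
        users = {u for _, u in peak}
        label = ("brute-force" if len(users) == 1 else           # many passwords, one account
                 "credential-stuffing" if len(users) == len(peak) else "mixed")
        flagged[ip] = (label, len(peak), sorted(users))
    return flagged
```

Note that the slow trickle from 192.0.2.44 is never locked out under a 15-minute window even though it is the same account being targeted, which is why a lockout rule is a complement to, not a substitute for, strong passwords and two-factor authentication.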


WordPress security plugins

WordPress security plugins are hugely beneficial to WordPress developers and site owners. They introduce a range of functionalities, ranging from site scanning to user access.

Wordfence

WordPress security plugins like Wordfence can help to keep your WordPress website secure.

Wordfence offers a comprehensive set of security features. It has a Web Application Firewall (WAF), which prevents malicious traffic getting to the site. Furthermore, it offers real-time malware scanning, so should any infection or vulnerability be found, it will alert you immediately. This will allow your development team to take action promptly. Its login security measures are also powerful, allowing you to enforce two-factor authentication and block brute force attacks.

The drawback to Wordfence is that it lives on the server that hosts the website. This means that it draws on the same resources as your website, and if it has to defend against a DDoS attack then the site may slow down.

Sucuri

Another plugin called Sucuri can help to protect your website.

Sucuri offers many of the same features as Wordfence, but with one key difference. It is a cloud-based system, which means that it is not drawing on the same server resources as your website. This means that it can filter out malicious traffic before it even hits the site. In the case of a DDoS attack, for example, there is no impact on the website or server, because the filtering all takes place in the cloud.

For this reason, Sucuri is understood to be more of an “enterprise” solution. It is more costly, but in instances where clients’ websites are repeatedly the target of attacks, it is also more powerful.

Understanding the right approach for you

There are many security plugins for WordPress available on the market. It’s our job to help you find the right one, based on your specific requirements and context.


Conclusion

In this post, we’ve taken you through some of the reasons people ask whether WordPress is secure. We’ve examined some of the vulnerabilities which occur, and the tactics for securing WordPress.

Staying on top of WordPress security is extremely important. That’s why it’s at the top of the agenda for many of the clients that come to us.

If you want to discuss the security of your site, please get in touch.