WordPress and Security: 5 Questions Answered
If you're running a website, there's a one in two chance that it's built with WordPress. That's according to the latest statistics from BuiltWith, which shows that WordPress is the CMS market leader. WordPress usage is increasing, too, by 7% in the first six months of 2015 alone.
One issue that makes people wary of WordPress is concern about security. After all, hackers are attacking websites at the rate of 30,000 a day and WordPress has suffered its share of threats. However, developers are constantly making the software better in everyway - especially when it comes to security. Here are 5 big questions we typically hear about WordPress security - and our answers to them.
1. Should I Worry About WordPress Security?
As long as you put protections in place to keep your WordPress installation secure, we believe that you do not need to fret about the security of your WordPress site. When it's setup correctly, WordPress is just as secure as any other website platform, which is why several banks (and we all know how security-conscious they are) use the CMS to run their sites.
Here's WordPress developer Matt Mullenweg 's take on it:
"WordPress is … trusted to run sites for some of the largest and most security-conscious organizations in the world, including Facebook, SAP, Glenn Greenwald's The Intercept, eBay, McAfee, Sophos, GNOME, Mozilla, MIT, Reuters, CNN, Google Ventures, NASA, and literally hundreds more."
2. How Do I Keep WordPress Secure?
One of the most important actions you can take is to keep your software up to date. If you're a regular WordPress user, it's easy to moan and groan because regular core software updates mean you're constantly checking that themes and plugins are still working, but these updates are one of your best protections.
The WordPress community keeps on top of security threats and developers are always improving the core software. As soon as a new security threat comes to light, it can be patched within days (sometimes within hours), locking the hackers out. And since version 3.7 WordPress has included automatic updates to core files, which means you no longer have to remember to install an update.
3. Where is WordPress Most Vulnerable?
One of the greatest strengths of WordPress as a CMS is also the factor that makes it most vulnerable: the ability to customize and extend the platform via themes and plugins. According to WP White Security 29% of WordPress hacks happen via themes and 22% occur because of plugins. How is this possible? With such a large community of developers, it's impossible to guarantee that every single plugin and theme is coded to the highest standards, and some may have vulnerabilities built in.
For example, at one time the TimThumb code which was used by many themes and plugins to handle image resizing was proven to have many areas that hackers could exploit. Current versions of the script are said to be safe to use.
4. How Can I Protect My Site?
If you want to ensure your site is ultra-protected, follow these helpful best-practices:
- Only install themes from trusted sources. Consider using premium themes. These may be more expensive, but they are usually well coded and less vulnerable.
- Or, use a website developer to create a custom theme. The less unnecessary code there is, the less there is for hackers to exploit.
- Limit the number of plugins you install. This is also good for site speed.
- Only install plugins from trusted sources. Check that they have been updated recently and that they work with the latest version of WordPress. This information is available on every plugin page on the WordPress.org site.
- Ask your website developer to recommend plugins you can use. Since developers work with hundreds of sites, they will know the best ones. Adept has included a list of recommended plugins in its white paper on WordPress security, available for download here.
5. What Should I Consider with Hosting?
The WordPress White Security paper cited above shows that 41% of WordPress hacks happen because of the hosting environment. It points out that:
"the configuration of the operating system and the underlying web server hosting the software [are] equally important to keep the WordPress applications secure."
You don't always have control over the hosting environment, especially if you're using shared hosting, but you can still take measures to guard against security vulnerabilities. Using a host who's an expert in WordPress is a good start.
In addition, check that your web host is actively protecting your site with malware scans and firewalls, and look after security yourself by using a WordPress security plugin that will:
- identify and protect your site against brute force attacks
- backup your site for quick recovery if you need it
- ensure that you use strong passwords (weak passwords are responsible for 8% of hacks)
The Adept team recommends iThemes Security Pro, which includes all these protections and tons more.
With the right approach to security, you can use WordPress as your CMS with complete peace of mind. To learn more, and get actionable tips and advice on securing WordPress, download Adept's white paper on WordPress security: WordPress - A Powerful, Flexible and Secure CMS.