Is WordPress really secure? Here’s all you need to know!

Preview image

WordPress is the most common way of building a website, as well as the most popular CMS (Content Management System) used today for Blogs and Websites worldwide. Hence, the common questions between all users: Is WordPress really secure? Here’s all you need to know!

Seeing that WordPress supports 60% of all CMS websites and 31% of all websites on the Internet, it became a frequent target of security exploits for cyber criminals such as hackers and spammers.

So how safe is it now?

You probably already heard that a substantial number of WordPress sites and e-Commerce sites get hacked every now and then… This fact causes users to worry about whether a WordPress website is a secure and safe platform to host their business and personal sites.

Feeling reluctant already? Well, you won’t be this disinclined once you hear what we have to say here: you might think that latest WordPress core software is the reason behind the vulnerability and security issues that are affecting your site, but this is far from the truth, WordPress website hacks frequently take place for a couple of reasons that can be easily prevented, and fixed very quickly, like keeping your website updated, creating strong passwords, etc. 

That is why the question “Is WordPress” secure requires a subtle approach. 

Today, we’ll show you how you can find and fix common WordPress vulnerabilities on your website by going through various angles:

  • Understand where the security vulnerabilities are though statistics on how WordPress sites actually get hacked 
  • Know the roles and responsibilities of securing to comprehend how the WordPress core team addresses security issues
  • Find out if WordPress is secure when you follow best practices, in order to guarantee the safety of your website

How are WordPress websites being hacked? (According to the Data)

Now that you are aware that many WordPress sites are hacked every year, you ask yourself many questions: How did it happen? Is it a global WordPress concern or is it a result of the webmaster’s actions?

Here is a list of reasons describing why most WordPress sites get hacked, according to the data that we have gathered:

  1. Outdated Core Software

This is a logical connection from Sucuri’s 2017 Hacked Website Report. After checking all the hacked WordPress sites, Sucuri stated that 39.3% were using out-of-date WordPress core software at the time of the incident.

Is WordPress really secure? Here’s all you need to know!, Is WordPress really secure? Here’s all you need to know!

Now you can instantly perceive a direct relationship between getting hacked and using outdated software. However, this is definitely an improvement compared to their 61% hacked websites report from 2016

According to the WPScan Vulnerability Database, 74% of the known vulnerabilities they monitored came were in the WordPress core software. 

But here’s the catch: the versions with the highest vulnerabilities are all way back in WordPress 3.X:

Is WordPress really secure? Here’s all you need to know!, Is WordPress really secure? Here’s all you need to know!

Unfortunately, only 62% of WordPress sites are running the latest version, which is why many sites still have cracks in their armor when facing those exploits:

Is WordPress really secure? Here’s all you need to know!, Is WordPress really secure? Here’s all you need to know!

Once again, you can clearly see the connection with the major WordPress REST API vulnerability from February 2017 where hundreds of thousands of sites were damaged.

The WordPress 4.7.1 version enclosed many vulnerabilities that were ultimately used to deface those sites. However, WordPress 4.7.2 was released to fix all of those vulnerabilities …

All the WordPress site owners who were quick in updating their version to WordPress 4.7.2, and therefore didn’t ignore the importance of automatic security reinforcements, were in the clear. But those who didn’t were not.

In conclusion: The WordPress Security Team is great at fixing issues in the WordPress core software in a fast way. Should you apply all security updates straightaway, it is highly unlikely that your site faces any issues due to core vulnerabilities. But if you don’t, your site becomes at risk as soon as an exploit gets unleashed.

  1. Outdated plugins or themes

One of the many amazing features of WordPress is its huge library of plugins and themes. With over 56,000 plugins on the WordPress directory, and thousands of additional premium ones scattered across the web, you now have a multitude of options to enhance the functionality of your website.

While these options are great for nourishing and expanding your site, each extension could represent a potential gateway for a malicious actor. And while most WordPress developers tend to follow code standards and updates quite closely, there are still a few potential issues:

A plugin or theme has a vulnerability, and that vulnerability could go undetected because it isn’t closely monitored as the WordPress core software.

The developer stops working on the extension, but people use it still.

The developer fixes the issue quickly, but people don’t update.

So how serious is the issue?

According to a survey by Wordfence regarding hacked website owners, over 60% of the website owners who figured out how the attacker compromised their website attributed their answer to a plugin or theme vulnerability.

Is WordPress really secure? Here’s all you need to know!, Is WordPress really secure? Here’s all you need to know!

On that note, Sucuri’s 2016 report also shows that 3 plugins alone were accounted for over 15% of the hacked websites they checked.

Is WordPress really secure? Here’s all you need to know!, Is WordPress really secure? Here’s all you need to know!

Here’s what happened in this scenario:

The vulnerabilities in those plugins had been fixed a long time ago, but the site owners just hadn’t updated those plugins to protect their site.

Conclusion: WordPress plugins and themes introduce a wildcard and might even compromise your site’s security.

However, the majority of this risk can be mitigated if you follow the best practices, keep your extensions updated, and install extensions from reliable sources only.

We also have to look into the GPL clubs you might see floating around the internet, allowing you to get any premium WordPress plugin or theme for just a couple of dollars. Although WordPress happens to be licensed under GPL, which is great, beware of these plugins, frequently referred to as “nulled plugins”.

When you buy plugins from GPL clubs, you are trusting a third-party to grab the latest updates from the developer, and you won’t be getting support most of the time.

That is why the safest way remains in getting plugin updates from the developer. After all, we do care about supporting developers and their hard work.

  1. Login vulnerabilities

Since WordPress doesn’t impose the use of strong passwords, it is your responsibility to create hard-to-guess login credentials.

Most of the time, a large percentage of hacks take place after dark actors of the web steal the WordPress login credentials or the login credentials for webmaster’s hosting or FTP accounts.

The Wordfence survey mentioned earlier, also states that brute force attacks accounted for 16% of hacked sites with password theft, phishing, workstation, and FTP accounts, all making a minimal, but obvious appearance.

Once a malicious attacker gets hold of the metaphorical key to unlock your front door, it wouldn’t matter how secure your WordPress site is anymore.

WordPress actually lowers the gravity of the situation substantially by automatically generating secure passwords, but it is the user’s responsibility to keep those passwords safe while using good strength passwords for hosting and FTP.

Conclusion: Taking simple steps to fortify your account with strong credentials can help you decrease threat potentials and prevent malicious hacks. Always use strong passwords for all WordPress accounts and limit login attempts to harden your WordPress security and avoid brute force attacks.

Add two-factor authentication(2FA) or two-step verification for hosting accounts, and never store your FTP password in plaintext (like some FTP programs do), Since it could potentially be intercepted by anyone sniffing the data.

For file transfer protocols, make sure to use SFTP (SSH File Transfer Protocol), instead of FTP. If your host only uses FTP, we advise you to inquire about SFTP support or simply switch to a host that supports SFTP. This ensures that no clear text passwords or file data are transferred, thanks to a private and safe data stream. 

  1. Supply chain attacks 

Lately, a recent emerging threat known as supply chain attacks, allows criminal cyber actors to exploit a trusted relationship between software vendors or authors and their customers, by infecting their websites through the following tactics: 

  • Purchase a previously high-quality plugin listed on WordPress.org
  • Add a backdoor into the plugin’s code
  • Wait for people to update their plugin and inject the backdoor afterward

If you want to know more, about this issue, you can check Wordfence for further details. While these forms of attacks are not very common, it becomes difficult to avoid them, since they are the consequences of an action you should be doing, like keeping a plugin updated.

Nevertheless, the WordPress.org team identifies these issues most of the time and addresses the threat quickly by removing the plugin from the WordPress directory.

Conclusion: While WordPress remains an attractive target for supply chain attacks, updating to the latest version is always recommended. Security plugins such as Wordfence can always help you to keep your eyes open and look out for the bad guys: They can alert you when a plugin is removed from WordPress.org, so that you address it quickly. Furthermore, a good backup plan can also allow you to roll back without any permanent damage.

  1. Poor hosting environment and outdated technology

Apart from the activity on your WordPress site, your hosting environment and the technologies that you use have an influence as well. For instance, a large portion of WordPress sites have fallen behind when it comes to supporting the latest PHP versions: only 33% are using PHP 7 or higher versions, despite the fact that they offer many security enhancements. 

Is WordPress really secure? Here’s all you need to know!, Is WordPress really secure? Here’s all you need to know!

PHP 5.6’s security is no longer being supported since the end of 2018. Moreover, earlier versions of PHP 5 haven’t even had security support for years.

In other words, using PHP 5.6 or any earlier version would expose you to the potential of unpatched PHP security vulnerabilities.

Despite this, an alarming 28% of WordPress websites are still using PHP versions under 5.6, which is a massive concern after the huge number of uncovered PHP vulnerabilities that have been revealed over the past few years.

Apart from granting you access to the latest technologies; implementing secure WordPress hosting can also automatically help you mitigate plenty of the other possible security vulnerabilities via:

  • Web application firewalls
  • Automatic updates for security releases
  • Two-factor authentication
  • Automatic backups

Conclusion: Using a secure hosting environment accompanied by recent versions of significant technologies like PHP will help you preserve the safety of your WordPress site.

So, who is responsible for keeping WordPress secure?

Now you ask yourself, who is mostly responsible for managing and combating all these issues?

Officially, this responsibility lies with the WordPress Security Team, nonetheless, individual developers and contributors from around the world also happen to play a big role in keeping WordPress secure.

The WordPress Security Team consists of “50 experts including lead developers and security researchers”, who also consult with security researchers and hosting companies. About 50% of these experts work at Automattic, while others work in web security. 

If you wish to take a closer look at the work of the WordPress Security Team, you can always check Aaron D. Campbell’s presentation from WordCamp Europe 2017.

In short, this is what the WordPress Security Team generally does:

  • Detect and patche bugs and potential issues using, partially, tools like HackerOne’s bug bounties 
  • Consult on all WordPress core releases

The WordPress Security Team believes in responsible disclosure, by immediately disclosing the issue of any potential vulnerabilities, after patching the bug and releasing the security fix. This is partially the reason why a lot of sites were defaced in 2017:  despite the fact that the security team had publicly disclosed the bug, they still hadn’t applied the update…

However, the WordPress Security Team does not check all the themes and plugins at WordPress.org, these are manually reviewed by volunteers. On the flipside, these reviews are not “a guarantee that they are free from security vulnerabilities”.

Finally – Will your WordPress site be secure if you follow best practices?

After reading all that have been said in this article, you will notice this general trend:

While no Content Management System (CMS) is totally secure, WordPress is geared with a quality security tool for the core software, and most of the hacks happen when webmasters fail to take website security seriously, by not following best practices.

Keep in mind the below…

  • Keep your core WordPress software, plugins, and themes updated. 
  • Pick your plugins and themes wisely and only install extensions from reliable developers/source. Beware of GPL clubs and nulled plugins/themes.
  • If you have a choice between FTP and SFTP, always go for SFTP.
  • Use strong passwords for WordPress, as well as your hosting and SFTP accounts (and two-factor authentication, if available).
  • Do not use “admin” for your username.
  • Keep your own computer free from viruses.
  • Use a TLS certificate (HTTPS), so all communication with your WordPress site (such as logging into your dashboard) is encrypted. 
  • Utilize SSH keys. This offers a more secure way of logging into a server and eliminates the need for a password.
  • Pick a host with a secure environment and use the latest technologies like PHP 7+.

Is WordPress really secure? Once you apply all of the above steps, WordPress can indeed be secure, and your site should be shielded from future attacks and remain 100% hack-free. Check our services and get in touch with one of our WordPress experts now to help you secure your WordPress.