WordPress is by far the most popular content management system in the world. At the time of writing, it powers almost 36% of the top 10 million websites and has over 63% of the CMS market (W3Techs). With this in mind, is WordPress really secure?
Is WordPress Less Secure Than Other Website Building Software?
WordPress is open source software, which means that it is publicly available for others to modify and share. Every once in a while a client will ask us, “Doesn’t WordPress have a reputation for being hacked?”
The truth is WordPress’ core software itself is very secure. When you’re the most popular guy on the block, you become a target. That is because a successful attack on WordPress will do damage to more websites than an attack on something less popular.
The WordPress security team focuses on keeping WordPress safe. The team assesses potential threats, develops new technologies, identifies bugs and makes fixes.
Does WordPress Get a Bad Rap?
The security challenges that come into play are generally not with the core software. Here are three primary ways hackers get into your site:
- The developer uses a theme or plugin with a vulnerability.
- The site owner does not keep software up-to-date.
- A weak login password is used.
1. Avoid Themes and Plugins with Vulnerabilities
Where to get WordPress themes and why
Themes provide the design, and individual designers and developers create the themes. There are several theme marketplaces, some more reputable than others.
We recommend sourcing themes directly from the WordPress Directory, the official site for WordPress Themes. According to their website, “Every theme in this directory is reviewed by a dedicated team and tested against wide range of rules, all of which are ensuring secure and pleasant experience for theme user.”
If you simply can’t find anything you like in the directory, there are other vendors. Many of the free themes in the official directory have a commercial or ‘pro’ version available with more features and customization options. The most important thing to do when looking outside the official directory is to make sure the theme is being actively developed and supported. Otherwise, any vulnerabilities that are discovered will not be fixed and your site will be at risk.
For more about this subject, read our blog post Choosing a WordPress Theme.
Where to get WordPress plugins and why
Plugins give a website its functionality. Examples of this functionality include event calendars, search engine optimization and contact forms. There are more than 55,000 free WordPress plugins in the WordPress plugin repository, so it’s a fairly safe bet that you will be able to find a plugin that fits your need.
As is true for themes, individual developers create plugins, then sell or give them away. Therefore, developers need to be careful about the source of the plugins they choose.
As with themes, we recommend sourcing plugins from the official WordPress plugin repository. In order for a developer to have their plugin accepted into the repository, they must adhere to very strict coding and security standards. All the plugins offered here are free, although many developers also offer paid versions that provide more powerful features.
2. Keep Software Up-to-Date
Just like the software on your computer, keep the software running your website up to date. Websites are constantly under attack from hackers, whose typical goal is to take control of server resources or to install malware delivery systems. Protect your site and your visitors by keeping the website software updated.
We have had clients come to us with websites where the developer told them not to apply software updates because the site would break. This is never a satisfactory alternative! If your website updates cannot be applied, something is terribly wrong. Having a website and not applying the appropriate updates puts your computers and the computers of anyone visiting your website at risk.
3. Have a Strong Password
A strong password is the first line of defense against hackers. It must be strong, long and unique. Your password should be your secret. Don’t share it.
WordPress is Secure
When we first opened our business in the 2000s, we carefully considered what software we would use to build our websites. We researched and tried several options. We chose WordPress.
In all this time, no website that we built has been hacked. We believe strongly in the underlying core software and the WordPress theme and plugin directories.