
    Is WordPress secure?

    Guide, by Iain Thomson, Project Lead

    It doesn’t matter if you’re running a website that’s little more than a flyer for your market stall or you’re a huge bank or online retailer – security should always be your number one priority. Hackers and bots are always sniffing out vulnerabilities and have a range of goals once they get access.

    It could simply be a way of inserting links to other websites to inflate their authority, but it could also be a way of stealing personal or customer information, destroying your business or blackmailing you into paying cash in return for control of your website.

    WordPress is the backbone of more than 200 million websites, so its security is a key concern. So if you’re looking to set up a WordPress website, you’ll no doubt be asking whether it’s secure. Here’s our take on the subject.

    The bad news

    First of all, there’s the bad news. Because of WordPress’s immense popularity, any vulnerabilities that can be found will affect millions of websites. Those with ill intent know this perfectly well, and are adept at exploiting them.

    One of the draws of WordPress is the number of plugins that are available to install quickly and easily. But again, this can cause issues.

    Plugins themselves can open up vulnerabilities, and not all plugin developers are as diligent as they should be, or as quick to patch risks as they are discovered. Added to this is the possibility that vulnerabilities are there not through negligence but by design – there’s nothing to stop hackers making plugins that look like legitimate tools but which are in fact built to get inside your back end or your database and reach sensitive information.

    The good news

    We hope that the bad news hasn’t scared you off, because the good news is overwhelmingly positive. As with any open source software, as easy as it is for bad actors to seek out exploits, it is also easy for those who care about vulnerabilities for all the right reasons to sniff them out.

    To start, there’s a huge community of experts who dedicate millions of hours to seeking out issues on a voluntary basis. But it’s also worth remembering that WordPress is used by large corporations and government entities who take security very seriously, and devote substantial budgets to maintaining secure websites. In short, there are more of us than there are of them, and 99% of the time, vulnerabilities are detected and patched up when they are still theoretical, and have never actually been exploited in the real world.

    As long as you keep your version of WordPress up to date, you’re going to be one step ahead of the crooks, who thrive on websites running old versions of the platform. Using hosted WordPress.com instead of self-hosted WordPress.org might help if you’re unsure.

    As for plugins, it’s good practice to only use plugins from reputable developers who can be traced and who have a public profile. Look at the number of users of a plugin, which is easily found in the WordPress plugin directory. Also look at the ratings a plugin is given. A secure solution will always have better ratings.

    That’s not to say you should always reject a plugin because it only has 1000 users. It might be a niche plugin, or only recently developed, and if it’s right for you, it’s worth using. Just make sure you do your due diligence. Find out who has made it, what other plugins they are responsible for and whether they feel reputable enough to trust with your security. Seek professional help from a developer or online security expert if you’re in doubt. Alternatively, you can have a bespoke WordPress plugin developed for you, so you have complete oversight.

    And finally, always keep plugins up to date – most updates are security patches rather than performance or utility fixes.
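    The checks above (pending core and plugin updates, how many sites use a plugin, how it is rated, whether its developer is still releasing, and whether it can be traced to the public directory at all) can be run as a routine audit rather than by hand. The script below is an added example and is not code from the post or its author. It assumes the shapes of `wp core check-update --format=json` and `wp plugin list --format=json` from WP-CLI and the `active_installs`, `rating`, `num_ratings` and `last_updated` fields of the wordpress.org plugin-info API; all the sample data is constructed, and the `last_updated` values are written as ISO dates for simplicity (the live API uses its own date string, so a real run would need to parse that format instead). The thresholds are assumptions that a site owner would tune.

```python
"""Triage a WordPress site's core and plugin state against the checks the post recommends.

Added example, not the post's own code. Inputs mirror WP-CLI's JSON output and
the wordpress.org plugin-info API; everything below is constructed sample data.
"""
from datetime import date, timedelta

# Assumed thresholds, not taken from the post except the "only 1000 users" figure.
STALE_DAYS = 365        # no release in a year: the developer may no longer be patching
SMALL_USER_BASE = 1000  # the post's "only 1000 users": a prompt for due diligence, not a rejection
LOW_RATING = 80         # wordpress.org ratings are on a 0-100 scale

# Constructed sample of `wp core check-update --format=json` (one pending minor release).
CORE_UPDATES = [{"version": "6.5.2", "update_type": "minor"}]

# Constructed sample of `wp plugin list --format=json`.
PLUGINS = [
    {"name": "akismet", "status": "active", "update": "available", "version": "5.2", "update_version": "5.3"},
    {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.9.3", "update_version": ""},
    {"name": "nifty-gallery", "status": "active", "update": "none", "version": "1.0.2", "update_version": ""},
    {"name": "old-seo-tool", "status": "inactive", "update": "none", "version": "2.1", "update_version": ""},
    {"name": "custom-client-widget", "status": "active", "update": "none", "version": "0.3", "update_version": ""},
]

# Constructed stand-in for plugin-info API responses, keyed by slug.
# "custom-client-widget" is deliberately absent: a bespoke plugin is not in the directory.
DIRECTORY = {
    "akismet": {"active_installs": 5000000, "rating": 94, "num_ratings": 1000, "last_updated": "2024-04-10"},
    "contact-form-7": {"active_installs": 5000000, "rating": 82, "num_ratings": 2000, "last_updated": "2024-04-01"},
    "nifty-gallery": {"active_installs": 600, "rating": 100, "num_ratings": 3, "last_updated": "2024-03-20"},
    "old-seo-tool": {"active_installs": 20000, "rating": 62, "num_ratings": 150, "last_updated": "2021-08-05"},
}


def assess_core(core_updates):
    """Return one finding per pending core release (empty list means core is current)."""
    return [f"core update {u['version']} ({u['update_type']}) pending" for u in core_updates]


def assess_plugins(plugins, directory, today):
    """Map each installed plugin slug to a list of findings worth a human's attention."""
    findings = {}
    for plugin in plugins:
        issues = []
        # 1. Pending update: the post's main recommendation.
        if plugin.get("update") == "available":
            issues.append(f"update available ({plugin['version']} -> {plugin['update_version']})")

        info = directory.get(plugin["name"])
        if info is None:
            # 2. Not in the public directory: the author must be traced some other way.
            issues.append("not in wordpress.org directory: verify the author and source yourself")
        else:
            # 3. Developer still releasing? Long silence means slow or absent patching.
            last_release = date.fromisoformat(info["last_updated"])
            if today - last_release > timedelta(days=STALE_DAYS):
                issues.append(f"no release since {info['last_updated']}")
            # 4. User base: small is not disqualifying, but calls for due diligence.
            if info["active_installs"] < SMALL_USER_BASE:
                issues.append(f"small user base ({info['active_installs']}): check who the author is")
            # 5. Ratings, as the post suggests.
            if info["rating"] < LOW_RATING:
                issues.append(f"low rating ({info['rating']}/100 from {info['num_ratings']} reviews)")
        findings[plugin["name"]] = issues
    return findings


if __name__ == "__main__":
    for line in assess_core(CORE_UPDATES):
        print(line)
    for slug, issues in assess_plugins(PLUGINS, DIRECTORY, date.today()).items():
        print(slug, "OK" if not issues else "; ".join(issues))
```

    On a real site the two constructed inputs would be replaced by the output of the WP-CLI commands and a request per slug to the plugin-info API; the decision logic stays the same, and a plugin that collects no findings is the one the post describes as reputable, current and widely used.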

    In conclusion

    So is WordPress safe? We’d say 100% yes, as long as you keep it and all your plugins up to date. The benefits greatly exceed the risks.