Is WordPress Secure? The 2020 Analysis
You are starting a new business and want to launch a website and are looking for a robust Content Management System (CMS). Your friend suggests you WordPress as the obvious choice because of the availability of multitude themes and plug-ins and low effort basic installation. But your major concern is security. You ask, Is WordPress Secure?
Related blog – WordPress Security Practices – Step By Step Guide
The following infographic shows the hacking trends and the most compromised CMS.
But, before we get into answering the question of security we need to analyze the WordPress ecosystem. In this article we will talk about:
- What is WordPress made up of?
- Is WordPress secure?
- How WordPress sites get hacked?
- What can you do to make your site more secure?
What is WordPress made up of?
WordPress is made out of three different parts: The core, Plugins and, Themes.
But, whether it is the core, themes or plugins it is the responsibility of the developers to keep their product safe and free from vulnerabilities.
The WordPress Core Team
Given that WordPress powers over 25% of the websites on the internet, millions of eyes are looking for backdoors and vulnerabilities. The WordPress Core team understands this well and has hired a highly efficient security team. They work day and night to keep WordPress safe by implementing the latest security measures, neutralizing probable security threats, identifying bugs and releasing security update patches from time to time.
Themes and Plugins
One of the features that make WordPress the most popular CMS is the availability of a multitude of plugins and themes. While all these options are great for customizing your site, each extension opens a new gateway for a hacker. It is strongly advised to remove any plugin that is not updated regularly, and definitely the ones which are known to be compromised. An apt example of this would be the Yuzo Related Posts, the exploitation of which we saw not many days ago.
Related article- The Yuzo Related Posts Plugin Exploit in WordPress
As a website owner, the biggest burden of security lie on your shoulders. Creating a website and leaving it up for years with no upkeep and updates can make you more prone to attacks.
Also, the constant trade-off between budget and security and reluctance to use paid services when numerous free alternatives are available leaves the websites vulnerable. Monetized and up to date services reduce the risks involved as they have dedicated teams to serve the client’s need.
Returning to the question, Is WordPress Secure?
The answer is both, Yes and No!
The recent exploitation in WordPress plugins validates that WordPress is one of the leading website CMS getting compromised. It is no wonder that the most commonly used CMS is also the most commonly attacked CMS.
The majority of the compromises in WordPress can be attributed to improper deployment, vulnerabilities in extensions, configuration issues, and lack of maintenance by website owners. It should be differentiated here that the core of the CMS application is quite safe in this respect.
How do WordPress sites get hacked?
While the WordPress security Team is doing a great job in keeping the hackers at bay, but the negligence by website owners is putting their sites at risk and opening doors to malicious users
Out-of-date WordPress Core
For WordPress to be secure, it is important to keep the core application up to date. WordPress provides auto-updates in the default configuration, which means that when a security fix is released unless you’ve specifically configured your site to not update automatically, your site will update to the newest security fix.
In the WordPress REST API vulnerability from February 2017, hundreds of thousands of sites were defaced most of which were running an older version of WordPress.
Themes and Plugins
There are both free and paid themes and plugins available for WordPress. Paid services will often have a team behind it that maintains, updates and improves it regularly. Free themes and plugins are developed as hobby and security is not the first priority for such developers. The trade-off between budget and security leaves websites vulnerable. Using paid extendible and keeping them updated is important to minimize the risk of attack.
The WordPress security team is not responsible for updating the plugin but in cases where there is a severe plugin vulnerability, the WordPress security team have the ability to force plugin security updates.
Check out: The most exploited WordPress plug-ins 2018
Window of Vulnerability
The time duration between the discovery of a vulnerability and the deployment of security patch is called the window of vulnerability. To protect yourself during this time, you need a firewall that is being actively maintained by a security team and that includes real-time updates. However, finding the most suitable firewall according to the diverse needs of WordPress can be tricky. Astra can help you in making the right choices.
Compromised Login Credentials
WordPress is only as secure as the amount of effort that goes into it. Brute force attacks on WordPress accounted for ~16% of hacked sites, according to a survey. A brute force attack is a method of trial-and-error used to obtain information such as passwords. This attack exploits the frequent mistake of using a weak password.
It is always good to limit login attempts so you will be notified when someone is repeatedly attempting to access your website. Also, having a strong password made out of an unusual combination of letters, digits and special characters helps greatly. In addition, a 2-step authentication will improve security ten-fold.
What can you do to protect your website?
While it is impossible to make any website 100% secure, but with a few simple steps and precautions you can considerably minimize the risk of attacks and the nagging question “Is WordPress Secure?”
- Keep WordPress software and extensions up-to-date.
- Choose plug-ins and themes wisely
- Use strong authentication passwords and login credentials
- Limit the number of login attempts
- Use Captcha on your login page so all users need to pass the check before they are able to sign up or log in.
- Keep your local PC and network secure. Use up to date OS and antivirus software
- Enable web application firewall to block malicious traffic
There is no definitive answer to the question “Is WordPress Secure?” WordPress security depends on how much you invest in making it secure. Malicious hackers find new gateways to your website. For more tailored security practices for WordPress download our checklist & don’t forget to share it with your friends if you like it.