Are WordPress Websites Secure?

Every year, CMOs, IT and agency folks like us are asked to deliver websites that are great looking, offer a great customer experience and accessibility, and ultimately drive business. Part of that process always includes the selection of a content management system (CMS) that will make the site easy to update and maintain but that also offers great security features because it’s a scary hacker-filled world out there. In the urban mythology of website content management systems, few myths seem to be as pervasive as the idea that somehow, sites built in the WordPress CMS are “not secure.”

In this edition of “Plain Talk,” we’ll get to the truth about WordPress website security and how you can build a secure site. We’ll discuss:

  1. Is WordPress just for blogging?
  2. Why is WordPress so popular?
  3. Is WordPress a secure CMS?
  4. Key factors in web security
  5. The right approach to a secure WordPress website

Is WordPress just a blogging CMS?

We needed to get that question out of the way first. No. WordPress is not just a blogging CMS. When it was launched in 2003, it was launched as a blogging platform, but in the 20 years since, it has become the most used CMS on the planet. In fact, while there are over 450 notable CMS products available in the world, in 2023, WordPress has been the system used by approximately 43% of all 810 million websites on the internet – this includes sites that don’t even use a CMS. Of those with a CMS, It’s actually 63%. To put this into comparison, WordPress is 10 times larger than its nearest competitor, Shopify, which has a market share of 6%.

So, how did WordPress go from a blogging platform 20 years ago to the most popular CMS today?

1. What users truly appreciate about WordPress is its user-friendly nature. We find that with just a few hours of training, nearly any regular office human can be trained to manage site content in the WordPress CMS. We’ve worked with many platforms, and WordPress is the only one that is this intuitive.

2. Excellent SEO features

3. Kings of content. Years before we saw it coming, WordPress knew that content would be king. The platform still offers some of the best available and easy-to-use features to highlight the content you work so hard to produce.

4. Cost-effectiveness when compared to other development stack options that IT professionals might consider. While these alternatives may be touted for their security features, they often come with their own set of drawbacks, such as complex usability, proprietary limitations, much higher implementation costs, challenges with sourcing “specialty” developers, increased hosting expenses, limited portability, and more.

5. WordPress also has one of the largest and most active communities of developers and testers, keeping it secure and rolling out regular patches. The community is made up of literally millions of developers from all over the globe. This gives site owners a huge amount of flexibility for reliable site customization.

A recent market share analysis of the top 1,000 brand websites that use a publicly available CMS revealed that WordPress holds the top position at 31%, with Adobe Experience Manager (AEM) coming in second at 16%. The major difference between these two systems is that WordPress is freely available, and access to AEM has an entry cost that starts in the six-figure range with ongoing costs, including hard-to-find staff resources that are typically in the top tier of salary requirements.

CMS market share for the top 1000 websites '22

But is WordPress secure?

There are nearly 348 million WordPress sites in the world for hackers to try to attack, but fortunately, WordPress sites can be highly impenetrable to hackers. It all comes down to how you plan and implement your security posture, prudent choices in third-party tools, the type of web hosting services you deploy and your rigor in testing it.

The simple fact is that unsecured code can be written in any programming language. This is the reason why online banking software development processes are lightyears more rigorous than those built by small businesses. The security posture required for one is totally different than the other. An unsecured web server can circumvent efforts to maintain securely coded websites, and this is why enterprises with sensitive data house their sites on dedicated server environments that not only protect the data from public visitors but also from physical exploits inside secure buildings. There’s a wide spectrum of requirements for a secure site, but a highly secure website is just as possible using WordPress in combination with the right hosting service and human administrators that follow good security practices as it is in any other platform.

On that note, and because it’s likely to be brought up by an IT expert, people in the industry sometimes argue that a proprietary custom system in .Net or Java or whatever underlying code language is more secure because it has a smaller attack surface and benefits from the rule of “security by obscurity” (meaning the less that’s known about the way the site operates under the hood to the general public the harder it is for a bad actor to exploit it), and this is true in the same way that a billionaire like Tony Stark (Iron Man) with unlimited resources could build a Ford Ranger that can withstand or avert a cruise missile attack.

The average corporate IT department on a budget can’t afford to build a proprietary site that performs well and is easy to use and maintain. The software development shops that offer “custom” products in such a niche market can’t do all of these things without fencing you into a product that costs more and more over time, and that’s hard to walk away from if you want to change. This means you may get trapped with a site that is expensive to operate and over time, does not work as well as much cheaper options.

So, if you want to build a secure website in WordPress (or another CMS), what are the considerations?

Here is a list of key factors in web security:

1. Regular Updates: Keep your website’s software, plugins, themes, and CMS up to date. Regular updates often include security patches that address known vulnerabilities. And because of the sheer number of WordPress sites and its open-source nature, security updates are more frequent than with other CMS options.

2. Strong Authentication: Implement strong authentication methods, like two-factor authentication (2FA), to add an extra layer of security for user logins.

3. Secure Hosting: Choose a reputable and secure web hosting provider. A secure hosting environment is essential for safeguarding your website’s data and functionality.

4. SSL Encryption: Use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption to ensure secure data transmission between your server and users’ browsers, indicated by the “https” in the URL.

5. Firewalls: Utilize web application firewalls (WAFs) to filter out malicious traffic, preventing common attacks like SQL injection and cross-site scripting.

6. User Permissions: Assign appropriate user roles and permissions to limit access to sensitive areas of your website. Regularly review and revoke unnecessary access.

7. Regular Backups: Perform regular backups of your website’s data and files. In case of a security breach, backups can help you restore your website to a secure state.

8. Vulnerability Scanning: Regularly scan your website for vulnerabilities using security tools to identify potential weaknesses and address them proactively.

9. Content Security Policies (CSP): Implement CSPs to control the sources from which your website can load scripts, reducing the risk of cross-site scripting (XSS) attacks.

10. Security Plugins: Depending on your CMS, use reputable security plugins that offer features like malware scanning, login attempt monitoring, and security hardening.

11. Secure Coding Practices: Follow secure coding practices to minimize the risk of introducing vulnerabilities in your codebase.

12. Regular Monitoring: Continuously monitor your website’s traffic and logs for any suspicious activity or unauthorized access.

13. Patch Management: Quickly apply security patches and updates as soon as they are released to address known vulnerabilities.

14. Employee Training: Educate your team about security best practices, including identifying phishing attempts and avoiding the download of malicious files.

15. Incident Response Plan: Have a plan in place for responding to security incidents, including steps to mitigate the impact, and communicate with users if necessary.

Every item on this list is achievable with a WordPress site hosted on a recommended hosting service. In fact, implementing everything on this list is considerably easier and exponentially less expensive to do with WordPress than any other CMS platform available. Extending WordPress to incorporate specific compliance/security requirements is also efficient through APIs to third-party services that supply things like HIPAA-compliant data storage, transaction processing, NFTs, etc.

The right approach to a secure WordPress website

As you prepare to build your own site, consider the following:

1. What are your security needs for the type of website you are building? These include but are not limited to:

a. Is it a brochure site?

b. Is it an e-commerce site?

c. Does it collect any sensitive data?

d. Do website admins need granular roles for access because of differences in technical capabilities?

e. What’s the net effect of a website outage or error on your business?

f. Does the site have compliance requirements?

g. Are there IT policy requirements?

h. Does the site require a single sign-on integrated with the company authentication system?

i. What types of integrations will the site require? CRM? ERP?

2. Create a scope of work that addresses these requirements with specific plans for mitigating risks.

3. Build the WordPress site’s theme on a codebase that has been upgraded over time to include best practices and common features.

4. Implement required content security policies and OWASP best practices.

5. Ensure security tools are in place and operational whether it’s a plugin or hand coded.

6. Test and mitigate risks.

7. Monitor the sites you build and be available to act quickly if unforeseen events happen.

8. Host the site on a hosting platform that ONLY caters to WordPress sites and is 100% focused on WordPress-specific security and reliability, with backups, top-tier support, monitoring, web application firewalls (WAF) and denial-of-service (DoS) mitigation capabilities, and fast recovery tools.

a. PriceWeber highly recommends WPEngine hosting services. They provide WordPress-specific hosting from small plans to enterprise-level dedicated servers that have built-in backup and recovery tools and can be hosted behind a WAF by Cloudflare that aggregates exploited information from all over the world (Global Edge Security by Cloudflare). Their hosting also comes with tools to manage all types of custom Content Security Policies (CSP), header rules and access controls by IP address, regions, and protocols.

It’s been a long time since WordPress was “just a blogging platform,” and today, the idea that a WordPress site is inherently less secure than any other kind of CMS is unfounded and regularly oversimplified. Every CMS, including WordPress, has faced security challenges in the past; security vulnerabilities are in no way exclusive to a specific platform. The level of security a website maintains is a result of careful planning, solid implementation of security measures, and continuous vigilance. WordPress has made substantial strides in bolstering its out-of-the-box security over the years, and like any software product, the way in which you implement it is just as important as choosing it when it comes to security. It’s really important to recognize that no platform, regardless of its reputation or cost, can guarantee absolute immunity from cyber threats. It’s simply not possible. However, a well-planned and implemented site in WordPress can be counted on to protect your interests.

As digital landscapes evolve, so too must software security practices, emphasizing planned, proactive measures to safeguard your online assets, regardless of the CMS platform chosen.

If you have any security questions or want to dive deeper into WordPress, we’d love to hear from you. Feel free to send us a message or give us a call at (502) 499-4209.

If you’re not already a subscriber to our Plain Talk newsletter, you can subscribe below.

Tyrus Christiana ,Senior Digital Director
Tyrus Christiana Senior Digital Director