The great WordPress Security Debate

I have written about a lot of things on this blog, most of which focus on how to position and market your organisation or brand. I have delved a little into the intricacies of SEO and the like, but I have usually steered away from one burning issue that I have come up against again and again recently: WordPress security. It is an issue that, in my opinion, is very much misunderstood.

I guess the origins of this myth lie in the fact that WordPress is an open-source CMS, and as soon as you say open-source, people instantly take it as a synonym for “insecure”.

“More than 70% of WordPress installations are vulnerable to hacker attacks.”

The single biggest reason that statistics such as this exist is the following, based on 42,106 WordPress websites found in Alexa’s top 1 million websites list, according to a 2013 article on

  • 74 different versions of WordPress were identified.
  • 11 of these versions are invalid, for example version 6.6.6.
  • 18 websites reported an invalid, non-existent version of WordPress.
  • 769 websites (1.82%) are still running a subversion of WordPress 2.0.
  • Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
  • 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
  • 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.

There are many things you can do to secure your site; the following is a short list of some of them:

  1. Before choosing or changing your hosting company, do some basic research: check forums and the like, and see what other people, fellow bloggers and WordPress administrators think of the hosting provider you would like to use. Hosting providers can be the biggest culprits in a lack of security.
  2. Before installing a WordPress theme or plugin, do some more research into the theme or plugin provider / developer and make sure that they update their themes often and are legitimate.
  3. Remove or rename the WordPress default administrator account on your site. These accounts are insecure and often have the simplest of passwords.
  4. Use strong passwords. By a strong password I mean one that is at least 8 characters long and contains both upper case and lower case letters, numbers and special characters such as !, & and ?.
  5. Keep WordPress, plugins, themes and any other software you use as up to date as possible by always using the latest available version and by always applying the latest security patches provided by the vendor. This is the simplest and arguably the most critical step in securing your site.
  6. Monitor the activity of your WordPress website and users with a security plugin such as the WP Security Audit Log plugin. This plugin is similar to the Windows Event Log or syslog on Linux/Unix: it logs all types of activity on your WordPress blog or website.
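Steps 3 to 6 above can be turned into small checks that run against a list of accounts, a reported version string and an activity log. The script below is an added example written for this page; it is not code from the article, from WordPress or from the WP Security Audit Log plugin. It applies the article's password rule, flags the stock administrator account name, classifies reported version strings against the newest release you know of (the default 3.6.1 is the release the 2013 figures above refer to; pass the current release in practice), and runs a failed-login burst detection over constructed log lines whose format is invented for the example and is not the plugin's own. The function names, thresholds and sample data are all assumptions.

```python
# Added example (not the article's or WordPress's own code): small checks for
# hardening steps 3 to 6, run over constructed sample data.
import re
from collections import defaultdict
from datetime import datetime, timedelta


# Step 3: the stock administrator account name that should be removed or renamed.
def is_default_admin(username):
    return username.strip().lower() == "admin"


# Step 4: the article's rule: at least 8 characters, upper and lower case
# letters, a digit and a special character such as ! & ?
def password_meets_policy(password):
    checks = [
        len(password) >= 8,
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    return all(checks)


# Step 5: classify a reported version string against the newest release you
# know of. 3.6.1 is the release the 2013 statistics refer to (assumed default).
def parse_version(text):
    """Return a tuple of ints, or None when the string is not a dotted version."""
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify_version(reported, latest="3.6.1"):
    parsed = parse_version(reported)
    newest = parse_version(latest)
    if parsed is None or parsed > newest:
        # Unparsable, or newer than any release that exists (the "6.6.6" case):
        # the site is misreporting its version, so treat it as invalid.
        return "invalid"
    if parsed == newest:
        return "current"
    return "outdated"


# Step 6: a detection to run over an activity log. The line format below is
# constructed for this example and is not the audit-log plugin's own format.
LOG_RE = re.compile(r"^(\S+ \S+) (\w+) user=(\S+) ip=(\S+)$")


def parse_log_line(line):
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    stamp, event, user, ip = match.groups()
    return {"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "event": event, "user": user, "ip": ip}


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, ip): count} for sources with at least `threshold`
    failed logins inside any span of length `window` (sliding window)."""
    per_source = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["event"] == "failed_login":
            per_source[(rec["user"], rec["ip"])].append(rec["time"])
    alerts = {}
    for source, times in per_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                alerts[source] = max(alerts.get(source, 0), hits)
    return alerts


# Constructed sample log: a burst against "admin" from one address, plus
# ordinary activity from a renamed administrator account.
SAMPLE_LOG = [
    "2013-09-15 10:00:01 failed_login user=admin ip=203.0.113.5",
    "2013-09-15 10:00:03 failed_login user=admin ip=203.0.113.5",
    "2013-09-15 10:00:04 failed_login user=admin ip=203.0.113.5",
    "2013-09-15 10:00:06 failed_login user=admin ip=203.0.113.5",
    "2013-09-15 10:00:09 failed_login user=admin ip=203.0.113.5",
    "2013-09-15 10:00:12 failed_login user=admin ip=203.0.113.5",
    "2013-09-15 10:05:00 login user=jonathan ip=198.51.100.7",
    "2013-09-15 11:30:00 failed_login user=jonathan ip=198.51.100.7",
    "2013-09-15 14:30:00 failed_login user=jonathan ip=198.51.100.7",
]

if __name__ == "__main__":
    for name in ("admin", "jonathan"):
        print(name, "default admin account" if is_default_admin(name) else "ok")
    for pw in ("weakpass", "Str0ng!Pass"):
        print(pw, "meets policy" if password_meets_policy(pw) else "rejected")
    for ver in ("2.0.4", "3.6", "3.6.1", "6.6.6"):
        print(ver, classify_version(ver))
    print(failed_login_bursts(SAMPLE_LOG))
```

The burst detector keeps a sorted list of failure times per (user, address) pair and slides a window over it, so a slow trickle of failures spread over hours does not alert while a short burst does; tune `threshold` and `window` to the traffic your own site sees.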

This is a great presentation that I found very helpful in summarising and articulating some of the WordPress myths and facts.

In short, no site is 100% secure. Websites get hacked each and every day, and some of those are WordPress sites; others are sites on other CMSs, and others are hard-coded HTML sites. The fact of the matter is that there is no such thing as hacker-proof. The trick is knowing how to ring-fence the attack and how best to safeguard yourself.

One Reply to “The great WordPress Security Debate”

  1. Good article Jonathan. This is also true of most other ‘connected things’. If you download apps for your smartphone without any proper research, or don’t upgrade any of your devices, applications or operating systems, then you are at risk. The connected world is an interesting place and the ‘Internet of Things’ is taking shape a little more every day.