WordPress – is it really secure?

Over the years there has been a lot of talk about security, and specifically about the security of one of the most popular CMSs (Content Management Systems) out there: WordPress.

According to WordPress.org, WordPress is used worldwide on millions of websites. Whether small companies just starting out or Fortune 500 companies, they rely on WordPress to deliver their content to their online market. That said, many still do not trust the platform from a security perspective.

WordPress has been given a bad name in the past because of site breaches and security exploits. But to be fair, the organization provides the core platform for free. In the end, it is up to the developer or company to keep the website secure.

A Little History

WordPress by default is just as secure as any other web platform or codebase. It is built on a programming language called PHP, which powers not only websites but also many custom applications for computers, administration, etc. PHP is a well-established language that has been around for many years. Like WordPress, it is open source, which means anyone may use it under the GPLv2 (General Public License version 2).

The WordPress core is developed and maintained by a team of programmers who are constantly looking for ways to improve security, usability and stability in WordPress itself. There are two “versions” or “flavors” of WordPress. One is WordPress.org, which is available to anyone for free; the only requirement is that you need your own hosting and domain name to run it. There is also WordPress.com (Automattic), a paid subscription service that hosts a locked-down copy of WordPress. Based on your plan you can do various things to the install, such as changing themes, installing plugins, etc. WordPress.org is a standalone install, where you can, if you want or need to, gain access to the core files.

So, How Secure Is WordPress?

WordPress is as secure as you or your developer make it. I can’t stress this enough. Just like a computer, the application is only as secure as the person who implemented it. There are many factors that come into play when it comes to security and WordPress; unfairly, WordPress itself has gotten a bad name because of the common mistakes that people make.

Keeping Your WordPress Site Secure – Updates

Updates, just like on a computer, are released periodically for WordPress, as well as for the themes and plugins on your website. These updates usually contain new features, bug fixes and security patches to keep your website running smoothly and efficiently. Plugins in particular can cause many issues with a website, especially if not kept up to date; this is one of the main reasons for a website being compromised. Plugin authors frequently find bugs that could open up back doors to your website; once discovered, they patch the problem and release an update.

Themes as well as core WordPress files are also updated on a regular basis, and WordPress will notify you of theme and core updates when they are available. It is always best to keep your website up to date to reduce the risk of it becoming compromised.

Keeping Your WordPress Site Secure – SSL

An SSL certificate prevents the connection between your website and its visitors from being intercepted. The certificate is issued by a CA (certificate authority), which vouches for your site's identity, so visitors can trust the connection. Using SSL now also factors into search rankings, as the website is seen to be more reliable because the connection can be validated.

SSL secures your website because it assures visitors that they are working on the website they intended to work on. A common technique for compromising a website is to intercept the connection while information is being processed, such as when credit card details are entered in a payment form. The visitor's browser first validates that the server it is communicating with presents the certificate that was issued for that site.

Once validated, the connection is allowed to proceed. If there is a mismatch or the certificate's information does not validate against the CA, the connection will fail and you will receive a warning that the connection is not trusted and caution should be taken.

In order to be compliant with most payment processors, as well as PCI (Payment Card Industry) standards, an SSL certificate is required when you collect financial or personal information on your website. Failing to do so could result in lawsuits or damage to your website's reputation.

Keeping Your WordPress Website Secure – Malware Scanning / Online Firewall

Malware scanning and online firewalls provide front-line defense for your website. They check that the core files of your website are intact and safe to use. This gives users peace of mind that their information is safe, and gives you the peace of mind that something else is looking out for your website.

Services such as McAfee Secure Site monitor and scan your website and provide public validation that the site has been tested for malware and is safe to use. This is popular on large e-commerce websites that store confidential information on their servers.

Plugins such as Wordfence provide this as well as firewall protection for your website. They block known attacks and intrusion attempts, and run regular scans of your website for weaknesses such as outdated plugins and themes, abandoned plugins, or code snippets and plugins known to cause issues. They then provide a report of recommended fixes to ensure your website is secure.

Keeping Your WordPress Website Secure – Plugins

I want to mention plugins again in their own category, because there is one problem with them; well, not with all of them, but with some. Plugins that are maintained by a company or team of developers are great: they add awesome functionality to a website and are monitored and patched.

The problem is that sometimes a developer will abandon a plugin. When you go to install a plugin, WordPress will notify you if it is no longer maintained because the developer has not provided updates in the last few years. What this means is that if a known vulnerability is found in that plugin and no one is maintaining it, your site could be at risk. When choosing to install a plugin, think of it as if you were giving the keys to your home to a stranger. You are handing over your keys to the plugin author, or at least to the application they developed. These scripts and code snippets have full access to your website, because they run alongside your core files. Anyone who finds a way to compromise them can find a way into your website.
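As an added example (not code from the original post), here is a small Python audit that applies the advice from the updates and plugins sections: it compares a site's installed plugins against directory metadata and flags plugins that are outdated, unmaintained for years, untested against the running WordPress version, or not in the directory at all. The input samples are constructed here to mimic the shape of `wp plugin list --format=json` and the WordPress.org plugin-information fields; the two-year abandonment threshold and the simple version parsing are assumptions.

```python
import json
from datetime import date
# Constructed sample of `wp plugin list --format=json` output for a hypothetical site.
INSTALLED_JSON = '''[
  {"name": "akismet", "status": "active", "version": "5.0"},
  {"name": "old-gallery", "status": "active", "version": "1.2"},
  {"name": "fresh-forms", "status": "active", "version": "2.0"},
  {"name": "mystery-widget", "status": "active", "version": "0.9"}
]'''

# Constructed sample of the WordPress.org plugin-information fields (version, last_updated, tested).
DIRECTORY_JSON = '''{
  "akismet": {"version": "5.3", "last_updated": "2024-01-15 9:00pm GMT", "tested": "6.4.2"},
  "old-gallery": {"version": "1.2", "last_updated": "2019-03-02 4:10pm GMT", "tested": "5.1"},
  "fresh-forms": {"version": "2.0", "last_updated": "2024-05-20 8:00am GMT", "tested": "6.5"}
}'''

ABANDONED_AFTER_DAYS = 2 * 365  # assumed threshold for the "no updates in years" warning

def parse_version(v):
    """'6.4.2' -> (6, 4, 2); non-numeric parts are dropped (simplifying assumption)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def parse_last_updated(s):
    """Keep only the date part of the directory's 'YYYY-MM-DD h:mmam GMT' string."""
    return date.fromisoformat(s.split(" ")[0])

def audit_plugins(installed_json, directory_json, wp_version, today_iso):
    """Return one finding per installed plugin that needs attention."""
    installed = json.loads(installed_json)
    directory = json.loads(directory_json)
    today = date.fromisoformat(today_iso)
    findings = []
    for plugin in installed:
        slug, reasons = plugin["name"], []
        info = directory.get(slug)
        if info is None:
            reasons.append("not in the WordPress.org directory: verify its source")
        else:
            if parse_version(plugin["version"]) < parse_version(info["version"]):
                reasons.append(f"outdated: {plugin['version']} -> {info['version']}")
            age = (today - parse_last_updated(info["last_updated"])).days
            if age > ABANDONED_AFTER_DAYS:
                reasons.append(f"possibly abandoned: last updated {age} days ago")
            if parse_version(info["tested"])[:2] < parse_version(wp_version)[:2]:
                reasons.append(f"not tested beyond WordPress {info['tested']}")
        if reasons:
            findings.append({"plugin": slug, "reasons": reasons})
    return findings
```

Call `audit_plugins(INSTALLED_JSON, DIRECTORY_JSON, "6.5", "2024-06-01")` to get the report; a plugin that is current, recently updated and tested against the running version produces no finding.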

The intention of this post was not to scare, but to inform. There are many great features out there; you just need to do some heavy research into them, or ask someone who knows. There has never been and will never be anything close to 100% security in the world of technology, but we can make it much tougher for the bad guys to break in.

If you ever have any questions about the security of your website, we can help: get in touch with DrakeCo and we will be by your side in the cyber security battle.

