90% of all hacked sites run on WordPress. So, is WordPress secure?

There’s no second thought about WordPress being the best platform for blogging. 33% of the web is powered by WordPress; that’s way over a quarter of all websites that are live on the web. Because it’s so popular, bad guys always have an eye on high-traffic websites/blogs to either demand ransom or simply hijack the data. So, is WordPress secure? Not exactly.

90% of all the sites that were hacked run on WordPress. But here’s good news. There are many ways to keep your WordPress safe & strengthen the security of your WordPress blog. Sure, the core WordPress software is highly secure as hundreds of developers audit it regularly.

But that’s a generic audit. Once you install & set up WordPress, you begin customizing it as per your needs. That’s where the vulnerabilities start getting in. There’s a lot you can (and should) do to raise the security level of your WordPress blog.

If you are serious about securing WordPress, this guide has a lot to offer. It doesn’t matter whether you’re a pro techie or not; the takeaways from this guide will keep your WordPress blog safe.

Before we get into the core part of the guide, let me set the background first.

Why is WordPress security important?

Say you own a com website that runs down a large portion of your potential audience. You don’t wanna wake up to a hacked website. You don’t wanna lose everything overnight, which you’ve taken years to build. The web is an open space and with increasing tools & extensions it’s even easier to push malicious programs that can steal sensitive information, hijack payments & even worse, erase your website from existence.

It’s not only the website owners who are at risk; the visitors face the same threat. In 2016, Google warned its 50+ million users about the malicious websites they’ve been visiting. Furthermore, Google blacklists over 20,000 websites for malicious activity & over 50,000 websites for phishing every week.

Even if you don’t intend to harm your users, hackers might. Hackers can push malicious content on your website & Google might not know about this, resulting in your website being blacklisted for no reason. By the time you figure out the actual problem, you’d have taken a lot of damage.

Just like physical stores have security guards for safeguarding the store, your online business also deserves security guards. This is why WordPress security is important.

Isn’t core WordPress secure?

When it comes to WordPress security, most users refer to the WordPress core. The answer to that question is yes. The WordPress core is secure. Also, it wouldn’t be an exaggeration even if I declare the WordPress core as 100% secure. Anything in isolation is safest, but that is not what it’s meant for. A ship is safe at the shore, but is it made for that? No!

So where does the problem arise?

When you start customizing WordPress: when you start installing plugins, themes, customized code, and whatnot. But that’s what WordPress is about, isn’t it? You & I love WordPress for the customizations we can do.

This takes us to the next section.

How to secure the WordPress core?

If you don’t already know, WordPress is open-source software. This means anyone can alter the code at the core in any way they like. But the WordPress community is on its toes to keep the core away from the bad guys. Developers across the globe participate in keeping the core safe. So what goes into your hosting for installation is secure.

Furthermore, the developer community keeps fixing security issues with patch updates, & major updates come with major security updates. Once you install it, it’s on you to keep your WordPress secure. Don’t worry. I’ve covered everything you’ll need to secure your WordPress website/blog here.

To know how to keep your website safe, you should know what makes it unsafe. So let’s have a look at the vulnerabilities that cause these problems.

How do WordPress sites get hacked? (Data-packed list)

Data says there are 60 million WordPress websites and over 90,000 cyber-attacks per minute across the globe. This changes the direction of debate against the scope of this guide. So, what makes the site less secure? Let’s find out right away.

1. Outdated WordPress core software

A report shared by Sucuri says that, out of all the websites that were hacked, 39.3% were running outdated WordPress core software at the time of the attack. Furthermore, this rate has gone down from 61% in 2016.

Also, in a survey conducted by the WPScan Vulnerabilities Database, almost 74% of all the vulnerabilities they logged are in the WordPress core. To make this survey more relevant & interesting, most of these 74% of vulnerabilities were in WordPress 3.x versions.

Despite this, only 62% of WordPress websites have the latest version running on the server. With the latest version, you can do away with a lot of vulnerabilities.

Takeaway: The WordPress community keeps releasing bug fixes & closing attack points to make the WordPress core more and more secure. You will be notified on the dashboard whenever there’s a security or major update to the WordPress core software. You won’t know what vulnerabilities your core software has, but updating to the latest version will do a lot of harm to the hacker’s intentions.

2. Outdated plugins/themes

I love the vast buffet of plugins WordPress has to offer. You love it too. At the time of writing this guide, there are over 54,000 plugins. Sure, plugins extend the functionality of your website/blog, but they are also one of the most effective ways to attack the websites using that plugin. The same goes for the themes you use for the website/blog.

If the plugins are the infinity stones, hackers are Thanos. This combination can destroy your hard work in a snap, just like that. Plugin developers have a really tough job keeping the security bar high so that their plugins & themes do not get attacked. The main reasons why plugins & themes are the best way to attack WordPress websites are as follows:

There’s more to it…

A survey from Wordfence shows that almost 60% of the websites that were hacked were attributed to outdated plugins.

Takeaway: Keep your plugins updated. Plugins/themes with vulnerabilities are as unsafe as giving hackers direct access to your admin dashboard. The plugin/theme files can directly access the sensitive files on the web hosting server. Hackers can inject anything they want via vulnerable plugins/themes. So better update the plugins from the official developer or the official WordPress marketplace.
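To act on the two takeaways above (outdated core, outdated plugins/themes), here is an added example, not code from WordPress or from this guide, that reads the installed core version from `wp-includes/version.php` and each plugin's `Version:` header, then compares them with an inventory of expected versions. The sample site, the plugin names and the `LATEST` data are constructed for the demo, and the comparison handles plain dotted numeric versions only.

```python
import re
import tempfile
from pathlib import Path

def older(installed, latest):
    """True if dotted numeric version `installed` is lower than `latest`."""
    a, b = ([int(n) for n in re.findall(r"\d+", v)] for v in (installed, latest))
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))

def core_version(root):
    """WordPress core records its version in wp-includes/version.php."""
    text = (Path(root) / "wp-includes/version.php").read_text()
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", text)
    return m.group(1) if m else None

def plugin_versions(root):
    """Map each plugin folder to the 'Version:' header of its main file."""
    found = {}
    for php in sorted((Path(root) / "wp-content" / "plugins").glob("*/*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", head, re.M | re.I)
        if "Plugin Name:" in head and m:
            found.setdefault(php.parent.name, m.group(1))
    return found

def audit(root, latest):
    """Return (component, installed, latest) for everything needing attention."""
    out = []
    core = core_version(root)
    if core and older(core, latest["core"]):
        out.append(("core", core, latest["core"]))
    for slug, ver in plugin_versions(root).items():
        target = latest["plugins"].get(slug)
        if target is None or older(ver, target):
            out.append((slug, ver, target or "not in inventory"))
    return out

def build_sample_site():
    """Constructed miniature install so the example runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '5.8.1';\n")
    for slug, ver in (("demo-forms", "2.4"), ("demo-gallery", "1.0.3"), ("demo-orphan", "0.9")):
        folder = root / "wp-content" / "plugins" / slug
        folder.mkdir(parents=True)
        (folder / (slug + ".php")).write_text("<?php\n/*\n * Plugin Name: %s\n * Version: %s\n */\n" % (slug, ver))
    return root

# Constructed "latest release" data; substitute your own inventory.
LATEST = {"core": "6.0", "plugins": {"demo-forms": "2.4.0", "demo-gallery": "1.2.0"}}

if __name__ == "__main__":
    for row in audit(build_sample_site(), LATEST):
        print("NEEDS ATTENTION: %s installed=%s latest=%s" % row)
```

A plugin that is installed but missing from the inventory is reported too, which also supports the advice to delete plugins you no longer need.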

3. Compromised credentials

It is your responsibility to keep the credentials safe. A large percentage of unauthorized access is accounted for by compromised credentials for FTP & admin dashboards.

In the image above, you can notice that brute force attacks accounted for 16% of hacked sites. It doesn’t matter how secure your blog is; once an intruder gets hold of the credentials, everything is accessible to the intruder. Sure, WordPress generates a highly secure password, but it’s on you to keep that password secure and beyond the reach of the bad guys.

Takeaway: Use password managers like 1Password. You can even limit login attempts to ensure the bad guys do not walk right through the login page. If you take security seriously, I’d recommend Kinsta; it’s the best managed WordPress solution for many online businesses. Furthermore, you can even use 2-factor authentication to keep it more secure. Use this plugin by miniOrange to enable 2-factor authentication.

Additionally, if you have to choose between FTP & SFTP (SSH File Transfer Protocol), choose SFTP over FTP anytime. Here’s the difference between the two.
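The takeaway above recommends limiting login attempts; the added example below (not part of the original guide or of any plugin) shows the detection side of that control by counting failed `wp-login.php` POSTs per IP address in a sliding window over web-server access logs. The log lines are constructed, the threshold and window are assumptions to tune, and treating a 200 response to a login POST as a failure relies on WordPress redisplaying the form on a bad password and redirecting (302) on success.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log prefix: ip, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) for each POST to wp-login.php answered with 200.
    WordPress redisplays the form (200) on a bad password and redirects
    (302) on success, so a 200 on POST is treated as a failure here."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak failures inside any `window`} for ips reaching `threshold`."""
    recent, flagged = defaultdict(deque), {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample log (documentation-range addresses).
FMT = '%s - - [10/Mar/2024:%s +0000] "%s /wp-login.php HTTP/1.1" %s 4512 "-" "demo-agent"'
SAMPLE = (
    # six bad passwords in one minute: should be flagged
    [FMT % ("203.0.113.7", "10:00:%02d" % s, "POST", 200) for s in range(0, 60, 10)]
    # one typo followed by a successful login: normal user
    + [FMT % ("198.51.100.23", "10:01:00", "POST", 200),
       FMT % ("198.51.100.23", "10:01:20", "POST", 302)]
    # five failures spread over an hour: below the rate threshold
    + [FMT % ("192.0.2.50", "09:%02d:00" % m, "POST", 200) for m in range(0, 60, 12)]
    # merely loading the login page is not an attempt
    + [FMT % ("192.0.2.99", "10:02:00", "GET", 200)]
)

if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE).items():
        print("possible brute force from %s: %d failed logins within 5 minutes" % (ip, count))
```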

4. Supply chain attacks

Things have changed recently in the cyber world. With more and more plugins flowing into the plugin marketplace, it’s easier for attackers to mount an attack. Here’s what a supply chain attack means & how it works:

  1. Purchase a premium plugin from the wordpress plugin directory
  2. Add the backdoor in the plugin’s code
  3. Once the people update the plugin, they have the backdoor installed on their servers.

For further detailed reading, follow this article from Wordfence. While such attacks are not so widespread, they’re still significant.

Furthermore, the wordpress.org community is upfront and removes such plugins immediately without any notice to the developer. This makes the surface safe for us to use, but it takes time to find such plugins so having a good hosting provider would be the best workaround in this case.

Takeaway: While security is a big threat to your blog, you cannot predict an attack at any cost. However, you can use a security plugin mammoth, Wordfence. This is a pro-security plugin that does the heavy lifting on security grounds. Furthermore, this plugin also alerts you if any plugin is removed from the plugin directory on wordpress.org. This will keep you updated on whether or not you should use those plugins.
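Because a backdoor shipped this way arrives through a normal update, one practical check is to diff each update against the version you already run and review any risky PHP calls it introduces. The following is an added example, not Wordfence's method or code from this guide; the two plugin versions are constructed and the list of calls is a starting heuristic, so a hit is a prompt for human review rather than proof of a backdoor.

```python
import difflib
import re

# PHP calls that deserve a human look when an update introduces them.
RISKY = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|shell_exec|passthru|system|create_function)\s*\(")

def review_update(old, new):
    """Compare two versions of a plugin, each given as {relative path: source}.
    Returns (path, line number, call, line) for every risky call found on a
    line that the update added or changed; untouched lines are ignored."""
    findings = []
    for path in sorted(new):
        before = old.get(path, "").splitlines()   # empty if the file is new
        after = new[path].splitlines()
        matcher = difflib.SequenceMatcher(a=before, b=after, autojunk=False)
        for tag, _, _, j1, j2 in matcher.get_opcodes():
            if tag not in ("insert", "replace"):
                continue
            for n in range(j1, j2):
                for hit in RISKY.finditer(after[n]):
                    findings.append((path, n + 1, hit.group(1), after[n].strip()))
    return findings

# Constructed sample: version 1 of a hypothetical plugin and its "update".
OLD = {
    "demo-forms.php": "<?php\n$img = base64_decode($logo);\necho 'form v1';\n",
}
NEW = {
    # existing, unchanged base64_decode call: not reported
    "demo-forms.php": "<?php\n$img = base64_decode($logo);\necho 'form v2';\n",
    # file that did not exist before the update: every line counts as added
    "inc/cache.php": "<?php\n$blob = get_option('df_cache');\n@eval(base64_decode($blob));\n",
}

if __name__ == "__main__":
    for path, line_no, call, line in review_update(OLD, NEW):
        print("%s:%d introduces %s(): %s" % (path, line_no, call, line))
```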

5. Poor/Outdated technology used by the web hosting provider

Let’s admit. Not all beginners are serious about their blog. Therefore, they look for the cheapest hosting provider for their blog. It’s cheap for a reason. It has the least bit of security & hence it’s not worth opting for. The hosting provider plays a major role in making or breaking your blog.

If your pocket permits, I’d recommend Kinsta and if not, Bluehost is the best hosting provider. Don’t trust my words, trust the WordPress community that has rated Bluehost as the best hosting provider for beginners. Most of the hosting providers haven’t upgraded to PHP 7. See the image below: only 33% of hosting providers have PHP 7 installed on their servers.

Takeaway: Considering the vulnerabilities in PHP 5, it’s always better to upgrade to PHP 7. Ask your hosting provider if they have version 7 installed for your blog. If not, ask them to do it right away. If they don’t, it’s time to switch to a technologically upgraded hosting provider. To convince you even further, support for PHP 5.6 expired in 2018. And, as with earlier versions, the current ones will also lose support.

Who keeps WordPress secure?

To be brutally honest, no one is responsible for keeping your WordPress secure. Since the software is open-source, it is the whole community that’s responsible for governing everything that happens. The community members are upfront about checking the plugins & themes that come to the marketplace.

Furthermore, the core WordPress security team has 50 members that include lead developers & security analysts. To further understand the functioning of WordPress security, here’s a 48-minute long talk by Aaron Campbell at WordCamp Europe 2017.

One thing the core team doesn’t do (actually cannot do) is review the themes & plugins that get into the WordPress universe. There are 54,000 plugins & hundreds of thousands of themes for WordPress. It’s humanly impossible for the core team to review this huge chunk of code. It would simply take forever to review, and the team would be unable to do what they actually should, i.e. release new WordPress updates. However, you can consider going through reviews before installing plugins and/or themes. But relying on reviews might not be helpful. People might not review it technically or from a security standpoint.

Can the best practices make your WordPress secure?

No matter how well WordPress works on security, it’s never gonna be safe if you don’t follow WordPress security best practices. While the WordPress core is secure, most of the attacks happen because webmasters fail to follow fundamental security practices.

I am working on a detailed post on best practices for WordPress security, but for now, here are a few best practices that you should follow right away:

  • Keep plugins & themes up to date, including the core WordPress software.
  • Follow WordPress security news. This will teach you to defend against similar attacks. At least, you won’t commit mistakes similar to the hacked websites.
  • Be very choosy while you install plugins & themes. I will be doing an audit of all the plugins & themes I use. You should too.
  • Consider SFTP over FTP, it’s way more secure.
  • Install SSL certificates. An SSL certificate encrypts all the communication that happens on your blog. SSL certificates are expensive. Each certificate costs almost the same as hosting fees for a couple of years. But the good news is, Bluehost provides a free SSL certificate (and a domain too) if you opt for shared hosting. Alternatively, if you intend to opt for managed WordPress, opt for Kinsta. It’s way ahead of its competitors.
  • Use strong passwords for WordPress login & FTP/SFTP servers. Use 2FA if available. Furthermore, limit login attempts without fail. Here’s a plugin that can do this for you.

These are just a handful of ways you can keep your WordPress secure. I’m working on a bag full of ways. I’ll be rolling it out soon.


A question was floating around in my head while I worked on this piece.

What about other CMSs? Are they more secure than WordPress?

I hear this question a lot. Either I’m asked directly or I come across such questions on Quora & Reddit. The most asked question is the difference between wordpress.com & wordpress.org. Security is one of the biggest concerns of the people who ask this question.

This section is for them.

Let me be very frank…

No CMS is 100% secure. Security online is a myth. Anything that’s on the web, is hackable. So is WordPress, and every other CMS. To be fair with all the CMSs, let me show you a graph, where the x-axis is the life of a CMS & the y-axis is the number of security breaches the software had.

WordPress is in the maturity phase. As you can see, the maturity phase does have a considerably high security-breach rate, but it’s way under control. Sure, other CMSs are feature-packed, but WordPress (especially self-hosted WordPress) is way ahead.

Okay, this time a nerdy question.

Aren’t static websites safer? Are they immune to hacks or cyber attacks?

By static website, I mean a website built from scratch using pure HTML & CSS with no PHP involved. This eliminates all room for an attacker to attack. Since WordPress runs on PHP, attackers inject malicious code that’s written in PHP.

Therefore a static website is way safer than a PHP-stuffed website/blog like one on WordPress. But the problem is, it’s a static website. Apart from showing static information, it will do nothing else. No interactive homepages, no signup forms, no comment section.

Zero functionality

It would be a synonym for static websites. This itself rules out static websites. Just in this regard, functionality is above security. Furthermore, applications like Apache & Nginx have also had security breaches (vulnerabilities) in the past. So eliminating exploitable applications won’t fix the security issues; creative & preventive actions will.

If you look around, you’d also ask about cloud services.

Let me tell you, they’re not secure either. In 2012, the leading cloud commenting service, Disqus, reported a security breach that exposed 17.5 million users’ data. Cloudflare also got burnt in this fire, when Cloudflare systems were compromised and exposed sensitive data. Cloud services attract a lot of hackers’ attention because the system owners have all their eggs in one basket.

WordPress security tips & best practices

Now that you’re aware of the reasons why WordPress gets hacked, let me share how you can keep your WordPress safe.

#1 Get your WordPress hosted on a good web hosting company

I had hosted all my blogs on Bluehost, but I have recently switched to SiteGround. One of many reasons is the fact that the whole ecosystem of SiteGround is on the Google Cloud Platform. It’s a little more expensive than Bluehost, but it’s worth it. If you’re just starting out, I’d recommend Bluehost.

GCP is an enterprise-level cloud computing platform with top hosting features like security, speed, and uptime. Even Bluehost had 99.9% uptime, but SiteGround has a highly updated PHP version for your WordPress.

The PHP version plays a major role in keeping your WordPress secure. An outdated PHP version running on your web hosting servers clashes with the updated PHP version expected by the plugins & themes you have installed for your blog.

It’s always good to invest in quality web hosting that always keeps the PHP version up to date. Saving money right now will be expensive later.

#2 Keep themes & plugins updated

There have been so many instances where WordPress websites/blogs were hacked because of non-updated themes & plugins. Each plugin update seals security loopholes. Therefore it is very important to keep the plugins up to date.

It’s better to delete unwanted plugins & themes.

Final thoughts: Is WordPress secure?

After reading this long, it’s evident that you have this question. I too had this until I realized my significance in keeping my blogs safe & sound. WordPress is backed by thousands of people and hence it is one of the best places (if not “the” best) to have your blog on.

If you follow the best practices, you can stay miles away from cyber attacks that can cost you your fortune. If you are just starting, consider security as a priority. Invest in good web hosting, inquire about plugins & themes thoroughly, keep the environment up to date. This will save a lot of money, & most importantly your time.

About the question

Is WordPress Secure? That depends on you! How safe you keep it.
