How secure is WordPress as a Content Management System?

10 May 2019


You may have heard that WordPress has a poor reputation when it comes to security. It’s an extremely popular CMS (content management system), powering approximately 30% of the entire web, and because of this popularity, when a successful attack or vulnerability becomes apparent it’s big news.

There are two main reasons why news of these attacks is not representative of how secure WordPress is as a CMS:

1. The open system behind plugin and theme development for WordPress.

The majority of vulnerabilities you hear about in WordPress are actually to do with themes and plugins and generally have nothing to do with the core. That’s why it’s best to limit the number of plugins used on a site (not just for speed, but for security), and only use well-maintained plugins that are regularly updated. We also never use WordPress themes – all of our sites are coded from scratch.

2. Not updating the WordPress core

Another major issue that concerns site security is not updating the WordPress core – especially after any sort of security patch has been released. By not keeping up to date, you’re more vulnerable to an attack – the same goes for any piece of software! A few years back, WordPress (in 3.7) introduced automatic updates, which have massively helped with this problem – security patches are applied to your WordPress installation automatically as soon as they’re released. This applies provided your WordPress version is 3.7 or newer (yes, we still come across websites that are below this version!). That being said, it’s still important to work with a WordPress agency that will keep plugins up to date and perform any major WordPress updates seamlessly.

Because of WordPress’ popularity, there’s a high chance any vulnerabilities are found by the community before hackers have had a chance to exploit them. Once these security risks have been found, the hundreds of developers supporting WordPress work to release a patch via a system update.

How we secure our WordPress websites

  • Keep the number of plugins to a minimum and make sure the plugins that are installed (well-maintained ones only) are kept up to date.
  • Install an SSL certificate.
  • Ensure user accounts have strong passwords – the passwords WordPress suggests when creating a user are good. Otherwise, use a tool like a Secure Password Generator.
  • Only give user accounts access to what they need.
  • ModSecurity is installed on all of our servers and its security rules are updated weekly, protecting our customers from the most common attacks.
  • NEVER use admin as a login username – this alone blocks a lot of brute-force and other attacks.

Additional security measures

  • Restrict the WordPress admin area to whitelisted IP addresses only (this means that only people on your network can access the backend of the site).
  • Use a Web Application Firewall like Cloudflare or Sucuri – Cloudflare can improve performance as well.
  • Enable Two-Factor Authentication.
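Three of the measures above (automatic updates, never allowing an admin username, and restricting the admin area to whitelisted IP addresses) can be enforced from a single must-use plugin. The following is an added example, not the agency’s own code: it assumes a file dropped into wp-content/mu-plugins/, uses hypothetical `hardening_*` function names, only handles IPv4, and uses RFC 5737 documentation ranges as stand-in office/VPN addresses.

```php
<?php
/**
 * Plugin Name: WordPress hardening (added example, not the agency's own code)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be disabled from the dashboard.
 */

// 1. Keep core, plugins and themes patched automatically (WordPress 3.7+ background updates).
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. Refuse "admin" and similar guessable usernames when accounts are created.
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root' ) );
} );

// 3. Allow wp-admin and wp-login.php only from whitelisted networks.
// Constructed example ranges (RFC 5737); replace with your own office/VPN addresses.
const HARDENING_ALLOWED_CIDRS = array( '203.0.113.10/32', '198.51.100.0/24' );

// IPv4-only CIDR match; IPv6 or malformed input is treated as "not allowed".
function hardening_ip_in_cidr( string $ip, string $cidr ): bool {
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        return false;
    }
    list( $subnet, $bits ) = explode( '/', $cidr );
    $mask = ( (int) $bits === 0 ) ? 0 : ( ( -1 << ( 32 - (int) $bits ) ) & 0xFFFFFFFF );
    return ( ip2long( $ip ) & $mask ) === ( ip2long( $subnet ) & $mask );
}

function hardening_enforce_ip_allowlist(): void {
    // admin-ajax.php is also served from wp-admin but is used by the public front end,
    // so it must stay reachable or logged-out visitors will see broken features.
    if ( wp_doing_ajax() ) {
        return;
    }
    // Behind Cloudflare or any reverse proxy, REMOTE_ADDR is the proxy's address, not the
    // visitor's; have the web server restore the real client IP before relying on this check.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach ( HARDENING_ALLOWED_CIDRS as $cidr ) {
        if ( hardening_ip_in_cidr( $ip, $cidr ) ) {
            return;
        }
    }
    wp_die( 'Access to the admin area is restricted.', 'Forbidden', array( 'response' => 403 ) );
}
// wp-login.php is not part of wp-admin, so it needs its own hook alongside admin_init.
add_action( 'admin_init', 'hardening_enforce_ip_allowlist' );
add_action( 'login_init', 'hardening_enforce_ip_allowlist' );
```

Test the allowlist from a whitelisted address before applying it to a live site; a typo in the ranges locks every administrator out until the file is removed over SSH or FTP.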

With correct hardening of the core system, proactive maintenance and a well-configured hosting environment, it’s our belief that WordPress can be as secure as any CMS available.

Contact us today for WordPress development!
