You may have heard that WordPress has a poor reputation when it comes to security. It’s an extremely popular CMS (content management system) powering approximately 30% of the entire web, and because of this popularity, when a successful attack or vulnerability becomes apparent, it’s big news.
There are two main reasons why news of these attacks is not representative of how secure WordPress is as a CMS:
The majority of vulnerabilities you hear about in WordPress actually relate to themes and plugins and generally have nothing to do with the core. That’s why it’s best to limit the number of plugins used on a site (not just for speed, but for security), and to only use well-maintained plugins that are regularly updated. We also never use WordPress themes – all of our sites are coded from scratch.
Another major issue that concerns site security is not updating the WordPress core – especially after any sort of security patch has been released. By not keeping up-to-date, you’re more vulnerable to an attack – the same goes for any piece of software! A few years back, WordPress (in 3.7) introduced automatic updates, which have massively helped with this problem – they automatically apply security patches to your WordPress installation as soon as they’re released. This applies provided your WordPress version is greater than 3.7 (yes, we still come across websites that are below this version!). That being said, it’s still important to work with a WordPress agency that will keep plugins up-to-date and perform any major WordPress updates seamlessly.
Because of WordPress’ popularity, there’s a high chance any vulnerabilities are found by the community before any hackers have had a chance to exploit them. Once these security risks have been found, the hundreds of developers supporting WordPress will work to release a patch via a system update.
With the correct hardening of the core system, proactive maintenance and hosting environment, it’s our belief that WordPress can be as secure as any CMS available out there.