WordPress is, by far, the most popular way to build a website. That popularity has the unfortunate side effect of also making WordPress sites a juicy target for malicious actors all across the world. And that might have you wondering whether WordPress is secure enough to handle those attacks.

First – some bad news: Every year, hundreds of thousands of WordPress sites get hacked, as well as ecommerce sites (that’s why we have an in-depth guide about Ecommerce Fraud Prevention).

Sounds grim, right? Well…not really, because there’s also good news:

Hackers aren’t getting in due to vulnerabilities in the latest WordPress core software. Rather, most sites get hacked from entirely preventable issues, like not keeping things updated or using insecure passwords.

As a result, answering the question of “is WordPress secure?” requires some nuance. To do that, we’re going to cover a few different angles:

  • Statistics on how WordPress sites actually get hacked, so you understand where the security vulnerabilities are.
  • How the WordPress core team addresses security issues, so you know who’s responsible and what they are responsible for securing.
  • If WordPress is secure when you follow best practices, so you know if your website will be safe.

How WordPress Sites Get Hacked (By The Data)

Ok, you know that plenty of WordPress sites are getting hacked each year. But…how is it happening? Is it a global WordPress issue? Or does it come from those webmasters’ actions?

Here’s why most WordPress sites get hacked, according to the data that we have…

Out-of-Date Core Software

Here’s an unsurprising correlation from Sucuri’s 2017 Hacked Website Report. Of all the hacked WordPress sites Sucuri looked at, 39.3% were running out-of-date WordPress core software at the time of the incident.

Hacked websites
Hacked websites (Image source: Sucuri)

So right away, you can see a pretty close relationship between getting hacked and using out-of-date software. However, this is definitely an improvement over 61% from 2016. 👏

According to the WPScan Vulnerability Database, ~74% of the known vulnerabilities they logged are in the WordPress core software. But here’s the kicker – the versions with the most vulnerabilities are all way back in WordPress 3.X:

WPScan list of known vulnerabilities
WPScan list of known vulnerabilities

But – unfortunately – only 62% of WordPress sites are running the latest version, which is why many sites are still unnecessarily vulnerable to those exploits:

WordPress Usage By Version
WordPress Usage By Version. (Image source: WordPress.org)

Finally, you can see this connection once more with the major WordPress REST API vulnerability from February 2017 where hundreds of thousands of sites were defaced.

WordPress 4.7.1 contained multiple vulnerabilities that were eventually used to deface those sites. But…weeks before the vulnerabilities were exploited, WordPress 4.7.2 was released to fix all of those vulnerabilities.

All the WordPress site owners who hadn’t disabled automatic security patches or otherwise had promptly updated to WordPress 4.7.2 were safe. But those who didn’t apply the update weren’t.

Takeaway: The WordPress Security Team does a great job at quickly fixing issues in the WordPress core software. If you promptly apply all security updates, it’s highly unlikely that your site experiences any issues as a result of core vulnerabilities. But if you don’t, you take a risk once an exploit gets out into the wild.

2. Out-of-Date Plugins Or Themes

One of the things people love about WordPress is the dizzying array of available plugins and themes. As of writing this, there are over 56,000 on the WordPress repository, and thousands of additional premium ones scattered across the web.

While all those options are great for extending your site, each extension is a new potential gateway for a malicious actor. And while most WordPress developers do a good job of following code standards and patching any updates as they become known, there are still a few potential issues:

  • A plugin or theme has a vulnerability and, because there aren’t as many eyes on it as the WordPress core software, that vulnerability goes undetected.
  • The developer has stopped working on the extension but people are still using it.
  • The developer quickly patches the issue, but people just don’t update.

So how big is the issue?

Well, in a survey from Wordfence of hacked website owners, over 60% of the website owners who knew how the hacker got in attributed it to a plugin or theme vulnerability.

Wordfence hacked website survey
Wordfence hacked website survey (Image source: Wordfence)

Similarly, in Sucuri’s 2016 report, just 3 plugins accounted for over 15% of the hacked websites they looked at.

Sucuri hacked plugin list
Sucuri hacked plugin list

Here’s the kicker, though:

The vulnerabilities in those plugins had long since been patched – site owners just hadn’t updated the plugin to protect their site.

Takeaway: WordPress themes and plugins introduce a wildcard and can open your site to malicious actors. Much of this risk can be mitigated by following best practices, though. Keep your extensions updated and only install extensions from reputable sources.

We also have to mention these GPL clubs you might see floating around the internet where you can get any premium WordPress plugin or theme for just a couple dollars. While WordPress is licensed under GPL, which is awesome and one reason we love it, buyer beware. These are sometimes also referred to as nulled plugins.

Buying plugins from GPL clubs mean you’re trusting a third-party to grab the latest updates from the developer and a lot of times you won’t get support. Getting plugin updates from the developer is the safest route. Also, we are all about supporting developers and their hard work!

3. Compromised Login Credentials For WordPress, FTP, or Hosting

Ok, this one isn’t really WordPress’ fault. But a non-trivial percentage of hacks are from malicious actors getting their hands on WordPress login credentials, or the login credentials for webmasters’ hosting or FTP accounts.

In that same Wordfence survey, brute force attacks accounted for ~16% of hacked sites, with password theft, workstation, phishing, and FTP accounts all making a small, but noticeable, appearance.

Once a malicious actor gets the metaphorical key to the front door, it doesn’t matter how otherwise secure your WordPress site is.

WordPress actually does a great job mitigating this by automatically generating secure passwords, but it’s still up to users to keep those passwords safe and also use strong passwords for hosting and FTP.

Takeaway: Taking basic steps to keep account credentials secure can prevent malicious actors from walking right in. Use/enforce strong passwords for all WordPress accounts and limit login attempts to prevent brute force attacks (Kinsta hosting does this by default 👍).

For hosting accounts, use two-factor authentication if available and never store your FTP password in plaintext (like some FTP programs do).

If you have a choice between FTP and SFTP (SSH File Transfer Protocol), always use SFTP (learn the difference between FTP and SFTP so you can understand why). If your host only uses FTP, we recommend inquiring about SFTP support or switching to a host that supports SFTP. This ensures that no clear text passwords or file data is ever transferred. Here at Kinsta, we only support SFTP for file transfers.

4. Supply Chain Attacks

Recently, there have been some instances where hackers gain access to sites through a nasty trick called a supply chain attack. Essentially, the malicious actor would:

  • Purchase a previously high-quality plugin listed at WordPress.org
  • Add a backdoor into the plugin’s code
  • Wait for people to update the plugin and then inject the backdoor

Wordfence has a deeper explanation if you’re interested. While these types of attacks are by no means widespread, they are harder to prevent because they result from doing something you should be doing (keeping a plugin updated).

With that being said, the WordPress.org team usually quickly spots these issues and removes the plugin from the directory.

Takeaway: This one can be hard to prevent because it’s a good thing to always update to the latest version. To help, security plugins like Wordfence can alert you when a plugin is removed from WordPress.org so that you quickly address it. And a good backup strategy can help you roll back without any permanent damage.

5. Poor Hosting Environment And Out-Of-Date Technology

Beyond what’s happening on your WordPress site, your hosting environment and the technologies that you use make a difference, too. For example, despite PHP 7 offering many security enhancements over PHP 5, only ~33% of WordPress sites are using PHP 7 or higher.

WordPress website PHP usage.
WordPress website PHP usage. (Image source: WordPress.org)

PHP 5.6’s security support officially expires at the end of 2018. And earlier versions of PHP 5 haven’t had security support for years.

That means using a hosting environment using PHP 5.6 or below will soon open you up to the potential of unpatched PHP security vulnerabilities.

Despite that fact, a whopping ~28% of WordPress websites are still using PHP versions under 5.6, which is a huge issue when you consider that recently we’ve seen record years for the number of discovered PHP vulnerabilities.

Beyond giving you access to the latest technologies, using secure WordPress hosting can also help you automatically mitigate many of the other potential security vulnerabilities with:

Takeaway: Using a secure hosting environment and recent versions of important technologies like PHP helps further ensure that your WordPress site stays safe.

Who’s Responsible For Keeping WordPress Secure?

Now you might be wondering, who’s responsible for combating all the issues above?

Officially, that responsibility falls to the WordPress Security Team (though individual contributors and developers from around the world also play a huge role in keeping WordPress secure).

The WordPress Security Team is “50 experts including lead developers and security researchers”. About half of these experts work at Automattic. Others work in web security, and the team also consults with security researchers and hosting companies.

If you’re interested in a detailed look at how the WordPress Security Team functions, you can watch Aaron Campbell’s 48-minute talk from WordCamp Europe 2017. But in general, the WordPress Security Team:

  • Detects and patches bugs and potential issues using, in part, tools like HackerOne’s bug bounties
  • Consults on all WordPress core releases

The WordPress Security Team has a policy of disclosure which means that, once they’ve successfully patched the bug and released the security fix, they publicly disclose the issue (this is part of why so many sites were defaced in 2017 – they still hadn’t applied the update even after the security team publicly disclosed the bug).

What the WordPress Security Team does not do is check all the themes and plugins at WordPress.org. The themes and plugins at WordPress.org are manually reviewed by volunteers. But that review is not “a guarantee that they are free from security vulnerabilities”.

So – Is WordPress Secure If You Follow Best Practices?

If you look at all the data and facts above, you’ll see this general trend:

While no content management system is 100% secure, WordPress has a quality security apparatus in place for the core software and most of the hacks are a direct result of webmasters not following basic security best practices.

If you do things like…

  • Keep your core WordPress software, plugins, and themes updated.
  • Choose plugins and themes wisely and only install extensions from reputable developers/source. Beware of GPL clubs and nulled plugins/themes.
  • If you have a choice between FTP and SFTP, always use SFTP.
  • Use strong passwords for WordPress, as well as your hosting and SFTP accounts (and two-factor authentication if available).
  • Don’t use “admin” for your username.
  • Set up a firewall in front of your site. All Kinsta sites are protected by our free Cloudflare integration, which includes an enterprise-level firewall with DDoS protection built in. If you’re not hosted on Kinsta, adding Cloudflare or Sucuri’s WAF can make your site more secure.
  • Keep your own computer free from viruses.
  • Change your WordPress login URL to reduce brute-forcing.
  • Use a TLS certificate (HTTPS) so all communication with your WordPress site (such as logging into your dashboard) is encrypted. Kinsta provides free HTTPS certificates!
  • Utilize SSH keys. This provides a more secure way of logging into a server and eliminate the need for a password.
  • Pick a host with a secure environment and use the latest technologies like PHP 8+.

…then WordPress is secure and your site should remain hack-free both now and in the future. If you’re a Kinsta client, you also don’t need to worry. If by an off chance your site is hacked, we’ll fix it for free!

Brian Jackson

Brian has a huge passion for WordPress, has been using it for over a decade, and even develops a couple of premium plugins. Brian enjoys blogging, movies, and hiking. Connect with Brian on Twitter.