WordPress has been a hot topic of debate for quite some time. According to several articles I’ve read, WordPress is not safe; however, most of these articles were based solely on personal opinions. Nevertheless, what does security mean for a CMS like WordPress?

Being a Market Leader Is No Easy Task

WordPress is the leading CMS for websites according to W3Techs. In 2018, WordPress held 59-60% of market shares, followed by Joomla at a mere 6%. Someone who is trying to develop a hacking tool and exploit its flaws won’t be interesting in targeting Ektron which accounts for 0.1%. The number of sites that may be taken advantage of would be substantially lower. Besides, return on investment is essential for hackers; therefore, a market leader (i.e. WordPress) is more likely to be targeted.

Web Hosting and Maintenance

WordPress may be used as a full-fledged integrated platform (WordPress.com) similarly to Wix and the rest: Weebly, Squarespace etc. In this case, it is not possible to access servers or files: all you need to do is set up your website with an extremely low risk of error.
However, WordPress also includes WordPress.org, the open source project that you may set up yourself if needed. Here is where things get serious. First of all, in terms of web hosting: it’s quite common to come across servers based on PHP 5.2 (which is no longer supported for quite some time: https://php.net/supported-versions.php meaning there was no available security update in years). Then, in terms of web design: was the setup performed properly? Have you accurately established file copyrights? And in the long term: is there a maintenance plan to update the various technological components of the project? If security was not monitored in years, you are most likely at risk; nevertheless, this would have been the case with any other CMS.

Access Denied. Try Again

Hackers will try to gain illicit access to your WordPress website using an admin account. Obviously, avoid using an account with an “admin” username and an “admin” password. To avoid a dictionary attack (someone using all possible passwords), you may set up various plugins requiring Captcha feature as an additional step, or blocking access after multiple failed attempts, or even use a second authentication step (e.g. SMS).

Limit the Hacked Area

Do you really need 30 active plugins from 30 different developers? You own various active admin accounts which you probably have not checked in months… Don’t create doors if these are not fully protected! Close these accounts and reduce the number of plugins to the bare minimum.

Prepare for the Worst

Security is also about prevention. Don’t forget to perform regular backups of your files and databases. Are you really going to do it yourself? No, you’re well-intentioned to do it a couple of times during the first month, and then forget about it altogether. However, you can always have an automated backup! There are quite a number of awesome plugins ready to do the backup at your selected location. Your desktop is working offline? No problem, you can opt for Dropbox backup based on your selected frequency.

In Conclusion

WordPress is not a security liability but a tool. If you use it the wrong way, you are likely to get in trouble! However, using another CMS is not the solution. Improve your security and stay safe.