It has been estimated that about a third of the web is powered by WordPress. While some people have expressed security concerns about it, it would not be used that widely if it were not a secure platform. Rather, its very popularity is why any vulnerability in it makes the news. Let's look at how secure WordPress is as a CMS, and at some straightforward tips to improve its security that anyone can implement.
WordPress powers 30% of the internet.
What Caused the Reputation in the First Place
In 2009, a lifetime ago in internet years, many WordPress sites were compromised within a short period. Adding to the aggravation for users was the need to update their websites manually every time a fix was released. Because not all administrators kept up, known vulnerabilities remained unpatched on many sites and were then exploited.
Missing a single update could leave a site that otherwise seemed up to date open to an exploit years later. That kept WordPress sites getting hacked long afterwards and led people to think the problem lay with current versions of WordPress.
WordPress solved this problem by letting you automatically upgrade WordPress in the background and upgrade all plugins at the same time. This eliminated the holes often left by manual upgrades and the hassle factor that caused many to put off updates.
Why WordPress Security Is Still a Concern
WordPress is an open system, which allows many people to develop plugins and themes. The core of WordPress itself is quite secure; the greater issue is that third-party plugins are not always as secure and can lead to breaches. Poorly built plugins are often hacked, and many more contain known vulnerabilities such as buffer overflows and SQL injection.
How to Make WordPress More Secure
There are a few simple things you or a developer can do to improve WordPress security. One is to scan your site with tools that look for these vulnerabilities in plugins. Another is to use only third-party plugins that have been proven secure, are well maintained and are regularly updated.
You could also implement a lockdown feature that locks an account after a certain number of login failures, using a plugin that does this and notifies you of the issue. The next level up bans an IP address after too many login failures against any account; this stops attackers from trying every account they have until one gets them in.
You should also change the login URL for your site from the default. Hacking scripts that go to the default URL find nothing, and your site is less likely to be hacked. Change key user names as well to trip up scripts: for example, if your administrative account is named admin, they will test that name against their database of the most likely passwords.
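The per-account and per-IP lockdown described above, written as a minimal WordPress plugin. This is an added illustration, not code from the article or from any plugin it mentions; the thresholds, the time window, the transient key prefix and the notification wording are assumptions.

```php
<?php
/*
Plugin Name: Login Lockdown Example (added illustration, not a real plugin)
*/
// Thresholds and window are assumed values, not figures from the article.
const LL_ACCOUNT_LIMIT = 5;   // failures before a single account is locked
const LL_IP_LIMIT      = 20;  // failures from one IP against any accounts
const LL_WINDOW        = 900; // seconds that counters and locks persist
function ll_client_ip() {
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy, map a trusted header instead.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}
function ll_key($kind, $value) {
    // Transient names are limited in length, so hash the variable part.
    return 'll_' . $kind . '_' . md5(strtolower($value));
}
function ll_bump($key) {
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LL_WINDOW); // expires on its own after the window
    return $count;
}
// Count every failed login against both the account and the source IP.
add_action('wp_login_failed', function ($username) {
    $acct = ll_bump(ll_key('acct', $username));
    $ip   = ll_bump(ll_key('ip', ll_client_ip()));
    if ($acct === LL_ACCOUNT_LIMIT || $ip === LL_IP_LIMIT) {
        // Notify the site owner once, when a threshold is first reached.
        wp_mail(get_option('admin_email'), 'WordPress login lockout',
            sprintf('Lockout for user "%s" from IP %s.', $username, ll_client_ip()));
    }
});

// Refuse authentication while either counter is at or over its limit.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' || $username === null) {
        return $user; // wp-login.php calls this with empty credentials on plain page loads
    }
    $acct = (int) get_transient(ll_key('acct', $username));
    $ip   = (int) get_transient(ll_key('ip', ll_client_ip()));
    if ($acct >= LL_ACCOUNT_LIMIT || $ip >= LL_IP_LIMIT) {
        return new WP_Error('ll_locked', 'Too many failed logins; try again later.');
    }
    return $user;
}, 30, 3);

// Clear the account counter after a successful login.
add_action('wp_login', function ($user_login) {
    delete_transient(ll_key('acct', $user_login));
});
```

Transients are stored in the options table (or in the object cache when one is configured), so the counters are shared by every PHP worker serving the site; the IP rule only works if REMOTE_ADDR reflects the real client rather than a proxy.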
WordPress' reputation for poor security is now more the result of insecure third-party plugins than of the core system, yet the WordPress CMS continues to get a bad rap. There are many options for securing your WordPress site without implementing advanced IT security measures, though those are options as well.