WordPress can be as secure as any other CMS available in the market today, but you will need to take some of these proactive measures to bolster your WordPress website security set-up and prevent unauthorised access by hackers.
Is WordPress a Secure Content Management System? That is one of the questions we’re often asked by clients. And in answering the question we first have to point out that WordPress has an unfair reputation for having poor security. It is an extremely popular Content Management System (CMS) powering almost 30% of the web – including some very prominent websites – therefore any successful attack is destined to become big news.
Fundamentally, any large CMS (or piece of software) is going to occasionally contain bugs that lead to security vulnerabilities. However, WordPress has a fantastic infrastructure in place for finding and dealing with these vulnerabilities in as short a time as possible. It is such a popular and well-used CMS that vulnerabilities are often found and fixed by the community of developers before it is known to hackers.
One major source of security concern is when a website has not been updated after a security patch has been released in the core WordPress CMS software. As is true of any software – if it isn’t kept up-to-date it will be vulnerable to attack. WordPress has an inbuilt auto-update feature so future security updates are applied automatically. Needless to say, it is important to ensure your website is running on the latest stable version of WordPress.
The other source of security issues in WordPress has to do with the fact that WordPress has an open system for plugin and theme development. Each plugin and theme is a potential source of security vulnerability – especially if they are out-of-date. There are a number of steps that you can take to minimise these security vulnerabilities such as:
- Limiting the number of plugins in use on your WordPress website.
- Only using plugins that are popular, well-maintained and regularly updated.
- Ensuring your WordPress website plugins are kept up-to-date.
How to secure your WordPress website
The key to the question of safety is how you manage your site. It’s critically important to have the right security set-up on your WordPress website in order to prevent unauthorised access to the site. And there are a lot of steps that can be taken in this regards. As part of our WordPress support and maintenance standards we recommend:
- All user accounts have strong passwords i.e. long passwords with a mix of letters (upper and lower case), numbers, and symbols.
- Users have the right access levels - WordPress comes with default user roles that help control how individual users interact with every aspect of your website.
- Reduce user credentials. The administrator account should only be needed to perform updates or add/change themes and plugins. Those who edit posts or write articles should never need to be at an administrator level.
- Disabling all non-required functionality such as WordPress comments, and uninstalling all redundant plugins.
- Installing security auditing and logging software that lets you track a huge range of usage activities - from publishing posts to marking comments to entering incorrect passwords.
- Installing an SSL certificate to activate the https protocol and allow secure connections from your web server to a browser.
- Avoid using WordPress default settings such as the “ADMIN” name. Also consider renaming default database prefixes to prevent SQL injections.
In addition we advice you to consider implementing:
- Whitelisting IP Addresses which limits access to your website admin area to people with pre-authorized IP addresses, and locks down access for unauthorised users.
- Two step authentication – ideally for all users, but consider implementing for the administrator account at the very least.
- A cloud-based Web Application Firewall - such as Cloudflare or Sucuri – to protect from vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests.
- Additional server side security measures such as a Content Security Policy and HTTP Strict Transport Security.
Can you trust WordPress?
So back to the question Is WordPress a Secure Content Management System, the simple answer is yes, with some caveats. We believe that with the right setup, the right hosting platform and proactive ongoing maintenance, WordPress is as secure as any CMS available in the market today.
It's also vital to keep in mind when using WordPress that it’s of utmost importance to back-up your WordPress CMS installation at regular intervals and, to have a robust disaster recovery plan in place. Whilst other security measures are essential, backups are the ultimate insurance: they mean that, if the worst were to happen, your website (plus all related files and databases) stay safe, and can be restored in no time.