Is WordPress Secure?
WordPress is the most popular content management system in the world, now powering around 30% of all websites. To put that into perspective, the next biggest competitor, Joomla, has just over 3%. So that’s a pretty formidable market share when it comes to websites.
So obviously, with this many folks using WordPress, the next question you may be asking is:
Is WordPress secure?
I get asked this from time to time and I have a stock answer. It’s as secure as you make it. And I think this is the key point that people miss when it comes to securing anything. The level of security is determined by YOU, not by the content management system.
That’s not to say that WordPress doesn’t bear some responsibility for having a secure system. They do. And yes, WordPress is secure. But that doesn’t come with caveats.
What’s your password?
Did you know that some of the most popular passwords include 12345678, password, and letmein? WordPress security starts with you. If you can’t be bothered to use a secure password, then you’re the problem when it comes to your website security. Here are my three simple rules for password security that you should always follow:
- Don’t use the same password on multiple sites (use a password manager like Lastpass to help you keep track)
- Make it long – I recommend 30 characters with letters, numbers and symbols
- If you can remember it, it’s probably not secure
Having a secure password is your #1 preventative security method. If you use strong passwords, you are much, much less likely to get hacked. This applies to your WordPress site password, but to your web hosting password as well. Feel free to change these every few months to enhance security.
What version of WordPress is your site using?
If your answer isn’t ‘the most current one’ – then you are again, part of the problem. WordPress releases routine updates that, among other things, sometimes patch security vulnerabilities. If you fail to run your updates, you are opening yourself up to being hacked. I can’t tell you how many times I’ve logged into someone’s website for the first time to see that the last several updates weren’t run and the site is way out of date.
Some web hosts will run your WordPress updates for you, but most of the time this is really on you to make sure it’s being done expeditiously.
What about automatic updates?
Automatic updates were released in version 3.7, but if you haven’t made it to 3.7 yet, you aren’t being updated. Also, the automatic updates are for WordPress core, not for your plugins and themes which, yes, also routinely need to be updated.
A note about plugin and theme updates
I love a good premium plugin. What makes a premium plugin? That is code for a plugin that you have to pay for. There are many that I use on every site I make, like Beaver Builder, Gravity Forms, and WP Rocket. Most of these plugins have an annual fee.
However, some folks discovered that the plugin still works if they cancel their membership. And this is true. However, if you cancel your renewal, you are no longer able to get plugin updates. And guess what? Not running plugin updates can lead to being hacked. I have seen sites hacked because their premium plugin was very out of date, because the site owner didn’t want to pay for the plugin renewal. This is the deal with premium plugins. If you don’t want to pay the annual fees, then stick with free plugins from the repository. (Just make sure you check that it’s a solid, reputable free plugin.)
If you are concerned about your ability to maintain the various core, plugin and theme updates that routinely are released, you should consider signing up for a support plan so that this is taken care of for you.
If you use strong passwords and keep your software up to date, that will go a long way toward preventing your website from being hacked. Using a security plugin also helps, and I’ll write another blog post about security plugins next week.
WordPress Security starts and ends with YOU.
Join our list!
Our blog, delivered to your inbox. Never miss a post!