How secure is WordPress?

WordPress is fundamentally a secure platform which is constantly supported and updated by thousands of developers.

When properly installed, WordPress is secure. But like any other system, there are points of vulnerability.

What are the biggest risks?

The code you run

Your WordPress website is only as secure as the code you run.

The plugins and themes you install all add risk to the security of your WordPress website.

To reduce this risk only install plugins and themes from trusted sources.

The WordPress plugin directory is (mostly) a safe bet, as are big-name premium plugins such as Gravity Forms. For other plugins, look for a large number of active installs (1000+) and positive feedback.

If you want to go a step further you could pay for a security audit, such as the Wordfence Site Security Audit.

Not installing updates

Security issues are discovered fairly often – it’s part of the benefit of an open-source project like WordPress. People are actively checking and fixing issues.

But to benefit from these updates you need to keep WordPress as well as your plugins and theme updated.

By default WordPress will automatically install minor updates (e.g. 5.0.0 -> 5.0.1) to WordPress itself – but does not install:

  • updates to plugins
  • updates to themes
  • major WordPress updates (e.g. 4.9.8 -> 5.0.0).

I recommend using Companion Auto Update to manage updates – making sure these are also automatically installed.
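If you would rather not rely on a plugin for this, WordPress exposes the same switches through its own filters. The following must-use plugin is an added example (not code from the article or from Companion Auto Update); it opts plugins, themes and major core releases into the built-in auto-updater. The file name, the `example_` prefix and the `gravityforms` entry in the manual-update list are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Auto-update everything (added example)
 * Description: Opt plugins, themes and major core releases into the
 *              WordPress auto-updater using core's own filters.
 *
 * Save as wp-content/mu-plugins/example-auto-updates.php (create the
 * directory if it does not exist). Must-use plugins load on every request
 * and cannot be deactivated from the admin UI, so the policy sticks.
 */

// Major core releases (e.g. 4.9.8 -> 5.0.0). Minor releases are already
// automatic. Equivalent to define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: update everything except a short list you prefer to test by hand.
// $item is the update object from the WordPress.org API; $item->slug is the
// plugin's directory name. The slug below is an assumed example.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $update_manually = array( 'gravityforms' );
    if ( isset( $item->slug ) && in_array( $item->slug, $update_manually, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes: no exceptions needed, so the built-in helper is enough.
add_filter( 'auto_update_theme', '__return_true' );
```

Updates still run from WP-Cron, so a site with very little traffic (or `DISABLE_WP_CRON` set) should trigger cron from the system scheduler; otherwise the filters above have nothing to act on.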

Weak passwords

I find the term “password” isn’t very useful when it comes to security – because if your password is one or more words it’s not good enough!

Instead create a “passphrase” such as a poem or song lyric. Length is what matters – the longer it is, the harder it is to brute force (guess) the password.

Or, even better, use a password manager such as LastPass with randomly generated passwords of 16 or more characters.
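Advice only helps if users follow it, so a site owner can make the minimum length a rule. The plugin below is an added example, not code from the article or from any named product; it hooks the two places WordPress lets an existing user choose a password (the profile editor and the password-reset form, both of which post the new value as `pass1`) and rejects anything under 16 characters. The 16-character floor, the single-word check and every `example_` name are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Minimum passphrase length (added example)
 * Description: Reject short passwords wherever WordPress lets a user set one.
 */

// Assumption: the site owner has chosen 16 characters as the floor.
const EXAMPLE_MIN_PASSPHRASE_LENGTH = 16;

/**
 * Return null when the candidate is acceptable, otherwise a message for the user.
 * Kept free of WordPress calls so the rule can be reasoned about on its own.
 */
function example_passphrase_problem( $candidate ) {
    // mb_strlen counts characters rather than bytes, so non-ASCII passphrases
    // are not penalised for being multibyte.
    if ( mb_strlen( $candidate ) < EXAMPLE_MIN_PASSPHRASE_LENGTH ) {
        return sprintf(
            'Passwords must be at least %d characters; a line of a poem or song works well.',
            EXAMPLE_MIN_PASSPHRASE_LENGTH
        );
    }
    // Assumed extra rule: a single run of letters is a dictionary word, however long.
    if ( preg_match( '/^[a-z]+$/i', $candidate ) ) {
        return 'A single word is not a good password. Use several words or a random string.';
    }
    return null;
}

/**
 * Shared handler for both forms. $errors is the WP_Error WordPress will show;
 * adding an entry to it blocks the change.
 */
function example_check_posted_passphrase( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change in this request (e.g. the form is only being displayed).
    }
    $problem = example_passphrase_problem( wp_unslash( $_POST['pass1'] ) );
    if ( null !== $problem ) {
        $errors->add( 'weak_passphrase', $problem );
    }
}

add_action( 'user_profile_update_errors', 'example_check_posted_passphrase' );
add_action( 'validate_password_reset', 'example_check_posted_passphrase' );
```

Both hooks receive the same `WP_Error` object WordPress later renders, so the user sees the message inline and the old password stays in place until an acceptable one is supplied.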

What if something goes wrong?

Always keep a current backup of your website – I recommend using a plugin like UpdraftPlus and backing up to an external location such as Google Drive. The backup may be needed either to restore the site or to find the infected code.

If your website is compromised you need to:

  1. get access to the site – this may mean resetting an administrator’s password
  2. find the infected code
  3. clean the infected code
  4. remove any changes made – for example, changes to your posts or additional backdoor scripts

This can be quite a complicated process. Fortunately Wordfence offer a WordPress site cleaning service if you want experienced professionals to do it.
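Step 2, finding the infected code, is where the external backup earns its keep: a copy taken before the compromise tells you which files changed. The script below is an added example, not part of the article or of any Wordfence or UpdraftPlus tooling. It hashes every file under the live web root and under an extracted backup, reports files that are new, changed or missing, and separately lists any PHP file under wp-content/uploads, a directory that should only ever hold media. The paths in the usage line and the `example_` function names are assumptions.

```php
<?php
/**
 * wp-triage.php (added example): compare a live WordPress tree with a backup.
 *
 * Usage:  php wp-triage.php /var/www/html /path/to/extracted-backup
 *
 * "added" files may be legitimate uploads made after the backup was taken,
 * so treat the report as a worklist for review, not a verdict.
 */

/** Map of relative path => sha256 for every regular file under $root. */
function example_hash_tree( string $root ): array {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $relative            = substr( $file->getPathname(), strlen( $root ) + 1 );
        $hashes[ $relative ] = hash_file( 'sha256', $file->getPathname() );
    }
    return $hashes;
}

/** Split the two trees into added, changed and missing relative paths. */
function example_compare_trees( array $live, array $backup ): array {
    $changed = array();
    foreach ( array_intersect_key( $live, $backup ) as $path => $hash ) {
        if ( $hash !== $backup[ $path ] ) {
            $changed[] = $path;
        }
    }
    return array(
        'added'   => array_keys( array_diff_key( $live, $backup ) ),
        'changed' => $changed,
        'missing' => array_keys( array_diff_key( $backup, $live ) ),
    );
}

/** PHP files under the uploads directory, which should contain media only. */
function example_php_in_uploads( array $live ): array {
    return array_values( array_filter( array_keys( $live ), function ( $path ) {
        return 0 === strpos( $path, 'wp-content/uploads/' )
            && preg_match( '/\.(php|phtml|php[0-9])$/i', $path );
    } ) );
}

if ( PHP_SAPI === 'cli' ) {
    if ( $argc !== 3 ) {
        fwrite( STDERR, "usage: php wp-triage.php <live-root> <backup-root>\n" );
        exit( 2 );
    }
    $live   = example_hash_tree( $argv[1] );
    $backup = example_hash_tree( $argv[2] );
    $report = example_compare_trees( $live, $backup );
    $report['php_in_uploads'] = example_php_in_uploads( $live );

    foreach ( $report as $kind => $paths ) {
        printf( "%s (%d)\n", $kind, count( $paths ) );
        foreach ( $paths as $path ) {
            echo "  $path\n";
        }
    }
}
```

Run it from a clean machine against a copy of the live files rather than on the compromised host itself, since the attacker may have altered the PHP interpreter or the files you would read. For the core files alone, WP-CLI's `wp core verify-checksums` does the same comparison against the official release checksums without needing a backup at all.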