Readers of my blog know that I am very passionate about developing WordPress websites. I live and breathe WordPress. I am always looking for creative ways to design and develop WordPress websites for business owners. One question that normally gets asked is: “Is WordPress secure?”
Core WordPress software
The core WordPress software released by Automattic undergoes a security check. The core software includes the WordPress program. Themes include the year-named (Twenty Seventeen, Twenty Sixteen), specialized (Storefront), and several child themes (Deli, Boutique). Plugins include Jetpack, Akismet, VaultPress, and Polldaddy. The WordPress Security Team checks the Automattic-created core software, themes, and plugins before releasing them to the public. If your website runs on the newest Automattic-released software, you can rest assured that you have the latest security updates. Additionally, if your website runs on the WordPress.com servers, Automattic provides regular security updates and strictly controls which themes and plugins a website owner can install.
However, most self-hosted WordPress websites use a variety of core software, themes, and plugins. The WordPress Security team cannot check every plugin and theme released by third-party developers. Although most third-party themes and plugins follow an Automattic-approved process, these additions are not security checked. Most theme and plugin developers will work with Automattic to fix security holes. Automattic cannot remove themes and plugins listed on third-party websites.
Choose the right web host
Select your web hosting provider carefully. Some providers put hundreds of websites on a single server (shared hosting). Some install an outdated version of WordPress through their one-click installation process. Once a hacker finds a vulnerability on one website, they can target the others on the same hosting server. Automattic recommends three website hosting companies (Bluehost, Dreamhost, and SiteGround). I use Dreamhost Virtual Private Servers for all my WordPress websites. Dreamhost automatically monitors and updates WordPress installations (typically within hours of Automattic releasing a new version).
Follow the Least Privilege Principle
As your company and website grow, more people will need access to the backend of your WordPress installation (page editors, post writers, website subscribers, etc.). Give these people the least privileges required to do their job, and remove those privileges once their work is completed. Understand the different roles available and grant only the minimum required.
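The following must-use plugin is an added example to illustrate the point above; it is not code from the original post or from WordPress itself. It registers a narrowly scoped "Post Writer" role built from a minimal capability list, gives you a helper that lists every account able to change site-wide settings so you can review them, and a helper that demotes an account once its work is done. The role name, the capability set, and the helper names are assumptions chosen for the example; adjust them to the work the person actually needs to do.

```php
<?php
/**
 * Plugin Name: Least-Privilege Roles (added example, not from the original post)
 *
 * Place this file in wp-content/mu-plugins/ so WordPress loads it automatically.
 * Role name and capability list are assumptions made for this example.
 */

// Register the role once. Roles persist in the database, so the guard keeps
// this idempotent across requests.
add_action( 'init', function () {
    if ( get_role( 'post_writer' ) ) {
        return;
    }
    add_role( 'post_writer', 'Post Writer', array(
        'read'         => true, // view the dashboard
        'edit_posts'   => true, // write and edit their own posts
        'delete_posts' => true, // delete their own unpublished posts
        'upload_files' => true, // attach images to posts
        // Deliberately absent: publish_posts, edit_others_posts, manage_options,
        // install_plugins, edit_themes, edit_users. An editor still has to
        // publish the work, which is the review step least privilege buys you.
    ) );
} );

/**
 * Return the login names of every user who can change site-wide settings.
 * Review this list regularly and demote accounts that no longer need it.
 *
 * @return string[] user_login values
 */
function lp_example_list_option_managers() {
    $found = array();
    foreach ( get_users() as $user ) {
        if ( user_can( $user, 'manage_options' ) ) {
            $found[] = $user->user_login;
        }
    }
    return $found;
}

/**
 * Demote a user to a given role, for example once their project is finished.
 *
 * @param string $user_login Login name of the account to demote.
 * @param string $new_role   Role to assign; defaults to the least-privileged built-in role.
 * @return bool False if the user or the target role does not exist.
 */
function lp_example_demote_user( $user_login, $new_role = 'subscriber' ) {
    $user = get_user_by( 'login', $user_login );
    if ( ! $user || ! get_role( $new_role ) ) {
        return false;
    }
    $user->set_role( $new_role ); // replaces every existing role with $new_role
    return true;
}
```

Capabilities are additive, so starting from an empty list and adding only what is needed is safer than cloning the Editor role and trying to remove what is not. `set_role()` replaces all of a user's roles rather than stacking a new one, which is what you want when winding down access.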
Defence in Depth
Website security is not a single process. Ensure that your website uses several complementary defence solutions. Add a firewall to your website. Use a security scanner (e.g. Sucuri) to check, monitor, and harden your website. Make regular backups and test them; it is too late to discover that a backup cannot be restored when you already have a problem. Keep your software up-to-date (core, themes, and plugins). Only install add-ons from trusted sources. Enforce strong passwords for all users. Install two-factor authentication.
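As an added example of the "enforce strong passwords for all users" layer (not code from the original post or from WordPress), the following must-use plugin rejects weak passwords at the two places WordPress lets a user choose one: the profile editor and the password-reset form. The length threshold, the character-class rules, the short denylist, and the function names are assumptions made for the example; the hook names and the `pass1` form field are what WordPress core uses.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example, not from the original post)
 *
 * Place this file in wp-content/mu-plugins/. It only covers password quality;
 * pair it with a login rate limiter and a two-factor plugin for the other layers.
 * Thresholds and the denylist below are assumptions chosen for the example.
 */

/**
 * Check a candidate password against the policy.
 *
 * @param string $password Candidate password.
 * @param string $login    The user's login name (rejected as a substring).
 * @return string[] Human-readable reasons the password fails; empty if it passes.
 */
function pp_example_password_problems( $password, $login = '' ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'Password must be at least 12 characters long.';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'Password must contain both upper- and lower-case letters.';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'Password must contain a digit.';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'Password must contain a symbol.';
    }
    // Constructed denylist for illustration; a real deployment would check
    // against a breached-password list instead.
    foreach ( array( 'password', 'wordpress', 'admin', 'qwerty' ) as $bad ) {
        if ( false !== stripos( $password, $bad ) ) {
            $problems[] = 'Password must not contain common words such as "' . $bad . '".';
            break;
        }
    }
    if ( '' !== $login && false !== stripos( $password, $login ) ) {
        $problems[] = 'Password must not contain your login name.';
    }
    return $problems;
}

/**
 * Attach policy failures to the WP_Error object WordPress shows the user.
 * Both forms post the chosen password as "pass1"; an empty value means the
 * request does not change the password, so there is nothing to check.
 *
 * @param WP_Error $errors Error collector passed by WordPress.
 * @param string   $login  Login name of the affected user, if known.
 */
function pp_example_enforce( $errors, $login = '' ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $candidate = wp_unslash( $_POST['pass1'] );
    foreach ( pp_example_password_problems( $candidate, $login ) as $i => $msg ) {
        $errors->add( 'pp_weak_password_' . $i, $msg );
    }
}

// Profile screen: hook signature is ( WP_Error $errors, bool $update, stdClass $user ).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    pp_example_enforce( $errors, isset( $user->user_login ) ? $user->user_login : '' );
}, 10, 3 );

// Password-reset form: hook signature is ( WP_Error $errors, WP_User|WP_Error $user ).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    pp_example_enforce( $errors, ( $user instanceof WP_User ) ? $user->user_login : '' );
}, 10, 2 );
```

Because the checks run server-side on the `WP_Error` object that WordPress already consults before saving, a user cannot bypass them by disabling the browser-side strength meter. The reset hook fires before `reset_password()` is called, so a rejected password is never stored.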
So, is WordPress secure? Well, yes and no. WordPress security is not a do-it-and-forget-it type of process. It is a continuous process, because hackers discover new vulnerabilities on a regular basis. As Automattic states, security is about “risk reduction, not risk elimination”.
Is your WordPress secure?