WordPress security – everyone is talking about it, but why?

In 2018, 90% of all hacked CMS websites were WordPress sites [1]. You could argue that WordPress is bound to top the list simply because it runs more websites than any other CMS, but its roughly 60% share of the CMS market is too low to explain a 90% share of the hacks on its own; there must be other reasons. The trend is also getting worse: WordPress's share of hacked sites was 74% in 2016 and 83% in 2017.

According to Sucuri, which carried out the research, WordPress administrators are better than most at installing core updates; sites on other CMSs are much more likely to be running an out-of-date core. The main reason WordPress gets hacked more often is therefore not the core but vulnerabilities in plugins and themes.

You can search for “WordPress security” and find pages of “we fix hacked websites” links as well as tips on cleaning up and generic good practice. Here we take a deeper look at the more likely causes of a WordPress hack and how to protect against them.

What are the risks?

First, what do hackers do after hacking a WordPress site?

  • Inject a backdoor (eg a rogue PHP file planted among the system files) that keeps the attacker's access after the original hole is fixed and can be used to attack other sites on the same server
  • Run a "pharma hack", injecting spam content and links (typically for pharmaceuticals) that can get the site blocked or blacklisted by search engines
  • Redirect visitors to malicious websites
  • Use cross-site scripting to steal session cookies or other session data from end users

Choose WordPress plugins wisely

In the middle of development, with a deadline to meet, it’s easy to pick a plugin without investigating it. It looks as though it will do the job exactly, and you might find a freebie version. Once it’s in, development can move on and it becomes part of the website, forgotten almost.

Choose a plugin from the WordPress repo, or download it directly from the developer's website. Look for plugins that have been updated recently: a recent "Last updated" date and a "Tested up to" value matching the current core release indicate not only that security fixes are being shipped but that bugs are fixed and compatibility with the latest WordPress core is maintained. Also check ratings and the number of active installations, look at whether the developer answers support-forum questions, and, after downloading, scan the plugin for malware (a virus scan catches known droppers but not a logic flaw, so it complements rather than replaces the other checks).

You can find premium plugins and themes on secondary sites (ie not the original developer) that have been modified so as not to require a license key, often called "nulled" plugins. Don't be tempted to use them. They may contain malware; they won't receive updates for security fixes, bug fixes or core compatibility; and, ultimately, it's stealing, depriving the developer of revenue.

Use the latest versions of everything, not just the core

The WordPress security team (about 50 people) is constantly addressing vulnerabilities. It's essential to apply the core updates they deliver (minor core releases install automatically by default, so don't switch that off), but plugins and themes must be kept up to date just as diligently, since that is where most of the vulnerabilities are.

Regularly check security sites for guidance and newly disclosed vulnerabilities in the plugins and themes you run; this is a must-do for e-commerce websites. Four resources worth checking are:

  • WP Security Bloggers [2]
  • WPScan vulnerability database [3] – which includes sections for plugins and themes
  • Threatpress [4]
  • WordPress official security archive [5]
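The two checks described above (is a plugin maintained and tested against the current core, and does a vulnerability feed list a fix the site has not applied yet) can be automated against a plugin inventory. The following is an added example written for this article, not code from the article, from WordPress or from WPScan. It assumes plugin header blocks in the standard format WordPress reads from a plugin's main PHP file, and a feed of records with `slug`, `title` and `fixed_in` fields in the general shape of a WPScan-style export; the plugin slugs, versions and advisories are constructed for illustration and are not real vulnerabilities.

```python
"""Audit a WordPress plugin inventory against a vulnerability feed.

Added example for the article; not code from WordPress or WPScan.
All inputs below are constructed inline so the script runs offline.
"""
import re
from typing import Dict, List, Tuple

# Constructed plugin main files: the header comment block that WordPress
# itself parses. Slugs, names and versions are hypothetical.
SAMPLE_PLUGINS: Dict[str, str] = {
    "contact-widget": """<?php
/*
Plugin Name: Contact Widget
Version: 1.4.2
Requires at least: 4.9
Tested up to: 5.2
*/
""",
    "gallery-lite": """<?php
/**
 * Plugin Name: Gallery Lite
 * Version: 3.0.1
 * Tested up to: 6.4
 */
""",
    "old-seo-tools": """<?php
/*
Plugin Name: Old SEO Tools
Version: 0.9
*/
""",
}

# Constructed vulnerability feed (hypothetical advisories, not real ones).
# fixed_in None means no fixed release exists: the plugin should be removed.
SAMPLE_FEED: List[dict] = [
    {"slug": "contact-widget", "title": "Unauthenticated SQLi (hypothetical)", "fixed_in": "1.4.3"},
    {"slug": "gallery-lite", "title": "Stored XSS (hypothetical)", "fixed_in": "3.0.0"},
    {"slug": "old-seo-tools", "title": "Arbitrary file upload (hypothetical)", "fixed_in": None},
]

# Matches "Version: 1.2" or " * Version: 1.2" style header lines.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Version|Tested up to|Requires at least):\s*(.+?)\s*$", re.M
)


def parse_headers(php_source: str) -> Dict[str, str]:
    """Extract the standard header fields from a plugin's main file."""
    head = php_source[:8192]  # WordPress only reads the start of the file
    return {key: value for key, value in HEADER_RE.findall(head)}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); a suffix such as '-beta' is ignored."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_below(installed: str, fixed_in: str) -> bool:
    """True if the installed version is older than the fixed release."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    n = max(len(a), len(b))  # pad so that 1.4 compares equal to 1.4.0
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit(plugins: Dict[str, str], feed: List[dict], core_version: str) -> Dict[str, List[str]]:
    """Return slug -> list of findings; an empty list means nothing was flagged."""
    by_slug: Dict[str, List[dict]] = {}
    for record in feed:
        by_slug.setdefault(record["slug"], []).append(record)
    core_major_minor = version_tuple(core_version)[:2]

    findings: Dict[str, List[str]] = {}
    for slug, source in plugins.items():
        headers = parse_headers(source)
        issues: List[str] = []
        installed = headers.get("Version")
        if installed is None:
            issues.append("no Version header; cannot match against feed")
        # Vulnerability check: unfixed advisory, or installed < fixed_in.
        for record in by_slug.get(slug, []):
            if record["fixed_in"] is None:
                issues.append(f"{record['title']}: no fixed release, remove plugin")
            elif installed is not None and is_below(installed, record["fixed_in"]):
                issues.append(f"{record['title']}: update to {record['fixed_in']} (installed {installed})")
        # Maintenance check: is the plugin tested against the running core line?
        tested = headers.get("Tested up to")
        if tested is None:
            issues.append("no 'Tested up to' header; likely unmaintained")
        elif version_tuple(tested)[:2] < core_major_minor:
            issues.append(f"tested only up to {tested}; core is {core_version}, likely unmaintained")
        findings[slug] = issues
    return findings


if __name__ == "__main__":
    for slug, issues in audit(SAMPLE_PLUGINS, SAMPLE_FEED, "6.4.3").items():
        print(slug, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

On a real site the inventory would come from `wp plugin list --format=json` (WP-CLI) rather than from strings embedded in the script, and the feed from a vulnerability database export such as the WPScan one listed above; the matching logic stays the same. The comparison deliberately tolerates a plugin that is on the same major.minor core line, and flags only plugins tested against an older line, because a missing or stale "Tested up to" value is the simplest signal that nobody is maintaining the plugin.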

Was WordPress the right choice?

WordPress is still an excellent choice as a CMS. With such a high share of the market, its future is assured. However, that same popularity makes it a target for hackers, so it's essential to protect against threats. Follow general good practice for securing the site, but give special care to choosing and updating plugins and themes, because that is where most WordPress hacks start.


[1] https://www.zdnet.com/article/wordpress-accounted-for-90-percent-of-all-hacked-cms-sites-in-2018/

[2] https://www.wpsecuritybloggers.com/blog/

[3] https://wpvulndb.com/

[4] https://db.threatpress.com/

[5] https://wordpress.org/news/category/security/