Despite being the most popular content management system in the world, myths about the security of the WordPress platform continue to circulate. Due to its open-source nature, inexperienced users might view it as less secure than a commercial product. Plus, they may be unnerved by reports of WordPress security problems in the news.
Myth #1: Security is the Job of Your Hosting Provider
As a beginner or first-time website owner, you might think that keeping your website secure is the domain of the people you pay to keep it online. And that is true in a way; your web hosting provider is indeed the first line of defense. It’s their job to make sure your web server isn’t easy to get into and to protect the physical entity that your site resides on. If they don’t, they are simply a bad host.
Website Security is Mainly Your Responsibility
However, aside from that, how involved your hosting provider is with the security of your WordPress website really depends on your plan. On a shared host, VPS host, or even a dedicated server, you basically only rent the server space. What you do with it is up to you.
That means, the hosting provider does not assist you in any way in keeping your WordPress website safe. That’s your job.
Sure, some providers will offer additional security features like a firewall or CDN. They will also monitor their servers for malware, viruses, etc., and take action if they detect something on your site. However, oftentimes that also means they disable your site and ask you to fix it. Not an ideal solution, especially if you are a beginner.
Managed Hosting Can Help
If you want your hosting provider to take a more active role in the safety of your WordPress website, you have to go with managed hosting. It’s called that because, besides providing server space, a managed hosting provider also takes over some of the day-to-day tasks that come with running a website. Security is one of them as is speed optimization, site updates, and expert support.
Of course, this kind of service costs extra, however, it’s often worth it depending on your confidence in your own skill level to secure your site. It can provide a lot of peace of mind.
However, overall let’s dispel this WordPress security myth once and for all: Unless it’s part of the service you booked, your hosting provider is not responsible for the safety of your website and to keep it from being breached and hacked. That responsibility is yours.
Myth #2: WordPress Itself Is a Security Risk
Now, you might be thinking, “Ok, if the hosting provider doesn’t do this for me, isn’t it risky to rely on a free piece of software? How good can something be that a bunch of volunteers make in their free time? Plus, I see these Wix people tell me on TV that WordPress isn’t safe, too.”
Alright, let’s tackle this one next.
The first thing you have to understand is that nothing connected to the Internet is completely safe. Thousands of websites get hacked every day, from the biggest to the smallest. It’s like life, in the end, there are just different levels of insecurity and making sure you make it as unlikely for something bad to happen as possible.
WordPress Has Extensive Safety Measures
Here, WordPress is not doing worse than others. In fact, over the years, the platform has implemented a robust system for discovering and addressing security concerns in the core product.
There is a dedicated security team made up of about 50 experts, including lead developers, security researchers, and other web security professionals. Many of them work for WordPress.com, a company that has a vested interest in fail-safing the software their entire business is based on.
Plus, the team consults with safety teams from other hosting companies and even content management systems.
Their role is to actively monitor WordPress for vulnerabilities and quickly respond to anything that crops up. If anything reported is severe enough, they have the possibility to create and ship an immediate patch. This will automatically install on any WordPress website higher than version 3.7 unless you specifically turn this feature off.
Besides that, WordPress generally sees frequent updates, about two to three new major versions per year with minor, maintenance, and security updates in between. Each comes with fixes for potential security issues and an extensive testing process.
Its Community Is Its Main Asset
In addition to the above, you might have a wrong image of what this “group of volunteers” really looks like. Many of them are employees of million-dollar companies using WordPress for their business. Plus, all of them have skin in the game to keep the software they base their livelihoods on secure.
In general, WordPress’ open-source nature is part of its strength. The source code is freely available, open for anyone to inspect as well as find and report security loopholes. And a lot of people do. I mean, just look at the number of contributors for WordPress 6.3.
Finally, there are many specialized hosting providers and security plugins to further improve the safety of WordPress websites. Not to mention, the thousands of blog posts and tutorials out there that help users implement security measures as well.
So, what do we say to this WordPress security myth? It’s not true. The systems in place to ensure the safety and impregnability of WordPress’ core product is equal to or exceeds that of commercial entities.
Myth# 3: WordPress is the Most Hacked Platform
Something that might contribute to your unease about using WordPress are statistics that say that it is the most hacked CMS out there. And it’s true, the platform has been in the news with some high-profile security issues in the past. I mean, just look at this graph, doesn’t it make you skeptical of using WordPress for anything serious ever?
Consider the Size of WordPress
At this point, we have to refer back to one of the first things we said in the introduction. WordPress is the most popular content management system out there.
Just how popular is it?
According to W3techs, it powers more than 43% of all websites on the Internet.
In absolute numbers, that is over 470 million sites. That’s a lot of websites. Plus, as you can see from the graph above, no other system comes even close to these stats.
So, why is WordPress the most hacked platform? Because there are a lot more WordPress websites to hack.
Think about it, if you were someone who breaks into other people’s websites for a living, which system would you target? The one with an endless supply of potential victims, and more chances that someone is leaving a side door open, or the one where targets are far and between? You probably know the answer.
WordPress Core Is Not the Problem
Finally, if you dive deeper into the statistics, you quickly find out that only a very small percentage of successful WordPress hacks happen due to WordPress itself. And even in those cases, oftentimes because the website is running an outdated version.
The vast share of vulnerabilities come through WordPress extensions, in particular plugins.
So, yes, WordPress is indeed the most breached platform, that much of this security myth is true. However, the reason behind it is much more nuanced.
Myth #4: Then WordPress Plugins Aren’t Secure
A keen observer (which you surely are) might have noticed that we just threw our own entire argument under the bus up there. Apparently, we admitted that WordPress plugins are a huge security problem.
Since they are a central part of WordPress ecosystem and experience (because everyone uses them to add more features to websites) that must mean you have no choice but to build insecure websites with WordPress.
Oh no, busted!
The Problem With Plugins
Naturally, here, too, you have to be more nuanced.
Yes, obviously there is an issue with WordPress plugins. They are a common entry point into websites.
However, to put that into perspective, you first have to look at the sheer number of plugins that exist. The WordPress repository alone has around 60,000. Plus, there are many more available from other shops around the web.
However, what is an asset of the WordPress ecosystem can also be a liability. The authors of these plugins have different skill levels and not all plugins are actively maintained and updated. Therefore, they can have different levels of code quality and security.
The WordPress community is aware of that and does its best to respond to this issue. There have been cases where plugins with known problems have been eliminated from the plugin directory. In addition, we have people working on a plugin checker similar to the Theme check plugin to increase the overall quality of WordPress plugins.
So, the first rule to push back on this security risk is to make sure you use plugins that a) come from reputable sources and b) receive active support and maintenance.
It’s Not Just About the Plugins, It’s About How You Use Them
However, the plugins themselves are just one part of the equation. In many cases, the problem is just as much about the way people use them on their sites. In the same report as mentioned above, it also says that 36% of hacked sites had an outdated plugin on them.
So, just like with WordPress core, it’s not necessarily the software that’s the problem, because security issues are indeed getting fixed, it’s that users don’t apply those fixes.
In addition, there is often a problem with the number of plugins. As is obvious from the above, extensions do carry some risk with them. Therefore, the more of them you have, the more potential side doors you introduce to your site.
The solution: only install as many plugins as you need to get the job done. If you are not actively using a plugin, delete it. Don’t let it linger on your website where it does nothing but get old and potentially offer a security risk.
Myth #5: Your Site is Not a Target, Nobody Cares About It
This one is a classic among the website security myths, even outside of WordPress. Many people, especially those who run hobby or small websites, don’t think they offer a profitable enough target for a hacker to take interest in attacking it. I mean, if you are only posting pictures of your pet hamster, what could someone possibly get out of breaching your website?
Hacking Isn’t Personal
There are two things you have to understand here. For one, website hacking is nothing like what you see in the movies. There isn’t a person in a hoodie sitting in front of a laptop who handpicks your site and then spends their time manually looking for ways into it.
No, the very vast majority of attacks happen automatically. There is an army of automated bots that constantly scan the web for known vulnerabilities in websites and, if they find one, take advantage of it. Most of the time you are simply a victim of opportunity.
Taking Over Your Site Isn’t Really the Goal
Secondly, hacking a website often isn’t about stealing financial data or other sensitive information. In most cases, hackers are simply trying to take over parts of your site in order to use it for their own gain:
- Recruit it as part of a botnet in order to use it in things like DDoS attacks
- Send spam from your mail server
- Spread malware to the computers of your visitors
- Post links to scammy websites on your site
Some people also simply do it to deface your site and prove their skills.
So, keep that in mind. This isn’t about you. It’s simply about being a target that can be exploited and you should do your best to avoid that.
Myth #6: Using Strong Passwords Will Keep Your Site Safe
Using secure login information is definitely a part of WordPress security, that much is not a myth. There are many ways in which weak passwords and usernames can come back to bite you:
- Brute force attacks – Means a program is randomly trying out different username and password combinations until something works out.
- Credential stuffing – This is similar to brute force attacks, however, more targeted. In this case, a hacker uses credentials that have already been compromised, e.g. revealed in another cyberattack. This attack is based on the fact that many people reuse their usernames and passwords.
If you don’t believe this can be so bad, here’s an infographic that shows you how fast on average hackers can crack your password based on its complexity.
So, strong passwords do help protect your site. Then why does this point appear in a list of WordPress security myths?
Because strong passwords alone won’t do it. Website security is a puzzle of which they are just one piece. If you neglect the rest, you are still leaving important avenues open for attackers to breach your website.
In addition, passwords are just the beginning. To really lock down your login page, you’d be best advised to limit login attempts, use multi-factor authentication, and consider a firewall. Plus, strong credentials not only matter on the site itself but also for everything related to it, like your hosting and FTP accounts.
Myth #7: Simply Install A Security Plugin, Job Done
A lot of beginners, who don’t know much about WordPress security, rely on plugins to keep their site safe. And WordPress security plugins like WordFence, MalCare, or Sucuri are a godsend for that. They are so helpful in assisting inexperienced users to harden their site against attackers with just a few clicks.
However, again, this is not a surefire way to keep your site safe. The area of influence for these plugins has its limits, they can really only lock down the site itself but have no power over its larger environment.
If your site resides on an unsecured server or your hosting account gets breached through a weak password, your security plugin will be powerless to defend your site against it. So, again, WordPress security plugins themselves are not a myth, it’s just that they can’t do the job on their own.
Final Myth: WordPress Security Is Complicated
The notion that keeping your WordPress website safe is difficult is another myth that is keeping people from starting their own. While this is an important topic, it’s not rocket science either. In the end, the majority of website security comes down to following a few best practices:
- Use a proper hosting provider, go for managed hosting if you want assistance with security
- Keep WordPress and all plugins and themes updated
- Have only the bare minimum of extensions on your site, disable and delete what you are not actively using, and ensure that what you have on site is well-maintained
- Make sure your login credentials are strong and keep them safe, improve security by limiting login attempts and through multi-factor authentication
- Regularly back up your website in order to be able to roll back to an earlier version
- Use WordPress security plugins for assistance but also consider the parts they don’t have control over
With these in place, the likelihood of anything happening to your site should be greatly reduced, even if it can never be zero.
What WordPress security myth do you regularly hear about or did you use to subscribe to? Let us know in the comments!