
WordPress security vulnerabilities - What you need to know

February 13, 2023

WordPress is the most popular platform for building a website — the absolute undisputed champ. Almost 40% of all websites on the entire Internet are built using WordPress. And unfortunately, this level of popularity has another, less cheerful side of the coin.

It makes WordPress the most attractive target for all kinds of hackers and malicious actors around the world. So, you’re right to wonder: is WordPress secure enough to fend off most of these attacks?

First, we'll start with the bad news — hundreds of thousands of websites powered by WordPress get hacked each year, and eCommerce sites have become particularly juicy targets.

That's a bit grim, right? No need to despair because there's a significant bright side here: most of the vulnerabilities that hackers exploit to gain access to websites aren't WordPress' fault.

In other words, WordPress websites do get hacked — but:

1) By the law of large numbers, some WordPress websites are bound to get hacked simply because there are so many of them;

2) Most of the hacks happen due to issues that WordPress users could have prevented entirely, such as weak passwords and outdated software.

As a result, the question of whether WordPress is secure in 2022 isn’t as simple to answer as it might seem. Don’t worry, though — we’ll tackle the issue in-depth right here.

How WordPress Attacks Happen

Okay, so considering all of the above — why do most WordPress attacks happen? Is there some sort of global WordPress issue, or do the problems stem from lackluster work by web admins?

Let’s take a look at the cold hard data on why attacks happen.

Out-of-Date WordPress Software

According to some industry reports, around 39% of all successfully hacked WordPress websites were running older, outdated WordPress core software when the incident happened.

The correlation between running outdated WordPress software and getting hacked is so strong that it clearly points to causation. Still, we have to point out that this is one area where website owners, managers, and webmasters have been improving over the past couple of years. Back in 2016, a stunning 61% of all hacks happened for the same reason.

Now, before we move any further, it’s worth pointing out that there are three basic types of vulnerabilities a WordPress website can exhibit:

● Vulnerabilities in WordPress itself;

● Vulnerabilities in WordPress plugins;

● Vulnerabilities in WordPress themes.

And 75% of all known vulnerabilities are in the first category — core WordPress software. But most of them get fixed pretty quickly. In fact, the releases that contain most of them are the long-outdated WordPress 3.X versions.

The problem lies in the fact that only 47.3% of sites running WordPress are using the latest version. And all the rest are open to a bunch of vulnerabilities that hackers readily exploit.

Solution

Promptly apply any updates that WordPress releases. If you do so on a regular basis, it’s really unlikely that core vulnerabilities will lead to someone hacking your website.

Outdated Themes Or Plugins

The huge number of plugins and themes is one of the main draws of WordPress. As of now, there are almost 60,000 free plugins available in the WordPress repository — with countless other premium plugins scattered across the Internet.

All of them give you some kind of useful functionality or aesthetic that improves your website — but many people forget that each new extension is another potential entry point for attackers. And while the majority of WordPress developers try to follow coding standards and ship regular updates, there are still some issues.

Because the dev teams behind themes and plugins are a lot smaller than the one working on WordPress core, there's a much bigger chance that a vulnerability goes undetected. Also, there are countless situations where a developer stops updating an extension, but webmasters keep using it on their websites.

And finally, just like in the case above — people just don't always update plugins and themes even when the developer patches an issue.

If you’re wondering how widespread this problem is, the short answer is — substantially. A Wordfence survey shows that, among the website owners who got hacked and managed to trace the issue, 60% attributed their vulnerability to a theme or a plugin.

And in most of these cases, the developers of the plugins had long since provided the necessary security updates — the site owners simply didn’t update the plugins, leaving their website unprotected.

Solution

The issue and its solution are both pretty similar to the problem with core WordPress vulnerabilities. When it comes to plugins and themes, most vulnerabilities exploited by hackers exist because users haven’t updated their websites on time. So, the solution is not to repeat their mistake — and to only install plugins and themes from reliable, reputable sources.
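The two "Solution" sections above both come down to applying updates promptly. As an added example (not code from the article), the following must-use plugin keeps WordPress core on automatic updates and, once a day, logs and e-mails a list of every plugin, theme or core release that is still pending, so an outdated component cannot sit unnoticed. The file path, the hook name example_update_audit and the function names are assumptions; the WordPress functions and filters it calls are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Update Audit (added example, not part of the article)
 * Description: Keeps WordPress core on automatic updates and reports any
 *              plugin or theme that still has a pending update once a day.
 * Install as:  wp-content/mu-plugins/update-audit.php (assumed path)
 */

// Let WordPress apply core releases automatically, major ones included.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Schedule the daily audit through WP-Cron (the hook name is our own).
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_update_audit' ) ) {
        wp_schedule_event( time(), 'daily', 'example_update_audit' );
    }
} );
add_action( 'example_update_audit', 'example_update_audit' );

/**
 * Refresh the update data from WordPress.org and return one line per
 * component (core, plugin, theme) that is behind the latest version.
 */
function example_pending_updates() {
    require_once ABSPATH . 'wp-admin/includes/update.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Force fresh checks instead of relying on cached transients.
    wp_version_check( array(), true );
    wp_update_plugins();
    wp_update_themes();

    $pending = array();

    // Core: the first offer has response 'upgrade' when a newer version exists.
    $core = get_core_updates();
    if ( is_array( $core ) && isset( $core[0]->response ) && 'upgrade' === $core[0]->response ) {
        $pending[] = sprintf( 'core %s -> %s', get_bloginfo( 'version' ), $core[0]->current );
    }

    // Plugins: keyed by plugin file, each with an ->update object.
    foreach ( get_plugin_updates() as $file => $plugin ) {
        $pending[] = sprintf( 'plugin %s %s -> %s', $file, $plugin->Version, $plugin->update->new_version );
    }

    // Themes: keyed by stylesheet, each a WP_Theme with an ->update array.
    foreach ( get_theme_updates() as $stylesheet => $theme ) {
        $pending[] = sprintf( 'theme %s %s -> %s', $stylesheet, $theme->get( 'Version' ), $theme->update['new_version'] );
    }

    return $pending;
}

/**
 * Cron callback: write the list to the PHP error log and mail it to the
 * site administrator so it lands in front of a human.
 */
function example_update_audit() {
    $pending = example_pending_updates();
    if ( empty( $pending ) ) {
        return;
    }
    error_log( '[update-audit] pending: ' . implode( '; ', $pending ) );
    wp_mail(
        get_option( 'admin_email' ),
        'Pending WordPress updates',
        "Components with a pending update:\n" . implode( "\n", $pending )
    );
}
```

Drop the file into wp-content/mu-plugins so it is always active and cannot be disabled from the dashboard. The audit deliberately only reports plugin and theme updates rather than applying them; which of those should be applied automatically is a separate policy decision.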

Compromised Login Info

A noticeable percentage of successful hacks are the result of malicious hackers obtaining WordPress login credentials or the login info for web admins' FTP or hosting accounts.

Brute force attacks on passwords make up most of these — around 15% of all attacks happen due to these direct attacks on login credentials. However, insecure workstations, password theft, phishing, and similar weaknesses each make individually small appearances that add up to a noticeable chunk of all hacks.

And the problem with this is that no security patch can fix someone having the metaphorical key to your website's front door. So if a malicious actor gets ahold of your login information, no other defenses are likely to stop them.

WordPress devs try to mitigate this user issue by generating extremely secure passwords automatically. However, users still have to keep them protected — and WordPress doesn’t control your passwords for FTP and hosting.

Solution

All webmasters need to take elementary steps to secure their account credentials. For example, using strong passwords for all WordPress-related accounts can keep brute force attacks to a minimum, and limiting login attempts is also a good idea.

When it comes to hosting accounts, use a provider that offers security options like two-factor authentication. Also, don't store your FTP passwords in plain text. If you can choose between SFTP and FTP, always go with SFTP, and you'll have a more secure file transfer protocol — quite literally.
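The "limiting login attempts" advice above can be implemented directly with WordPress hooks. The following must-use plugin is an added example, not code from the article: it counts failed logins per (client IP, username) pair in a transient and rejects further attempts for that pair once a threshold is reached. The thresholds, file path and function names are assumptions; the hooks (wp_login_failed, authenticate, wp_login) and the transient API are standard WordPress.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not part of the article)
 * Install as:  wp-content/mu-plugins/login-attempt-limiter.php (assumed path)
 */

// Policy (assumed values): lock a (client IP, username) pair out after this
// many failures, for this long.
define( 'EXAMPLE_MAX_FAILURES', 5 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for the failure counter. Only REMOTE_ADDR is used: headers
 * such as X-Forwarded-For are supplied by the client and can be forged unless
 * a trusted reverse proxy is known to overwrite them.
 */
function example_failure_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

function example_failure_count( $username ) {
    return (int) get_transient( example_failure_key( $username ) );
}

// Count each failed attempt. The transient expires after the lockout window,
// so a client that stays quiet is forgiven automatically.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'example_too_many_attempts' === $error->get_error_code() ) {
        return; // Attempts rejected by the lockout itself do not extend it.
    }
    set_transient(
        example_failure_key( $username ),
        example_failure_count( $username ) + 1,
        EXAMPLE_LOCKOUT_SECONDS
    );
}, 10, 2 );

// Priority 30 runs after WordPress's own username/password check (priority 20).
// That ordering matters: a WP_Error returned earlier would be discarded by that
// check whenever the submitted password happens to be correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user;
    }
    if ( example_failure_count( $username ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'example_too_many_attempts',
            sprintf(
                'Too many failed login attempts. Try again in %d minutes.',
                EXAMPLE_LOCKOUT_SECONDS / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client/username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( example_failure_key( $user_login ) );
}, 10, 1 );
```

Keying on the IP and username together means one person's typos do not lock out everyone else behind the same office NAT; if the site also needs a ceiling on total failures per IP, add a second counter keyed on the address alone. Because the check sits on the authenticate filter, it covers wp-login.php and XML-RPC alike, both of which call wp_authenticate().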

Supply Chain Attacks

Remember when we said how important it was to only install plugins from reputable sources that you trust? So-called supply chain attacks are one of the newest reasons why.

Lately, hackers have been gaining backdoor access to websites by buying a previously reputable plugin whose development has since been discontinued, putting a backdoor into its code, and releasing it as an update.

Still, these attacks are pretty niche, and they’re by no means widespread. But it’s worth knowing just how diverse a palette WordPress attackers have for disrupting websites — you shouldn’t just go updating your website without even reading about an update.

That being said, most of these attacks aren't long-lived because the WordPress team is pretty great at spotting problematic plugins and removing them from their directory.

Solution

This problem isn’t as easily preventable — but the way to do it is to be careful when updating your plugins and themes. There are also security plugins that deal with this for you, and having a decent backup strategy is always the best way to ensure you don’t sustain any permanent damage even in the event of an attack.
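One way to be "careful when updating" without giving up automation, shown here as an added example rather than code from the article: hold each newly offered plugin or theme release for a few days before WordPress applies it automatically, so that a backdoored release has time to be spotted and pulled from the directory (as the section above notes the WordPress team does), while an explicit list of trusted plugins still updates immediately. The hold period, the option name example_update_first_seen, the plugin list and the file path are assumptions; auto_update_plugin and auto_update_theme are real WordPress filters.

```php
<?php
/**
 * Plugin Name: Cautious Auto-Updates (added example, not part of the article)
 * Install as:  wp-content/mu-plugins/cautious-auto-updates.php (assumed path)
 */

// Plugins trusted enough to update the moment a release appears (assumed entry;
// use the plugin file path as shown in the update object, e.g. "slug/slug.php").
const EXAMPLE_TRUSTED_PLUGINS = array( 'example-security-plugin/example-security-plugin.php' );

// Everything else waits this long after a release is first offered (assumed).
define( 'EXAMPLE_HOLD_SECONDS', 3 * DAY_IN_SECONDS );

/**
 * Record when a (component, version) pair was first offered and approve it
 * only once the hold period has passed. State is kept in a non-autoloaded option.
 */
function example_release_is_old_enough( $component, $version ) {
    $seen = get_option( 'example_update_first_seen', array() );
    $key  = $component . '@' . $version;
    if ( ! isset( $seen[ $key ] ) ) {
        $seen[ $key ] = time();
        update_option( 'example_update_first_seen', $seen, false );
        error_log( '[cautious-updates] holding ' . $key . ' until '
            . gmdate( 'c', $seen[ $key ] + EXAMPLE_HOLD_SECONDS ) );
        return false;
    }
    return ( time() - $seen[ $key ] ) >= EXAMPLE_HOLD_SECONDS;
}

/**
 * $item is the update object WordPress hands to the filter: ->plugin is the
 * plugin file and ->new_version the offered version. Returning false here
 * overrides the per-plugin "Enable auto-updates" choice in the dashboard.
 */
function example_should_auto_update_plugin( $update, $item ) {
    if ( ! isset( $item->plugin, $item->new_version ) ) {
        return $update; // Unknown shape: leave WordPress's decision alone.
    }
    if ( in_array( $item->plugin, EXAMPLE_TRUSTED_PLUGINS, true ) ) {
        return true;
    }
    return example_release_is_old_enough( 'plugin:' . $item->plugin, $item->new_version );
}

// For themes the object carries ->theme (the stylesheet) instead of ->plugin.
function example_should_auto_update_theme( $update, $item ) {
    if ( ! isset( $item->theme, $item->new_version ) ) {
        return $update;
    }
    return example_release_is_old_enough( 'theme:' . $item->theme, $item->new_version );
}

add_filter( 'auto_update_plugin', 'example_should_auto_update_plugin', 10, 2 );
add_filter( 'auto_update_theme', 'example_should_auto_update_theme', 10, 2 );
```

The trade-off is explicit: a held release is also a delayed security fix, which is why the trusted list exists and why the hold is kept to days rather than weeks. Manual updates from the dashboard are unaffected, so a release you have read about and want right away can still be applied by hand, and a tested backup should exist before either path runs.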

Wrapping Up

As you can see, there are plenty of WordPress security vulnerabilities. However, most of them are completely preventable — as long as you're diligent about regularly updating your WordPress software and installing plugins and themes only from trustworthy sources.

Not all security vulnerabilities are technical, however. Many "hacks" aren't done with code, but through social engineering aimed at users' login credentials — so be on guard for phishing and other forms of password-related fraud if you want to keep your website secure.