In general, vanilla WordPress is actually secure and is highly unlikely to be hacked if you followed basic safety guidelines such as choosing a strong administrator password. The security issues with WordPress are mostly in the plugins written by third-party developers, which vary wildly in quality, from absolutely horrendous code to very well maintained and safely written code.
In general, WordPress is as secure as you make it, as you cannot rely on old faithful, security through obscurity. WordPress is one of, if not the, most popular ways today to build a website, ranging from a simple and lowly blog to a fully functioning e-commerce website. With this kind of popularity, people have inevitably developed automated scanners to find and detect websites running WordPress, and if a website is found, they further check whether any vulnerable plugins are running on it. If any such plugin is found, you can guess what happens next, and it's not pretty.
There are steps you can take to secure a WordPress website, many of which are free; they are covered later on in this little post.
In summary for this section, WordPress is as safe as you want it to be.
You can probably figure this part out: most WordPress websites out there get hacked through out-of-date software and plugins running on the web server.
This ranges from an out-of-date WordPress core to an out-of-date plugin, both of which should always be kept up to date if possible.
As you can see from these two charts, if your website is running a WordPress version in the 3.x range you will likely have around 50+ vulnerabilities that could affect you! Also, looking at the second chart, WordPress in 2017 currently holds around 39.3% of the world's outdated websites.
Odds are high, though, that you are currently running one of the more recent versions of WordPress, since WordPress core now has automatic updates, which it did not before. This does help dispel some of the misconception that WordPress sites are insecure by default.
You should always keep WordPress automatic updates on if possible, to ensure that you are always running the latest version, secured against the vulnerabilities of past versions. You should also always maintain your WordPress plugins and ensure they are up to date, since you never know when a vulnerability will be found in one of the plugins your website uses.
WordPress has a lot of moving pieces, and plugins only add to that complexity; with the varying quality of the plugins out there, you never know what you are getting. The only thing you can be sure of is that if you always keep your plugins updated, you should be safe from the majority of exploits out there, hopefully.
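As an added example that is not part of the original post, here is a must-use plugin that enforces the update policy described above: core, plugins and themes all update automatically, except for a short hold list of slugs you have decided to test by hand. The plugin name, the function name and the placeholder slug in the hold list are assumptions; the filters and constants are WordPress's own.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy (added example)
 * Description: Drop this file into wp-content/mu-plugins/ so it loads on
 *              every request and cannot be deactivated from the dashboard.
 */

// 1. Core: take every core release automatically, major and minor.
//    This is equivalent to define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// 2. Plugins and themes: auto-update everything except an explicit hold list.
//    The slug below is a hypothetical placeholder for a plugin you have tested
//    and know breaks on update; keep this list short and revisit it often,
//    because every entry is a plugin that stays exposed until you patch it.
const EXAMPLE_UPDATE_HOLD = array(
    'hypothetical-custom-checkout', // placeholder slug, not a real plugin
);

/**
 * Decide per item whether WordPress may update it unattended.
 *
 * @param bool|null $update WordPress's own verdict (unused: we set policy).
 * @param object    $item   Update offer; ->slug is set for wordpress.org items.
 * @return bool
 */
function example_auto_update_policy( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_UPDATE_HOLD, true ) ) {
        return false; // held back: update by hand after testing on staging
    }
    return true; // everything else updates as soon as a release is available
}
add_filter( 'auto_update_plugin', 'example_auto_update_policy', 10, 2 );
add_filter( 'auto_update_theme',  'example_auto_update_policy', 10, 2 );

// 3. Mail the site admin after each run so a failed or held update is noticed
//    rather than silently leaving a vulnerable version in place.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email',  '__return_true' );
```

None of this runs if wp-config.php defines AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS as true, so check those constants first if updates still do not happen.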
Plugins such as Sucuri and Wordfence are excellent and should be your second line of defense if a new 0-day is found in one of your unpatched plugins. These companies have a firewall in place with a managed ruleset that is updated each time a new vulnerability is found in either WordPress or one of your various plugins, and should the developers not respond immediately in either of these cases, these companies will hold your hand through those hard times.
A small list of what these plugins can provide: brute force protection, WAFs, leaked password protection, and many other features that you as an administrator should find useful.
While this may not directly benefit you, it is always a good idea to have an SSL certificate installed on your web server. It will not protect you against vulnerabilities found in WordPress or its plugins, but if you like doing your work in a coffee shop or any other public place, it encrypts your traffic between your internet connection and your web server and back, making sure that no one is able to sniff it.
An extra benefit of having an SSL certificate installed is that Google loves seeing that little green lock icon and will reward your website with the SEO gods, and that never hurts. SSL is free with LetsEncrypt, so there should be no excuse for not having an SSL certificate in 2021/2022.
Now, if you have the money in your pocket and want everything managed for you, you can go with a managed WordPress provider such as WpEngine, which will do most of the things above for you automatically. The only downside is that it generally costs more than a generic host, but if you have the money, who really cares.
Copyright © Brandon-travis.com 2022.