Brandon Travis

Picture of WordPress logo

How secure is WordPress really?

Last updated on: Sunday, December 26, 2021

How secure is WordPress?

In general vanilla, WordPress is actually secure and is highly unlikely to be hacked if you followed initial safety guidelines such as choosing a strong administrator password. The safety issues regarding WordPress are mostly in regards to plugins that are developed by third-party developers many of which vary in quality, from absolutely horrendous coding to very well maintained and safely written code.

In general, WordPress is as secure as you make it as you cannot rely on old faithful which is, security thru obscurity. WordPress is one of if not the most popular ways today to build a website ranging from a simple and lowly blog to a fully functioning one. E-commerce website. With this kind of popularity, people have inevitably developed automated scanners to find and detect websites running WordPress and if a website is found, they further check to see if any vulnerable plugins are running on the website. If any of such plugin is found, you can guess what happens next, and it's not pretty.

There are steps you can take to secure a WordPress website, many of which are free later on in this little post.

In summary for this section, WordPress is as safe as you want it to be.

How do WordPress websites usually get hacked?

You can figure this part out, most WordPress websites out there usually get hacked from out-of-date software and plugins running on the webserver.

This ranges from an out-of-date WordPress core to an out-of-date plugin, both of which should always be kept up to date if possible.

A Multitude of different charts showing WordPress vulnerability statistics

A Multitude of different charts showing WordPress vulnerability statistics

As you can see from these two different charts, if you imagine that your website is running a WordPress version around the 3.x range you will likely have around 50+ vulnerabilities that could affect you! Also looking at the second chart WordPress in 2017 currently holds around 39.3% of the world's outdated websites.

Odds are high though that you are currently running one of the more recently updated versions of WordPress due to WordPress core having an automatic update now as compared to before. This does help relieve some of the misconceptions that WordPress sites are insecure by default.

How can you secure a WordPress website

Update WordPress and Plugins

You should always keep your WordPress automatic update on if possible to ensure that you are always running the latest version that is secured from the pasts' versions vulnerabilities. You should also always maintain and ensure that your WordPress plugins are up to date since you do not know when a vulnerability will be found within one of the plugins that your website uses.

WordPress has a bunch of moving pieces and plugins only add to the complexity that is WordPress, and with the varying qualities of plugins that are out there, you will never know what you are getting. The only thing you can be sure of is that if you always make sure your plugins are updated, you should be safe from the majority of exploits out there, hopefully.

Web Application Firewalls and Security Plugins

Plugins such as Sucuri and Wordfence are excellent plugins that should be your second line of defense if a new 0-day is found for your unpatched plugins. These companies will have a firewall in place with a managed ruleset that will be updated each time a new vulnerability is found in either WordPress or one of your various plugins, and should the developers not respond immediately in either one of these cases, these companies will hold you hand thru those hard times.

A small list of what these plugins can provide is brute force protection, WAFs, leaked password protection, and many more other features that you as an administrator should be able to find useful.


While this may not directly benefit you, it is always a good idea to have an SSL certificate installed on your web server. While it may not protect you against any vulnerabilities found in WordPress or its plugins, if you like doing your work in a coffee shop or any other place, it can encrypt your traffic from your internet connection to your web server and back, making sure that no one is able to sniff your traffic.

An extra benefit of having an SSL certificate installed is that Google loves seeing that little green lock icon and will reward your website with the SEO gods and this never helps. SSL is free with LetsEncrypt, so there should be no excuse for not having an SSL certificate in 2021/2022.

Managed WordPress Hosting

Now if you have the money in your pocket and you want everything to be managed for you, you can go with a managed WordPress provider such as WpEngine, which will do most of the things above automatically for you. The only downside to this is that it generally costs more than a more generic host, but if you have the money, who really cares.

Related Posts

Linux mascot penguin
Linux Servers and Security
A picture that shows security issues
WordPress All in One SEO Plugin Vulnerability
picture of laptop with warning icon
Log4j vulnerability and what it means

Copyright © 2022.