How Secure is Your WordPress Site? Tips and Insights

It’s no secret that websites are a favorite target for hackers. The ability to compromise a site through a plugin, unpatched security hole, contact form or a thousand other ways can open the door to a veritable online crime spree. 

It’s also an unfortunate fact that WordPress sites are a favorite target for hackers. While this may give the impression that it’s due to poor security, much of it comes down to market share: as of this writing, 43 percent of the world’s websites run WordPress. If you only look at websites utilizing a content management system (CMS), that number jumps up to 65.3%. A hacked plugin can affect a wider range of targets using WordPress than other CMSes such as Drupal or Joomla.

But is WordPress actually secure? The short answer is: it depends on who’s using it.

While WordPress is a CMS, a WordPress site, like most other websites, is a composite of several services and pieces of software working together to create a cohesive (hopefully) website experience. There’s the core WordPress software, there are themes to help determine how the site looks, and there are plugins for added functionality. There is also a wide range of hosting services with differing levels of quality. And then there are users.

Here’s how the security for each of these parts breaks down:

  • The CMS: WordPress is an open-source CMS platform and is regularly updated. Serious security vulnerabilities on it are relatively few and far between, largely owing to the fact that Automattic, the company that produces it, has roughly 1700 developers in its employ. Keeping WordPress itself up-to-date is a fairly simple process and is sufficient to keep it secure in and of itself.

  • Themes and plugins: While Automattic releases and maintains several themes and plugins for WordPress, there are thousands produced by third-parties. This is where many of the potential security issues come into play. An update to WordPress doesn’t mean that plugins and themes will be updated, and vice-versa.

    While there are several major plugin and theme developers that are constantly refining and updating their products, many are produced by companies with questionable coding practices, others are developed and released as a one-off, and many others are abandoned entirely. Most major news headlines about WordPress vulnerabilities actually involve those in poorly developed or unmaintained plugins.

    Anyone prioritizing keeping their WordPress site secure needs to select plugins and themes carefully, check regularly for updates and check ratings and reviews for which ones are highly recommended and more likely to be vetted. The alternative is to enlist the aid of a well-established web development agency to assist and make recommendations as needed. (One springs to mind.)

  • Web hosts: Hosting platforms are where WordPress sites are physically installed and can be very much a mixed bag. Many offer low rates for hosting on shared servers with relatively minimal security, or with security offered as an add-on expense. At the higher end are more expensive solutions offering more amenities, higher capacities for traffic, and perhaps most relevant, significantly more powerful cybersecurity tools and protections.

    As far as web hosting security is concerned, there is no “one size fits all” solution. A smaller business or organization with a website that functions as a billboard needn’t spend hundreds or thousands per month on best-in-class cybersecurity protections; this would be comparable to storing a bicycle in a bank vault instead of using a bike lock. At the same time, any web hosting solution should have at least a minimal level of security and customer support in the event of a cyber incident.

  • Users: The human element is one of the most difficult factors to account for across all of cybersecurity, WordPress sites included. Shared accounts, poor password hygiene (reusing passwords, using “password” as a password, etc.) and lack of attention to plugin and theme updates can all allow hackers an easy path to entry on even well-secured sites. Any website, especially one with multiple users or administrators, needs to have a policy in place requiring basic security best practices.

Rather than looking at the security of WordPress as a binary proposition, anyone with a website should consider the following questions and factors:

  • What data is being stored on my site? Websites storing sensitive information, especially personally identifiable information on their users, need to take an extra level of precaution.
  • How many people have access to my site? WordPress sites with multiple administrators or users with access to plugins, themes, content and data have a significantly larger attackable surface than a site with one administrator and should have an enforceable security and password policy.
  • How essential is my website to my overall business? If your livelihood depends on your site running 24-7, consider the costs of a hacker-induced site shutdown lasting days, if not weeks, and plan and budget for security accordingly.
  • How much time can I commit to my site’s security? Keeping an eye on a website, keeping it well-maintained and updated, and checking regularly for suspicious activity can be time-consuming for a layperson. Consider using a dedicated team or agency (we offer a range of Service and Performance plans) to keep tabs on your website if your time is at a premium.
