Get expert answers to several frequently asked questions about WordPress. Learn about WordPress security and plugins, how to choose a WordPress host, and more.
- Every six months or so, there's some news story about how insecure WordPress is. It generally sounds something like, there was a major breach where hundreds of thousands of WordPress sites are vulnerable due to some sort of security flaw, usually in a plug-in or some sort of other ancillary system to WordPress. And any time that story comes up, people immediately ask the question, so, is WordPress secure? Should I immediately move to a different platform? It's one of those things where it's easy to answer the question and say, actually, WordPress is secure. Now, there's more to it than that, but it's challenging to answer the question just like that because you need to understand some of the context around WordPress to understand both why you get these news reports about security breaches in WordPress and why that doesn't mean WordPress is not secure. So, first of all, consider this. WordPress, the application in itself is an extremely diligently-built application that is maintained by thousands of people all over the world and that has a dedicated security team with proper channels for collecting security vulnerabilities, fixing them behind the scenes, and shipping immediate security updates. There have been several cases where there were actual security risks inside WordPress, and patches to those risks are often shipped seamlessly to every WordPress site in the world within hours or maybe a day of that security risk being discovered. Now, to compare, it often takes larger software manufacturers or operating system manufacturers and so on weeks, months, or even years to ship the same kind of security patches. And the reason for that is the security issues that appear in, let's say, an operating system are usually exceptionally complex. Security issues that occur in WordPress are usually relatively simple. 
They are often related to best practices or standards that used to exist that no longer exist, or maybe a change in how a browser behaves or something like that where the code needs to be updated, or there might be a vulnerability that no one was aware of at the time a piece of code was added, that only later became a problem for anyone in the world. And then, because that code exists inside WordPress, it also needs to be fixed. Now, in most cases, the issues you see around WordPress and security are not caused by WordPress core or WordPress itself. They come in through plug-ins. So, for example, in the past week or so from when I'm recording this, there was a major security risk that was uncovered in a plug-in, and all the sites that had that plug-in installed had that security vulnerability, and it took some time for the plug-in developer to patch that because it was related to a central feature within the plug-in. And this is where it gets complicated because even though WordPress itself is secure, WordPress is only as secure as the stuff that is attached to WordPress. That can be themes, which very rarely introduce any kind of security vector because they're usually just templates that lay out content, but it could very often be plug-ins that have advanced functionality, and it could be the hosting environment WordPress sits on. Some of the worst security issues I've seen around WordPress have nothing to do with WordPress. They were just risks that were associated with the hosting environment, and the reason why they became serious is because web hosts will often place similar applications on similar servers. So if you have a shared hosting environment with a bunch of other people, there's a good chance that if you have WordPress, you're on the same server as a bunch of other people who have WordPress.
And in some rare cases, you'll have a situation where one WordPress site has a plug-in with a security risk installed that was not updated, and then someone gets into that site through that security risk, and then they're able to tunnel through the server into other sites that way. So that means even though WordPress is secure and your site is secure, because of just the way the server works, there might be someone sneaking into your site from elsewhere. That's extremely difficult to protect yourself from, from a user perspective, because this is now into server security and server architecture, which is why a lot of the big hosting companies in the world now have security engineers specializing in WordPress on staff. So what's happening now is if you have a reputable host that supports WordPress development, you'll often see that they will manage the WordPress site for you. They'll update your WordPress site and they might even update your plug-ins or deactivate plug-ins that have known security issues to prevent this kind of situation from happening. So when I say all this, it may sound like WordPress is not that secure because all of these things may happen. The weird thing is, these things happen in part because WordPress is so secure, and that's because people trust WordPress because it is secure. That's why WordPress has such a large market share. WordPress is now powering over 32.5% of the 10 million top sites on the web, and just because of its sheer size, it then becomes the target for a lot of people who are trying to do malicious things on the web. It's easier to target something that has a lot of footprint than to target something that has very little footprint. It's the classic example: one of the reasons why more people attack Windows computers than Apple computers is simply that there are far more Windows computers on the internet to attack.
So with WordPress's size comes a larger number of people who try to attack it, and that means security risks, even though they grow smaller and smaller, become more visible because when someone manages to exploit one, they have the potential of infecting way more sites than they do with any other platform. All that just means as long as you have a WordPress site that sits on a secure server that supports WordPress and does its job, you keep your WordPress installation and your plug-ins and themes up to date, and you don't do anything absolutely crazy, which is really hard to do anyway, then your WordPress site is secure. Security risks usually come in through poorly maintained plug-ins or some sort of problem on the server or sites that are not up to date.
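The advice above comes down to one recurring check: is core, every plug-in and every theme on the latest version, and which of the stale plug-ins are active? The script below is an added example (not code from the video) that does that check with WP-CLI, the way a host's maintenance job might. It assumes `wp` is on PATH and is run from the WordPress root; the CSV parsing is split out from the `wp` calls so it can be exercised on captured output.

```shell
#!/bin/sh
# Added example: summarise what is out of date on a WordPress install.
# Assumptions: WP-CLI (`wp`) is installed and the script runs from the site root.

# report_stale: reads WP-CLI `plugin list` / `theme list` CSV on stdin with the
# fields name,status,update,version,update_version and prints one line per
# item whose update column is "available". Active items are flagged, because
# they are the ones actually exposing code to visitors.
report_stale() {
  awk -F, 'NR > 1 && $3 == "available" {
      flag = ($2 == "active") ? "ACTIVE" : "inactive"
      printf "%s %s %s -> %s\n", flag, $1, $4, $5
  }'
}

# count_stale: number of items on stdin (same CSV shape) with an update available.
count_stale() {
  awk -F, 'NR > 1 && $3 == "available" { n++ } END { print n + 0 }'
}

# core_update_available: prints the new core version if one exists, else nothing.
# `wp core check-update --format=csv` prints a header plus one row per update.
core_update_available() {
  wp core check-update --format=csv 2>/dev/null | awk -F, 'NR > 1 { print $1 }'
}

# audit_site: run against the live install; exit 1 if anything needs updating
# so the script can gate a deploy or feed a monitoring job.
audit_site() {
  stale=0
  core=$(core_update_available)
  if [ -n "$core" ]; then
    echo "CORE update available: $core"
    stale=$((stale + 1))
  fi
  for kind in plugin theme; do
    csv=$(wp "$kind" list --format=csv --fields=name,status,update,version,update_version)
    printf '%s\n' "$csv" | report_stale | sed "s/^/$kind: /"
    stale=$((stale + $(printf '%s\n' "$csv" | count_stale)))
  done
  [ "$stale" -eq 0 ]
}

# Uncomment to run for real from the WordPress root:
# audit_site || echo "Site has $stale out-of-date components"
```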