Cybersecurity is a hot topic these days, as it should be: 30,000 new websites are successfully hacked every day, and spending to protect against online threats is in the hundreds of billions. And no website is immune — these attacks affect individuals, small businesses, and giant corporations alike.

Websites that use WordPress as their CMS are a favorite target for hackers. In 2019, 94% of successful cyberattacks against CMS-powered websites targeted WordPress sites. Even when considering WordPress’ 60% share of the CMS market, nine out of 10 attacks is still a very high proportion.

[Chart: WordPress websites were hacked far more in 2018 and 2019 than websites hosted with competing CMS brands]


These stats might make you question whether using WordPress as your CMS is a good idea. You might wonder, is WordPress actually safe to use?


In short, yes. But I want to dig a bit deeper into this question, so you can understand what makes WordPress vulnerable to security problems, how to avoid them, and ultimately feel more confident about your CMS choice.

Let’s break down a WordPress website’s security into its main components: WordPress core (the source files that control basic WordPress functionality), plugins, and themes. Doing this will help us understand WordPress safety as a whole.

Is WordPress Core Secure?

Short answer: Yes, WordPress core is safe when kept updated to the latest version. But there are additional steps users can take to harden WordPress core on their website.

Longer answer: Unlike themes and plugins, there’s only one WordPress core, and it’s maintained by a world-class security team. WordPress stays on top of vulnerabilities in their software and releases security updates to patch their core files. Whenever WordPress releases an update, install it as soon as you can, since the issues each update solves are public knowledge.

There are also additional measures you can take on your end to keep WordPress functioning at its safest. These include:

For a full list of best practices you can follow to protect WordPress core, see our Ultimate WordPress Security Checklist.

Are WordPress Plugins Secure?

Short answer: Not always. Use only reputable, legitimate plugins, and update them when necessary.

Longer answer: If core files are the heart of WordPress, plugins are...well, basically everything else. They make WordPress infinitely customizable and flexible. The issue is that plugins are made by third parties, and not all are guaranteed to be properly maintained, or even safe in the first place. As a result, plugins are one of the most popular gateways hackers use to enter WordPress-powered websites.

Don’t get me wrong, plugins are necessary for anything beyond the functionality of WordPress core. But, like you wouldn’t download a sketchy file from a sketchier website, be very careful where you source your plugins. We recommend sticking to the WordPress plugin directory and weighing popularity, maintenance frequency, and user reviews in your plugin choices.

Also, even a reputable plugin is still unsafe if not kept up to date. Install updates for your plugins as soon as possible, and stay informed about what developers are fixing and improving.

Are WordPress Themes Secure?

Short answer: Not always. Use a theme that meets WordPress’ standards, and update it when necessary.

Longer answer: Many themes are made by third parties, and thus not regulated or approved by WordPress. Don’t just install a theme because you like that look, as important as that is. Your theme also needs to meet the WordPress standards for code. To ensure this, choose your theme from the official WordPress theme directory or try one that we recommend. You can also check the safety of any WordPress site (including your own) by pasting the website URL into W3C’s validator.

Finally, I’ve said it before, I’ll say it again, and I’ll say it once more: Update! Outdated themes are another easy opportunity for unwarranted access to your site’s backend.
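The three "Update!" points above (core, plugins, themes) boil down to one recurring check: which installed components have a newer release available, and are any of them active? The script below is an added example, not code from the original article. It assumes WP-CLI is installed and that `wp plugin list --format=json` and `wp theme list --format=json` emit rows with the fields `name`, `status`, `version`, `update` and `update_version`; the plugin and theme names in the sample data are constructed placeholders, not real projects. It falls back to that constructed sample when `wp` is not on the path, so it also runs offline.

```python
"""Audit a WordPress install for plugins and themes with pending updates.

Added example (not from the original article). Assumes WP-CLI is
available and that `wp plugin list --format=json` / `wp theme list
--format=json` return objects with the fields name, status, version,
update and update_version. Exits non-zero when anything is outdated,
so it can run from cron or CI as a simple compliance check.
"""
import json
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str        # "plugin" or "theme"
    name: str
    installed: str   # version currently on disk
    available: str   # version WP-CLI reports as available
    active: bool     # active (or parent of the active theme)


def parse_wp_list(kind: str, raw_json: str) -> list:
    """Turn `wp <kind> list --format=json` output into Findings.

    Inactive components are reported too: code that is on disk but not
    activated is still reachable by a direct request, so it is still
    part of the attack surface until it is updated or removed.
    """
    findings = []
    for row in json.loads(raw_json):
        if row.get("update") != "available":
            continue
        # Plugin statuses include "active" / "active-network"; a theme
        # whose status is "parent" is in use via the active child theme.
        status = row.get("status", "")
        findings.append(Finding(
            kind=kind,
            name=row["name"],
            installed=row.get("version", ""),
            available=row.get("update_version", ""),
            active=status.startswith("active") or status == "parent",
        ))
    return findings


def audit(plugins_json: str, themes_json: str) -> list:
    """Combine plugin and theme findings, riskiest (active) items first."""
    findings = parse_wp_list("plugin", plugins_json)
    findings += parse_wp_list("theme", themes_json)
    return sorted(findings, key=lambda f: (not f.active, f.kind, f.name))


def report(findings: list) -> str:
    """One line per outdated component; '*' marks active ones."""
    return "\n".join(
        f"{'*' if f.active else ' '} {f.kind:6} {f.name:24} {f.installed} -> {f.available}"
        for f in findings
    )


def run_wp(*args: str) -> str:
    """Invoke WP-CLI and return its JSON output (raises if wp fails)."""
    proc = subprocess.run(["wp", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


# Constructed sample data shaped like WP-CLI's JSON; names are placeholders.
SAMPLE_PLUGINS = json.dumps([
    {"name": "example-seo", "status": "active", "update": "none",
     "version": "3.4.0", "update_version": ""},
    {"name": "example-forms", "status": "active", "update": "available",
     "version": "1.2.0", "update_version": "1.2.3"},
    {"name": "example-gallery", "status": "inactive", "update": "available",
     "version": "0.9", "update_version": "1.0"},
])
SAMPLE_THEMES = json.dumps([
    {"name": "example-child", "status": "active", "update": "none",
     "version": "1.0", "update_version": ""},
    {"name": "example-parent", "status": "parent", "update": "available",
     "version": "2.1", "update_version": "2.2"},
])


if __name__ == "__main__":
    try:
        findings = audit(run_wp("plugin", "list"), run_wp("theme", "list"))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("wp not available; auditing constructed sample data instead\n")
        findings = audit(SAMPLE_PLUGINS, SAMPLE_THEMES)
    print(report(findings) or "All plugins and themes are current.")
    sys.exit(1 if findings else 0)
```

Run it from the WordPress root on a schedule; a non-zero exit is the signal to apply the update (after the staging test described below) or to remove a component that is no longer maintained.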

“Keeping your plugins and themes updated regularly is critical to maintaining the security of your WordPress site. You also need to test theme and plugin updates separately, such as on a staging site, before launching them to production. That’s to make sure the updates don’t break existing functionality, or worse, crash the website entirely.” - Alec Wines, Head of Growth at WP Buffs

The Truth About Cybersecurity

One more thing you should know: In an ideal world, knowing the risks and putting the right systems in place would eliminate the chances of being hacked. But being secure is not the same as being immune.

Perfect security is impossible no matter which CMS you decide on, and there will always be risks to hosting content online. The best thing you can do is reduce the risk of attacks. Again, if you take security seriously, you’ll be in great shape. The fact that you’re questioning WordPress’ security in the first place shows that you probably already do.


Originally published May 28, 2020 7:00:00 AM, updated November 10 2020
