Is WordPress Secure? 5 Biggest Do's And Don'ts In WordPress Security

Published 1 January 2022
Updated 30 January 2024
Agnes Talalaev
SEO wizard at Patchstack
Table of Contents

In this article, we won’t dive into technical details, but try to address a common misconception instead. We will explain what website security is in general, how to secure WordPress and answer the question - is WordPress secure?

As per calculations, approximately 380 new websites are created every minute. However, the actual number of new websites being created every day is probably a little more than 500 000. In a perfect world, security should be kept in mind from the beginning of the development process, but this, unfortunately, is always not the case.

Unfortunately, people usually get acquainted with website security when a website is experiencing an attack that results in being defaced, stuffed with SEO spam, being blacklisted, or spreading malware.

There are hundreds of WordPress security providers out there who all claim their plugin to be “the best”, “most complete” and the “only thing you need”. We understand the marketing efforts, but there are concerns in this kind of message.

Why is WordPress security important?

WordPress sites are being hacked and infected every day. Some statistics say that about 50,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore it’s a target.

Whether it’s your customers’ data such as emails, shipping details, and credentials, or just the server resources (processing power and storage), it’s all something that hackers can monetize or use for their own good.

1. Secure the website before it goes live

It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. Your website will be scanned on a daily basis for vulnerabilities and outdated software, configuration errors and it will most definitely be actively brute-forced.

is wordpress secure

It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. Your website will be scanned on a daily basis for vulnerabilities and outdated software, configuration errors and it will most definitely be actively brute-forced.

Even if you don’t keep any visitor data such as emails, your website is still perfect for conducting a watering hole attack or to just host malware and redirect traffic to malicious sources.

2. WordPress security is not plug-and-play

WordPress security cannot be plug-and-play. Never trust services that promise 100% security, because security is a process and should be considered more like continuous risk management.

is wordpress secure

Paying a company so that you don’t have to worry or think about security creates opposite results in the long term.

3. Using multiple security tools is not a good idea

When it comes to WordPress security (or any other CMS) site security, the owners and developers load their sites with multiple security plugins, because the more is better right? Unfortunately, this can cause more harm than good.

WordPress security plugins also need to be updated, and they too can have vulnerabilities. (e.q WordFence XSS vulnerability). Security plugins, especially the ones that connect the site with a web application firewall or some simpler filtering engine can create conflicts and the traffic might not be properly monitored and filtered.

is wordpress secure

Some also change the settings on a hosting environment via .htaccess and nginx.conf file. When multiple plugins try to push their own changes, you can end up with an unstable site with questionable security configurations.

4. Question “one-click malware removal” tools and services

We often see service providers that offer “daily malware removal”, “one-click malware removal” and similar services that seem to be working well for website owners because every time they do it, a report shows that the website is clean. And it seems to be good because it does it often.

is wordpress secure

Instead of throwing out the bad guys on a regular basis, maybe it’s time to make a real effort and instead of investing in a fancy bucket to throw water out of a sinking ship, invest in tools to keep the water out.

Malware infection is the result of a problem. Does it really make sense to focus on the consequences? As far as you don’t solve the problem, you will end up in a dead circle of infections and cleanups.

5. Monitor actionable insights

When it comes to content management systems like WordPress, it’s highly important to have a proper overview of every single component your website uses. If you’re an agency or a developer, it’s important to be able to set alerts and receive the information from a single place.

Whether it’s a vulnerable PHP version, a vulnerable plugin version, or a buggy theme, you want to know this information immediately. It’s not only about the internals, but the external information as well.

is wordpress secure

You should always know and be alerted about:

  • Is the website blacklisted?
  • Is the website mentioned in defacement databases or hacking forums?
  • What kind of information can be enumerated from your site with the use of simple tools?
  • Is the SSL certificate properly set up and when is it expiring?
  • Is the domain expiration date around the corner?

Comprehensive website monitoring is essential, it’s not just about up-time, it’s about the integrity and about knowing where to look at. If you know where to look and what to improve, it will be much easier to keep pace with the latest and modern security practices.

Keep a proactive approach to security

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls have critical importance.

Monitor traffic your website receives and takle take action on malicious or suspicious traffic. You can do that using Patchstack.

For example, Patchstack gets daily vPatches that will be distributed automatically among the sites when vulnerabilities are discovered.

What to do when a website is hacked?

First of all, we have offered remediation services and malware removal since 2014 and have tested a lot of different tools. Many of them claimed to find malware with 100% accuracy. This has never happened.

Scanners are either heuristic or pattern-based and malware is always engineered to be invisible from scanners. Some scanners find malware better, some struggle with false positives, and many just don’t work at all.

Over the years of experience, we have stayed to supervised remediation. It means that we use different techniques to clean up the site and make sure that not a single backdoor remains on the site.

Is WordPress secure?

WordPress itself is secure, but what makes it vulnerable is the third-party components or plugins that are used to improve its functionality. Our vulnerability statistics show that 93% of WordPress vulnerabilities are related to plugins. You can see a list of the latest WordPress vulnerabilities here.

For that reason, it is important to keep in mind, that WordPress security is much more than just a security plugin and strong passwords. It’s a process.

We tend to get lost and confused in the world of ads and marketing messages without really knowing what is good for us. If you have the proper tools, sometimes the most effective way is to just take an hour per week to look at what could be improved.

If you don't know how to get started, you can follow our complete guide to WordPress security here step by step.

Keep in mind that security is a process, not just a plugin you install.

How do WordPress sites get hacked?

WordPress sites get hacked mostly by hackers targeting vulnerable software. It means that your site is not the target in most cases but the software (plugins, themes) that you use. It is mostly being done with bots and automated tools.

How to choose a WordPress security plugin?

This will require some critical thinking as many of the providers offer “100% security”. This can never be promised. When choosing, make sure the security provider offers a managed web application firewall with vPatches and active support.

The latest in Security Advice

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.