While WordPress is the most popular content management system in the world — and more than 34 percent of all websites run on WordPress — that popularity also translates into WordPress security risks. Why? WordPress is open-source software that depends on its users for secure installation and maintenance.
The resources on this page are designed to help you keep your WordPress website more secure.
- General WordPress Security
- WordPress + SSL
- Security Monitoring
- Plugin & Theme Security
- Updates & Backups
- Admin & User Security
According to Sucuri’s Website Hack Trend Report 2018, 90 percent of the more than 25,000 infected websites analyzed by the Sucuri and GoDaddy Security teams were built on the WordPress platform — an increase from 83 percent in 2017.
The report’s authors note that while the report found security breaches most prevalent on sites built on the WordPress, Magento and Joomla! CMS platforms, “this does not imply these platforms are more or less secure than others.” Rather, the data reflects the popularity of these open-source website building tools.
The security problems are rooted in improper deployment, security configuration issues, and a lack of security knowledge, among other factors.
“As seen in previous reports, issues pertaining to vulnerabilities in extensible components and overall security posture among website administrators are a constant factor,” the authors write.
“The most notorious threats to CMS’ stem from vulnerabilities introduced by add-on modules, plugins, themes, and extensions.”
WordPress security includes installing WordPress on a reputable hosting platform; keeping the core software and WordPress plugins and themes updated; setting strong admin and user passwords; and managing user roles with WordPress security in mind.
In addition, it’s important to secure all websites with an SSL certificate.
SSL, which stands for Secure Sockets Layer, is a layer of security that establishes an encrypted link between a user’s web browser and a web server. Google has begun marking sites without SSL encryption as “not secure.”
You can also harden WordPress security by using tools that regularly scan WordPress websites for malware and monitor related services such as DNS to ensure visitors aren’t redirected to another site or tricked into giving their private information. Plus, a web application firewall (WAF) can intercept and inspect incoming data and automatically remove malicious code.
The WordPress security resources on this page are designed to help WordPress site owners and webmasters gain the knowledge and find the tools they need for a more secure WordPress site.