While WordPress is the most popular content management system in the world — and nearly 30 percent of all websites run on WordPress — that popularity also translates into WordPress security risks. Why? WordPress is open-source software that depends on its users for secure installation and maintenance.
According to Sucuri’s Hacked Website Report 2017, 83 percent of the more than 34,000 infected websites analyzed by the Sucuri team were built on the WordPress platform — an increase from 74 percent in 2016. The report’s authors note:
“Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento. This data does not imply these platforms are more or less secure than others. In most instances, the compromises which were analyzed had little, if anything, to do with the core of the CMS application itself but more with its improper deployment, configuration and overall maintenance by the webmasters.”
WordPress security includes installing WordPress on a reputable hosting platform; keeping the core software and WordPress plugins and themes updated; setting strong admin and user passwords; and managing user roles with WordPress security in mind. In addition, it’s important to secure all websites with an SSL certificate.
SSL, which stands for Secure Sockets Layer, is a layer of security that establishes an encrypted link between a user’s web browser and a web server. Google has begun marking sites without SSL encryption as “not secure.”
You can also harden WordPress security by using tools that regularly scan WordPress websites for malware and monitor related services such as DNS to ensure visitors aren’t redirected to another site or tricked into giving their private information. Plus, a web application firewall (WAF) can intercept and inspect incoming data and automatically remove malicious code.
The WordPress security resources on this page are designed to help WordPress site owners and webmasters gain the knowledge and find the tools they need for a more secure WordPress site.