WordPress and Security


Everyone thinks of WordPress when they think of personal blogs or small businesses. The CMS is known for its ease of use, so many assume it’s only meant for the little guys, but WordPress’ user statistics tell a different story. For example, did you know WordPress is the single most used CMS in the world? Almost 30% of the content on the internet is powered by WordPress, and the CMS enjoys an almost 60% market share while its next leading competitor rounds out at about 6%. By far, WordPress is the CMS the world is using. But this isn’t some statistical trick. These numbers aren’t a result of millions of small business blogs. Nearly 15% of the top 100 most visited websites are powered by WordPress. So here we see a CMS that’s widely preferred over its competitors for creating online content, even by those running incredibly powerful and popular sites. Why is that?

For the most part, WordPress’ monumental success is due to two things:

  1. Ease of use, and

  2. The depth and breadth of creative possibilities.

If you don’t want to spend the time building a website from scratch -- something that can be time consuming, expensive, and ultimately still produces subpar results -- WordPress really is the only option. With nearly 50,000 custom plugins, WordPress offers its users everything they might need to create an online presence that couldn’t be less cookie cutter.

So WordPress is perfect, and there’s literally no reason they aren’t operating 100% of the content on Earth.

Well, not exactly. WordPress does have one pitfall that comes up time and again: security. This isn’t to say every site operating with WordPress is in danger. In fact, the core source code that runs WordPress and all of its subsites is actually very secure. But still, the IT consulting experts at Pittsburgh’s Savvior hear time and again from their clients that WordPress has let them down. How could this be?

The problem -- as it turns out -- isn’t actually WordPress letting down its clients but the clients letting down WordPress. Between never updating to the latest available version, weak password protection, and installing insecure plugins, WordPress’ clients are far from using the system in a secure way. So what can you do to keep your WordPress site secure? The IT consulting experts at Pittsburgh’s Savvior know the best practices and are here to share them. Let’s take a look at the 3 most common user mistakes and how to remedy them.

Update Update Update


We’re starting with the biggest threat first. The IT consulting experts at Savvior’s Pittsburgh office want to make sure WordPress users hear this part. The number one way hackers gain access to otherwise secure sites is by exploiting a known security problem. This means WordPress is aware of the deficiency and has probably released an update to remedy it. Unfortunately, less than 33% of WordPress users are operating on the latest available version. That’s a lot of users left vulnerable to attack when the solution is widely available and free.

Fortunately, this is probably the easiest mistake to fix. The IT consulting experts at Pittsburgh’s Savvior implore their partners and clients: constantly, religiously, fanatically, obsessively update your WordPress. If a new update becomes available, it’s more often than not because they’ve patched some hole in their security system. How can you expect to operate a secure site without constantly patching these holes? Before you continue reading, go check to make sure your WordPress site is fully updated.

Passwords Are Everything


Continuing in order of ease, next up is passwords. This one should be obvious, but the IT consulting team at Pittsburgh’s Savvior sees the same problems time and again. No matter how hard the security team at WordPress works, nothing can save their clients from bad passwords. Once your administrative password is “[your birthday]1234”, no one can help you.

Your password should be unique, unrelated to personal information, lengthy, and combine capital and lower-case letters with numbers and special characters -- and spelling common words while replacing some of the letters with numbers doesn’t count. Hackers these days aren’t just plugging away trying to guess the infinite number of combinations and possibilities. They have programs doing it for them, and spelling your mom’s name with a 5 instead of an S isn’t stumping those programs.

You also shouldn’t write them down. Leaving a sticky note with your admin password on the back of your monitor is a huge mistake. You might as well just not have a password. There are a number of password management applications you can download that will store your passwords for you securely.

So please, go change your password to something better than 1234P455W0rD4321.
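As an added illustration (not part of the original post), here is a small Python checker that applies the rules above: length, mixed character classes, no personal information, and no common word hidden behind digit substitutions. The word list, substitution table and sample inputs are constructed placeholders, not Savvior’s or WordPress’ own code.

```python
import string

# Constructed mini word list; a real checker would load a large breached-password list.
COMMON_WORDS = {"password", "welcome", "admin", "wordpress", "letmein", "qwerty"}

# Digit/symbol substitutions people use to "disguise" words (a 5 for an S, a 0 for an O).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def deleet(text: str) -> str:
    """Lower-case the text and undo common letter-to-digit substitutions."""
    return text.lower().translate(LEET_MAP)


def has_digit_sequence(password: str, run: int = 4) -> bool:
    """True if the password contains an ascending or descending digit run like 1234 or 4321."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if chunk.isdigit():
            diffs = {int(chunk[j + 1]) - int(chunk[j]) for j in range(run - 1)}
            if diffs == {1} or diffs == {-1}:
                return True
    return False


def check_password(password: str, personal_info=(), min_length: int = 16) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if has_digit_sequence(password):
        problems.append("contains a digit sequence such as 1234")
    normalized = deleet(password)
    for word in COMMON_WORDS:
        if word in normalized:
            problems.append(f"contains common word '{word}' once digit substitutions are undone")
    for info in personal_info:
        if info and deleet(info) in normalized:
            problems.append(f"contains personal information '{info}'")
    return problems
```

The page's own bad example, 1234P455W0rD4321, normalizes to a string containing "password" and also trips the digit-sequence rule, so it is rejected even though it is 16 characters long and mixes cases and digits.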

The Hack is Coming From Inside the Plug-In


Fixing this problem is a bit more difficult -- meaning it’ll probably take more than 5 seconds. Another major vulnerability WordPress faces comes from all of those attractive, custom plugins. While WordPress works hard to keep its network secure -- and the plugins it releases are well tested to integrate with its main system -- many of the thousands of available WordPress plugins are not put out by WordPress and are not as rigorously tested. Here’s what to know about plugin security:

When adding plugins to your WordPress site, the IT consulting experts at Pittsburgh’s Savvior suggest rigorous testing before you do anything. Make sure the plugins are secure individually and when grouped together. There are a number of guides online devoted to helping users identify potentially malicious plugins, but your best bet is hiring a team of experts to run diagnostics on your system. It’s the best way to be sure you remain safe.