How secure is WordPress as a CMS?

WordPress has an unfair reputation for having poor security. It has existed for a very long time and has proven to be extremely popular, powering almost 30% of the web. As a consequence, the platform has been extremely vulnerable to attack.

There are two main reasons why news of successful attacks is not representative of how secure WordPress is as a CMS:

  1. WordPress has an open platform for external plugin and theme development. The majority of cyber attacks are related to third parties rather than the core system. That is why we limit the number of plugins used. Only plugins that are structured, well-maintained and regularly updated are utilised.
  2. A major cause of problems has been websites that were not updated after a security patch was released. As you are well aware, this is true of anything: if a system is not kept up to date, it will be vulnerable to attack. Auto updates were introduced to WordPress several years ago, allowing security patches to be applied automatically as soon as they are released. This has been very helpful, but it is still crucial to work closely with a WordPress agency that can proactively monitor the security setup of the site.

Fundamentally, any large content management system is going to occasionally contain bugs that lead to security vulnerabilities. The most important aspect is finding and preventing these vulnerabilities. Since WordPress is so popular, it is highly likely that vulnerabilities are detected by the community before a hacker finds them.

How we secure our WordPress websites

There are numerous procedures that can be applied to secure a WordPress website. As standard, we ensure:

  • All user accounts have strong passwords, and only have access to what they need
  • Non-required functionality, such as WordPress comments, is disabled
  • Security auditing and logging software that tracks usage is installed
  • An SSL certificate is installed

Additional measures to consider

  • Locking down the Admin area to whitelisted IP addresses only (so that only people at your location can access the backend of the site)
  • Requiring two-factor authentication for all users
  • Implementing other server-side measures such as a Content Security Policy and HTTP Strict Transport Security
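
The additional measures above can be verified once they are in place. The following is an added example, not code from this page's authors: it audits a response's HSTS and CSP headers and tests a client address against an admin allow-list. The allow-list ranges, the 180-day HSTS threshold and the sample headers are constructed assumptions.

```python
import ipaddress

# Constructed allow-list using documentation ranges (RFC 5737 / RFC 3849).
ADMIN_ALLOWLIST = ["203.0.113.0/24", "2001:db8:10::/48"]

def admin_ip_allowed(client_ip, allowlist=ADMIN_ALLOWLIST):
    """True only if client_ip parses and sits inside an allow-listed network."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: deny by default
    return any(ip in ipaddress.ip_network(net) for net in allowlist)

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers, min_hsts_age=15552000):  # 180 days, assumed threshold
    """Return a list of findings; an empty list means both headers pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        age = 0
        for directive in hsts.split(";"):
            name, _, val = directive.strip().partition("=")
            if name.lower() == "max-age" and val.strip('"').isdigit():
                age = int(val.strip('"'))
        if age < min_hsts_age:
            findings.append(f"HSTS max-age {age} below {min_hsts_age}")
    # Only the enforcing header counts; a Report-Only policy blocks nothing.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append("CSP has no script-src or default-src")
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script sources allow 'unsafe-inline' or *")
    return findings
```

In practice the `headers` dictionary would come from a real response to the site's HTTPS front page, and the allow-list from the server or firewall configuration.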

Finally, it is worth pointing out that WordPress is used by a huge number of global brands, including Toyota and Yahoo. It is our belief that with the correct configuration, the right hosting platform and proactive ongoing maintenance, WordPress can be made as secure as any CMS available today.