At one point or another, you will have heard the phrase “WordPress is not secure”. Because of this unfair reputation, you might be dealing with a client who is dismissing WordPress as a suitable CMS. However, this statement couldn’t be further from the truth: WordPress core is one of the most secure publishing and web development platforms you can choose to build a website on.
If this sounds like you, and your client is rejecting WordPress due to these concerns, here are a few ways to convince them that WordPress is actually more secure than they might think.
WordPress was not always as secure as it is now. In 2009, when WordPress was gaining popularity, the CMS contained a number of security defects that were found and exploited. The news quickly picked this up and the platform received extreme criticism.
This was the wake-up call WordPress needed to up its security game. The exposed security concerns were swiftly addressed in an update that strengthened the WordPress codebase. Still today, ten years later, WordPress remembers this early lesson and has kept on top of security ever since.
Staying ahead of the hackers
WordPress makes up a huge portion of the internet, with over 28 percent of websites using it. This makes it a prime target for hackers, and WordPress knows it, which is why the project stays one step ahead.
Other CMSs like Drupal and Joomla are simply not targeted as much (or not reported on when they are), since they are not as widely used: WordPress accounts for 52 percent of CMS usage today, while Drupal powers a mere two percent and Joomla only six percent.
Updates are key
Typically, security breaches on WordPress websites occur because of an outdated theme or plugin. Any notable hack of a WordPress website in recent years has been traced back to hackers targeting vulnerabilities that a simple update would have closed.
While WordPress core updates itself automatically, it is still your responsibility to update plugins and themes so that they contain the latest security patches.
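The update check described above can be automated rather than left to memory. The script below is an added example, not code from the original article or from the WordPress project: it uses WP-CLI (the `wp` command) to count plugins and themes with a newer release available, verifies the core files against the official checksums, and exits non-zero when anything needs attention, so it can run from cron or CI. WP-CLI is assumed to be installed, and `WP_PATH` is a placeholder for the site root. Note that WordPress core only installs minor and security releases by itself; a major release still has to be applied, which is why the script reports it separately.

```shell
#!/bin/sh
# Added example, not code from the original article. Audits a WordPress install
# for pending plugin and theme updates with WP-CLI and turns the result into an
# exit status, so it can run from cron or CI and alert when something is stale.
# Assumes WP-CLI (`wp`) is installed; WP_PATH is a placeholder for the site root.
WP_PATH="${WP_PATH:-.}"

# count_rows reads WP-CLI CSV output on stdin (a header line followed by one row
# per item) and prints the number of data rows.
count_rows() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# pending_updates prints how many plugins or themes ($1 is "plugin" or "theme")
# have a newer version available than the one installed.
pending_updates() {
    wp "$1" list --update=available --fields=name,version,update_version \
        --format=csv --path="$WP_PATH" | count_rows
}

# audit prints a short report and returns 1 when anything needs attention:
# a plugin or theme with an update pending, or core files that no longer match
# the official checksums (a common sign of tampering on a compromised site).
audit() {
    status=0
    plugins=$(pending_updates plugin)
    themes=$(pending_updates theme)
    echo "plugins with updates pending: $plugins"
    echo "themes with updates pending:  $themes"
    if [ "$plugins" -ne 0 ] || [ "$themes" -ne 0 ]; then
        status=1
    fi
    # verify-checksums exits non-zero when any core file differs from the release
    if ! wp core verify-checksums --path="$WP_PATH"; then
        status=1
    fi
    # core minor/security releases install themselves; major releases do not,
    # so show whether one is waiting as well
    wp core check-update --path="$WP_PATH"
    return "$status"
}

# Run the audit only when invoked with --run, so the file can also be sourced
# for its functions.
if [ "${1:-}" = "--run" ]; then
    audit
fi
```

Run it as `sh audit-updates.sh --run` from the site root. When it reports pending updates, `wp plugin update --all` and `wp theme update --all` apply them; a failed checksum check is worth investigating before updating, since it means a core file has been changed outside the normal update path.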
The open source nature of WordPress means that anyone can contribute to detecting security vulnerabilities, which means faster fixes. For example, a previous WordPress security breach came through the REST API (introduced in version 4.7.0), and more than 1.5 million pages running that version were affected. Various security vendors detected the vulnerability and immediately reported it to WordPress so that an update could be built before any hackers could take advantage of the situation.
Secure as you want it to be
It’s your duty to take additional measures to strengthen the security of your WordPress site. To avoid your site falling foul of hackers, here are some extra security measures you can take to harden it:
Strong passwords
This is one of the most basic security measures you should be taking. When a hacker runs an automated brute-force script to gain access, an easy-to-guess password makes it much easier for them to crack it. Use a strong password generator to make sure your password is complex enough that it cannot be easily guessed.
Two-factor authentication (2FA)
2FA adds an additional layer of security to your login process. It works by requiring a second factor, typically a 4-digit code sent to your mobile phone, to confirm your activity on a specific computer. Multiple WordPress plugins can add 2FA to your site.
SSL
An SSL (secure sockets layer) certificate encrypts all information submitted to your site while it is in transit. This means hackers won’t be able to see or intercept the data your users share with your site as it travels over the network. WordPress doesn’t come with SSL enabled by default; however, many hosting providers offer free SSL certificates.
User role access
When creating new users for your CMS, be wary of who you give “Admin” privileges to; there is no reason to give full access to a team member who only performs minor tasks. When an employee leaves, it is good practice to downgrade their permission level to “Subscriber” or delete their account entirely.
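The SSL and user-role advice above can be applied and checked from the command line. The script below is an added example, not code from the original article or from the WordPress project: it uses WP-CLI to make the admin area HTTPS-only and disable the dashboard code editor, then compares the accounts holding the Administrator role against an allow-list and offers a function that downgrades a leaver to Subscriber. WP-CLI is assumed to be installed; `WP_PATH` is a placeholder for the site root, and the default `ALLOWED_ADMINS` names are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original article. Applies the hardening
# steps above with WP-CLI: HTTPS-only admin screens, no code editing from the
# dashboard, and an audit of who holds the Administrator role against an
# allow-list. Assumes WP-CLI is installed; WP_PATH and ALLOWED_ADMINS are
# placeholders (the default admin names are constructed sample values).
WP_PATH="${WP_PATH:-.}"
ALLOWED_ADMINS="${ALLOWED_ADMINS:-alice bob}"

# harden_config writes two constants to wp-config.php. FORCE_SSL_ADMIN makes
# wp-login.php and wp-admin HTTPS-only so credentials never cross the wire in
# clear text; DISALLOW_FILE_EDIT removes the theme/plugin editor from the
# dashboard, so a hijacked admin session cannot write PHP to the server.
harden_config() {
    wp config set FORCE_SSL_ADMIN true --raw --type=constant --path="$WP_PATH"
    wp config set DISALLOW_FILE_EDIT true --raw --type=constant --path="$WP_PATH"
}

# is_allowed_admin returns 0 when login $1 appears in ALLOWED_ADMINS.
is_allowed_admin() {
    for name in $ALLOWED_ADMINS; do
        if [ "$name" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# unexpected_admins reads `wp user list --role=administrator --format=csv`
# output with fields ID,user_login on stdin and prints each login that is not
# on the allow-list, one per line.
unexpected_admins() {
    awk -F, 'NR > 1 && NF >= 2 { print $2 }' | while read -r login; do
        if ! is_allowed_admin "$login"; then
            echo "$login"
        fi
    done
}

# audit_admins lists unexpected administrators on the live site.
audit_admins() {
    wp user list --role=administrator --fields=ID,user_login --format=csv \
        --path="$WP_PATH" | unexpected_admins
}

# demote drops an account to Subscriber, the lowest built-in role, which is the
# article's recommendation for leavers; the stricter alternative is
# `wp user delete <login> --reassign=<id>` so that their posts are kept.
demote() {
    wp user set-role "$1" subscriber --path="$WP_PATH"
}

# Only touch the live site when invoked with --run, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    harden_config
    audit_admins
fi
```

Run it as `ALLOWED_ADMINS="alice bob" sh harden.sh --run`; every login it prints is an administrator nobody signed off on, and `demote <login>` (or `wp user delete`) removes the excess privilege. Running the audit on a schedule catches both forgotten leavers and accounts an attacker may have created after a break-in.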