Is WordPress A Secure Platform/CMS? - HITS

WordPress has been around for a long time and is extremely popular, powering almost 30% of the web. Consequently, when a vulnerability or a successful attack on a prominent website becomes big news, WordPress can become the scapegoat. At HITS, we feel this can result in WordPress being given an unfair reputation for poor security.

Why We Use WordPress

Our sincere belief is that with the right setup in terms of hardening the core system, the right hosting platform, and proactive, ongoing maintenance, WordPress can be made as secure as any CMS available today.

There are two critical reasons why news of successful attacks is not representative of WordPress as a secure CMS:

  1. WordPress has an open system for plugin and theme development, and the vast majority of vulnerabilities are in plugins and themes rather than in the core system. That is why we limit the number of plugins we use, and we only use plugins that are well-used, well-maintained and regularly updated. We also rarely use WordPress themes, as the majority of our sites are coded from scratch.
  2. A significant cause of problems has been websites that were not updated after a security patch was released. As you know, this is true of any piece of software: if a system isn’t kept up-to-date, it will be vulnerable to attack. WordPress introduced auto-updates a couple of years ago, so security patches are added to a WordPress installation automatically as soon as they are released. This has been very helpful, but it is still crucial to work with a WordPress agency that can keep plugins up-to-date, carry out the more major WordPress updates, and proactively monitor the security setup of the site.

Fundamentally, any large CMS (or piece of software) will contain bugs that occasionally lead to security vulnerabilities. The important thing is that there is an infrastructure for finding and dealing with these vulnerabilities in as short a time as possible. WordPress is actually in a fantastic position in that regard. Since it is so popular and well-used, the community will likely find vulnerabilities before a hacker does. When a vulnerability is located, there is a community of hundreds of developers working to get WordPress patched quickly via an update of the system.

How We Secure Our WordPress Sites

Many steps can be taken to ensure a secure WordPress setup, which can be fine-tuned to suit your priorities. However, as standard, we guarantee the following:

  • All user accounts have strong passwords, and only have access to what they need
  • Non-required functionality, such as WordPress comments & emoji support, is disabled
  • Security auditing and logging software that tracks usage is installed
  • An SSL certificate is installed

Additional Measures To Consider

  • Locking down the Admin area to whitelisted IP addresses only (so only people at your location can access the backend of the site)
  • Two-factor authentication for all users
  • Use a Web Application Firewall such as Cloudflare or Sucuri – the former offers additional performance boosts as well
  • Implement other server-side measures such as a Content Security Policy and HTTP Strict Transport Security
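
As an added illustration (not HITS's own code), the Python sketch below models two of the measures above: the admin-area IP allowlist decision, and a check of a site's HSTS and Content Security Policy response headers. The allowlist ranges, the six-month HSTS minimum and the admin-ajax.php exemption are assumptions made for the example; in production the allowlist is enforced in the web server or WAF.

```python
import ipaddress
import re

# Assumed values for this example: documentation IP ranges, not real offices.
ADMIN_ALLOWLIST = ["203.0.113.0/24", "2001:db8:10::/48"]
MIN_HSTS_MAX_AGE = 15768000  # assumed policy: roughly six months, in seconds

def admin_request_allowed(client_ip, path, allowlist=ADMIN_ALLOWLIST):
    """Decide whether a request may reach the WordPress backend."""
    # Assumption: admin-ajax.php stays public, because front-end features
    # of many sites call it; blocking all of /wp-admin would break them.
    if path.split("?")[0] == "/wp-admin/admin-ajax.php":
        return True
    if not path.startswith(("/wp-admin", "/wp-login.php")):
        return True  # public content is not restricted by the allowlist
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowlist)

def audit_security_headers(headers):
    """Return a list of findings for the HSTS and CSP response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below the assumed six-month minimum")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
        return findings
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins, as in browsers
            directives.setdefault(tokens[0].lower(), tokens[1:])
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        findings.append("CSP sets neither script-src nor default-src")
    elif "*" in script or ("'unsafe-inline'" in script and not any(
            t.startswith(("'nonce-", "'sha")) for t in script)):
        findings.append("CSP script source allows '*' or 'unsafe-inline'")
    return findings
```
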

Finally, it’s worth pointing out that WordPress is used by many global brands, including a few that are obvious targets for attack. For example, the following large companies utilise WordPress: The Times, Walt Disney Corporation, New York Post, Time magazine, Quartz and many more.

How Can We Help?

We are HITS, a creative web design and development studio based in Andover, Hampshire. Established in 2010, we offer a complete package service across WordPress website design and development. We have extensive experience in bespoke Website Design, Ecommerce Store Development, Branding and Organic SEO services.

If you would like to find out more, please get in touch with us on 01264 316141 or via email at enquiries@hits.group