I have heard people argue that WordPress isn’t the best platform for security because it is open source which means that hackers can easily access the full software and look for the holes in its security.
In other words if you build a WordPress website then you are asking for trouble.
I don’t think that’s the case or ever has been the case.
Let’s start with the “total security aspect”. What’s the worst that can happen to your WordPress website? Here are some of the most common problems that can either take your site down completely or cause a whole heap of problems that you’d rather avoid.
Issue #1: Hacked Website
Getting your website hacked is definitely the most feared of all potential WordPress website issues. You don’t want someone inside your site messing around and breaking things. It’s a lot like letting a teen hold a party in your house when you are on holiday… I bet you are cringing at the thought of someone vomiting in your plants and smashing your ornaments
A hacker can do any number of things to your website:
- Add unwanted links that you can’t see.
- Add unwanted links that you can see.
- Add viruses that attack your visitors’ computers.
- Delete your site completely (and even replace it with a nice “You’ve been hacked by XXX” message complete with a skull and cross bones image).
- Delete website and content files.
- Take control of your site and lock you out.
- Insert malware
- Add rogue code
Issue #2: Hosting Company Issues
Every website is hosted on a computer. And we all know that a computer, as a piece of man-made technology, can sometimes go wrong. Please don’t make the mistake of totally relying on your hosting company to protect your site and expect that they’ll never have any technical issues. .
The vulnerable part of your hosting company is the server where they host your website. It could crash, get hacked or even be required to shut down. When my hosting has upgrades they let us know in advance of any potential outages. Technical issues can happen when servers are moved and new software is installed.
Recently I had a client lose her site during “routine maintenance”. Her hosting was based in the US where it was 3am. In the UK where my client was based, it was 11am… her hosting thought it was acceptable and reasonable to do maintenance work at 3am when everyone was asleep… it was my clients peak period and her website wasn’t working.
The hosting company knew it was coming, and once they were able to complete their work within a few hours and things went back to normal. However, if a company has an unexpected server problem, the damage could get much more unpredictable — and longer-lasting. You could end up losing valuable data or even your whole website if you don’t have a recent backup.
Additional reading: Backing up your WordPress site
It’s not unheard for a server to overheat or catch fire. This could happen for various reasons, but as far as you’re concerned, it’s once again an unexpected issue that can lead to total disaster if you’re not prepared. If you’re prepared (that means having back-ups) it can be just an inconvenience. You’re in charge of whether it will be a disaster or inconvenience, starting right now.
Other potential hosting issues include poor customer service. Your needs may outgrow their capabilities, or they may be not providing the kind of quality you expect. It’s a good idea to have your backups ready and handy so that you can make a quick switch of hosts, should the need arise.
Issue #3: Someone or Something Messes Up Your Website
It could be you, or it could be your webmaster, but it’s also quite possible that your website could get inadvertently screwed up while you’re adding a plugin, upgrading a theme, or updating to the latest version of WordPress.
If you’re not prepared, you could lose your whole website. You should always back up your site before doing any kind of updates! I know it’s boring and the grown up thing to do and you want to install a shiny new plugin right now, but back up first.
Issue #4: A Disgruntled or Clumsy Employee
This may not be an obvious issue, but it can be a real threat. Whether you work with a virtual assistant, or you have an employee in your office who works on your WordPress website, you hopefully know that it’s important to limit their capabilities within WordPress to match their responsibilities (and the level of trust you have in them).
For example, there is no real reason one of your regular contributing authors should have admin rights and be able to change your site’s theme or install new plugins.
Okay, we’ve looked at the potential issues that your WordPress website might have. Let’s unpick them a bit more.
Yes, WordPress is free and hackers have easy access to it, but who are we kidding? Hackers love a challenge and they can just as easily download pirated / cloned copies of ANY website design software they want. The fact that WordPress is a free, open source platform makes it actually more secure.
Most website software programs are designed by just one company with a limited number of employees. WordPress has one creator as well, but the community that works on the program to various degrees is huge.
Thousands of people are involved in doing things like updating the software, creating plugins and making easy-to-use templates. It’s a tremendous community effort.
This means that as soon as there is a problem, someone finds it almost immediately. And when they do, the creators of WordPress work hard and fast to solve the issue, and each time, they also release a brand new Security Update.
Just compare that dedication to other companies whose updates are much less frequent, and whose community is much, much smaller, and you’ll see the advantage and value of WordPress Website.
As Bob shares here – Don’t use Admin as your login name
Hosting. For me hosting isn’t something that should be “cheap” but something that should have excellent support and communication. Where possible it’s service hours and maintenance hours should be compatible with your business requirements. Things like “routine work” that happens in your peak traffic time is something you should be aware of but is likely to be tucked away in the small print.
Additional reading: avoid WordPress Hosting hell
Messing up your WordPress website. You are more likely to mess up your WordPress website than anyone else. You are more likely to screw something up than get hacked. Yes, you are a bigger danger to your websites security than a hacker. Adding a rogue plugin or not configuring one correctly can cause all kinds of problems.
Additional reading: When plugins go nuts
Another issue I frequently see is people adding code and adjusting code to the framework of their site and not to the child theme. When the framework is upgraded, the customisation is lost and they think they have been hacked…
People. People is the toughest one to write about, like me you might want to believe that no one could or would do something to your blog. But it’s better to be safe than sorry. Limit the access that authors and contributors have, restrict what they can do and don’t let them have admin rights unless they really, really, really need it.
Additional reading : WordPress user roles
As you can see, there are many variables and a combination of hosting, site admins and people going plugin crazy can cause vulnerabilities in your WordPress website and whilst you can secure and protect your site from some of these things, you can’t protect it against all of these things.
You just have to do your best when it comes to plugins and people, and be sensible about security because it can be a combination of all these things that make your website vulnerable, and not just using WordPress.
photo credit: hojusaram