WordPress is the web’s most popular content management system, but how secure is it?
The general consensus is that WordPress itself is secure, but when you install poorly-coded plugins on your site and barely keep things up to date, vulnerabilities become likely.
In this post, I examine how secure WordPress is and what you can do to keep your site safe.
Is WordPress Secure? An Overview
WordPress is a content management system (CMS) that allows you to manage web content, including web pages and blog posts, without needing to code them yourself.
Statistics show that WordPress is used by 42.8% of all websites on the web (W3Techs), so it’s only natural for developers and general users alike to not only be interested in WordPress but also be concerned about some of the security vulnerabilities it faces.
Related: Best Practices for Better WordPress Security
The truth is that in spite of its popularity, WordPress is actually very secure. It uses clean, quality code that goes through rigorous testing by developers from all over the world, and it’s designed to keep itself up to date in order to install security patches as soon as they’re available.
In fact, according to data from WPScan, only 1% of WordPress vulnerabilities originate from WordPress core itself.

It’s the other 99% that leads to WordPress having such a poor reputation for security; 93% of these vulnerabilities are caused by plugins while 3% are caused by themes.
The conclusion is that WordPress is secure but can be exploited through insecure themes and plugins along with negligence from users.
How Do WordPress Sites Get Hacked?
WordPress sites typically get hacked through exploits caused by:
- Poorly-coded third-party themes and plugins
- Outdated themes and plugins
- Outdated WordPress core files (meaning a site hasn’t updated its WordPress version in quite some time)
- An insecure hosting environment
- Insecure login credentials
Like I said, the biggest security risk in WordPress comes from plugins, typically free plugins not maintained by WordPress themselves.
WordPress is an open-source CMS, which means anyone can create code for it and package it as a theme or plugin.
When you install a theme or plugin, you’re actually injecting hundreds of lines of new code into your site. If that code is not secure or is intentionally malicious, your site is at risk of being exploited.
Furthermore, the code that makes up WordPress itself is called “WordPress core,” which receives several updates every year. Some updates are major, but most are minor, containing key security patches to keep WordPress’ code in line with new security techniques and to safeguard it against new threats.
However, negligent site owners don’t install security updates in a timely manner, and some don’t install them at all. Their sites then get hacked through exploits targeting outdated code, which further perpetuates the idea that WordPress is an insecure CMS.
Finally, the web host and login credentials you choose to support your site play important roles in security as well.
If you don’t choose a host carefully, you could potentially wind up with a host that leaves your server vulnerable to external (and even internal) attacks.
As for your login credentials, if you don’t choose a secure username and password, don’t use multifactor authentication, or don’t secure the email address associated with your WordPress account, your website can be hacked through unauthorized access.
Why WordPress Has Such a Poor Reputation for Security
We’ve come to the conclusion that WordPress’ security vulnerabilities can be summarized as user error. So, why does WordPress itself get such a bad rep when it comes to security?
It comes down to WordPress’ popularity and how negligent developers know site owners to be.
Because WordPress is the most widely used CMS on the web by a large margin, it’s the most common target for attacks as well.
When you combine that knowledge with the fact that WordPress also allows you to customize your site with third-party themes and plugins, you begin to understand why it’s such a common target for exploits.
What are the Biggest Security Risks in WordPress?
These are the biggest security risks that leave WordPress sites vulnerable to attacks:
- Third-party plugins
- Poor maintenance practices
- Insecure login practices
- Incorrect permissions configuration
Let’s discuss each of these threats in depth.
1. Third-Party Plugins
WordPress has a lot of functionality built in, but the beauty of this CMS is that it allows anyone to develop code for it and make it available for other WordPress users through plugins.
Because this code must be maintained by the developer who originally created it and not by WordPress themselves, the responsibility of keeping a plugin secure falls on two parties: the developer of the plugin and the site owner who installs it.
The developer must maintain the plugin by updating its code to patch security flaws and implement bug fixes. The site owner must keep the plugin up to date by installing these security patches.
If you recall from earlier, 96% of WordPress vulnerabilities originate from plugins, according to WPScan.
Patchstack and Wordfence also research and disclose security vulnerabilities in WordPress. Their data suggests that 91% and 96% of security vulnerabilities in WordPress originate from plugins, respectively.
How to Use Third-Party Plugins Safely
Just because third-party plugins have the potential to create security flaws in your site’s code doesn’t necessarily mean you need to steer clear of them. You just need to be more careful about which plugins you install on your site.
Patchstack’s data shows that the majority of vulnerabilities occur in free plugins from WordPress.org and premium plugins from Envato.
Patchstack runs a bug bounty program in which its own developers and members of its community collectively discover and disclose vulnerabilities in WordPress products.
In 2025, more than 6,800 vulnerabilities were detected by the program. Of that number, 71.02% were reported for free plugins from WordPress.org while 22.56% were reported for premium plugins from Envato.

This means you mostly need to be careful about plugins you install directly from the official WordPress plugin directory and are much better off opting for plugins with positive reputations.
Still, there are thousands of decent free plugins in the directory. Refer to these tips to keep yourself safe while using them:
- Choose plugins that have received positive reviews recently
- Choose plugins that have been updated within the last 12 months
- View the plugin’s support threads on WordPress.org, and choose ones where developers respond to customer queries
- Keep plugins up to date
- Audit plugins annually, and remove plugins that have not been updated or have diminished in quality
2. Poor Maintenance Practices
Even popular themes and plugins are at risk of being exploited. That’s why a proper maintenance schedule is a must when using WordPress.
If you’re dead set on using WordPress but don’t want to maintain your own site, hire a dedicated maintenance service to handle WordPress updates for you.
Related: 6 Best WordPress Maintenance Services & What to Look for
And in case you’re wondering what I mean by “poor maintenance practices,” it mostly boils down to:
- Not keeping themes and plugins up to date, especially third-party themes and plugins
- Not keeping WordPress up to date
- Not auditing themes and plugins at least once a year
WordPress applies minor security releases to core automatically, so those take care of themselves.
However, you should still be installing major WordPress core releases and theme and plugin updates as soon as they’re available. Create a weekly, bi-weekly or monthly update schedule to keep yourself on track.
Finally, audit your themes and plugins at least once a year.
Make sure each one has been updated by its developer at least once in the last 12 months. Read through recent reviews and support threads as well to ensure it still has a positive reputation.
You may even want to do a quick Google News/social media search to ensure the developer still has a positive reputation outside of WordPress.org.
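As an added example (not code from the article), here is a Python script that applies the audit rules from the plugin tips earlier and from this section, flagging plugins whose developer has not released an update in 12 months, plugins with pending updates and inactive plugins; it runs on constructed samples shaped like the output of `wp plugin list --format=json` and the WordPress.org plugin information API, and the audit date and the `last_updated` string format are assumptions.

```python
# Audit installed plugins against the article's checklist (constructed data).
import json
from datetime import datetime, timedelta

# Constructed `wp plugin list --format=json` output for a hypothetical site.
WP_PLUGIN_LIST = json.loads("""[
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
 {"name": "old-gallery", "status": "active", "update": "available", "version": "1.0.2"},
 {"name": "unused-slider", "status": "inactive", "update": "none", "version": "2.1"}
]""")

# Constructed plugin_information responses, reduced to the last_updated field,
# assumed to look like "2025-11-04 2:15pm GMT" as the API returns it.
PLUGIN_INFO = {
    "akismet": {"last_updated": "2025-11-04 2:15pm GMT"},
    "old-gallery": {"last_updated": "2022-01-20 9:03am GMT"},
    "unused-slider": {"last_updated": "2025-06-30 11:40am GMT"},
}

STALE_AFTER = timedelta(days=365)  # article: updated within the last 12 months
TODAY = datetime(2026, 1, 15)      # assumed audit date, fixed for reproducibility


def parse_last_updated(value):
    """Parse the API's last_updated string (assumed format) into a datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")


def audit_plugins(plugin_list, plugin_info, today=TODAY):
    """Return {slug: [findings]} for every installed plugin that needs attention."""
    findings = {}
    for plugin in plugin_list:
        slug, issues = plugin["name"], []
        info = plugin_info.get(slug)
        if info is None:
            issues.append("not in the WordPress.org directory: review its source manually")
        elif (age := today - parse_last_updated(info["last_updated"])) > STALE_AFTER:
            issues.append(f"developer has not released an update in {age.days} days")
        if plugin["update"] == "available":
            issues.append(f"update available (installed version {plugin['version']})")
        if plugin["status"] == "inactive":
            issues.append("inactive: remove it rather than leave its code on disk")
        if issues:
            findings[slug] = issues
    return findings


if __name__ == "__main__":
    for slug, issues in audit_plugins(WP_PLUGIN_LIST, PLUGIN_INFO).items():
        print(f"{slug}: " + "; ".join(issues))
```

On a real site, replace the two constructed inputs with the actual `wp plugin list --format=json` output and one plugin_information lookup per slug.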
3. Insecure Login Practices
If hackers can’t access your site by exploiting insecure code, they might try to crack your login information.
Your login will be easier to break if you don’t hide the WordPress login page, if you use the default “admin” username, or if you use a password that’s easy to guess.
Follow these tips for better login security:
- Hide the WordPress login page with a plugin like WPS Hide Login
- Use a secure username that is not the word “admin,” your email address or your name verbatim
- Use a secure password that is at least 12 characters long and mixes lowercase letters, uppercase letters, numbers and special characters
- Generate and store a secure password with a password manager
- Add a CAPTCHA box to your login form to screen out bots that do find your login page
4. Incorrect Permissions Configurations
Sometimes hacks and other malicious behavior can occur when bad actors gain access to your site through authorized channels.
Authorized channels are user accounts that are allowed to log into your site. Unfortunately, if you don’t have proper permissions configurations set up, you might be giving certain users more access to your site than originally intended.
This mostly happens when an admin leaves a project, but the site owner fails to delete that admin’s account.
You might also accidentally give contributors too much access by giving them higher WordPress roles.
For instance, guest authors should be given the Author user role while content managers should be given the Editor user role.
If you have a membership site, your members should be given the “Subscriber” user role if your membership plugin does not create a new “Member” role.