
Top 10 WordPress Security Myths

This guest post is by Anders Vinther of The WordPress Security Checklist.

WordPress Security is about as sexy as cleaning your house. And as a serious blogger, you already know that securing your site properly is not a trivial task.

That makes it a fantastic topic for myth fabrication.

In this post, I’ve compiled the top ten WordPress security myths for your easy consumption, followed by a light sprinkle of facts to debunk the myths.

Here are the myths:

  1. WordPress is not secure.
  2. Nobody wants to hack my blog.
  3. My WordPress site is 100% secure.
  4. I only use themes and plugins from wordpress.org so they are secure.
  5. Updating WordPress whenever I log in is cool.
  6. Once my WordPress site is set up, my job is finished.
  7. I’ll just install xyz plugin and that’ll take care of security for me.
  8. If I disable a plugin or theme, there is no risk.
  9. If my site is compromised I will quickly find out.
  10. My password is good enough.

Myth 1. WordPress is not secure

When people experience security problems with their WordPress sites, they tend to blame WordPress. However, the WordPress core is very secure. And when a security hole is found, the development team is very quick to respond.

The most frequent causes for compromised WordPress sites are in fact:

  • outdated software
  • insecure themes and plugins
  • bad passwords
  • stolen FTP credentials
  • hosting problems.

For more on this topic, see WordPress Security Vulnerabilities.

Myth 2. Nobody wants to hack my blog

Most hacking attempts are automated. There are rarely personal or political motives behind WordPress hacking—more often the motives involve financial gain.

Maybe you’re thinking, “But I don’t have anything for sale on my site. I don’t have credit card information or any other sensitive information. What could they possibly steal from my site?”

What you do have is resources.

Possible ways to exploit your site are:

  • inserting spam links into your content to boost SEO for other sites
  • infecting your visitors’ computers with malware, e.g. to steal their financial information
  • redirecting your traffic to other sites.

For more details, see Are Small Sites Targeted For Hacking?

Myth 3. My WordPress site is 100% secure

No site that’s accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist.

That is why you need a backup and recovery plan. If disaster strikes, you need to have a good backup available, and a plan for how to restore your site.

For more, see:

Myth 4. I only use themes and plugins from wordpress.org so they are secure

The WordPress Team reviews themes and plugins before they are included in the wordpress.org repository. However they do not have the resources to review updates.

Themes and plugins are developed by programmers from all over the world. Their experience and programming skills vary greatly, and so does the quality of their work. Even the best programmers make mistakes and all software contains bugs. Just pick a random plugin, look at the change log and you will see that bugs are routinely discovered and fixed. Even the best plugins developed by the most renowned people could contain undiscovered security risks.

Is it safer to get your themes and plugins from wordpress.org? Absolutely.

Is it guaranteed that there are no security problems with themes and plugins from wordpress.org? Absolutely not.

For more information, see:

Myth 5. Updating WordPress whenever I log in is cool

You need to keep WordPress core, plugins, and themes updated at all times. Whenever a security update is released the whole world can see what the problem was. This obviously exposes any site that has not been updated. Unless you log in to your WordPress admin dashboard every day, you’ll need a plugin that will notify you when updates are available.

More information can be found in the article, Update Notifications.

Myth 6. Once my WordPress site is set up, my job is finished

Having a WordPress site is an ongoing commitment—it’s like having a dog. As a bare minimum your WordPress blog needs to be maintained when new updates come out. This is crucial even if you do not write new posts or otherwise update the content.

If you simply leave your WordPress site behind like an abandoned holiday pet, chances are that you will be helping the bad guys carry out their malicious schemes to control the world. So if you will not or cannot keep your WordPress site updated, it’s better if you take it down!

Myth 7. I’ll just install xyz plugin and that’ll take care of security for me

You do need security plugins. And you need the right mix of security plugins. However, keeping your WordPress site secure goes well beyond what you install on your site.

Other factors you need to consider include:

  • securing the computer you use to connect to your hosting account (anti-virus, malware and firewalls)
  • creating and managing strong passwords
  • using Secure FTP to access your hosting account
  • protecting sensitive WordPress files from access from the internet
  • off-site WordPress monitoring.

Myth 8. If I disable a plugin or theme, there is no risk

Every file under your WordPress folder can be requested by URL from the internet unless you specifically protect it. This means even disabled themes and plugins can be exploited if they are vulnerable: deactivating a plugin only stops WordPress from loading it, it does not stop anyone from requesting its files directly.

The best practice is to remove anything you do not use. Or, at a minimum, make sure you keep de-activated themes and plugins updated.
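To make the “remove anything you do not use” advice actionable, here is an added example (not from the original post or from The WordPress Security Checklist) that lists the plugins present on disk under `wp-content/plugins` and reports the ones that are not in the site’s active list. It reads the same `Plugin Name:` / `Version:` header comment that WordPress itself reads from a plugin’s main PHP file. The function names and the sample plugin directory it builds are assumptions made for this illustration; in real use you would pass the path to your own `plugins` directory and the value of the `active_plugins` option from the database.

```python
import os
import re
import tempfile

# The header fields WordPress reads from the comment block at the top of a
# plugin's main PHP file (one "Field: value" per line).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def read_plugin_header(php_path):
    """Return {'Plugin Name': ..., 'Version': ...} parsed from a plugin file."""
    with open(php_path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress likewise only looks at the top of the file
    return {field: value for field, value in HEADER_RE.findall(head)}


def list_plugins(plugins_dir):
    """Map 'plugin-dir/main-file.php' -> header dict for each plugin on disk."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            if not name.endswith(".php"):
                continue
            header = read_plugin_header(os.path.join(full, name))
            if "Plugin Name" in header:
                found[f"{entry}/{name}"] = header
                break
    return found


def find_inactive_plugins(plugins_dir, active_plugins):
    """Return sorted (slug, name, version) tuples for plugins that exist on disk
    but are not in active_plugins (the list WordPress keeps in the
    'active_plugins' option, e.g. ['akismet/akismet.php'])."""
    active = set(active_plugins)
    return sorted(
        (slug, header.get("Plugin Name", "?"), header.get("Version", "?"))
        for slug, header in list_plugins(plugins_dir).items()
        if slug not in active
    )


def build_sample_plugins_dir():
    """Constructed sample data: a throwaway plugins directory with two plugins."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "hello-world/hello.php": ("Hello World", "1.0.3"),
        "old-gallery/old-gallery.php": ("Old Gallery", "0.9"),
    }
    for rel, (name, version) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n")
    return root


if __name__ == "__main__":
    plugins_dir = build_sample_plugins_dir()
    # Only hello-world is active; old-gallery is still on disk and still reachable.
    for slug, name, version in find_inactive_plugins(plugins_dir, ["hello-world/hello.php"]):
        print(f"deactivated but still on disk: {name} {version} ({slug})")
```

Anything the script reports should either be deleted from the server or, if you intend to reactivate it later, kept at its latest version.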

Myth 9. If my site is compromised I will quickly find out

Professional hackers are not interested in you finding out that your site has been compromised. Therefore you might not find out what has happened until quite some time after a hack has occurred—if you find out at all.

Some types of hacks that are difficult to spot include:

  • redirection of all traffic coming from a search engine (so if you enter the URL in your browser or use a bookmark, everything will look normal)
  • the inclusion of hidden text in your posts and pages.

You need some kind of off-site monitoring of your WordPress site. For more details, see:
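The two hard-to-spot hacks above can be checked for from outside the site, which is what “off-site monitoring” means in practice. The following is an added example (not code from the original post) that implements both checks on captured responses: it finds links placed inside elements hidden with inline CSS (`display:none`, `visibility:hidden`, or pushed off-screen), and it flags a page that is served normally when fetched directly but answers with a redirect when the request carries a search-engine `Referer`. The HTML and the response pairs are constructed sample data, and the function names are assumptions; a real monitor would fetch the live page both ways and feed the results in.

```python
from html.parser import HTMLParser

# Elements that never have a closing tag, so they must not be tracked on the stack.
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col",
             "embed", "source", "track", "wbr"}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def _is_hidden(style):
    """True if an inline style hides the element or pushes it off-screen."""
    s = style.replace(" ", "").lower()
    return ("display:none" in s or "visibility:hidden" in s
            or "left:-" in s or "text-indent:-" in s)


class HiddenLinkFinder(HTMLParser):
    """Collect href targets of <a> tags that sit inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []         # (tag, opened_a_hidden_region) for open elements
        self.hidden_depth = 0   # > 0 while inside at least one hidden element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and self.hidden_depth > 0 and a.get("href"):
            self.hidden_links.append(a["href"])
        if tag in VOID_TAGS:
            return
        hidden = _is_hidden(a.get("style") or "")
        if hidden:
            self.hidden_depth += 1
        self.stack.append((tag, hidden))

    def handle_startendtag(self, tag, attrs):
        # <br/> style self-closing tags: open, and close only if not void.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        while self.stack:              # unwind to the matching open tag
            open_tag, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break


def find_hidden_links(html):
    """Return the hrefs of links that a visitor would never see on the page."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hidden_links


def detect_conditional_redirect(direct, via_search_engine):
    """direct and via_search_engine are (status_code, location_header) for the
    same URL fetched without and with a search-engine Referer header."""
    direct_status, direct_location = direct
    ref_status, ref_location = via_search_engine
    return (direct_status == 200 and ref_status in REDIRECT_CODES
            and bool(ref_location) and ref_location != direct_location)


# Constructed sample: a post with one visible link and three hidden spam links.
SAMPLE_POST_HTML = """<html><body>
<h1>My Post</h1>
<p>Normal text with a <a href="https://example.com/about">visible link</a>.<br></p>
<div style="display:none">
  <a href="http://spam.example/cheap-pills">cheap pills</a>
  <a href="http://spam.example/loans">loans</a>
</div>
<p style="position:absolute;left:-9999px"><a href="http://spam.example/seo">seo</a></p>
</body></html>"""

if __name__ == "__main__":
    for href in find_hidden_links(SAMPLE_POST_HTML):
        print("hidden link found:", href)
    # Constructed responses: 200 when fetched directly, 302 with a search Referer.
    if detect_conditional_redirect((200, None), (302, "http://spam.example/")):
        print("search-engine visitors are being redirected")
```

Run it against a stored copy of your own pages on a schedule; a sudden non-empty hidden-link list or a redirect that only appears with a `Referer` is the kind of change Myth 9 says you will otherwise never notice from your own browser.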

Myth 10. My password is good enough

Unless your WordPress admin password looks something like LR!!g&6uTFL%MD8cyo, you need to change your password management strategy. And make sure you do not reuse passwords on multiple websites.

Amazingly, “password” and “123456” are still the two most used passwords! To find out more about this issue—and how to solve it—see:
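The password advice above comes down to two things: never use a common password or a trivial variant of one, and use something long and random like the sample string in the post. The following added example (not part of the original post) implements both as a checker and a generator. The common-password set is a tiny constructed stand-in for a real breach list, the 12-character and 60-bit thresholds are assumptions chosen for this illustration, and the function names are mine rather than anything from WordPress or the checklist.

```python
import math
import secrets
import string

# Constructed stand-in for a breached/common-password list. A real deployment
# would check against a large list or a breach-lookup service instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein",
                    "admin", "welcome", "iloveyou"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def estimated_entropy_bits(pw):
    """Upper-bound entropy, assuming each character was drawn uniformly from
    the union of the character classes the password actually uses."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += len(string.ascii_lowercase)
    if any(c.isupper() for c in pw):
        pool += len(string.ascii_uppercase)
    if any(c.isdigit() for c in pw):
        pool += len(string.digits)
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, min_length=12, min_bits=60):
    """Return (ok, reason). Common passwords and 'Password1!'-style variants
    are rejected first, then length, then the entropy estimate."""
    lowered = pw.lower()
    stripped = lowered.rstrip("0123456789!")   # drop trailing digits / '!' suffixes
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return False, "matches a common password (or a trivial variant of one)"
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    bits = estimated_entropy_bits(pw)
    if bits < min_bits:
        return False, f"only ~{bits:.0f} bits of estimated entropy"
    return True, f"~{bits:.0f} bits of estimated entropy"


def generate_password(length=18):
    """Random password from the OS CSPRNG (secrets), regenerated until it
    contains every character class and passes check_password()."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes) and check_password(pw)[0]:
            return pw


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "correcthorse", "LR!!g&6uTFL%MD8cyo"):
        ok, reason = check_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT'} ({reason})")
    print("suggested:", generate_password())
```

Note that `estimated_entropy_bits` is deliberately an upper bound: a human-chosen string that happens to mix classes is weaker than the number suggests, which is why the common-password check runs first and why the generator, not a person, should pick the final value.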

Don’t get caught out!

Getting WordPress security right is not trivial. That’s probably the reason why too many bloggers stick their heads in the sand when it comes to protecting their valuable assets.

While you do need to be pro-active and take action, WordPress security is by no means an impossible task. The same way you would add an alarm to your car and get a guard dog for your house, you need to secure your website. Don’t get caught with sand in your ears, nose, and mouth when the hackers come knocking on your door. Act now!

Check out ’s free WordPress Security Checklist, which is all about protecting your WordPress assets properly and sleeping well at night.

About Guest Blogger

This post was written by a guest contributor. Please see their details in the post above. If you'd like to guest post for ProBlogger check out our Write for ProBlogger page for details about how YOU can share your tips with our community.


Comments

  1. Tom White says:

    #2, that one I like. I have met quite a few people who thought that, and when they got their blogs (and not only blogs) hacked, they nearly cried…

    A bit relating to that, a year or so ago I read somewhere how someone was hacking old forums by getting the admin’s email address, and with some services they delete the email after some time of inactivity, so you could potentially get the admin’s password when you re-create his email. Those were nearly dead forums, but they still had some activity, and since they were quite old, they tended to be a bit more trusted. And whoever got into the forums just blasted their users with various offers and got loads of sales.

    Basically you should always have your stuff secure, since it can be profitable to somebody.

  2. Good post! Evidently, WP security is a problem from the number of sites with the “This site may be compromised” warning.

    I am curious to learn more about “hosting problems” as a “frequent cause for compromised WordPress sites.” I strive to follow all the rules, best practices, rules of thumb and so on for passwords, SFTP, plugins, updates, etc. but I occasionally run into problems. Does Anders (or anyone else) have suggestions for checking out a hosting company or red flags to look for regarding hosting-based security vulnerability?

    • @Anders great post on wordpress security issues and suggesting ways to handle them as well.

      @Roger Harris I use a system called http://infinitewp.com/ you install a script which allows you to monitor your wordpress website or multiple websites. It tells you when themes or plugins are out of date and you can update straight from their interface. It also allows you to back up websites and all of this is for free. Their premium add ons are really worth it as well.

    • Anders says:

      @Roger It is very difficult as an outsider to gain information about the security level of a hosting company.

      A common way is to search for “hosting company hacked”, “hosting company security vulnerability” etc. However from those results you will not be able to tell if the sites were hacked because the site owners had not secured their sites or because of a hosting vulnerability.

      Do GoDaddy, Bluehost, Hostgator, etc have a lot of hacked sites because they have a lot of customers?
      Or because they attract a lot of beginner WordPress users, who do a one click install and start blogging?
      Or is their security infrastructure not hardened properly?

      Without the proper data it is impossible to draw a conclusion.

      Often people with hacked sites are very quick to blame their hosting. However without hard evidence this does not make much sense.

      In the “hosting problems” category I would also add self managed servers. Unless you know how to security harden a LAMP stack and you have the time to keep updating it I would recommend a managed solution. This will give you more time to focus on your business and your sites will be more secure.

      My advice would be to secure your own sites as best as possible. If you continue to have security problems hire a company like sucuri.net to clean the site and locate the problem. If they point to the hosting company or if the problem continues then consider changing host.

  3. The WordPress Team reviews themes and plugins before they are included in the wordpress.org repository. However they do not have the resources to review updates.

    Actually, the theme review team reviews all theme updates as well as the initial upload to the repository.

    • Anders says:

      Justin, thanks for the clarification!

    • Alan Tay says:

      I will say all your points up there are awesome, Anders, but I stand on Justin’s side on the reviewing of updates of WordPress.org themes and plugins.

      In fact, the point #4 should not only point to the WordPress.org while I believe other Premium themes and plugins should happen as well as being said, ‘Even the best programmers make mistakes…’. It will be good to remind people that even they are using Premium theme or plugin, they should be aware of security threats as well.

      And from my point of view, things from WordPress.org have more end users (= more testers) due to the reason that they are free, and they should have better security than the paid ones if the plugin is a useful one and many developers are working on it.

      • Anders says:

        @Alan – I completely agree with you: point #4 is valid for all sources of plugins and themes. WordPress.org is the most reputable source of wordpress assets… implying that if this holds true for wordpress.org it would also hold true for any other provider of WordPress assets.

        Thanks for clarifying that point.

  4. I had quite an ordeal with a hacker last month.. first time I’ve ever dealt with that. My hosting company couldn’t nail it down either but the hacker was using sql injection and we couldn’t block him out for the longest time!

    I had to do a complete machine wipe because it was suspected my ftp info was being transferred through some .exe on my machine, which must have been true because right after, the problem went away.

    Very frustrating! Great post, Anders. Security should be a top priority of any blog, for sure!

  5. Good post.
    When I first began playing with WordPress I had a few different domains and bam! They got hacked almost instantly. The problem that I had, being a newbie, was using the username admin. Crazy move.
    That’s the best tip out there. Don’t use admin. :)

  6. This article is a timely reminder for us not to get complacent. It is always good to keep our assets (websites, blogs etc.) secure as they are built from our hard work. If a hacker is truly determined to hack into our sites, there are countless ways to do so. Better that we keep up with the security than to regret later.

  7. Ian Eberle says:

    I never thought about using free themes before… For example, you can search for “elegant themes free” on Google and find tons of sites offering them as a free download when they are $39 on ElegantThemes.com. I have never downloaded any of these themes since it is stealing, but that’s a great way for hackers to get into WordPress sites. I try to stick to using WordPress frameworks like Ultimatum and Thesis to make my blogs and if I don’t do that, I will download the theme from a reputable website.

    Thanks for sharing these tips!

  8. Folks would still use 123456. It’s amazing what people are careless on, and what they care about.

  9. Insiya Hussain says:

    Thanks for the resources – this stuff is pure gold! Just setting up a WP side so it comes at a good time.

  10. OMG! I still thought that hacking is manual and hackers aren’t interested in small blogs. So ridiculous until reading this post. Thanks for your useful facts!

  11. Jeff says:

    Interesting, I got scared today because I got an email that was saying someone had tried to reset my password. It freaked me out and I’m not sure if it was just someone who ended up on the admin page and clicked the link or if someone is really trying to get in….

    Either way, great article I will learn to be careful

  12. Steve says:

    Great direction about WordPress security! This discussion of yours will surely help so many people who want to know about WordPress security, and I would say you must forward this valuable discussion on other networks as well, so that people come in touch for WordPress security.

  13. Brad Dalton says:

    4800 Aussie sites evaporate after hack http://www.smh.com.au/technology/security/4800-aussie-sites-evaporate-after-hack-20110621-1gd1h.html

    If you’re not taking full backup and storing it away from your server, you’re taking a big risk.

    Password protect your wp-admin folder, update themes and plugins, and install an all-in-one security plugin like Wordfence that covers the 7 most common ways WordPress is hacked.

    I wrote a great post about this recently.

    Don’t think your host will protect you because they won’t unless they’re fully managed.

  14. Nice post Anders.

  15. We have set up a WordPress blog on our website hoping that it’s a lot more secure than other CMSs. However, after reading your article it made me think otherwise. However, this article is really helpful and I will ensure that I keep in mind all your points hereafter. Just going to move this link into my bookmarks. Phew!

  16. Jimi Ellis says:

    With my head full of what articles, what content, what is SEO and all the other information researched as a newbie, the last thing I thought of was security. When you make your first site it’s like part of the family and quite upsetting when someone hacks it; as soon as I put my site up (a couple of weeks ago) it was riddled with someone else’s links! Security is as important as every other aspect of a website. jimi.

  17. Ayaz says:

    Hi Anders! Great post and love reading this. I have a question what method do you prefer to do security of your wordpress website or blog? plugin or any manual coding to do the work?

    Would appreciate your answer. Thanks for sharing great information though :-)

    • Anders says:

      In general I find it is easier to maintain sites using plugins instead of manual coding. It depends on how many blogs you have and your skill level.

      The drawback with plugins is that some of them add functionality you do not want.

      Finding a good combination of security plugins for example can be quite a challenge. This is where The WordPress Security Checklist comes into the picture.

  18. shane diet says:

    Who says WordPress is not secure? He doesn’t know anything. Yes, WordPress can be hacked, but so easily. 90% of the time, a faulty or broken theme is the cause of a blog being hacked.

  19. Share, share share! I know so many people that believe each and everyone of these myths to be true.

  20. I spend quite a bit of time on the WordPress security problem and your post is right on. Really the whole problem can be summed up in one word…. Apathy.

    You, as a site owner really are the first, best, and last line of security. It is up to you to follow best practices to prevent problems and if you are attentive you will notice any problem long before Google does. As the developer of Better WP Security I do know that plugins can assist with security but they can never replace an attentive site owner.

  21. Great info. I have to say #10 stood out to me. Having a strong password is easy to do if you don’t make it personal. I find when I key in random number and symbols I have less of an issue.

  22. I think your statements have a contradiction, as you said WordPress is not safe and then you said a WordPress blog is 100% safe. Well, I have made my website on WordPress and I think this is a very useful module I have, which allows me to manage my site very well.
    Thanks for the post!

  23. Oliver says:

    interesting info. :)

  24. Maria says:

    One of my clients had their WordPress site hacked last year. This is one of those clients that didn’t deem it important to keep his theme and plugins updated. He also didn’t want to pay me to do so. Well, he paid a high price as his site was down for a week and it cost him several bucks to get a security company to resolve the issues.

    A lot of people fall into the traps of Myth 7, 8, and 9! Great article! we all need this clarification and reminder.

  25. I agree with you on the part about passwords. Passwords are never actually secure. Hackers are all over and it is very easy to hack into other computers to retrieve information that may actually be vital.

  26. Bobbie Hurst says:

    I actually love the myths and the detail with which you have explained them. What caught my eye is the manner in which you neutralized the contradiction between #1 and #3; Thumbs up for putting this up.

  27. Brad Jones says:

    Good post, I agree there is a lot of myths out there and you covered them well. Most blogs as you said are hacked for a couple of main reasons, the first is outdated software and the other is a weak password, especially one that stays the same forever, you need to change it every now and then :-)

    As for keeping updated and installation, there is a myth out and about that if you use the easy installation process that many cPanel web hosts provide, such as Softaculous in my case, it is not as secure. This is untrue: when going through the install process you have the ability not only to change the default admin user name, but you also get to choose the name, location and even the prefix used in the database in order to secure your installation as much as possible.

    The best part about using Softaculous is that when an update becomes available it will contact you to let you know a Softaculous installation is in need of update and usually accompanies it with a one click update process.

  28. First of all I would like to say excellent blog! I had a quick question which I’d like to ask if you don’t mind.

    I was curious to know how you center yourself and
    clear your thoughts before writing. I have had a tough time clearing my mind in getting my thoughts out.
    I truly do enjoy writing but it just seems like the first 10
    to 15 minutes are usually wasted simply just trying to figure out how
    to begin. Any ideas or tips? Kudos!