Are WordPress sites easy to hack?

One of my many job duties is helping to back up and upgrade the WordPress websites we manage. While there are several reasons we do that on a regular basis, the main reason is security.

WordPress has been around since May of 2003. While it has definitely evolved over time, so have the efforts of hackers.

Which begs the question: Are WordPress websites easy to hack?

They can be! Any site that’s not set up right or not maintained correctly can be an easy target for hackers. Let’s look at why that is and what you can do about it.

The popularity of WordPress

When it comes to computers, Windows has traditionally been the most used desktop operating system. As a result, it’s been a bigger target for hackers.

The same thing is true with WordPress. WordPress is by far the most popular CMS—content management system—out there, powering over 63% of all websites. By comparison, the second place CMS powers just over 4% of all websites.

That means WordPress is a huge target, regardless of how secure it is.

How WordPress sites get hacked

WordPress has three main points of entry for hackers:

• WordPress itself
• Plugins
• Themes

The reason WordPress has those three components is so your website is customizable. WordPress powers everything, the plugins add functionality, and the themes control the look and feel.

For better or worse, you can download plugins and themes a million different places online. It can be hard for the average person to know whether a plugin, theme, or an entire website is reputable or not.

If you download a shady theme or plugin, you’re running a risk! It may have an accidental security hole if it hasn’t been kept up to date. Or it may even have an intentional back door for hackers.

Even if you do get a reputable theme or plugin, often the original author will move on and stop updating it. That can also lead to accidental security holes that can be exploited by hackers.

Keeping your WordPress website secure

So how do you keep your website secure? The starting point is to keep WordPress, your theme, and your plugins updated on a regular basis. We recommend backing everything up, upgrading it, then backing it up again. You should do that once or twice a month, if not more often.

For backups, we like to use a premium plugin, BackupBuddy from iThemes. If you’re looking for a free option, UpdraftPlus is a very reputable option. And if you end up liking it a lot, they also offer a paid version.

If you need to take your security to the next level, you can install a security plugin like Sucuri Security or iThemes Security. Both have free and paid versions. Beware, there are a lot of settings in there, and if you don’t know what you’re doing you may accidentally lock yourself out of your own website.

And if you need something even more secure, you can sign up for a paid service through Sucuri that provides a firewall and fixes your site if it is ever hacked.

For most, regular basic maintenance provides a good level of security. If you need help with that, we have a guide to maintaining a WordPress website that you can check out.

In the end, you control how secure or insecure your website is by what you install on it and how well you maintain it. If you invest no time or money in maintaining your WordPress website, then it won’t be very secure.