The Security of the WordPress Platform

Roughly a quarter of all websites on the internet are built on WordPress. You’d think that such popularity would ensure that the platform is flawless and secure! But have you ever considered that this popularity could itself be the cause of security breaches?

Today WordPress sites have become the No. 1 target for hack attempts. Hackers reportedly launch 90,978 attacks on WordPress sites every minute. It is not surprising, then, that in the last few years we have faced some of the most catastrophic security threats in the history of cybersecurity. This naturally prompts WordPress users to wonder whether WordPress is secure.


It’s a complicated question that warrants a thorough investigation. WordPress is an excellent website-building platform. It’s maintained by some of the most highly efficient people in the industry. But WordPress does not work in isolation. To build a good website, you need to use themes and plugins that make your website look attractive and navigable, while filtering spam or collecting visitor emails. But these themes and plugins can cause your website to be compromised. In the majority of hacked WordPress sites, a vulnerable plugin or theme was the entry point.

It’s not difficult to see that the onus of website security lies not only with WordPress but also with a number of other factors. The security of a WordPress site involves three very significant factors:

  1. The people creating and maintaining WordPress, WordPress websites and themes/plugins.
  2. The time dedicated to creating a WordPress site.
  3. The budget for creating a WordPress site.


Factor 1: The People

Certain people are responsible for holding the first line of defense for keeping WordPress and its corresponding system safe.

Team WordPress: The Core WordPress team shoulders the responsibility of keeping WordPress safe and its users free from security threats. Besides hiring some of the most dedicated people, WordPress invites involvement from the WordPress community to find vulnerabilities in the platform. The organization offers a responsible way to inform it about newly found vulnerabilities in the system. This makes sure that the WordPress team becomes immediately aware of a security issue and can address it right away.

Plugin and Theme Developers: Unlike WordPress, most theme and plugin developers have no such responsible disclosure system. Vulnerabilities in themes and plugins are not easily or immediately found. There are both free and fee-based themes/plugins. Free themes are not maintained as well, and sometimes they are abandoned in pursuit of other, more financially rewarding projects. It’s not always feasible for developers to maintain themes and plugins they’ve created, and abandoned plugins/themes are often responsible for website security breaches: because they are not maintained, they are not updated regularly, which leaves known vulnerabilities unpatched. And a vulnerable theme or plugin is a gateway to your site for people with malicious intentions.
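As an added example (not from the article or from any of the products it names), the following Python script shows how a site owner could flag the abandoned plugins described above: it checks how long ago each installed plugin was last released, whether it was tested against the site’s WordPress version, and whether an update is pending. The plugin names, versions and dates are constructed, and the field names and date format are assumed to mirror the wordpress.org plugin-info API.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data, not real plugins. The field names and the
# "YYYY-MM-DD h:mmam GMT" date format are assumed to mirror the wordpress.org
# plugin-info API (api.wordpress.org/plugins/info/1.0/<slug>.json).
SAMPLE_PLUGIN_INFO = {
    "example-forms": {"version": "3.2.1", "last_updated": "2024-02-10 9:15am GMT", "tested": "6.4.3"},
    "old-gallery":   {"version": "1.0.4", "last_updated": "2020-06-01 4:40pm GMT", "tested": "5.4"},
}
# Constructed inventory of what is installed on a hypothetical site.
INSTALLED = {"example-forms": "3.2.1", "old-gallery": "1.0.2"}
SITE_WP_VERSION = "6.4.3"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def parse_last_updated(text):
    """Parse the API's last_updated string into an aware UTC datetime."""
    stamp = text.rsplit(" ", 1)[0]  # drop the trailing "GMT"
    return datetime.strptime(stamp, "%Y-%m-%d %I:%M%p").replace(tzinfo=timezone.utc)


def version_tuple(version):
    """'6.4.3' -> (6, 4, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess_plugin(info, installed_version, now=NOW, wp_version=SITE_WP_VERSION, stale_days=730):
    """Return a list of findings for one plugin; an empty list means nothing looks wrong."""
    findings = []
    age = now - parse_last_updated(info["last_updated"])
    if age > timedelta(days=stale_days):
        findings.append(f"no release for {age.days} days (possibly abandoned)")
    # Compare major.minor only: a plugin tested on 6.4.1 is fine on 6.4.3.
    if version_tuple(info["tested"])[:2] < version_tuple(wp_version)[:2]:
        findings.append(f"only tested up to WordPress {info['tested']}, site runs {wp_version}")
    if version_tuple(installed_version) < version_tuple(info["version"]):
        findings.append(f"update available: {installed_version} -> {info['version']}")
    return findings


def audit(installed=INSTALLED, catalog=SAMPLE_PLUGIN_INFO):
    """Map each installed plugin slug to its list of findings."""
    return {slug: assess_plugin(catalog[slug], ver) for slug, ver in installed.items()}


if __name__ == "__main__":
    for slug, findings in audit().items():
        print(slug, "OK" if not findings else "; ".join(findings))
```

On a live site the catalog would be fetched from the API for each installed slug and the inventory read from the site itself; the thresholds are a starting point, not a standard.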

WordPress Website Owners: Website owners tend to think that because they are paying for a website to be built, the site will be immune to security problems. This thinking is flawed; money can’t make your website hack-proof, but it can minimize the risk of a security breach. Vigilance on the part of the website owner (such as keeping your website up to date) goes a long way in keeping the WordPress site safe.

Factor 2: The Time

Time often dictates the quality of a product. A service built in a hurry can never match up to a service built with deliberation.

Team WordPress: WordPress, being the world’s No. 1 website-building platform, is manned by the best brains in the world. The people who maintain the platform follow planned calendars to execute their work in an orderly fashion. That way, they have enough time to build a great product and maintain it. Besides releasing new versions periodically, WordPress also performs reviews and beta tests that run for months on end. The time they are able to dedicate ensures that the service they offer is top-notch.

Plugin and Theme Developers: In a competitive market, plugin and theme developers are constantly in a rush to make their product feature-rich in the shortest amount of time. In this race, quality suffers. And as we know, low-quality plugins and themes are vulnerable to malicious attacks. Breaching them is comparatively easy and, once breached, they become gateways to the WordPress site using them.

Many free versions of plugins and themes are low-quality products that are easy to breach, and they lead to compromised sites. Developers who are not getting paid for a plugin or theme they are building are likely to dedicate less time to enhancing or maintaining it. They may have a full-time job that keeps them busy and pays their bills, which makes investing time in a product that brings no monetary benefit impractical.

WordPress Website Owners: Starting a website has never been easier. One can create a WordPress website on a really low budget and get the site up and running within a few hours. But in their bid to meet deadlines, site developers often skip necessary security audits. The result? A weak site vulnerable to attacks from hackers. WordPress alone can’t be blamed when a site gets compromised. In a world where production needs to be faster and cheaper, safety often takes a backseat. In consequence, websites get hacked.

Factor 3: The Budget

Like time, budget dictates how secure a website can be. Oftentimes, finance decides how much time a developer can spend building a website or a plugin/theme.

Team WordPress: WordPress invests hundreds of thousands of dollars each year, employing the best programmers, developers and engineers to enhance and maintain the platform. At the time of this writing, the open source CMS supports more than 60 million websites, and maintenance at this level requires substantial resources. WordPress puts substantial effort into elevating and maintaining the CMS.

Plugin and Theme Developers: Paid plugins and themes are often more secure than their free counterparts. There are a few reasons behind this. A developer who is working to create a free product may abandon the product at any time. That leaves you, the user, in a tight spot because switching to a different plugin or theme requires investing time and effort. If you keep using an abandoned theme/plugin, know that there will be no maintenance and therefore no updates. When an error occurs, you won’t get any support, either.

Sometimes developers lose interest in the free product they have built, or they are not able to dedicate enough time to maintaining it. If the product is a paid one, there is a chance the developer can focus on that product alone. Financial security could also help bring in more developers to maintain the theme/plugin better. This is why it is often recommended to use paid plugins over free ones.

WordPress Website Owners: Creating a website today is not as difficult as it used to be. Practically anyone with money and knowledge of the internet can build a WordPress site. But while price is not always an efficient marker of quality, the effort that goes into creating a good website is directly related to the budget. Cheap labor comes at the price of quality; if you employ a cheap developer, you are likely to get a site vulnerable to security breaches.

People who want their websites built without having to pay much also don’t want to spend much on plugins and themes. They often opt for free themes and plugins. Again, free products are often vulnerable and pose a threat to the security of a website.


The WordPress environment is a volatile ecosystem. The key to keeping your website safe is vigilance. Using WordPress security plugins, keeping your site updated and investing reasonable time and expense in creating and maintaining your site are required to keep your WordPress site secure.

Have questions regarding the security of your website? Please leave a comment below.

Akshat Choudhary


Akshat Choudhary is the founder and CEO of BlogVault, MigrateGuru & MalCare. He loves building products that solve real problems for real people and has been building systems and products since 2005. His core beliefs behind building any product are to make sure the end-user doesn’t need assistance… and to assist them in the best possible manner if they need it.
