Written by: Rob Harris
Length: 5 min read
Date: 30 Apr 2024

WordPress powers 42% of all websites on the internet, which unfortunately makes it an easy target for hackers trying to break into your website. For this reason WordPress often gets a bad reputation for not being secure, as there are a lot of horror stories scaring individuals and businesses away from this content management system (CMS).

Every year hundreds of thousands of WordPress sites get hacked and compromised. In 2019, 94% of cyber attacks against CMS-powered websites targeted WordPress.

Sounds scary, right? 

You are probably wondering why people still use WordPress. Well, let me assure you that there is some good news. Hackers aren’t getting in through vulnerabilities in the latest WordPress core version. Instead, all of the sites that do get hacked are compromised because of preventable issues such as insecure passwords, vulnerable plugins and not keeping things updated.

As a result, answering the question “is WordPress secure?” requires some detailed explanation, which the sections below cover topic by topic.


How can WordPress be hacked?

Here are the main routes hackers take to get into your website:

  • Brute force attacks - Bots attack your website looking for weaknesses. This means that the bot accesses your site's login page and tries every possible login combination until one is successful.

  • Cross-site scripting (XSS) - The most common vulnerability for WordPress websites is insecure plugins. These allow hackers to inject scripts that send malicious code to the user’s browser.

  • Backdoors - A backdoor vulnerability is a hidden passage through which hackers can gain access via abnormal methods. Once it is exploited, hackers can cause havoc on your server, even causing cross-site contamination attacks on other sites hosted on the same server.

  • Pharma hacks - This is an exploit used to insert rogue code and SEO spam into websites running outdated versions of WordPress. This causes the search engines to return ads for pharmaceutical products, for instance, which then leads to the search engines blocking the site and marking it as spam.


Is WordPress safe to use?

WordPress is secure as long as website security is taken seriously and the best practices of prevention are followed. The best practices for keeping your WordPress website secure are to: 

  • Use strong passwords.

  • Install safe, reputable plugins and themes.

  • Host your website with a secure provider.

  • Keep everything updated regularly. 

But where do the vulnerabilities lie within the core files, plugins and themes? Here’s a roundup of each of the components within the WordPress ecosystem which can lead to a security issue.


Is the WordPress core secure?

In short, the answer is yes. The WordPress core is the most secure part of the system as long as it is updated to the latest version. It is maintained by a world-class security team who always stay on top of patching any known vulnerabilities. Once an update from WordPress has been released, it is wise to install it straight away.


Are WordPress plugins secure?

As good as WordPress plugins are, some are not secure, and plugins are the biggest source of potential hacks. Plugins make WordPress infinitely customisable and solve many problems with a few clicks of a button. The issue is that the plugins are made by third parties and not safeguarded by WordPress, so there is always the possibility of vulnerabilities within their code.

It’s best to use as few plugins as possible, as with each install you are increasing your vulnerability risk. Stick to reputable plugins with good reviews, lots of downloads and a recent update.


Are WordPress themes secure?

Although the majority of WordPress themes are secure, some are not, which means you should be careful about what you pick. Many themes are built and maintained by third parties and can be bought from marketplaces such as ThemeForest. This means that they are not regulated or approved by WordPress, unless you use a theme from the official WordPress theme directory. As with plugins, it’s best to do your research about a theme before making any decisions.


Summary: is WordPress secure?

While no software is 100% secure, WordPress has plenty of security features in place within the core which prevent most known hacks. As long as you follow the best practices for securing your WordPress site, your website should remain hack free.

If you have any concerns about the security of your website, then contact us here at FINALLY and we will be happy to help.
