Is WordPress a Secure CMS for a Website?

by | Aug 9, 2019 | News, Website Design

When it comes to a Content Management System (CMS) that is used to run a Website, they are all open to potential vulnerability at some point.  Like anything, it’s just a matter of time before your website is targeted. Almost every website that is live on the internet has been the target of a brute force attack, or targeted attack in its lifetime.  Many of these attacks are intended to expose vulnerabilities within the source code and open a backdoor to retrieve stored data or hijack the website.

It is a common misconception that the CMS’ core code is where most of the issues occur.  It is more commonly the case that a dependency such as a theme or a plugin is the source of the vulnerability.  In many cases, if there are bugs within the CMS’ code, they are fixed within hours of being identified by WordPress developers.   Many other leading CMS providers work in the same way, quickly addressing vulnerabilities as they arise.

While it’s easy to bork at the sheer number of attacks targeting WordPress specifically, when you take into consideration the sheer scale of its presence on the internet, those numbers start to fall into proportion.  

WordPress sites make up an incredible 34% of all website CMS’s that are used worldwide (Source: W3 Techs).  With that in mind, the relative number of breaches per instance is actually much lower than the majority of CMS’.

While you will likely see higher hack rates against WordPress websites, this is nothing to with implicit vulnerability of the platform, but rather a consequence of its popularity.  

As both a free and powerful CMS system, it has a substantially higher uptake of implementation by a vast number of amateur developers. Too often instances of WordPress are deployed by inexperienced developers, who unknowingly set it up without implementing the best practices that are essential to a secure WordPress site.

We have collated a few simple methods to increase security and reduce the vulnerability of WordPress when using as the CMS for your website.  Keep in mind that these are only a few starting points – you should consult an expert when it comes to ensuring the security of your site….


  • Do not use Admin as the admin login, remove the default admin account and replace with a unique username, that will prevent many common brute force attacks which will typically target the admin console of a website and cycle through lists of popular passwords.
  • Remove all the preinstalled themes that are included with a default WordPress installation; these are both unnecessary and are where many attacks are initiated from, as they are typically outdated themes with dormant code that can be vulnerable.
  • Remove your WordPress CMS up to date with the latest patches.  This can be automated or can be done manually. It is best practice to create a backup of the website before doing this in case you need to roll back due to an incompatibility caused by the update.
  • Remove any Plugins that are not required or not in use.  These Plugins tend to be left to become outdated if the Plugin developer does not maintain them.  This often happens with Plugins that are free, unpopular or the original developer has lost interest in the Plugin. A common misconception about deactivating a Plugin and leaving it installed on your WordPress installation is that the code is not active. This is partially true, the code may not be actively performing its function, but is still present on your web server and website, which means it is still vulnerable to exploitation.
  • The best advice for website owners is to use a website development company that offers a monthly maintenance agreement for your website. Making sure that it will have developers spend some time each month, backing up your website and applying patches and updates to the Plugins and WordPress CMS.


It is also worth investing in some security Plugins that can provide additional protection for your WordPress website.  Here are a few suggestions:

  • WP Hide & Security Enhancer ( – This is a way to mask the fact that you are running WordPress as your CMS by hiding the WordPress core files, login page, theme and plugins paths from being shown on the front side. Effectively reducing the brute force attacks and attacks that are targeting known vulnerabilities.
  • Wordfence Premium ( – This like adding a Firewall directly to your website and also a Malware Scanner, it works to protect your website and keep it safe from know malicious IP Addresses, malware and has default firewall rules that can be activated on installation. There is a fee for the product, and it is annual, but the protection it offers makes it an excellent investment.

These are some simple but effective ways to make WordPress very secure and also deliver an affordable website that takes advantage of the world’s most popular and easy to use CMS, WordPress.