“WordPress security” is one of the most Googled search terms for the keyword WordPress, and there is a reason why. But before we answer the burning question, “Is WordPress insecure or susceptible to hacks?”, let’s explore why this is such a popular topic in the first place and what parts of this statement are true.
While it is true that WordPress has gotten a bad rap for being “insecure”, it’s important that we consider all information before jumping to conclusions.
WordPress is by far the most popular content management system (CMS) in the world. This makes it a prime target for bad actors. But, any website is prone to hacks including websites built with Joomla, Drupal, Wix, Shopify, and many others. The only difference between those guys and WordPress is how much more popular it is.
But, don’t blame WordPress for its popularity. There are reasons it’s so popular in the first place. Ease-of-use, an ever-growing development community, seemingly endless plugins, and the ability to customize sites with no coding knowledge are just a few of those reasons. However, that’s not to say this isn’t a topic of concern. Too many people don’t take their WordPress security seriously.
So, for all intents and purposes, let’s answer the question: Is WordPress insecure?
If you’re only interested in finding the answer and dipping out, here are the important points:
- WordPress is the most popular content management system (CMS) on the planet and continuously growing in popularity.
- As with any widely-popular technology, it’s an equally popular target for attacks.
- WordPress websites aren’t inherently insecure, unless they are.
- The more steps you take to protect your website against attacks, the more secure “WordPress” is.
WordPress Is As Safe As You Make It
The truth is, other content management systems and website builders are just as vulnerable to malicious attacks when compared to WordPress. Actually, in some cases, there could be worse options. (I’m looking at you, Drupal.) But, that’s not a reason to panic. As with any website, the steps you take to keep your WordPress site safe and secure are far more important than theorizing whether or not WordPress is more or less safe than other options on the market.
So, let’s answer the question…
Is WordPress inherently unsafe?
But, that doesn’t mean you don’t need to protect your WordPress website from attacks. Here are some ways you can do that.
Install a Valid SSL Certificate
HTTPS encryption is essentially mandatory if you want to rank well in Google Search and keep your website users’ information safe. It’s also one of the best ways to protect your WordPress website against database vulnerabilities and form-based attacks. At Site Assembly, it’s a requirement.
Setting up an SSL certificate requires a bit of expertise. We like to work with globally recognizable WordPress security brands such as Comodo and Symantec, who offer Site Seals that act as “verification” that your website is protected. Think ADT signs for homes. But there are other options available, such as Let’s Encrypt’s FREE AutoSSL certificate, which is available at Site Assembly free of charge.
From a technical standpoint, an SSL certificate lets your website encrypt data as it travels between a visitor’s browser and your server. This includes back-end administrator data as well as front-end data collection such as user forms and newsletter signups. As long as the certificate is set up correctly, it is unquestionably the first step you should take to secure your WordPress site.
Plugin Management for WordPress Security
Updating and managing your plugins is one of the easiest ways to protect your WordPress website against attacks. Many times, vulnerabilities found within plugins are how hackers penetrate a WP site.
All plugins on your site with updates available should be updated immediately! If you have any premium plugins installed on your site, you may need to renew your license to update to the newest version.
As with any website updates, make sure you have an available backup just in case an update breaks your site.
To access your plugins, click Plugins in WP Admin. You’ll find a list of all your installed plugins along with any update notifications.
Pro tip: You should also uninstall any plugins you’re no longer using.
Choose a Secure WP Admin Username and Password
I cannot emphasize this point enough! Instead of choosing a simple WP Admin username such as admin or webmanager, choose something more complex with lots of upper- and lowercase letters and numbers. An example of a strong WP Admin username is
There are tools out there to generate strong passwords, but whether you choose your own or use a free online tool, choosing a complex password is an absolute must!
Here are a few pointers on choosing a strong password:
- Use sentences combined with special characters instead of single words and numbers. A password such as IknowYouWantTo_but_GoodluckGuessingThis1! is a lot harder to guess programmatically than Password123 or your birthday. Get creative and have some fun with it.
- Use secured password generators. This one’s not as fun as coming up with cool sentences, but it is just as effective in protecting your website from attacks. We’re biased as to which password generator we prefer, so we’ll let you decide. There are plenty to choose from.
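Why Password123 fails where the long sentence holds up, as an added example that is not part of the original article: a Python check that strips the digit/symbol suffix and looks the remaining word up in a common-word list before estimating brute-force search space. The word list, the 80-bit threshold and the function names are assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed sample of common base words; a real deployment would load a
# breached-password corpus instead of this short illustrative list.
COMMON_BASES = {"password", "admin", "welcome", "qwerty", "letmein", "wordpress"}

# Undo the usual character substitutions before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")


def base_word(password: str) -> str:
    """Reduce a password to the word a mangling rule would have started from."""
    core = re.sub(r"[\d\W_]+$", "", password)   # drop trailing digits/symbols
    core = re.sub(r"^[\d\W_]+", "", core)       # drop leading digits/symbols
    return core.lower().translate(LEET)


def brute_force_bits(password: str) -> float:
    """Upper bound on search space: length * log2(size of alphabet in use)."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"\d", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit_password(password: str, min_bits: float = 80.0) -> dict:
    """Flag dictionary-derived passwords first, then judge raw search space."""
    bits = round(brute_force_bits(password), 1)
    if base_word(password) in COMMON_BASES:
        return {"ok": False, "bits": bits, "reason": "common word plus suffix"}
    if bits < min_bits:
        return {"ok": False, "bits": bits, "reason": "too short for its alphabet"}
    return {"ok": True, "bits": bits, "reason": "long and not dictionary-derived"}


if __name__ == "__main__":
    for pw in ("Password123", "IknowYouWantTo_but_GoodluckGuessingThis1!"):
        print(pw, audit_password(pw))
```

Password123 mixes upper case, lower case and digits, yet it is rejected on the dictionary rule alone, which is why composition rules without a common-word check give a false sense of strength.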
Add Google ReCaptcha to Enhance WordPress Security
Google ReCaptcha is a security framework that helps web hosts distinguish between human and automated access to websites. There are a couple of good plugins that make it easy to set up Google ReCaptcha on your WordPress site.
Once you’ve chosen a plugin, follow the instructions in the plugin Settings page to complete ReCaptcha integration.
Install a Web App Firewall (WAF)
Sucuri and Wordfence are two of the top WordPress security plugins. Both are easy-to-use, simple to set up, and offer a wide range of security features to keep your WordPress website protected against brute force attacks, phishing scams, unwanted redirects, database vulnerabilities, and more! This is not a plugin analysis post, but if you’re interested in one, let us know!
Choose a Web Host That Prioritizes WordPress Security
Not all web hosts make your website’s security a top priority. In fact, most web hosts don’t offer WordPress security features like round-the-clock malware scanning, free hack repairs, and daily offsite backups. That’s because it’s expensive to run security on a server. Site Assembly, on the other hand, makes your website’s security one of our three top priorities. Speed and scalability are equally important, but none of it matters if your website’s security is abysmal.
Without security, you cannot have a successful website. So, talk to your web host today about which security measures they take. Or, talk with a Site Assembly Site Expert now to secure your WordPress website. Click here to contact a sales rep now!