Since the platform arrived on the scene, WordPress security has been a hot topic of discussion, with musings that the platform can be vulnerable to attacks. There are lots of articles both for and against WordPress, but having worked with several different Content Management Systems on various server setups, I believe that WordPress is as secure as any other CMS.
WordPress is currently the number one most used CMS in the world – 2,645 of the top 10,000 websites on the web use it. WordPress is so popular that its usage is more than every other CMS combined. Mind-boggling.
Using the number one CMS certainly has its advantages – but as you may figure, being #1 can also draw some unwanted attention, which makes WordPress and its popular plugins common targets. If a hacker can expose a single vulnerability, knowing that WordPress runs most websites, the hacker can potentially target a huge number of websites in one fell swoop. But this fact alone doesn’t mean WordPress is an insecure platform – the real issue is addressing what fuels the rumors that it is. Security of websites today relies mainly on two things: the development and support of the software powering the site, and the person or persons who build, run and maintain the site.
The WordPress Community
WordPress is open source software, supported by hundreds of developers. The community has a good reputation for fast responses and remedies to any vulnerabilities which have been discovered in the past. Problems are resolved by updates which are normally released within a few hours of the problem being identified. With millions of users and hundreds of developers, the platform is always being tested on a massive scale, and it’s completely free. As such, any security issues are found and subsequently resolved by the community in a short space of time.
Running a WordPress Website
Keep WordPress & Plugins Up-To-Date
The latest updates and security patches that are released by the WordPress community and plugin developers are negated if website owners don’t update the CMS and installed plugins promptly.
Perhaps the most important thing is the plugins. Plugins are bits of code that extend and add functionality to WordPress, but they can sometimes cause problems. In Q1 2016, Sucuri found that three outdated plugins were the reason behind 25% of WordPress hackings. I recommend only installing the plugins that are really necessary for your purpose, and only from trusted sources.
In terms of the server on which the WordPress site is hosted, there are a few precautions and options the site owner(s) can configure to help maintain the security of their WordPress install. One thing the site owner(s) should do is relocate the wp-config.php file to a folder that is not publicly available. You could remove ‘file editing’ access too, and keep your WordPress install in a version control system such as a Git or SVN repo.
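A small audit for the first two of those precautions, added here as an example and not taken from the article or from WordPress itself. It assumes the ‘file editing’ setting is WordPress's `DISALLOW_FILE_EDIT` constant and relies on WordPress loading wp-config.php from one directory above the install when it is not in the install directory; the function names `find_wp_config` and `audit_wp` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): check where wp-config.php lives and
# whether the built-in theme/plugin editor is disabled.
# Usage: audit_wp /var/www/example/public   (the directory holding wp-load.php)

# Print the wp-config.php that WordPress would load: the install directory
# first, then one level up, but only if that parent is not itself another
# WordPress install (i.e. it has no wp-settings.php).
find_wp_config() {
    root=$1
    parent=$(dirname "$root")
    if [ -f "$root/wp-config.php" ]; then
        printf '%s\n' "$root/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        printf '%s\n' "$parent/wp-config.php"
    else
        return 1
    fi
}

# Print one line per finding; return 0 when clean, 1 when anything was found.
audit_wp() {
    root=${1%/}
    findings=0
    cfg=$(find_wp_config "$root") || { echo "FAIL no usable wp-config.php for $root"; return 1; }

    # A config file inside the served directory is one misconfigured PHP
    # handler away from being downloaded as plain text.
    case $cfg in
        "$root"/*) echo "WARN wp-config.php is inside the web root: $cfg"
                   findings=$((findings + 1)) ;;
    esac

    # Line-based heuristic: the define must start the line, so a copy
    # commented out with // or # does not count. Multi-line /* */ comments
    # are not handled.
    pat="^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)"
    if ! grep -Eq "$pat" "$cfg"; then
        echo "WARN DISALLOW_FILE_EDIT is not set to true in $cfg"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```
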
If you are maintaining one or more WordPress sites, do some ‘housework’ and always remember to shut and lock the doors. All the things mentioned in this article will help keep your site secure.