WordPress security — myths and reality

"WordPress is insecure" — everyone has heard it. The real statistics say something different: properly configured, it's safer than most custom builds.

"WordPress is insecure" is the standard hot take. Reality: WordPress core has been safer over the last 5 years than most custom PHP projects. Vulnerabilities exist — but in plugins and themes, not in core.

Real sources of WordPress hacks, according to Wordfence statistics.

Where hacks actually come from

  • Abandoned plugins — about 60% of cases. The plugin hasn't been updated in 2-3 years, has a known CVE, and gets exploited.
  • Nulled themes and plugins — around 20%. Pirated copies often contain backdoors.
  • Weak passwords — around 10%. Brute force against admin/password-style credentials.
  • Old PHP — around 5%. PHP 5.6 stopped getting security updates.
  • WordPress core CVEs — under 1%. Core gets patched fast, updates auto-apply.

What to do (15 minutes of setup)

  • Enable auto-updates for core, themes, plugins.
  • Delete unused plugins and themes. Don't deactivate — delete.
  • Install a 2FA plugin (Wordfence, iThemes, or Authy plugin).
  • Change the admin URL from /wp-admin to something custom.
  • Disable XML-RPC if you don't use it.
  • Set up daily backups (UpdraftPlus or server-level rsync).
  • Add Cloudflare or Wordfence for a baseline WAF.

After this, WordPress becomes safer than most "secure" custom PHP sites where nobody monitors dependencies.
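
Two of the items above (auto-updates and XML-RPC) can be pinned in code rather than left to dashboard toggles. The must-use plugin below is an added example, not code from the original post; the file name and the mu-plugins placement are assumptions, the filters and constants it uses are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Baseline hardening (mu-plugin)
 * Description: Forces plugin/theme auto-updates and turns off XML-RPC.
 *
 * Assumed location: wp-content/mu-plugins/baseline-hardening.php
 * Must-use plugins load on every request and cannot be deactivated
 * from the dashboard, so the settings survive a careless admin.
 */

// Core auto-updates. The canonical place is wp-config.php:
//   define( 'WP_AUTO_UPDATE_CORE', true );   // minor AND major releases
// Defined here only as a fallback when wp-config.php does not set it.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Let the background updater (wp_version_check cron) install every
// available plugin and theme update instead of waiting for a click.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// XML-RPC is a second authentication endpoint and a pingback relay.
// This filter refuses every authenticated XML-RPC method.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint: drop the X-Pingback response header
// and the RSD <link> tag that wp_head() emits by default.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so any
// direct hit (including unauthenticated pingback.ping) is answered
// with 403 on init, before the XML body is parsed.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit;
    }
} );
```

Verify with `curl -i https://example.invalid/xmlrpc.php` (placeholder host): a 403 and no X-Pingback header on normal pages means both hooks are active.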