WordPress security — myths and reality

"WordPress is insecure" is a line everyone has heard. The record says otherwise: over the last five years WordPress core has had a better track record than most custom PHP projects. Vulnerabilities certainly exist, but they live overwhelmingly in plugins and themes, not in core, and a properly configured install is safer than most bespoke builds.

Figure: real sources of WordPress hacks, per Wordfence statistics.

Where hacks actually come from

  • Abandoned plugins: about 60% of cases. The plugin has not been updated in two or three years, a CVE for it is public, and exploitation is automated across every site still running it.
  • Nulled themes and plugins: around 20%. Pirated copies often ship with backdoors already baked in, so the attacker is inside the moment the zip is unpacked.
  • Weak passwords: around 10%. admin/password-style credentials found by brute force.
  • Old PHP: around 5%. PHP 5.6 stopped receiving security updates at the end of 2018; anything below the currently supported branches gets no fixes at all.
  • WordPress core CVEs: under 1%. Core gets patched fast, and minor/security releases auto-apply by default.

What to do (15 minutes of setup)

  • Enable auto-updates for core, themes and plugins. Minor core releases already auto-apply by default; major releases, plugins and themes have to be opted in explicitly.
  • Delete unused plugins and themes. Deactivating is not enough: a deactivated plugin's files stay under the web root, and any standalone script in them is still reachable by URL. Delete.
  • Install a 2FA plugin (Wordfence, iThemes Security, now Solid Security, or the Authy plugin).
  • Change the login URL from /wp-login.php and /wp-admin to something custom. This is obscurity only: it cuts automated noise but stops no targeted attacker, so it is never a substitute for 2FA and login rate limiting.
  • Disable XML-RPC if nothing needs it (Jetpack and the WordPress mobile apps do). system.multicall lets one request try hundreds of passwords, and pingback.ping can be abused to make the site hit other hosts.
  • Set up daily backups (UpdraftPlus, or server-level rsync plus a database dump) and store them off the server, since a backup sitting next to the site is lost with it. Test a restore once.
  • Put Cloudflare or Wordfence in front for a baseline WAF and login rate limiting.
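The auto-update and XML-RPC items above can be pinned in code rather than left to wp-admin toggles. The must-use plugin below is an added example written for this page, not code from WordPress or from any of the plugins named here. It assumes the file is saved as wp-content/mu-plugins/hardening.php and that the site does not rely on Jetpack or the mobile apps (which need XML-RPC); the filter and action names are the real WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Site hardening (added example for the checklist above)
 * Description: Pins auto-updates on and XML-RPC off.
 *
 * Drop this file into wp-content/mu-plugins/ (create the directory if it does
 * not exist). Must-use plugins load on every request and cannot be deactivated
 * from wp-admin, so these settings survive a compromised admin account
 * switching them off.
 */

defined('ABSPATH') || exit;

// 1. Auto-updates. Minor/security core releases already auto-apply by default;
//    these filters additionally opt in to major core releases and to every
//    installed plugin and theme. (Equivalent for core only: put
//    define('WP_AUTO_UPDATE_CORE', true); in wp-config.php.)
add_filter('auto_update_core', '__return_true');
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// 2. XML-RPC. 'xmlrpc_enabled' only blocks the authenticated methods, so
//    pingback.ping would still answer; emptying the method table closes that too.
//    Assumption: nothing on this site (Jetpack, mobile apps) needs XML-RPC.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', '__return_empty_array');

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> tag that points scanners at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// Belt and braces: answer any request to xmlrpc.php with 403 on 'init', before
// the XML-RPC server parses the request body at all.
add_action('init', function (): void {
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
        status_header(403);
        exit('XML-RPC is disabled on this site.');
    }
});
```

Verify it took effect with `curl -i -X POST https://example.com/xmlrpc.php -d '<methodCall><methodName>system.listMethods</methodName></methodCall>'` (domain is a placeholder): the response should be a 403, and the X-Pingback header should be absent from a normal page load. Because this lives in mu-plugins rather than a regular plugin, the "delete unused plugins" step never removes it by accident.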

After this, WordPress becomes safer than most "secure" custom PHP sites where nobody monitors dependencies.