This guest post is by Anders Vinther of The WordPress Security Checklist.
WordPress security is about as sexy as cleaning your house. And as a serious blogger, you already know that securing your site properly is not a trivial task.
That makes it a fantastic topic for myth fabrication.
In this post, I’ve compiled the top ten WordPress security myths for your easy consumption, followed by a light sprinkle of facts to debunk the myths.
Here are the myths:
- WordPress is not secure.
- Nobody wants to hack my blog.
- My WordPress site is 100% secure.
- I only use themes and plugins from wordpress.org so they are secure.
- Updating WordPress whenever I log in is cool.
- Once my WordPress site is set up my job is finished.
- I’ll just install xyz plugin and that’ll take care of security for me.
- If I disable a plugin or theme, there is no risk.
- If my site is compromised I will quickly find out.
- My password is good enough.
Myth 1. WordPress is not secure
When people experience security problems with their WordPress sites, they tend to blame WordPress. However, the WordPress core is very secure. And when a security hole is found, the development team is very quick to respond.
The most frequent causes of compromised WordPress sites are in fact:
- outdated software
- insecure themes and plugins
- bad passwords
- stolen FTP credentials
- hosting problems.
For more on this topic, see WordPress Security Vulnerabilities.
Myth 2. Nobody wants to hack my blog
Most hacking attempts are automated. There are rarely personal or political motives behind WordPress hacking—more often the motives involve financial gain.
Maybe you’re thinking, “But I don’t have anything for sale on my site. I don’t have credit card information or any other sensitive information. What could they possibly steal from my site?”
What you do have is resources.
Possible ways to exploit your site are:
- the insertion of spam links in your content to boost SEO for other sites
- infecting your visitors' computers with malware, e.g. to steal their financial information
- redirecting your traffic to other sites.
For more details, see Are Small Sites Targeted For Hacking?
Myth 3. My WordPress site is 100% secure
No site that’s accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist.
That is why you need a backup and recovery plan. If disaster strikes, you need to have a good backup available, and a plan for how to restore your site.
For more, see:
- WordPress Backup – The Plugin and The Plan
- How To Restore A WordPress Site
- The WordPress Rescue Plan