FREQUENTLY ASKED QUESTIONS

Is WordPress secure?

WordPress itself is secure — the core system has a dedicated security team and is regularly updated. The problem lies elsewhere: 43% of all websites on the internet run on WordPress, making it the largest target for automated attacks. Most WordPress site compromises do not stem from a hole in the WordPress core, but from outdated plugins, weak passwords and administrative neglect. This is a configuration problem, not a platform problem.

Where 90% of WordPress hacks originate

Attack source                      Share of incidents   How to prevent it
Outdated plugins                   ~56%                 Automatic updates or monitoring
Weak passwords (brute force)       ~8%                  Strong password + 2FA + login attempt limit
Outdated themes                    ~6%                  Remove unused themes, update active ones
Compromised hosting credentials    ~8%                  Account isolation, unique FTP/cPanel passwords
Vulnerable WordPress core          ~0.5%                Automatic core updates
Phishing / social engineering      ~9%                  2FA, administrator training

WordPress security checklist — the minimum every site should have

Updates: WordPress core, all plugins and themes should be updated within 7 days of a security patch release at the latest. Automatic core updates should be enabled. Unused plugins and themes should be deleted, not just deactivated (a deactivated plugin's files remain on the server and can still be vulnerable).

Passwords and access: a unique, strong password for the admin account (minimum 16 characters, password manager), two-factor authentication (2FA) for all accounts with administrator and editor roles, changing the default username from "admin" to anything else, and a login attempt limit (Limit Login Attempts Reloaded plugin or Wordfence's built-in protection).
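The "login attempt limit" in the checklist is a sliding-window counter with a lockout, which is what the named plugins implement under their own settings. The following is an added example, not code from Limit Login Attempts Reloaded or Wordfence; the thresholds (5 failures within 15 minutes, 15-minute lockout), the key format (username plus source IP) and the sample IP address are assumptions made for the illustration.

```python
"""Sliding-window login attempt limiter: the mechanism behind the checklist's
"login attempt limit". Added example, not code from any plugin."""
import math
from collections import defaultdict, deque
from typing import Deque, Dict


class LoginLimiter:
    """Lock a key (username, source IP, or both) after too many failures.

    The defaults (5 failures within 15 minutes, 15-minute lockout) are
    assumptions for this example; real plugins expose their own settings.
    """

    def __init__(self, max_failures: int = 5, window: int = 900, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window    # seconds over which failures are counted
        self.lockout = lockout  # seconds the key stays locked once the limit is hit
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def locked_for(self, key: str, now: float) -> int:
        """Seconds of lockout remaining for key, or 0 if it is not locked."""
        until = self._locked_until.get(key)
        if until is None:
            return 0
        if now >= until:
            # Lockout has expired: clear it and start counting failures afresh.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return 0
        return math.ceil(until - now)

    def attempt(self, key: str, password_ok: bool, now: float) -> bool:
        """Record one login attempt; True means the login is accepted.

        A locked key is refused even with the correct password, so a guess
        cannot be confirmed while the lockout is in force."""
        if self.locked_for(key, now):
            return False
        if password_ok:
            self._failures.pop(key, None)  # a successful login resets the count
            return True
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
        return False


def simulate_failed_logins(n_failures: int) -> Dict[str, object]:
    """Constructed scenario: n wrong passwords one second apart, then the
    correct password straight away and again after the lockout would expire."""
    limiter = LoginLimiter()
    key = "admin@198.51.100.7"  # username + source IP; the IP is constructed (TEST-NET-2)
    for second in range(n_failures):
        limiter.attempt(key, password_ok=False, now=float(second))
    t = float(n_failures)
    return {
        "locked_seconds": limiter.locked_for(key, t),
        "correct_password_now": limiter.attempt(key, True, t),
        "correct_password_after_lockout": limiter.attempt(key, True, t + 901),
    }


if __name__ == "__main__":
    print("3 failures:", simulate_failed_logins(3))
    print("5 failures:", simulate_failed_logins(5))
```

Keying on username and source IP together means one guessing client cannot lock out the legitimate administrator from everywhere; the trade-off is that guesses spread over many addresses stay under a per-IP limit, which is why the checklist pairs the limit with 2FA rather than relying on it alone.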

SSL/HTTPS certificate — why this is not optional

SSL is the absolute security minimum without which a site should not operate. HTTPS encrypts the connection between the browser and the server, protecting against data interception (especially important for login and contact forms). Google marks sites without HTTPS as "Not Secure" in the browser bar and ranks them lower in results.

Let's Encrypt certificates are free and supported by most hosting providers (one click in cPanel). There is no excuse for not having SSL in 2025. Additional security comes from HSTS (HTTP Strict Transport Security) and correctly configured security headers — Content-Security-Policy, X-Content-Type-Options, Referrer-Policy.
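A quick way to see whether the headers listed above are actually set, and set sensibly, is to audit a response's headers against a small set of rules. The block below is an added example, not a tool from this page's author; the two sample responses are constructed, and the one-year minimum for the HSTS max-age and the "allow any origin" check on Content-Security-Policy are thresholds chosen for the example rather than values stated on the page.

```python
"""Audit a set of HTTP response headers for the hardening named in this section.
Added example; the sample responses are constructed, not captured from a real site."""
from typing import Dict, List

# Weakest HSTS max-age this example accepts: one year in seconds (example's choice).
MIN_HSTS_MAX_AGE = 31_536_000

# Referrer-Policy values that send the full URL to other origins (or no policy at all).
WEAK_REFERRER_POLICIES = {"", "unsafe-url", "no-referrer-when-downgrade"}


def _parse_hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header value, or -1 if it is absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # HSTS: must be present and must commit the browser for long enough to matter.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif _parse_hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below one year")

    # CSP: presence is the minimum; a default-src that allows any origin adds nothing.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "default-src" and "*" in tokens[1:]:
                findings.append("Content-Security-Policy default-src allows any origin")

    # X-Content-Type-Options: the only meaningful value is "nosniff".
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Referrer-Policy: must be present and must not leak full URLs cross-origin.
    if h.get("referrer-policy", "").lower() in WEAK_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks full URLs")
    return findings


# Constructed sample: a site with a certificate but the headers left at defaults.
WEAK_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}

# Constructed sample: the same site with the headers this section recommends.
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_security_headers(response) or ['OK']}")
```

A Content-Security-Policy has to match the scripts and styles the site really loads; the WordPress admin relies on inline scripts, so roll a policy out first as Content-Security-Policy-Report-Only on a staging copy and only switch to the enforcing header once the reports are clean.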

Max Mazurkiewicz

Founder

Want to be certain your WordPress is secure?

I conduct security audits, fix vulnerabilities and configure monitoring. IT support for WordPress sites — from backups to WAF.

Backups — the only thing that saves you when everything else fails

Backups are the last line of defence. Regardless of how well-secured a site is, backups must exist. The 3-2-1 rule: 3 copies of data, on 2 different media, 1 off-site (e.g. in the cloud). A backup stored only on the same server as the site will not protect you if the server crashes or an attacker deletes the files.

Frequency: daily database backup (content changes frequently), weekly file backup (changes less often). Plugins: UpdraftPlus or BackWPup configured to send to Google Drive, Dropbox or S3. Test your backup at least once per quarter — do a test restore in a local environment so you are confident the backup works before you need it.
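The two checks the last two paragraphs ask for, whether the copies satisfy the 3-2-1 rule at the recommended frequencies and whether an archive actually restores intact, can both be automated. The block below is an added example and not code from UpdraftPlus, BackWPup or this page's author; the inventory records, the fixed "current time", the site files and the tampered archive are all constructed so that it runs offline.

```python
"""Backup policy check (3-2-1 rule plus the recommended frequencies) and a
restore test that proves an archive comes back intact. Added example; the
inventory records, file contents and timestamps are all constructed."""
import hashlib
import io
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List

# Fixed "current time" so the example is reproducible (constructed).
NOW = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)
# Maximum age of the newest copy, per the section: daily DB, weekly files.
MAX_AGE = {"db": timedelta(days=1), "files": timedelta(days=7)}

# Constructed inventory, the sort of record a monitoring job would keep per copy.
# "medium" is the physical storage; "offsite" means not on the web server itself.
INVENTORY = [
    {"kind": "db", "medium": "webhost-disk", "offsite": False, "taken": "2025-06-10T02:00:00+00:00"},
    {"kind": "db", "medium": "s3", "offsite": True, "taken": "2025-06-10T02:05:00+00:00"},
    {"kind": "files", "medium": "webhost-disk", "offsite": False, "taken": "2025-06-08T03:00:00+00:00"},
    {"kind": "files", "medium": "s3", "offsite": True, "taken": "2025-06-08T03:10:00+00:00"},
    {"kind": "files", "medium": "office-nas", "offsite": True, "taken": "2025-06-01T03:00:00+00:00"},
]


def evaluate_backups(inventory: List[Dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return the policy violations per backup kind (empty list = compliant)."""
    report: Dict[str, List[str]] = {}
    for kind, max_age in MAX_AGE.items():
        copies = [c for c in inventory if c["kind"] == kind]
        if not copies:
            report[kind] = ["no copies at all"]
            continue
        issues: List[str] = []
        if len(copies) < 3:
            issues.append(f"only {len(copies)} copies (need 3)")
        if len({c["medium"] for c in copies}) < 2:
            issues.append("all copies on one medium (need 2)")
        if not any(c["offsite"] for c in copies):
            issues.append("no off-site copy")
        newest = max(datetime.fromisoformat(c["taken"]) for c in copies)
        if now - newest > max_age:
            issues.append(f"newest copy is {(now - newest).days} days old (limit {max_age.days})")
        report[kind] = issues
    return report


def build_archive(files: Dict[str, bytes]) -> bytes:
    """Pack constructed site files into an in-memory tar.gz standing in for a backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_restore(archive: bytes, manifest: Dict[str, str]) -> List[str]:
    """Restore the archive into a scratch directory and compare each file's
    SHA-256 with the manifest recorded at backup time. Returns the names that
    are missing or differ; an empty list is a passed restore test."""
    failed: List[str] = []
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Extract member by member so an entry with an absolute or ".." path
            # is rejected instead of being written outside the scratch directory.
            if not member.isfile() or member.name.startswith("/") or ".." in Path(member.name).parts:
                failed.append(member.name)
                continue
            dest = Path(tmp, member.name)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(tar.extractfile(member).read())
        for name, digest in manifest.items():
            dest = Path(tmp, name)
            if not dest.is_file() or hashlib.sha256(dest.read_bytes()).hexdigest() != digest:
                failed.append(name)
    return failed


# Constructed site contents and the manifest a backup job would record alongside them.
SITE_FILES = {
    "wp-config.php": b"<?php // constructed placeholder, no real credentials\n",
    "wp-content/uploads/hello.txt": b"hello from the constructed uploads dir\n",
}
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in SITE_FILES.items()}
GOOD_ARCHIVE = build_archive(SITE_FILES)
# The same backup with one file silently altered, to show the restore test catching it.
TAMPERED_ARCHIVE = build_archive({**SITE_FILES, "wp-content/uploads/hello.txt": b"changed\n"})

if __name__ == "__main__":
    print(evaluate_backups(INVENTORY))
    print("good restore mismatches:", verify_restore(GOOD_ARCHIVE, MANIFEST))
    print("tampered restore mismatches:", verify_restore(TAMPERED_ARCHIVE, MANIFEST))
```

The manifest must be written at backup time and kept with the off-site copy; a hash list computed from the archive itself only proves the archive is self-consistent, not that it matches what was on the server.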

Security plugins — which ones make sense and which are just marketing?

Wordfence Security is the most widely used WordPress security plugin, with an application firewall (WAF), malware scanner and IP blocking. The free version is sufficient for most sites. The paid version (~€110/year) adds real-time attack signature updates instead of 30-day-delayed ones — worth it for e-commerce sites or those handling sensitive data.

Sucuri Security and iThemes Security are alternatives with similar features. An important caveat: a security plugin does not replace basic hygiene (updates, strong passwords, backups). I have seen hacked sites running Wordfence because the admin had the password "admin123" and had not enabled 2FA. Professional IT support for WordPress is not just about responding to incidents — it is primarily about preventing them through regular audits and monitoring.