We Are kitty Logo
In the news

The Truth About WordPress Security

Authored by Craig Dodd
by Craig Dodd

In recent years, WordPress security has become a hot topic of discussion. As a result, there’s an awful lot of information available that includes both good and bad advice that could lead to questionable decisions when it comes to protecting your website from hackers. 

Studies have shown that it takes professional hackers 20 minutes on average to exploit vulnerable websites with preparation, forcing companies to spend more time ensuring their website and database systems are as secure as possible. And with WordPress accounting for over 37% of all websites, the platform itself is a prime target for attacks. 

Before addressing the security capabilities of WordPress, let’s talk about what security means in a broader sense. The two aspects of website security are confidentiality and integrity. 

  • Confidentiality means that you can control who has access to your data. You may want to permit select individuals within your organisation to access sensitive information on your website, but you probably don’t want the general public to have that same level of access. So, you need a way to determine and define who is granted access and to prevent everyone else from accessing your data. 
  • Integrity means that authorised users and administrators will detect any changes made to your website (or its data). If a hacker makes changes such as additions or deletions of content, the site administrators should be immediately notified of those changes. Hackers will take advantage of unprotected systems, and if users do not regularly change their passwords or use best practices to choose passwords that are unique, it is nearly impossible to prevent hackers from taking over their accounts and making unauthorised changes. The longer a password has been in use, the more likely it is to have been compromised.  

The popularity of WordPress stems from its ability to be tailored for almost any purpose, from brochure websites to fully-featured eCommerce solutions, monolithic or headless. This flexibility has led to WordPress being adopted by big-name brands such as The New York Times, TechCrunch, Forbes, and even WhiteHouse.gov. 

When a website is visited, sensitive information needs to be exchanged quickly, efficiently, and securely between the browser and the website. Any attempt to block or interrupt this exchange could lead to theft of data, which would make it incredibly difficult for IT departments of businesses to find a “set and forget” solution for security. 

By adhering to general best practices, you can make sure that your website is as secure as it can be. For example, regularly updating plugins and themes will help ensure that your site doesn’t have any major vulnerabilities. It’s impossible to eliminate security concerns completely, and there will always be something new out there discovering vulnerabilities in websites. However, by applying basic safety measures, you can reduce the risk. 

So is WordPress secure? WordPress is committed to providing a safe and secure experience for all users. It offers multiple layers of protection against malicious attacks that would otherwise lead to security breaches, with features such as multi-factor authentication and password strength indicators that proactively avoid vulnerabilities. WordPress stacks up favourably compared to other platforms, including Drupal, which is also widely used for web applications and mobile experiences. 

WordPress frequently releases core system patches to maintain security and ensure users do not have outdated versions which are typically more vulnerable to attack. WordPress also includes several advanced protections by default. The WordPress REST API* leverages encryption for data in transit (data actively moving from one location to another) and at rest (data housed physically on computer data storage). The data in transit relies on Secure Sockets Layer (SSL)/ Transport Layer Security (TLS), which are popular cryptography protocols that ensure the integrity and security of communications over the web. At rest, encryption techniques such as transparent data encryption (encryption at the file level) or client-side encryption (encryption applied to data before transmission from a user device to a server.) make sure that data is protected from unauthorized access. 

*The REST API offers HTTP requests to fetch or update data. With a single HTTP request, your website or application can communicate with API servers anywhere in the world to get data from your app. 

Understanding development principles is the key to working securely with WordPress and understanding what the platform can deliver if correctly configured. Here is a simple list of best practices to keep your WordPress site secure: 


  • Keep code up to date
  • Only use plugins or themes from reputable sources to ensure they have been developed based on best practices 
  • Enforce two-factor authentication 
  • Install SSL 
  • Grant access based on user-specific requirements  
  • Set up monitoring to maintain awareness of any file changes made to site code 
  • Use hosting providers that make these processes seamless and provide tools that automatically assist in the management of WordPress sites 


  • Share passwords 
  • Install plugins from unknown sources 
  • Allow file edits in the WordPress dashboard 
  • Make site edits directly to the Production or Live environment – always work within a staging/development environment first, and test
  • Provide admin access to users who do not require it 

Kitty Dictionary 

Monolithic: Out of the box WordPress is monolithic because it serves as a “single solution” front and back end for a website. This monolithic architecture restricts how you can build your site, limiting you to only options that WordPress supports. 

Headless: This describes a decoupled WordPress solution. The backend (management) part is separate from the frontend (interface) of the CMS. You can develop and manage the frontend as a standalone application with any frontend framework. 

Set and Forget: Configured, and then left without further attention. 

If you would like to find out more about how We are Kitty can help you to secure your website, or support your next Web build, please get in touch at hello@wearekitty.com

Authored by Craig Dodd

Craig Dodd

Technical Director