Short answer: Yes, WordPress core is safe when kept updated to the latest version. But there are additional steps users can take to harden WordPress core on their website.
Longer answer: Unlike themes and plugins, there’s only one WordPress core, and it’s maintained by a world-class security team. WordPress stays on top of vulnerabilities in their software and releases security updates to patch their core files. Whenever WordPress releases an update, install it as soon as you can, since the issues each update solves are public knowledge.
Also, there are additional measures on your end to keep WordPress functioning at its safest. These include:
Protecting your login with strong passwords. Additional features like two-factor authentication and plugins to limit login attempts and add captchas are also worth looking into.
Installing a WordPress security plugin that can scan your site for malware, and running scans of your website on a regular basis.
Enabling SSL so visitors can securely connect to your site.
Hosting your website with a secure provider.
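As an added illustration of the "limit login attempts" measure listed above (example code written for this answer, not a plugin from the WordPress directory or from WP Buffs), here is a minimal must-use plugin that locks out a client address after repeated failed logins using WordPress's own login hooks and transients. The file path wp-content/mu-plugins/limit-login-attempts.php, the thresholds and the lla_ function names are assumptions; it also assumes WordPress sees the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (example)
 * Description: Locks out a client address after repeated failed logins.
 * Assumed location: wp-content/mu-plugins/limit-login-attempts.php
 */

defined( 'ABSPATH' ) || exit;

const LLA_MAX_ATTEMPTS   = 5;       // failures allowed before lockout (assumed)
const LLA_WINDOW_SECONDS = 15 * 60; // counting / lockout window (assumed)

// Transient key derived from the client address. Behind a reverse proxy,
// have the proxy set REMOTE_ADDR to the real client, or adapt this lookup.
function lla_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_fail_' . md5( $ip );
}

// Count each failed attempt; the counter expires after the window.
// Because a lockout itself is reported as a failed login, attempts made
// during a lockout keep extending it.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lla_client_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LLA_WINDOW_SECONDS );
    if ( $attempts >= LLA_MAX_ATTEMPTS ) {
        error_log( sprintf( 'lla: lockout %s after %d failures', $key, $attempts ) );
    }
} );

// Refuse authentication while the lockout is active. Priority 30 runs after
// core's username/password checks (priority 20), so those still count.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $attempts = (int) get_transient( lla_client_key() );
    if ( $attempts >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lla_client_key() );
} );
```

Files in mu-plugins load automatically and cannot be deactivated from the dashboard, which keeps the control in place; the lockout is per client address, so shared addresses (office NAT, VPN exits) share one counter.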
For a full list of best practices you can follow to protect WordPress core, see our Ultimate WordPress Security Checklist.
Are WordPress Plugins Secure?
Short answer: Not always. Use only reputable, legitimate plugins, and update them when necessary.
Longer answer: If core files are the heart of WordPress, plugins are…well, basically everything else. They make WordPress infinitely customizable and flexible. The issue is that plugins are made by third parties, and not all are guaranteed to be properly maintained, or even safe in the first place. As a result, plugins are one of the most popular gateways hackers use to enter WordPress-powered websites.
Plugins are necessary for anything beyond the functionality of WordPress core. But, just as you wouldn’t download a sketchy file from a sketchier website, be very careful where you source your plugins. We recommend sticking to the WordPress plugin directory and weighing popularity, maintenance frequency, and user reviews in your plugin choices.
Also, even a reputable plugin is still unsafe if not kept up to date. Install updates for your plugins as soon as possible, and stay informed about what developers are fixing and improving.
Are WordPress Themes Secure?
Short answer: Not always. Use a theme that meets WordPress’ standards, and update it when necessary.
Longer answer: Many themes are made by third parties, and thus are not regulated or approved by WordPress. Don’t install a theme just because you like its look, important as that is. Your theme also needs to meet the WordPress coding standards. To ensure this, choose your theme from the official WordPress theme directory or try one that we recommend.
“Keeping your plugins and themes updated regularly is critical to maintaining the security of your WordPress site. You also need to test theme and plugin updates separately, such as on a staging site, before launching them to production. That’s to make sure the updates don’t break existing functionality, or worse, crash the website entirely.” – Alec Wines, Head of Growth at WP Buffs
The Truth About Cybersecurity
One more thing you should know: In an ideal world, knowing the risks and putting the right systems in place would eliminate the chances of being hacked. But being secure is not the same as being immune.
Perfect security is impossible no matter which CMS you decide on, and there will always be risks to hosting content online. The best thing you can do is reduce the risk of attacks. Again, if you take security seriously, you’ll be in great shape. The fact that you’re questioning WordPress’ security in the first place shows that you probably already do.