I talk to many inexperienced WordPress site owners about site security. People understand there’s a risk their site will be hacked, and they want to do whatever they can to make it secure, but they often don’t understand the scope of the risk and what’s required of them if their site is to stay safe.

Keeping a WordPress site secure isn’t difficult, but without an understanding of the basics, it’s easy to make mistakes. I’d like to have a look at five of the most common security misconceptions I’ve heard from new WordPress site owners and explain why experienced site owners think differently.


1. WordPress Updates are Optional

Unless you’re a developer, you may think software updates exist just to add new features to applications. In many cases, that’s true. When your iPhone nags you to update, it’s a fair bet that things are going to change. It’s the same in the WordPress world: updates mean changes and often new features.

But updates have another important job: they fix security vulnerabilities. Security vulnerabilities are caused by mistakes in the code. Updates fix those mistakes. If you don’t install updates when they’re released, your site is vulnerable. Updates should be installed as soon as possible, even if you don’t care about new features.


2. A Good Password is Enough to Keep Your Site Secure

I’m going to assume you know enough not to use a password like “password” or “ilovematt” on your WordPress site. Passwords like this take fractions of a second for hackers to guess.

But even if you and everyone who uses your site has a hard-to-guess password (which they probably don’t), you should consider using two-factor authentication. Two-factor authentication is the easiest way to make your WordPress site much more secure.


3. If My Site was Hacked, I’d Know About It

On the contrary, if your site has been hacked, you’ll probably see nothing different. Online criminals play the long game. They don’t want to steal your data or deface your site immediately: they want to infect your site’s users with malware and use its bandwidth and storage for as long as possible.

Criminals are sneaky; they go to great lengths to hide their malware. You can’t assume that everything is fine because it looks fine. If you want to be confident that your site is clear of malware and backdoors, use a malware scanning service like Sucuri or Wordfence.


4. My Site is Too Small to Interest Hackers

Criminals are interested in your site regardless of how many visitors it receives. The more users, the better, but every site on the web has resources that criminals can use for DDoS attacks and other nefarious activities. They scan the web looking for vulnerable sites, including sites that have never received a single visitor and sites that haven’t even completed the installation process. Being small is no guarantee of security.


5. WordPress is an Insecure CMS

All this might make you think that WordPress is inherently insecure. In fact, that’s not the case. Any software on the web is potentially vulnerable, and that includes all content management systems. But if you look after your WordPress site, follow the security best practices I’ve mentioned in this article, and take sensible precautions, your WordPress site could be on the web for many years without ever falling prey to criminals.


Editor’s Note: This blog article was written by an outside contributor – a guest blogger – for the purpose of offering a wider variety of content for our readers. However, the opinions and recommendations expressed in this guest blog are solely those of the contributor, and do not necessarily reflect those of The Security Awareness Company, LLC. If you are interested in writing something for us, please do not hesitate to contact us: blog@thesecurityawarenesscompany.com.

Graeme Caldwell

Writer and Content Marketer at Nexcess
Graeme is a writer and content marketer at Nexcess, a global provider of hosting services, who has a knack for making tech-heavy topics interesting and engaging to all readers. His articles have been featured on top publications across the net, from TechCrunch to TemplateMonster. For more content, visit the Nexcess blog and give them a follow at @nexcess.