listen up

We often get asked about how secure WordPress is. I can tell you hands down, at the core, it is as secure as anything can be. We recently found a site we made a custom theme for 8 years ago. It was still running WP version 2.5. It has never been updated. This site had zero plugins, and since the theme was custom, there were no un-needed javascript files.
So for 7 – 8 years, this site sat there, getting traffic, doing it’s job, and zero issues. Zero. Now this is a pretty unique case. It’s on a dedicated server with strict security, no plugins, no e-commerce, etc. Granted as soon as we found this relic we updated it ASAP. But I honestly think it could have gone on longer, barring any server changes like PHP upgrades that would have conflicted with the core.

Whats the big take away here?

WordPress powers 50% of all sites (2015 stats for world wide usage), this means it can be a huge target for hackers. The thing is, these hackers get in through known exploits. Most of the site compromises we see, are plugin or do-it-all premium themes. These are full of fancy little bells and whistles, that get hacked.

Doesn’t Factor1 use plugins?

Yes, we do. But we try to keep them to the bare minimum, and only use trusted plugins. We know the plugins we use well, and we build our sites in such a way that we are not dependent on a plugin to function. If tomorrow a plugin needed to be removed, we could drop it in a heart beat and the site would be fine 98% of the time.

The moral of the story.

You get what you pay for. If you spend $50 on a theme, even $100, and load it up with a few plugins, security needs to be the highest risk in your mind. I’d run daily backups, security scans, and tight settings on Wordfence or similar plugin. I’d also run all theme and plugin updates weekly at a minimum.