Title: Security issues with WordPress?
Last modified: January 29, 2017

---

# Security issues with WordPress?

 *  Resolved [damonsh](https://wordpress.org/support/users/damonsh/)
 * (@damonsh)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/)
 * Hi,
 * I am new to WordPress and want to know more about it. I have heard some concerns
   about there being security issues with WordPress.
 * Are there still security issues with WordPress or was this something with earlier
   versions? Under what conditions are there security issues? Is it to do with installing
   3rd party plugins? Or not implementing it in the correct way? Or other things?
 * Thanks.

Viewing 15 replies - 1 through 15 (of 18 total)

1 [2](https://wordpress.org/support/topic/security-issues-with-wordpress/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/security-issues-with-wordpress/page/2/?output_format=md)

 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8713847)
 * Is WordPress secure? As of right now, yes. Tomorrow? Someone may find something.
   The security team will put out an update that gets automatically applied to your
   site. That’s how things are with software. It’s a running battle between the 
   good guys and the bad guys.
 * Security also comes from using strong passwords, not logging in on unsecured 
   connections (i.e., do not log in at Starbucks unless your site has SSL), using
   correct file permissions, and a decent security plugin.
 *  [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * (@leejosepho)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8713875)
 * The terms “secure” and “security” mean different things to different people, 
   and the fact that WordPress is well-written in relation to “security” — no major
   flaws or vulnerabilities to be exploited — does not mean your self-hosted site
   is secured by WordPress. I use BulletProof Security to “harden WordPress” and
   much more…
    [https://codex.wordpress.org/Hardening_WordPress](https://codex.wordpress.org/Hardening_WordPress)
   [https://wordpress.org/plugins/search.php?q=bulletproof](https://wordpress.org/plugins/search.php?q=bulletproof)
   [https://www.google.com/search?q=harden+wordpress](https://www.google.com/search?q=harden+wordpress)…
   and I also have the stand-alone version of NinjaFirewall out in front of everything
   at my hosting account: [https://wordpress.org/plugins/search.php?type=term&q=ninjafirewall](https://wordpress.org/plugins/search.php?type=term&q=ninjafirewall)
 * There are various other options, of course, but just do not let the idea that
   WordPress is “secure” lead you to believe WordPress covers your needs related
   to site security.
    -  This reply was modified 9 years, 4 months ago by [leejosepho](https://wordpress.org/support/users/leejosepho/).
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8713915)
 * I moved this out of “Developing WordPress” and into “Fixing WordPress”. You weren’t
   asking a coding question.
 * leejosepho’s reply is very good and you should read those articles.
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8714374)
 * I’m pretty sure all recent documented breaches of WP sites have been through 
   vulnerabilities introduced through plugins or themes. In a few cases these have
   been zero day vulnerabilities, but mostly they are from plugins or themes that
   HAD a vulnerability that had been patched, but the site owner failed to implement
   the patched version.
 * Besides the excellent recommendations above, use only themes and plugins from
   reputable sources that are regularly maintained and updated.
 * Finally, be sure to keep good, regular backups of the site. Regularly confirm
   the backups are actually usable _before_ you need them. While good backups make
   recovery painless, it’s no excuse to take security lightly. You still do not 
   want your site to be the source of spam and pharma redirects no matter how easy
   it is to restore your site.
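The failure mode bcworkz describes above is a plugin whose fix already shipped but was never installed. The following is an added example, not code from this thread or from any of the plugins named in it: it reads the standard WordPress plugin header (`Plugin Name:` / `Version:` in the main file's leading comment) and flags any plugin whose installed version is below the version that carries the fix. The advisory table and the sample plugin tree are constructed, hypothetical data.

```python
# Added example (not code from the thread): flag installed plugins still
# below a version known to contain a fix, as bcworkz describes. Header
# parsing follows WordPress's main-file header format ("Plugin Name:",
# "Version:"); the advisory table and sample plugins are constructed.
import os
import re
import tempfile

# Constructed: slug -> first version that contains the fix (hypothetical plugins).
SAMPLE_ADVISORIES = {"example-comments-tool": "2.1", "example-gallery": "3.0.5"}

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def version_key(v):
    """'2.0.10' -> (2, 0, 10); non-numeric parts count as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in v.split("."))

def version_lt(a, b):
    """True if a < b, padding so that 2.0 and 2.0.0 compare equal."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))

def read_plugin_header(path):
    """Read the header fields from the first 8 KB of a plugin's main file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return dict(HEADER_RE.findall(fh.read(8192)))

def find_outdated(plugins_dir, advisories):
    """Return [(slug, installed, fixed_in)] for plugins below their fixed version."""
    outdated = []
    for slug in sorted(os.listdir(plugins_dir)):
        main_file = os.path.join(plugins_dir, slug, slug + ".php")
        if slug in advisories and os.path.isfile(main_file):
            installed = read_plugin_header(main_file).get("Version")
            if installed and version_lt(installed, advisories[slug]):
                outdated.append((slug, installed, advisories[slug]))
    return outdated

def demo():
    """Build a constructed wp-content/plugins tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    for slug, ver in [("example-comments-tool", "2.0"), ("example-gallery", "3.0.5"), ("unrelated", "1.0")]:
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return find_outdated(root, SAMPLE_ADVISORIES)

if __name__ == "__main__":
    print(demo())  # [('example-comments-tool', '2.0', '2.1')]
```

On a real site, point `find_outdated` at `wp-content/plugins` and replace the constructed table with advisory data you trust; the header parsing itself needs no change.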
 *  Thread Starter [damonsh](https://wordpress.org/support/users/damonsh/)
 * (@damonsh)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8715079)
 * Thanks a lot for the information!
 *  Thread Starter [damonsh](https://wordpress.org/support/users/damonsh/)
 * (@damonsh)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8715080)
 * Thanks a lot, will check those articles!
 *  [leejosepho](https://wordpress.org/support/users/leejosepho/)
 * (@leejosepho)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8715943)
 * > I’m pretty sure all recent documented breaches of WP sites have been through
   > vulnerabilities introduced through plugins or themes…
   > Besides the excellent recommendations above, use only themes and plugins from
   > reputable sources that are regularly maintained and updated. –bcworkz
 * Yes, and those are the kinds of things I think about while thinking about WordPress
   security. Site security (a different matter) is about having (at least in my 
   own case) a Firewall out in front of WordPress and then adding a plugin such 
   as BulletProof Security to guard all the gates and doors, but then I would never
   use a theme or plugin that did not come through wordpress.org unless I was absolutely
   certain its author was up to par with the low level of vulnerability already 
   present in WordPress.
    -  This reply was modified 9 years, 4 months ago by [leejosepho](https://wordpress.org/support/users/leejosepho/).
 *  [whitefirdesign](https://wordpress.org/support/users/whitefirdesign/)
 * (@whitefirdesign)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8717495)
 * It’s worth noting here that security plugins don’t necessarily provide much, 
   if any, protection against vulnerabilities. We have done four tests of them to
   see if they could protect against exploitation of real vulnerabilities that existed
   in other plugins. In only one instance did one, NinjaFirewall (WP Edition), provide
   protection that wasn’t easily bypassed and that came with the tradeoff that Editor-
   level and below users could not upload media through WordPress anymore. BulletProof
   Security provided no protection in any of the tests.
    -  This reply was modified 9 years, 4 months ago by [whitefirdesign](https://wordpress.org/support/users/whitefirdesign/).
    -  This reply was modified 9 years, 3 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
    -  This reply was modified 9 years, 3 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
 *  [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8717580)
 * Uh well your opinion is biased. So you should state something to that effect.
   Also your tests do not include all/every possible BulletProof Security code that
   is available and the test parameters seemed skewed in favor of your plugin. Nothing
   personal, I don’t blame you for using this tactic – just noting facts.
 * > Alternatively, if you are using NinjaFirewall (WP/WP+ Edition), our WordPress
   > WAF, you are protected against it.
    -  This reply was modified 9 years, 4 months ago by [AITpro](https://wordpress.org/support/users/aitpro/).
 *  [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8717632)
 * Oops. I misread the article. This is not an obvious sales pitch article and link.
   I reread the article and it is completely unfounded and frankly ridiculous because
   the test parameters are not any sort of valid security test parameters. I could
   make up stuff too, but why bother. 😉
 * Obviously whoever posted that junk does not know anything about website security
   at all.
    -  This reply was modified 9 years, 4 months ago by [AITpro](https://wordpress.org/support/users/aitpro/).
    -  This reply was modified 9 years, 4 months ago by [AITpro](https://wordpress.org/support/users/aitpro/).
 *  [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8717666)
 * Normally I would just ignore ridiculous junk like this, but in reality this is
   a disservice to average folks. Why? Because that information is misleading either
   intentionally or unintentionally due to an unqualified person reporting some 
   junk that just makes people worried about nothing.
 *  [whitefirdesign](https://wordpress.org/support/users/whitefirdesign/)
 * (@whitefirdesign)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8717672)
 * [@aitpro](https://wordpress.org/support/users/aitpro/)
 * Our opinion is based on the testing we have done, which we have cited here.
 * As mentioned in the linked posts for the tests, “We tried to enable any feature
   of the plugin that could possibly have an impact on stopping exploitation of 
   the vulnerability.” If there is something you think we missed in your BulletProof
   Security plugin please let us know, so that we can improve future tests. If you
   think the results are incorrect for your plugin please get in touch with us, 
   so that we can take a look at that.
 * We didn’t test any of our plugins, since they don’t claim to protect against 
   the exploitation of vulnerabilities, so it isn’t clear how we could have skewed
   the testing in any of their favor.
 *  [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8717687)
 * Oops again. Guess I should have checked WhoIs first. I see that this is your 
   website. Sorry about negating your article, but unfortunately it is not valid
   information.
 *  [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/#post-8717721)
 * [@whitefirdesign](https://wordpress.org/support/users/whitefirdesign/) – What
   I question is your test parameters themselves. They seem too general/broad and
   not realistic. Security plugins are not supposed to block anything that appears
   to be normal functionality in another WordPress plugin, otherwise security plugins
   would end up breaking most WordPress plugins normal functionality. So your test
   parameters need to factor in a realistic attack vector that excludes any normal
   functionality in any other plugins. There are a lot of other things that you also
   have to factor into the test environment equation that I will not go into. In
   a nutshell, your test parameters and environment are simply not realistic.
    -  This reply was modified 9 years, 4 months ago by [AITpro](https://wordpress.org/support/users/aitpro/).
 *  [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/page/2/#post-8717758)
 * I’ll just use this one test example that you did:
 * > For each of the tested plugins we set up a fresh install of WordPress 4.7, installed
   > the version 2.0 of Delete All Comments, and installed the latest version of
   > the security plugin. We tried to enable any feature of the plugin that could
   > possibly have an impact on stopping exploitation of the vulnerability.
 * The problem here is that the Delete All Comments plugin has a coding mistake/
   security vulnerability. Most if not all WP security plugins will not interfere
   with the normal functionality of another WP plugin for the reason I stated above.
   So basically the basis of this test is no good. The only solution, of course,
   is for the Delete All Comments plugin to fix the bug.


The topic ‘Security issues with WordPress?’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 19 replies
 * 7 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [9 years, 4 months ago](https://wordpress.org/support/topic/security-issues-with-wordpress/page/2/#post-8718081)
 * Status: resolved

