Security Weekly

Most Common WordPress Security Misconceptions


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 10

As we’ve covered the basics of WordPress security, it’s time to address some common myths and misconceptions. The internet is brimming with SEO content offering various security tips. While some advice is excellent, other suggestions are debatable, and some are outright misinformation.

Today, let’s explore some myths, misconceptions, and misinformation I’ve encountered across different blogs, communities, and groups. Although this list could be endless, I’ll focus on those I’ve seen most frequently and that could be most harmful if followed.

Hackers Don’t Care About Your Small Website

Nearly 10 years ago, I regularly conducted incident response for companies whose websites had been hacked. The most common question was, “Why would hackers target our company?” This question arose with every small company I spoke to.

The answer is simple. In most cases, hackers aren’t interested in your company at all; they are interested in your website. The majority of attacks are opportunistic: hackers target flaws in popular software to take over as many websites as possible, regardless of who owns them.

Hiding That Your Website Runs on WordPress

If WordPress websites are targeted randomly, concealing your site’s WordPress foundation should make it invisible to attackers, right? Not exactly. This misconception is widespread, and there are even plugins designed to obscure a site’s WordPress base.

This misconception stems from a misunderstanding of how attacks are conducted. People tend to believe that all attacks are targeted, with hackers creating a “target list” of WordPress sites to hack in a highly organized attack.

In reality, the opposite is true. Attackers are racing against time, aiming to exploit vulnerabilities before websites are updated. Spending time creating a target list does not benefit them. Instead, they launch attacks against every public IP address, harvesting as many sites as possible.

Keep the Plugins Up to Date and You’re Safe

This piece of advice is commonly seen in various groups and communities. Discussions often arise where someone asks which security solutions to use, and a community member responds, “You don’t need security solutions; just keep your plugins up to date.”

While keeping plugins up to date is crucial, claiming that it is the panacea for WordPress security is misleading.

We’ve tracked every security vulnerability in the WordPress ecosystem. Over the past few years, the share of vulnerabilities left unfixed by developers has remained at about 30%. This means that nearly one-third of vulnerabilities cannot be patched with an update, because no fixed version exists. Stats here: https://patchstack.com/database/statistics/wordpress

Furthermore, do you update every plugin within a few hours of its release? Do you have auto-updates enabled for all plugins? If not, you’re already at a disadvantage.

Use Only Server-Side WordPress Security

This argument has gained traction in recent years, especially after a research article last year showed that WordPress malware scanning plugins are regularly tampered with and bypassed by hackers.

This conclusion is an oversimplification. In reality, security should be layered across the network, server, and application (WordPress site). Relying solely on server-side WordPress security is inadequate.

Some measures, such as two-factor authentication (2FA), session management, virtual patching, and WordPress-specific hardening, must be implemented within the WordPress application. These cannot be effectively managed at the server or network levels.

Conclusion

A wealth of advice circulates in various communities and websites. Much of it is AI-generated, which may sound convincing but can be technically inaccurate. There are many other minor myths within the WordPress ecosystem, so feel free to share the ones you’ve encountered in the comments!
