WordPress security issues and vulnerabilities

Many web development companies base their websites on WordPress, the most popular Content Management System (CMS) on the internet, which in 2020 powered approximately 40% of all websites. Unfortunately, WordPress is also the most hacked CMS on the internet: in 2018, 90% of hacked CMS websites were WordPress websites. The problem with WordPress is a combination of its popularity, its complexity, and the fact that many web development companies do not properly maintain the WordPress websites they build.

A website hack wastes time, energy, and money, threatens your authority and reputation, and may even put data about your site visitors and users at risk. If you run a business or community organisation, you should at least consider a more secure alternative, such as a serverless website.

It is difficult to quantify the number of threats your WordPress site may face, as WordPress is built on a complex stack involving a server operating system, web server software, and database software, all of which require continuous updating. In addition, there are a number of WordPress-specific security and vulnerability issues you should be aware of, and for which you should ensure that your web developer is taking appropriate steps to mitigate the risk.

Unauthorized Logins: The location of WordPress's admin login page and the name of its default admin account are widely known, making WordPress vulnerable to brute-force password attacks.

Undefined User Roles: WordPress has multiple user roles, but the administrator role is the default. This means that an attacker who gains access to the back end is likely to obtain administrator privileges.

Outdated Core Software: Security vulnerabilities are found in WordPress software on an almost weekly basis. Unfortunately, many web developers simply do not patch these security vulnerabilities in a timely manner (or at all).

Outdated Themes and Plugins: Again, many WordPress installations are left unpatched and unmaintained by their developers. Themes and plugins can have as many security vulnerabilities as the core software.

Structured Query Language (SQL) Injections: Poorly written and maintained plugins that do not correctly validate user input make WordPress vulnerable to maliciously crafted input designed to compromise its database.

Cross-Site Scripting: Poorly written and maintained plugins also make WordPress vulnerable to cross-site scripting (XSS) attacks, which target the website's front end (the pages served to visitors) rather than the database.
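As an added illustration (not code from the original article), the following hypothetical plugin fragment shows both defects described in the two points above, SQL injection and XSS, next to a hardened version that uses WordPress's own validation, prepared-statement and output-escaping APIs. The table name, shortcode name and function names are assumptions made for the example.

```php
<?php
// Added example, not part of the original article. A hypothetical shortcode
// that looks up a record by a user-supplied ID and greets a user-supplied name.
// The "unsafe" form shows the two plugin defects described above; the "safe"
// form applies the WordPress APIs that prevent them.

// UNSAFE: request data is concatenated into SQL and echoed into HTML as-is.
function demo_lookup_unsafe() {
    global $wpdb;
    $id   = $_GET['id'];   // untrusted input
    $name = $_GET['name']; // untrusted input
    // SQL injection: $id is spliced directly into the query string.
    $row = $wpdb->get_row( "SELECT title FROM {$wpdb->prefix}demo_items WHERE id = " . $id );
    // XSS: $name and the stored title are printed without escaping.
    return '<p>Hello ' . $name . ', you asked for ' . $row->title . '</p>';
}

// SAFE: validate on input, bind values in the query, escape on output.
function demo_lookup_safe() {
    global $wpdb;
    // Validate: the ID must be a positive integer; reject anything else early.
    $id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
    if ( 0 === $id ) {
        return '<p>' . esc_html__( 'Invalid request.', 'demo' ) . '</p>';
    }
    // Sanitize the free-text field (strips tags and control characters).
    $name = isset( $_GET['name'] ) ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) : '';

    // $wpdb->prepare() binds the value; the %d placeholder forces an integer,
    // so the query structure can no longer be altered by the input.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT title FROM {$wpdb->prefix}demo_items WHERE id = %d", $id )
    );
    if ( null === $row ) {
        return '<p>' . esc_html__( 'Not found.', 'demo' ) . '</p>';
    }
    // Escape at output time: esc_html() turns characters that would be parsed
    // as markup into entities, so a stored or submitted <script> renders as text.
    return sprintf(
        '<p>Hello %s, you asked for %s</p>',
        esc_html( $name ),
        esc_html( $row->title )
    );
}
add_shortcode( 'demo_lookup', 'demo_lookup_safe' );
```

Note that escaping belongs at the point of output, not only at the point of storage: data written safely into the database by one plugin can still be rendered unsafely by another.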

Tags: #serverless, #wordpress