With WordPress now powering a reported 20%+ of ALL websites online, it is becoming a victim of its own success.
With such a huge potential market for hackers small and large, the investment required to learn how to hack WordPress sites is now far more valuable than even 12 months ago. The potential return on the time spent gaining access to and compromising WordPress websites makes it well worth it.
I am now getting clients saying things like:
"I don't want a WordPress site as it is insecure"
"Everyone I know that has a WordPress site has been hacked at least once"
And on average we are getting at least one new client coming to us with a hacked WordPress website.
So what's going on? Is there something wrong with WordPress?
In short, no. WordPress is only as good as the developer that installs the software and builds the site, and to some extent the host that hosts it.
The WordPress software itself is very secure, and is monitored and updated regularly by a dedicated group of people who work hard to maintain this brilliant product.
The issue is with many developers not understanding, or even caring it seems, about website security. WordPress needs to be set up and secured correctly, and you need to have the skills and experience to achieve that. WordPress also needs to be kept up to date. As soon as security updates are released they need to be implemented. WordPress has done a great job in making auto updates available and (most of the time) seamless. This helps a lot but cannot replace good security, good backups and regular checking and updates of WordPress and plugins / themes.
When looking at adding a new piece of functionality to the site, you need to review plugins and code carefully to ensure they are well developed by a trusted and knowledgeable developer. If you install a plugin that is out of date or no longer supported, it has the potential to introduce security holes into your site. The same applies to themes: if your site is running on a theme, it may need to be updated to support new versions of WordPress. If it is not built by a knowledgeable developer, it may also expose security issues on the site.
With many hosts now offering "one click installs" of WordPress and other software, along with the wide range of themes and plugins, it can seem a simple task to set up a WordPress site. The issue comes with all of this being done without the deeper knowledge required to secure the site and make it as hard as possible for someone to hack. For this reason I would always recommend you engage a WordPress professional to review your completed site (at the minimum) to apply a security profile and recommend any changes to keep your site secure.
With these elements in place, WordPress is and will continue to be an excellent and secure platform to run your website on.