We recently ran a survey to get a better understanding of the state of WordPress security. The survey was open to everyone and included several WordPress security-related questions. This report details our findings.
Why this survey?
WordPress security is an essential topic on the minds of many administrators and website owners. Due to its open and iterative nature, it is not always easy to understand whether your efforts go far enough or whether there are areas that require further attention and development. This is especially true when juggling multiple things at once – as is often the case with managing WordPress websites.
To this end, we sought to get a snapshot of the state of WordPress security. While the survey does not cover all aspects, it is still enough to provide an overarching picture of general WordPress security.
How important is WordPress security to you?
The first question we asked looked at the importance of WordPress security to WordPress administrators and website owners. Unsurprisingly, the vast majority of respondents view WordPress security as essential. In fact, 96% of respondents view WordPress security as very important, while 4% of respondents see it as somewhat important.
While the vast majority view WordPress security as very important, the amount of time dedicated to securing WordPress varies considerably. We will look at these figures next.
Total time spent on security tasks
A more significant percentage of administrators spend between one and three hours per month on security tasks, while 35% of respondents spend more than three hours. 22% spend less than one hour per month. While this is the minority, it still represents a considerable percentage of all respondents.
One thing that’s of important note here is that the time spent on security tasks tends to vary over time. Typically, substantial time is spent during the initial setup. Once everything is up and running, less time is generally spent on security-related tasks with a few hours per month enough to cover ongoing maintenance. The size and complexity of the websites can also play a considerable role in how much time is spent.
WordPress hardening and best practices
WordPress hardening is a best practice process that aims to reduce the attack surface of WordPress websites. No agreed-upon standard defines what goes into a hardening exercise; however, this typically involves activities such as restricting the REST API and disabling the file editor, among other things.
When we asked respondents whether they ever undertook any such WordPress security hardening exercise, the vast majority – 85% replied that they had. 28% manually hardened their WordPress website, while 26% used a plugin or service. 31% used a plugin and carried out manual processes. Only 15% of respondents did not undertake any hardening exercises.
Updates and testing
Updates are another critical aspect of WordPress security. WordPress itself, as well as plugins and themes, receive regular updates – or at least they should. Managing these updates is essential as they often include fixes for bugs and security holes present in the current (installed) version.
52% of respondents have auto-updates enabled for components that include WordPress, plugins, and themes, while 48% do not have auto-updates enabled. Of course, not enabling auto-updates is not necessarily a security risk since many administrators opt to test updates before rolling them out to the live environment.
In fact, 25% of respondents always test updates in a test or staging environment, while 26% only test major updates. Furthermore, 32% of surveyed administrators sometimes test updates, while 17% never test updates – regardless of the impact they might have on their websites.
Updates strategy
While both WordPress auto-updates and update testing have their merits, the strategy one uses may depend on the environment. A high-stakes eCommerce website may want to test updates before rolling them out, as an outage may mean a loss of revenue. On the other hand, a website owner who prefers to be hands-off as much as possible may switch on auto-updates to keep their website secure without having to actively manage it all that much.
As such, we thought it would be interesting to see what overall strategy administrators employ when it comes to updates.
| Auto-updates and testing | Percentage |
|---|---|
| Auto-updates enabled and sometimes tests updates | 19 |
| Auto-updates disabled and always tests updates | 16 |
| Auto-updates disabled and only tests major updates | 15 |
| Auto-updates disabled and sometimes tests updates | 13 |
| Auto-updates enabled and never tests updates | 13 |
| Auto-updates enabled and only tests major updates | 11 |
| Auto-updates enabled and always tests updates | 9 |
| Auto-updates disabled and never tests updates | 4 |
While the majority of people have some form of auto-updates enabled, many administrators still carry out some form of testing before deploying updates to their live environment. In fact, only 17% of all respondents never test updates.
Security plugin usage
Survey participants were also asked about using their usage of security plugins. A particular focus was placed on firewalls, 2FA, WordPress activity logs, and password security plugins.
The vast majority of respondents have a firewall plugin installed in their environments, with 81% stating they have one or more installed. Conversely, 19% do not have any firewall plugins installed.
2FA is not as popular as firewalls, despite companies like Microsoft and Google rallying behind this more secure way of logging in to WordPress. In fact, only 64% of respondents use 2FA on their website, while 36% do not.
Activity log plugins are just as popular as 2FA plugins, with 65% of respondents using one.
When it comes to password security, 38% of respondents trust their users to use secure WordPress passwords. On the other hand, 40% use a WordPress password security plugin, while 22% are considering using one.
Top plugins
| Top three firewall plugins | Top three 2FA plugins | Top three activity log plugins |
|---|---|---|
| WordFence – 49% | Wordfence – 25% | WP Activity Log – 42% |
| Sucuri – 7% | WP 2FA – 22% | Simple History – 7% |
| iThemes security – 2.5% | iThemes – 2.5% | Activity Log – 7% |
Drawing conclusions and a way forward
The results show strong interest in WordPress security, which is encouraging. Equally, many administrators and website owners are taking action to ensure their websites are secure. Yet, some work still needs to be done.
While 2FA, in one shape or another, has been around for quite some time, it still needs to catch up. Firewall plugins continue to enjoy massive popularity, and as good as they are, they cannot protect WordPress websites from credential breaches. This makes 2FA plugins essential to the overall security of WordPress websites.
It has to be said that this is but a snapshot of how WordPress administrators and website owners view security. It is also important to note that the questions in this survey cover but the basics of WordPress security. If you’re serious about protecting your websites, make sure you follow our blog, where we cover numerous topics on WordPress security.
Hi, Interesting but I can’t agree with your conclusion regarding 2FA. In my experience running membership sites introducing 2FA, when compulsory, is a disaster. It immediately loses a large percentage of your members. They simply will not accept the added friction. Even when people do have mobile phones they do not always have them handy when viewing the website.
I think the move to using biometrics such as Face, Fingerprint or pin are much better. Yes there is an overhead in setting it up but once done the user no longer needs to remember their password or use a password manager ( Also very good but again a really hard sell to users ) for day to day interactions.
iThemes is now offering this login mechanism, hopefully more platforms do too.
Basically the permanent logon for facebook is the only reason they are so successful. There is just no friction for users, who overlook the associated security issues.
Regards
Alan
Hello Alan,
Thank you for your comment.
As the old adage goes, increasing security decreases usability, while increasing usability decreases security. While great progress has been done in terms of security and usability – one still affects the other, even if not as much as it used to.
On the other hand, new technology always causes some friction. While 2FA is not new, its mass adoption is fairly recent. We are encouraged by the fact that companies like Google are so confident in 2FA that they’re making it mandatory for all users. This will certainly make 2FA more acceptable to users since they will already be familiar with the technology.
While some 2FA methods do requires users to have access to their smartphone, this is not always the case – in fact, our plugin supports multiple methods that do not require a smartphone. We did this to ensure that administrators who use our plugin can include more users.
Biometrics are also a good option; however, these too require the use of a smartphone – or, in some cases, computers with built-in biometrics, which most computers do not have. Without a phone, users will not be able to log in at all – which is not the case with 2FA, thanks to secondary backup options. This makes 2FA far easier to deploy and is more inclusive – our WP 2FA plugin even offers codes over email, SMS, phone calls, and Whatsapp, among others.