WordPress security plugins help improve the security of WordPress sites, but they’re no substitute for an understanding of basic security precautions. Any web application is vulnerable if its developers and users don’t follow security best practices. WordPress is no different, and because WordPress is used by millions of non-technical users, it’s reasonable to assume that many of them won’t understand the complexities of web application security.
WordPress security plugins exist — in part — to help non-technical users limit the risk, without asking them to become security experts. But no WordPress plugin can make a site invulnerable to hackers, and it’s important that WordPress site owners understand at least the basics of web application security to keep themselves safe. It’s perfectly possible for WordPress to be secure. In fact, it’s relatively easy to create a secure WordPress site, but you need to know a few commonsense rules.
Bringing easy web publishing to everyone is a core goal of the WordPress project, and it’s been remarkably successful. Anyone with an idea can publish content on a site over which they have complete control. But, however easy it is to create a WordPress site — and modern WordPress hosting companies make it very easy indeed — the user still has some responsibility to educate themselves about security. The vast majority of hacked WordPress sites are the result of user error: the user chooses a bad password for their admin account or they fail to update a plugin with a known vulnerability.
However well-designed and feature-rich a security plugin is, it won’t protect users against many of the mistakes that hackers exploit. WordPress security plugins like Wordfence and iThemes Security make it much easier to secure a WordPress site, and I’d strongly advise any non-technical WordPress user to install a security plugin, but WordPress users should understand that installing a security plugin isn’t the end of their security responsibility.
This isn’t a WordPress problem: it’s a web application problem. Web applications like WordPress, Joomla!, Drupal, and Magento are immensely complex pieces of software. No one has figured out how to make software that’s both feature-rich and completely without bugs. Software bugs, and hence software vulnerabilities, come with the territory — and, unfortunately, so do hackers and criminals.
Installing a security plugin won’t protect you against these vulnerabilities. WordPress and WordPress plugin developers try hard not to introduce bugs, and when bugs are found, they’re squashed very quickly. But a fix only protects you once it’s installed: to be protected, you have to apply updates, and understand why you have to apply them.
Many classes of vulnerability aren’t caused by software bugs, but by simple user errors. Nothing the developers can do will stop you from using “miaow” as your admin password, although the WordPress interface will tell you it’s a bad idea. Security plugins won’t help you out there either, although they can limit your exposure to brute force attacks that take advantage of bad passwords. You need to know that using a simple password isn’t a good idea.
Web application security is a partnership between developers, hosting providers, and users. Users have to do their part, and installing a security plugin is a great first step, but it won’t get you all the way to a secure site on its own.