We often have clients expressing their concerns about building their site in WordPress and turning to an HTML site as a safe solution. Unfortunately, that is something like always taking the stairs because you once got stuck in a poorly maintained elevator. It is an overreaction to the wrong problem, and it just isn’t necessary.
WordPress is more vulnerable to attacks because it is written in PHP and because it is open source, and it is a big target because it is the most used platform in the world for building websites. That vulnerability is completely manageable, and managing it is easy; it doesn’t require extreme measures.
Here’s a list of all the things we do to protect your site:
- Use only tested, well supported and widely used plugins.
- Install Wordfence to help monitor and prevent destructive changes.
- Routinely apply the updates issued for WordPress and for the plugins (these are the security patches any software requires, plus feature updates).
- Have daily backups that can be easily accessed to restore the site if something happens (a hack, or someone in your company accidentally messes up the site).
- Have a monitoring service in place to tell you if something goes very wrong.
- Use secure passwords.
- Have the site hosted on a properly setup, well maintained and secure server.
- If you want to add another layer of protection you can use a service like SiteLock to lock the site against changes, or even just put the site behind a free CDN like Cloudflare (which also helps speed up the site).
Some of the necessary security measures are applied when the site is built; the remainder are a matter of proper maintenance. Most of these would apply equally to an HTML site.
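As an added illustration (not the agency's own tooling), here is a small maintenance audit that applies three items from the list above, plugin support, pending updates and daily backups, to a constructed inventory; the plugin names, dates, field names and thresholds are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (hypothetical plugin names and dates), standing in
# for what a real site would export from its plugin list and backup job log.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PLUGINS = [
    {"name": "example-forms", "update_available": True,
     "last_release": "2024-05-20", "active_installs": 2_000_000},
    {"name": "example-abandoned", "update_available": False,
     "last_release": "2019-03-01", "active_installs": 300},
    {"name": "example-seo", "update_available": False,
     "last_release": "2024-04-30", "active_installs": 5_000_000},
]
BACKUPS = ["2024-05-29T02:00:00", "2024-05-30T02:00:00"]  # successful backup runs

def _date(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def pending_updates(plugins):
    """Plugins with a vendor update waiting: the 'routinely do the updates' item."""
    return [p["name"] for p in plugins if p["update_available"]]

def poorly_supported(plugins, now=NOW, max_age_days=365, min_installs=10_000):
    """Plugins that fail the 'well supported and widely used' test.
    The age and install-count thresholds are assumptions chosen for this example."""
    cutoff = now - timedelta(days=max_age_days)
    return [p["name"] for p in plugins
            if _date(p["last_release"]) < cutoff or p["active_installs"] < min_installs]

def backup_is_stale(backups, now=NOW, max_age_hours=24):
    """True when the newest backup is older than the daily window, or none exist."""
    if not backups:
        return True
    newest = max(_date(b) for b in backups)
    return now - newest > timedelta(hours=max_age_hours)

def audit(plugins=PLUGINS, backups=BACKUPS, now=NOW):
    """Collect the findings so a maintenance run can act on them."""
    return {
        "pending_updates": pending_updates(plugins),
        "poorly_supported": poorly_supported(plugins, now),
        "backup_stale": backup_is_stale(backups, now),
    }

if __name__ == "__main__":
    for check, finding in audit().items():
        print(f"{check}: {finding}")
```

On the sample data the run flags one plugin needing an update, one plugin with no release in years and too few installs, and a backup that missed its daily window.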
Probably 70-80% of our work is in WordPress, and we host or maintain most of our client sites. We have had exactly two instances of our sites being hacked. In one of those cases, someone hacked the email account of the site administrator and used that to gain access to the site. So that didn’t have anything to do with it being WordPress. The other also involved someone obtaining a login to the site through an external means. In each case it took a few hours to put up a backup of the site and change the passwords.
There is no perfect protection against ANY website being hacked, not when major bank and government websites are being hacked. Your site is not going to be a priority target; the really clever hackers are going after the banks and big retailers – because that, of course, is where the money is. But specific simple practices will a) make any hack unlikely; and b) allow fast discovery and fast, easy restoration in the unlikely case something does happen.
The flip side of this is all the reasons why WordPress is the most used platform, with literally tens of millions of sites. Compared to an HTML site, it is faster and easier to build a site in WordPress, it is easier to make changes, and it is less subject to becoming obsolete.
So by building the site in WordPress, you get a site which costs less, is far easier to update, and is more durable, against less than a 1 in 100 chance that over the course of a year your site will be down or have issues for a few hours. You do the math.