Poll: Do you recommend the use of Static Website Generators? If yes, which one do you recommend?
  • Yes. My choice is Jekyll: 1 vote (10.00%)
  • Yes. My choice is Hugo: 0 votes (0%)
  • Yes. I'm using a different one: 1 vote (10.00%)
  • No. I prefer the convenience of a Content Management System: 8 votes (80.00%)
  • Total: 10 vote(s) (100%)

Do you recommend Static Website Generators - Hugo or Jekyll? Or another one?
#23
The WordPress core, as in the software itself with its default theme and nothing else additional from 3rd parties, is actually quite secure because it has a somewhat big development team behind it and even the community helps a lot by reporting bugs. So if you set up a fairly stock WordPress blog without any 3rd party themes or plugins and use a good password, the chance to get hacked is really small (there still might be hidden bugs that hackers might discover, and you might fall first as a victim to these new bugs). Of course, since bugs and security holes are usually patched quite fast, it is always recommended to keep up to date. That'll reduce the chance to get hacked again.

However, once you add 3rd party content, the chance of getting hacked is, I would say, turning into an unknown equation. You might wonder why? Well, all this 3rd party stuff is usually not updated and maintained so well, and plugins often contain amateur security issues that could have been avoided (TL;DR: no one does proper QA on what they seem to release). And as fancy as themes look nowadays... many of them are not themes (CSS/JS/IMG/FONTS) anymore. They all contain a lot of code, mostly for this and that function, and this code is often very faulty. You might be as up to date as possible with those plugins and still get hacked by masses, simply because no one really reports the issues with the theme/plugin and no one fixes them. Only some really big plugins or themes (usually actually provided by the WP devs Automattic or other big design/code sites) are maintained somewhat properly. And even with that you sometimes get literally news articles on IT sites about popular WordPress themes or plugins having some serious security holes that have left thousands of blogs open to attacks for a long time.

3rd party content for WordPress is a big issue in terms of security and bugs. It's a bit like the wild west. Everyone does what they want without real consequences. No one seems to help each other with things other than developing code or themes, but not really fixing/reporting issues. Some kind of QA is missing, as in plugins and themes with easy-to-avoid issues pass through and are allowed on the WordPress Extend site where everyone can download and install them. And all of this is usually simply out of control for the average WordPress user who uses it as just what it is: "a tool".

I have had experience myself with this 3rd party stuff not being secure. In the past, a blog that I have hosted since 2009 was hacked once due to a faulty plugin (yes, everything was up to date) and the hackers implemented a fake Microsoft Outlook site. I got rid of the plugin and removed all traces of the hack and everything was fine again. So you see, sometimes one plugin is enough... and you're up for it really big (heads up to Strato for not going ape and simply absolutely suspending the service without a chance to fix it). And before anyone starts: we use strong passwords, the server is always up to date, login is only possible via SSH public key and we even use 2FA on the WordPress Admin. The reason for the hack was another plugin, and it was easy to figure out by simply searching for "wordpress hacked and showing outlook phishing site" or a similar search term (it was years ago by now so I don't remember what I searched for on Google to get clues and tips, but it was easy to find). I found a nice article on a WordPress site where that hack was discussed and everyone had this one thing in common: the plugin that had security holes.

@deanhills can share his fair experience with his blog getting hacked despite being up to date and all set up properly.


Messages In This Thread
RE: Do you recommend Static Website Generators - Hugo or Jekyll? Or another one? - by Mashiro - 01-16-2020, 06:13 AM
