Don’t Take Our Word for It: Why You Should Take WordPress Security Seriously

By Joe Cress, Technical Implementation Specialist

Learn why you should run regular WordPress scans and basic practices to implement now.

When Matt Mullenweg and Mike Little set out to build a new platform on top of the then b2/cafelog blogging tool when it was discontinued, they probably didn’t know that they were about to start a journey that would eventually benefit millions of users around the globe. And that a whole industry of thousands of developers, designers, writers, bloggers, and web publishers would make their living off it.

WordPress is a free, open-source website creation platform. On a more technical level, WordPress is a content management system (CMS) written in PHP that uses a MySQL database. Known for its ease of use, WordPress is a popular website builder for small and medium-sized businesses. Today, WordPress powers 43% of all the websites on the Internet, including those without a CMS or custom-coded CMS. Or to put it another way, WordPress powers over one-third of the web (that’s according to W3Techs).

Why run WordPress vulnerability scans?

Let’s face it, hackers are getting more sophisticated and more aggressive, evidenced by the rising number of small and medium-sized businesses that are falling victim to cyber attacks—two out of every three last year, according to one study.[1] Trava’s automated assessments that check for vulnerabilities in external and internal environments predict how hackers might get into a system, informing better defenses against cyber threats. And with WordPress as prevalent as it is, that is an important scan to run.

Not convinced? One example of a major hack on WordPress occurred recently in December 2021 when an active attack targeting over a million WordPress sites was uncovered. To put a brighter spotlight on it, 1.6 Million WordPress sites were hit with 13.7 million attacks in 36 hours from 16,000 IPs[2].

The news gets worse. The number of new vulnerabilities has been increasing steadily since WordPressScan first started tracking in 2014. As of April 14, 2021, WordPressScan reported an additional 4,400.3

What will WordPress users uncover from running WordPress scans?

  • Vulnerable theme templates and plugins installed on your website
  • Security holes in your website that can be exploited by hackers
  • Assurance that WordPress is up-to-date

How frequently should you run WordPress vulnerability scans?

Monthly and whenever your website is updated. WordPress sites are regularly updated, and with each update comes potential for a new set of security holes.

WordPress Cyber Hygiene Practices

In addition to regular scans, here are some basic guidelines for cyber security that you can implement now.

  • Plugins/Themes: WordPress core itself is a major culprit, but a significant amount of vulnerabilities come from plugins/themes that are not currently being maintained. Only use plugins/themes from the WordPress plugin respository or reputable third-party developers and keep them updated as frequently as possible. Enable auto-updates for WordPress core and plugins.
  • Password strength / 2FA: Set minimal password length and implement two-factor authentication.
  • User permissions: Use appropriate permissions for users—not everyone needs to be an Admin!
  • Reliable hosting partner: A reliable hosting partner can save a lot of headache if they have security built into their platform. The providers that provide higher security are not cheap.
  • Make reliable off-site backups a high priority. In the case of a cyber event you can restore the site and lock it down until you can figure out how it is being exploited. Consider using a real-time third party backup with easy restoration.
  • WAF: A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. Partnering with a product like Cloudflare can prevent a lot of malicious requests from ever reaching your WordPress site.
  • SSL: This one is a no-brainer. Secure Sockets Layer (SSL) is a security protocol that creates an encrypted link between a web server and a web browser. Get it! Most of them are free.

Regular updates, vulnerability scans, and basic cyber hygiene practices can help find changes that you, WordPress, or your website hosting service have made that can leave your website vulnerable to security threats.

To learn more about vulnerability scans—including a description of each scan type, key insights learned from each scan, and recommended frequency for running each scan—download Trava’s Complete Guide to Vulnerability Scan Types.


[1]2018 State of Cybersecurity in Small and Medium-Sized Businesses report, Ponemon Institute, LLC, November 2018

[2]Chamberlain, Chloe, 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs, Wordfence, Dec 9, 2021. Retrieved Mar 18, 2022;

[3]O’Driscoll, Amy, 25+ cyber security vulnerability statistics and facts of 2021, Comparitech, 14 April 2021. Retrieved 19 July 2021


Get cybersecurity tips, articles, and videos sent straight to your inbox