A Look at WordFence’s 2015 WordPress Security Survey

Posted on January 20, 2016 at 1:27 am

Tags: ,

No Comments

WordPress vulnerabilities are real. They can leave your site open to attack by hackers and malware, and leave you looking for a WordPress Hacked Fix. WordPress security issues can often raise many questions and the answers aren’t always apparent. Exactly what are those vulnerabilities? Who are those that are vulnerable? Are the activities you’re doing with your WordPress website more likely to leave your site open to attack?
In order to help answer these questions and give insights on WordPress security issues, WordFence has produced a WordPress Security Survey about WordPress users and their knowledge of WP security. The results are telling and they can help us all improve the security of our WordPress websites. Let’s take a look at the survey and it’s results.

About the WordFence WordPress Security Survey

WordFence has created their first annual WordPress Security Survey, where they asked thousands of WordPress users questions about their own experience with WordPress and security, and included questions about their own security habits. 7,375 WordPress users responded to the survey. Their Infographic shows the results.

The overwhelming majority of those responded were in the US, are age 40-49, have an intermediate level of expertise in security, are either advanced or expert WordPress users, manage two or more sites, and spend four hours or less supporting those sites.

Most of the websites were business or corporate without eCommerce, with the next being a blog, followed by personal website, and then business site with eCommerce. The majority of the sites were customized. Most of the users had created a site within the last 12 months, redesigned a site within the last 12 months, and only use the WordPress platform for all their websites.

The most popular type of plugin used was for security with contact forms being a close second, followed by SEO and antispam. Favorite plugins included popular names such as WordFence, Yoast Seo plugin, Akismet plugin, Contact Form 7 plugin, Jetpack plugin, WooCommerce plugin, Gravity Form plugins, BackupBuddy plugin, and more.

A Look at Their "Security Attitudes" Survey Results

surveyreport_section4_crop

The revealing part of the WordPress Security Survey is the results from the security attitudes. This section looked at the respondent’s attitudes toward security and their experiences with hacks. The Infographic from their article is seen above.

35.4% of the users were very concerned about security. 27% were extremely concerned and 25.4% were only moderately concerned. 38.9% of respondents had their websites compromised within the last 12 months. Considering many of them had more than one site, that’s a lot of websites to be hacked or exposed to malware.

One issue was how the site owners were alerted to the problem. Most users were alerted to the compromise when they visited their site. Imagine if they don’t visit their sites every day. Their sites could go several days with security issues and do a lot of damage to their businesses and their readers’ computers. It doesn’t take long to tear down the respect and credibility that they’ve spent so much time and effort in building.

Others were alerted by their hosts, visitors to their websites, a malware scanner, monitoring service, Google flagging the site as harmful, a drop in traffic, the web-browser alerting them of the hack, using a remote scanner, or other tools or methods. In other words, they were not pro-active in monitoring their sites, but instead they were reactive to problems after someone, or something, else told them about it.

When you consider concern vs compromise, most users were in the very concerned category and they were compromised the most. Next were those that were extremely concerned. They were compromised far less than those that were very concerned. Those that were moderately concerned had far less compromises than those that were extremely concerned. Those who’ve experienced website compromises have the highest level of concern because they’ve had to deal with it first-hand.

Those with the highest level of experience and expertise with using WordPress are also those with the greatest concern. Those with intermediate and then advanced experience are next, falling into the very concerned category.

66% say that a compromised WordPress website could have an affect on their income. Many of us make our living online. If our websites suffer then our business will suffer. This goes to show just how crucial web security really is. It doesn’t just affect our computers, but also our reputation and livelihood.

The most common steps they take to keep their WordPress websites safe include:

  • Keeping WordPress up to date
  • Keeping plugins up to date
  • Keeping themes up to date
  • Use an intrusion and detection system
  • Use strong passwords for all user accounts
  • Use plugins from reputable sites
  • Use a reputable host provider
  • Use themes from reputable sites
  • Store backup files offsite
  • And lots more…

Looking at the Results

The results of the survey are telling. Specifically the security attitudes of WordPress users and their experience. The results show that the security habits of the majority of WordPress users was good, but there is a lot of room for improvement. Websites are being hacked far more often than they should be considering that over half the users consider themselves advanced or experts in using WordPress.

Keeping your site safe starts with something as simple as keeping WordPress, your plugins, and your themes up to date. Updates are crucial. WordFence shows that half of all plugin vulnerabilities are XSS and securing FTP, and even popular plugins are not immune to new vulnerabilities. If you miss a single update your site is at risk. Your website could be placed on anyone’s list of WordPress hacked sites, and this damage to your reputation can be hard to overcome. Security starts with keeping your site up to date.
Don’t wait until your browser or your readers tell you there’s a problem. Use some sort of detection system to alert you of when you’ve been hacked. Follow best practices, Be proactive in your WordPress security measures, and don’t wait to deal with a problem later. It won’t go away on its own and the longer you wait the more harm it can do.

If your WordPress site has been hacked then you can either try to clean it yourself or ask for a WordPress Hacked Fix

Images from: https://www.wordfence.com/learn/2015-wordpress-security-survey/

Your Turn. What do you think of WordFence’s 2015 WordPress Security Survey? Do you agree with the results? Do you have any security issues to add? Let us know in the comments below.

Leave a Reply

Your email address will not be published. Required fields are marked *