The results from Melapress’ 2023 WordPress Security Survey are in, and we’re very excited to share our findings with you.
Like we do every year, last month, we launched our WordPress security survey. This year, however, we did things a little differently by holding our usual online survey and one in person at WCEU 2023. The questions were exactly the same, and we are very thankful for the enthusiastic participation we had in both versions of the survey. We anonymized the results and combined them into one dataset, from which we derived the results shown in this report.
The purpose of this survey is to get a picture of the security posture of WordPress websites among its users, which includes WordPress administrators and website owners from all walks of life. The questions are quite different from the ones we asked last year, giving us a different perspective on the same topic.
Without further ado, let’s get to it.
The WordPress security survey results
We asked a total of nine questions related to essential WordPress security, which questions are reproduced below, along with the results.
SSL/TLS certificates (WordPress HTTPS)
TLS is an acronym that stands for Transport Layer Security (protocol). It supersedes SSL (Secure Socket Layer), which was initially developed by Netscape and last updated in 1996. In a nutshell, TLS is used to get an HTTPS secure connection when visiting a WordPress website.
WordPress SSL/TLS secures the traffic between visitors and the server. Visitors can tell that the website is secured with TLS when they see a padlock next to the URL – a sign that anything they send to the server (including passwords and potentially payment information) is encrypted and thus safe from prying eyes. TLS certificates also authenticate the website, ensure data integrity, and help with SEO (Search Engine Optimization) efforts.
We asked, do you use SSL certificates for your WordPress websites?
Not having a TLS certificate can be very harmful. Users, customers, and website visitors have learned to look for the padlock sign. It can also hold you back from ranking, meaning fewer people will find your website. Unencrypted WordPress traffic also increases the risk of passwords being stolen. It comes as no surprise, then, to see that the vast majority of respondents use TLS. In fact, over 97% use TLS, with fewer than 3% not using it.
When it comes to securing networks and network devices, firewalls enjoy a notoriety that few other security solutions do. While they are not the silver bullet many people think they are, they, nevertheless, can help WordPress administrators prevent intrusion, control access, and even comply with certain privacy laws.
Firewalls for WordPress websites come in all shapes and sizes, which allows administrators to choose the one that best fits their infrastructure requirements.
We asked, do you use a firewall for your WordPress websites?
|Do you use a firewall?||Percentage|
|Yes, a WAF plugin||37.5%|
|Yes, an online service||31%|
|Yes, at infrastructure level||17%|
The vast majority of respondents use some sort of firewall, with only 14.5% using no firewall at all. Firewall plugins are the most common type of firewall, with 37.5% indicating they use this type of firewall. This result should come as no surprise since they’re the most accessible type of firewall to install and configure.
CAPTCHAs are one of the best countermeasures we have against spam and certain types of automated attacks. At its core, CAPTCHA is a test that is designed to be simple for humans but impossible for bots, thus filtering out unwanted traffic.
Newer versions of CAPTCHA, such as ReCAPTCHA V3, integrate seamlessly into WordPress forms when using a plugin and are not intrusive at all – contributing to a smooth user experience without compromising security. CAPTCHA 4WP also offers ReCAPTCHA V3 failover, ensuring false positives do not lead to visitors and customers falling through the cracks.
We asked, do you use CAPTCHA for your forms?
With 77% of respondents indicating they use CAPTCHA on their WordPress website, the results speak to the effectiveness of this tool.
WordPress updates are, in many ways, the most basic security measure anyone managing a WordPress website can undertake. They are completely free and address security concerns that might be present in the current version.
One can argue that forgoing updates can mitigate any other security measure in place – depending on what issues the updates are fixing. The most secure door in the world isn’t going to keep anyone from coming in if the building it leads to is in tatters.
We asked, how often do you update WordPress and plugins?
|How often do you update WordPress and plugins?||Percentage|
|As soon as I've tested updates in my staging environment||48.5%|
|As soon as updates are released||41.25%|
|Whenever I remember||8.5%|
|WordPress has updates?||1.75%|
The majority of respondents have a WordPress update strategy, with 48.5% testing updates in a staging environment before deploying to the live environment and 41.25% installing them on their live environment as soon as they become available. 8.5% install updates irregularly, while 1.75% are not aware that WordPress releases updates.
Passwords are a basic tenet of WordPress security; however, not all passwords are born equal. Simple passwords are a security risk since they give a false sense of security. What might have been considered a secure password a few years ago can be cracked in a few seconds, and administrators and users need to be aware of this if we want to keep our data safe. One way to accomplish this is by using a password policy.
Password policies set guidelines or rules as to how long and complex a password needs to be. Generally speaking, WordPress password policies can be enforced orally by asking users to ensure passwords are complex enough or automatically through Melapress Login Security. Using a plugin has the added benefit of ensuring that passwords meet the criteria set.
We asked, do you have a password policy?
75% of respondents have some sort of password policy. Highlighting the importance strong passwords play in good WordPress security. 25% of those who answered the survey, however, do not have a password policy in place.
WordPress two-factor authentication, also known as 2FA for short, adds an extra layer of security to WordPress login pages by requiring a second authentication in addition to the standard username and password combination. The idea behind 2FA is simple yet very effective – a bad actor may steal or guess a password, but it is improbable they will also access the user’s phone – which is one of the more common types of 2FA.
2FA has been proven time and again to be effective in stopping the majority of breaches. It is easy to implement, taking mere minutes to configure and deploy.
We asked, do you use 2FA?
The majority of survey participants indicated that they use two-factor authentication on their WordPress website. Of those who do use 2FA, 29% answered that all users have 2FA configured, while 37% answered that only some users use 2FA. In contrast, 34% of respondents do not use 2FA at all.
Adding 2FA to your WordPress website is a breeze, thanks to our WP 2FA plugin. Get started with the free 14-day WP 2FA trial and benefit from better security today.
Backups are something akin to insurance – they might not protect you from a breach, but you’re surely going to be happy to have one should something happen.
While there are different ways to take a WordPress backup, backup frequency is arguably more important. While any backup is better than no backups at all, the ideal frequency must account for factors such as website update frequency and traffic volume.
We asked, do you take backups of WordPress sites?
At 65%, the vast majority of respondents take daily backups, followed by weekly (17%) and monthly (12%). 3% of respondents take irregular backups, while a further 3% do not take any backups at all. These statistics show how vital backups are and how seriously WordPress administrators and website owners take them.
Inactive users on WordPress
Inactive users are those users who are no longer active on your WordPress website. The timespan that must pass before a user is considered inactive differs from website to website, depending on factors such as average visit frequency for users with the same role.
Either way, inactive WordPress users can pose a security risk. It will likely go unreported if they suffer a breach since the legitimate user would not notice something is amiss. They also take up resources unnecessarily, however minimal they may be.
We asked, do you disable inactive user accounts?
The majority of respondents do deactivate inactive user accounts; however, most undertake this through a manual process. Manually deactivating user accounts is still safer than not deactivating them at all. However, this risks inactive accounts falling through the cracks. While this might be fine on WordPress websites with a handful of accounts, it can become an issue when there are thousands of accounts.
A WordPress activity log can be a preventative and troubleshooting tool. Keeping a record of user and system activities can help administrators spot suspicious activity before it becomes an issue. And should something happen, an activity log makes it easy to track what events occurred before the problem manifested itself.
WP Activity Log, in particular, can keep a log of a wide range of activities and even tracks events on 3rd party plugins, ensuring comprehensive records across the board. In terms of security, this protects you from internal threats while offering additional benefits such as easier troubleshooting and compliance.
We asked, do you keep a log of user and system activity?
Most respondents keep a log of user and system activity, accounting for 63% of all responses. However, at 37%, the number of those who do not maintain an activity log is not minimal. With logs being akin to an insurance policy rather than an outright deterrent, it doesn’t always enjoy the same popularity as other solutions – yet, those who do have WordPress logs enjoy benefits such as easier troubleshooting, better incident response times, and threat prevention.
WP Activity Log offers you unprecedented views on user and system activity on your WordPress websites, including 3rd party plugins such as WooCommerce, MemberPress, Yoast SEO, and many others. Get started with a free, no-commitment WP Activity Log 14-day trial and benefit from easier troubleshooting, better compliance, and smoother incident prevention.
WordPress security survey conclusions
Keeping your WordPress websites secure is critical to the success of any website – large or small. While it’s encouraging to see so many adopt basic security best practices, more needs to be done to bring awareness to this important topic.
It’s also important to acknowledge that WordPress security goes beyond basic best practices. To this end, it is very important to ensure continuous monitoring and management of security tools and processes for a healthier, successful WordPress website.