WordPress security is critical to the longevity of any website. This has never been as true as it is now, with leaks and breaches peppering the news on a seemingly daily basis. While we all understand what we need to do to secure our websites, whether vaguely or accurately, statistics often tell a very different story.
This is what we’re here to find out.
Every year, Melapress runs a WordPress security survey to understand real-world statistics. This year has been no exception.
We ran two editions of the survey – one in person at WordCamp Europe and one online.
The in-person survey at WCEU was available to all attendees and was offered free of charge. To participate, attendees scanned a QR code promoted at the Melapress booth. Participants could also opt in to a giveaway that included a GoPro and free Melapress licenses. We collected 148 responses, accounting for 58.5% of all responses.
The online survey, which asked the exact same set of questions, was promoted through our blog, newsletter, and online adverts. We collected 105 responses, accounting for 41.5% of all responses.
All answers were collated into one set of responses and analyzed as one population.
We present the resulting WordPress security statistics here.
Top WordPress security statistics you need to know in 2024
- Many administrators fail to implement security best practices that address their primary concerns
- Two-factor authentication is by far the most widely adopted security measure, outpacing firewalls, which have historically been the most popular.
- Plugins are the preferred method for securing WordPress websites
- Failing to train team members on security best practices significantly increases the likelihood of a security breach
- Over half of those who never experienced a security breach do not have a recovery plan
Get more WordPress security insights
We’re still going through the survey data and will be releasing more insights from our findings. Want to stay in the loop? Subscribe to our newsletter and get:
- New survey insights as they are released
- Invitations to participate in future surveys
- Curated content on WordPress security and administration
Mismatch between concerns and best practice implementation
Although the results are in line with expectations, we did see some emerging trends and a few surprises along the way. While things seem to be moving in the right direction, there are some areas that need attention. This includes a mismatch between people’s security concerns and the steps they take to secure their websites.
These are, by and large, quick wins that can be implemented at minimal cost. Continue reading to find out what you might have been missing.
2FA for better security and compliance
When it comes to security best practices, we see a high WordPress 2FA implementation rate, with a 70% adoption rate among respondents. This places two-factor authentication as the most widely adopted security measure, outpacing firewalls, which have historically been the most popular.
While 2FA does offer increased security and is recommended by the likes of Google and Microsoft, there is still a shortfall. Consider this: most regulatory compliance frameworks and legislation require 2FA, yet only 42% of those who are concerned about regulatory compliance have 2FA in place.
Policies for stronger passwords
A similar area for improvement can be observed among those who list users with weak passwords as one of their primary concerns. While this group accounted for a significant 37% of all respondents, 41% of this group do not enforce any password policies whatsoever.
Considering how easy it is to implement such policies using a plugin like our own Melapress Login Security, this is definitely a sure-fire quick way to alleviate some of the concerns administrators feel when it comes to securing their WordPress websites.
Faster updates with auto-updates
The same pattern can be observed when it comes to auto-updates. This security best practice ensures that updates can be implemented as quickly as possible. However, only 30% of those who are concerned about a security issue with a plugin or theme have auto-updates enabled.
Implementing the necessary measures to address these concerns is an easy enough job, which indicates a possible breakdown in communications or knowledge. Next, let’s look at who is responsible for managing WordPress security among our respondents.
Security responsibilities: Where does the buck stop?
Responsibility is a big word with even bigger connotations. Understanding who is responsible for managing WordPress security can provide us with the insights we need to improve security management.
Out of all those surveyed, 45% keep the management of their WordPress security in-house, while 55% outsource it to a third party. Upon closer inspection, several key differences emerge between the two groups in how security is managed that are worth highlighting.
It shouldn’t come as a surprise that those who outsource tend to rely too heavily on the service provider to secure their site. A big reason for this seems to be unfamiliarity with security products. In fact, 57.9% of those who outsource their WordPress security management feel they are not technical enough to understand security products.
Breach recovery plans are another critical component of WordPress security. These plans provide guidance in the event of a breach incident, ensuring services can be restored as quickly as possible. They also help contain the fallout, which can often include legal action.
Here, it pays to keep everything in-house. Companies that manage their own WordPress security are significantly more likely to have a breach recovery plan, indicating better internal preparedness. In fact, those who manage their WordPress security in-house are 22% more likely to have a breach recovery plan.
While we should acknowledge that respondents who answered that they do not have a breach recovery plan might simply not be aware of it, awareness is a key aspect of a breach recovery plan. In fact, awareness of threats and risk is the foundation of risk management and good security practices.
This becomes even more important when confronted with the fact that 72% of survey respondents reported experiencing at least one security breach. We’ll cover our findings on this topic in a later section.
Teamwork makes the dream work
When it comes to security, all team members are stakeholders, regardless of whether security is managed in-house or outsourced. After all, WordPress websites, like everything else, are only as secure as their weakest link.
While the majority train their team members on security best practices, 21% do not. The repercussions of this lack of training on website security are worth noting. Compared to those who do train their teams, those who do not train their team members are 30% more likely to experience at least one security breach.
Keep in mind that outsourcing does not discharge all security responsibilities to the third party. While those who don’t train team members are 3.5x more likely to outsource to an agency, threats such as phishing remain a concern.
This can be seen in the fact that respondents who do not train employees and outsource to an agency are 13.17% more likely to experience a breach. This gap is smaller than the one observed for the entire group who do not train their employees, signaling that outsourcing to an agency does bridge the skill gap to some extent. However, it is still substantial. This tells us that, although agencies are doing their job, outsourcing WordPress security does not absolve one from training their staff.
WordPress breaches
Security breaches are more common than one might think, with 72% of respondents reporting at least one breach.
While a security breach is an alarming concern for anyone responsible for the security of WordPress websites, 32.8% of those who have experienced at least one breach still don’t have a breach recovery plan. This figure is even higher among those who never experienced a security breach, at 47.2%.
Once bitten twice shy?
We’ve also seen a correlation between preparedness and detection confidence. None of the respondents who have experienced more than one breach and do not have a recovery plan are confident they can detect a security breach. This figure rises slightly to 6.06% for those who have never experienced a security breach and do not have a security breach recovery plan. On the other hand, confidence increases when a breach recovery plan is in place.
Our data tells us that those who have a recovery plan also have detection measures in place, with activity logs being a favorite. 81% of those who have never experienced a breach but do have a recovery plan in place are confident that they can detect a breach. This figure rises to 84% and 91% for those who have experienced one breach and multiple breaches, respectively.
86% of those who use an activity log to track user logins are confident they’re able to detect a security breach.
The missing link between concerns and implemented measures
This year’s WordPress security survey statistics have shown us that there is a general awareness of security protocols, best practices, and threats. However, there is a shortfall in the implementation of measures to counter those very threats website owners and administrators are concerned about.
Considering the fact that 75% of respondents do make use of plugins, bridging this gap should not be too much of an issue. Plugins are a great way of adding functionality, including security measures, to WordPress without too much trouble.
Plugin developers have come a long way since WordPress’ early days. Companies like Melapress not only develop and support enterprise-grade plugins, but they also undergo rigorous testing ensuring performance and security issues are a thing of the past.
Looking to get ahead with your WordPress security? Here are some quick wins that you can implement to improve your security posture.
Quick-win 1: Install plugins to address primary security concerns
Plugins offer a great way to improve the security of WordPress websites. While WordPress is inherently secure, security plugins minimize risk at a very low cost. 2FA and password policy plugins, in particular, can easily be implemented without too much friction.
Quick-win 2: Security ownership
While any good business hires experts to solve the problems they can’t, oversight needs to remain with the business. This ensures that the business’ interests are kept front and center at all times.
Security can be daunting. However, you’ll find many online resources that provide a better understanding of what good WordPress security entails.
While it is not necessary for administrators and website owners to carry out the tasks themselves if they’ve hired a third party, understanding the tenets of WordPress security enables you to ask the right questions and ensure the basics are covered at all times.
More WordPress security statistics
At Melapress, we value transparency in the way we conduct our business. To this end, we wanted to share some background statistics that have not been covered in the article.
2FA is by far the most widely adopted security best practice, with 70% of all respondents confirming its implementation. This indicates an increase of 6% from last year. Password policies also enjoy widespread adoption, with 52% of survey participants adopting this security practice. It is worth noting that such policies have seen a slight decrease in popularity: in last year’s survey, 75% of survey participants acknowledged using password policies.
A significant number of participants also prioritize access restrictions, firewalls, and CAPTCHA. Other measures, such as changing the login page URL, custom roles, and automatic updates, are implemented less often.
When it comes to security implications, we see a concern bias toward immediate and more tangible threats.
Over half of all respondents indicate data theft and loss as one of their primary concerns. Financial and reputational loss trail closely behind, concerns shared by 59% of respondents, followed by website defacement at 45%.
In contrast, access to other parts of the infrastructure and loss of license and fines are less worrisome prospects, concerning 22% and 24% of participants, respectively.
The number of websites under each respondent’s purview is more or less evenly distributed across all segments. The largest percentage of respondents (23%) manage 51 or more websites, with the second largest cohort (22%) managing between two and five websites. This tallies with the number of respondents who indicated they are or form part of an agency.
Trailing close behind are those who manage between six and 15 websites, and those who manage 16 to 50 websites, at 21% and 20%, respectively. 13% manage just one WordPress website.
Plugins remain the most popular method for securing WordPress websites, with 75% using a mixture of free and premium plugins to keep their websites secure. A further 5% use a mixture of plugins and services, while 15% use nothing at all.
The largest group of administrators that do not use any plugins or services to secure their WordPress website are those who manage just one website, at 38%. On the other hand, the group least likely to use no plugins or services at all are those who manage between six and 15 websites, at just 8%.
At 74%, a significant majority of respondents possess an intermediate level of WordPress security knowledge, indicating familiarity with several technical terms. Meanwhile, 15% were able to identify more technical terms, indicating a high level of security knowledge.
In comparison, only 11% of respondents indicated familiarity with very few or basic terms.
Overall, the results suggest a well-informed and highly technical audience with some room for improvement in understanding relevant, technical terms.
The Melapress WordPress Security Survey has been running for 3 years straight. Over this time, the survey has evolved and matured to become what you see today. Even so, we’re fully committed to its continued improvement for many years to come.
If you would like to view previous years’ results, click the links below.
Results from the 2023 WordPress Security Survey
Results from the 2022 WordPress Security Survey