We recently conducted a survey to better understand the state of WordPress security. The survey is open to everyone and includes several WordPress security-related questions. This report details our findings.
Why conduct this investigation?
WordPress security is an important topic on the minds of many administrators and website owners. Due to its open and iterative nature, it’s not always easy to understand if your efforts are far enough along, or if there are areas that need further attention and development. This is especially true when dealing with multiple things at once – as is the case with managing a WordPress site.
To do this, we’re trying to get a snapshot of the security state of WordPress. While the survey doesn’t cover everything, it’s still enough to provide an overview of overall WordPress security.
How important is WordPress security to you?
The first question we asked was about the importance of WordPress security to WordPress administrators and website owners. Not surprisingly, the vast majority of respondents consider WordPress security to be of paramount importance. In fact, 96% of respondents think WordPress security is very important, while 4% think it’s somewhat important.
While the vast majority of people consider WordPress security to be very important, the time spent securing WordPress varies widely. We’ll look at these numbers next.
Total time spent on security tasks
A larger percentage of administrators spend one to three hours per month on security tasks, while 35% of respondents spend more than three hours. 22% spend less than an hour a month. While this is a minority, it still represents a sizable percentage of all respondents.
One thing to note here is that the time spent on security tasks tends to vary over time. Usually, a lot of time is spent during the initial setup. Once everything is up and running, the time normally spent on security-related tasks is reduced and ongoing maintenance can be completed in just a few hours per month. The size and complexity of a website can also play a considerable role in how much time is spent.
WordPress Hardening and Best Practices
WordPress hardening is a best-practice process designed to reduce the attack surface of a WordPress site. There is no accepted standard defining what an intensive exercise should be; however, this typically involves activities such as restricting REST APIs and disabling file editors.
When we asked respondents if they had ever conducted any such WordPress security hardening exercises, the vast majority (85%) responded that they did. 28% manually hardened their WordPress site, while 26% used a plugin or service. 31% use plugins and perform manual processes. Only 15% of respondents did not engage in any reinforcement exercises.
Update and test
Updates are another key aspect of WordPress security. WordPress itself, as well as plugins and themes, receive regular updates — or at least they should. Managing these updates is critical, as they often include fixes for bugs and security holes that exist in the current (installed) version.
52% of respondents have auto-updates enabled for components including WordPress, plugins, and themes, while 48% do not. Of course, not enabling automatic updates is not necessarily a security risk, as many administrators choose to test updates before rolling them out to live environments.
In fact, 25% of respondents always test updates in a test or staging environment, while 26% only test major updates. Additionally, 32% of admins surveyed sometimes test updates, while 17% never test updates—regardless of the impact they might have on their site.
While both WordPress automatic updates and update testing have their advantages, the strategy used may depend on the environment. High-risk e-commerce sites may want to test the update before rolling it out, as outages could mean lost revenue. On the other hand, website owners who want to be as hands-off as possible might turn on automatic updates to keep their site secure without actively managing it.
So we thought it would be interesting to see what overall strategy admins employ when updating.
|Automatic update and testing||percentage|
|Enable automatic updates, sometimes test updates||19|
|Disable automatic updates and always test updates||16|
|Disable automatic updates and test only major updates||15|
|Disable automatic updates, sometimes test updates||13|
|Enable automatic updates, never test updates||13|
|Enable automatic updates, test only major updates||11|
|Enable automatic updates and always test updates||9|
|Automatic updates are disabled and updates are never tested||4|
While most people have some form of automatic updates enabled, many administrators still do some form of testing before deploying updates to their live environment. In fact, only 17% of respondents have never tested the update.
Use of security plugins
Survey participants were also asked about their use of security plug-ins. Pay particular attention to firewalls, 2FA, WordPress activity logs, and password security plugins.
The vast majority of respondents have firewall plug-ins installed in their environment, with 81% saying they have one or more installed. Conversely, 19% did not have any firewall plug-ins installed.
Although companies like Microsoft and Google support this more secure way to log in to WordPress, 2FA is not as popular as firewalls. In fact, only 64% of respondents use 2FA on their website, while 36% do not.
Activity log plugins are as popular as 2FA plugins, with 65% of respondents using one.
When it comes to password security, 38% of respondents trust their users to use secure WordPress passwords. On the other hand, 40% use a WordPress password security plugin, and 22% are considering using one.
|Three major firewall plug-ins||The first three 2FA plugins||Top 3 Activity Log Plugins|
|WordFence – 49%||Wordfence – 25%||WP Activity Log – 42%|
|Sukuri – 7%||WP 2FA – 22%||Simple History – 7%|
|iThemes Security – 2.5%||iThemes – 2.5%||Activity Log – 7%|
Conclusions and the way forward
The results show a strong interest in WordPress security, which is encouraging. Likewise, many administrators and website owners are taking steps to keep their websites safe. However, some work still needs to be done.
While 2FA has been around in one form or another for a while, it still needs to catch up. Firewall plugins continue to gain popularity, and as good as they are, they fail to protect WordPress sites from credential leaks. This makes 2FA plugins vital to the overall security of your WordPress site.
It has to be said that this is just a snapshot of how WordPress administrators and site owners view security. It’s also important to note that the questions in this survey only cover the basics of WordPress security. If you are serious about securing your website, be sure to follow our blog where we cover numerous topics on WordPress security.
The post WordPress 2022 Security Survey Results appeared first on WP White Security.
*** This is a security blog network syndicated blog by WP White Security by WP White Security. Read the original article: https://www.wpwhitesecurity.com/wordpress-security-survey-results-2022/