Is WordPress Safe? Why the World's Most Popular CMS Is Actually the Most Secure Choice

I got a call from an accountancy firm in Limerick last year. "We have been hacked. It is WordPress. Everyone told us WordPress was not safe."
I asked three questions. What version of WordPress are you running? How many plugins do you have, and when did you last update them? What is your admin password? The answers: WordPress 5.8, released in 2021. Twenty-three plugins, nine of which had not been updated in over a year. The admin password was the firm's name followed by 123.
WordPress did not fail that business. Everything around it did.
The Headline WordPress Cannot Shake
"WordPress gets hacked a lot." You have heard it. Your IT-savvy nephew has said it. Some web designer trying to sell you a Squarespace site has definitely said it.
Here is what that claim is actually based on. Sucuri, one of the largest website security firms in the world, reported that WordPress accounted for the vast majority of CMS-related infections they cleaned in 2024, somewhere around 96%. That sounds damning until you remember that WordPress powers approximately 43% of every website on the internet, according to W3Techs. It is not just the most popular CMS. It is the most popular website platform, full stop.
Saying WordPress gets hacked the most is like saying Toyotas are involved in the most road accidents when Toyota sells the most cars. The number tells you about market share, not about engineering.
That Limerick firm? They showed up in those statistics. Not because WordPress failed, but because nobody was managing their WordPress.
Where the Vulnerabilities Actually Live
Patchstack, which operates the largest WordPress bug bounty programme in the world, published their annual security report covering 2024. The findings are stark. Around 96% of all WordPress ecosystem vulnerabilities were found in third-party plugins. About 4% were in themes. And WordPress core itself? Seven vulnerabilities across the entire year, none severe enough to pose a widespread risk.
Seven. In a platform used by nearly half the internet.
The WordPress Security Team, as documented on wordpress.org, consists of over 50 trusted experts including lead developers and security researchers. They work with HackerOne for responsible disclosure. They backport security fixes to older versions. And automatic security updates have been enabled by default since WordPress 3.7, which shipped back in 2013. That is over a decade of automatic patching baked into the platform.
The core is not the problem. The core is one of the most battle-tested pieces of software on the internet. When nearly half the web depends on your code, you cannot afford to be sloppy. And the WordPress team is not sloppy.
What Actually Gets Sites Hacked
Every compromised WordPress site I have investigated in twenty years of hosting infrastructure traces back to the same three causes.
Outdated plugins. A plugin that has not been updated is a door left unlocked. Patchstack found that in 2025, roughly one in five heavily exploited vulnerabilities were being actively attacked within six hours of disclosure. Six hours. That Limerick firm had nine outdated plugins. Nine unlocked doors, left open for months.
Weak credentials. Brute force attacks against WordPress login pages are among the most common attack vectors on the internet. If your password is your business name, your dog's name, or anything a human could guess in ten attempts, it is not a password. It is a welcome mat. The firm's password would have fallen to an automated attack in seconds.
Hosting with no security layer. This is the one that genuinely frustrates me. A shared hosting provider running hundreds of sites on the same server with no firewall rules, no intrusion detection, no automatic updates, and no backup verification. One compromised site on that server can cascade to every other site sharing the environment. The provider charges EUR4 a month and delivers EUR4 worth of security, which is none.
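The brute-force pattern described under weak credentials is easy to spot in a web server access log, and this is the kind of check an intrusion prevention layer runs. The sketch below is an added example, not code from WordPress, fail2ban or any hosting provider. It assumes Combined Log Format, assumes a failed login is a POST to /wp-login.php answered with 200 (a successful login redirects with 302), and uses hypothetical thresholds named after fail2ban's maxretry and findtime settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_bruteforce(lines, max_retry=5, find_time=timedelta(minutes=10)):
    """Map each offending IP to the time it reached max_retry failed logins
    inside one find_time window. Each IP's lines must be in time order.
    Assumption: failed login = POST /wp-login.php -> 200, success -> 302.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        failed = (m["method"], m["status"]) == ("POST", "200")
        if not (failed and path.endswith("/wp-login.php")):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:  # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry:
            flagged.setdefault(m["ip"], ts)  # keep the first crossing only
    return flagged

def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    row = '{} - - [06/Mar/2026:23:{:02d}:{:02d} +0000] "{} /wp-login.php HTTP/1.1" {} 512'
    burst = [row.format("203.0.113.7", 0, s, "POST", 200) for s in range(0, 40, 5)]
    slow = [row.format("198.51.100.4", m, 0, "POST", 200) for m in range(0, 60, 11)]
    owner = [row.format("192.0.2.10", 5, 0, "POST", 200),  # one mistyped password
             row.format("192.0.2.10", 5, 9, "POST", 302),  # then a good login
             row.format("192.0.2.10", 6, 0, "GET", 200)]
    return burst + slow + owner

if __name__ == "__main__":
    for ip, when in find_bruteforce(sample_log()).items():
        print(f"ban candidate {ip}: threshold reached at {when.isoformat()}")
```

With the default thresholds only the burst from 203.0.113.7 is flagged; the slow guesser at 198.51.100.4 stays under the window, which is why the window length and retry count need tuning against real traffic.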
The NCSC and Munster Technological University published a joint report in late 2025 finding that cyber resilience among Irish businesses is, in their assessment, "critically low." That is not because local firms are careless. It is because most of them are running websites on infrastructure that offers no real protection, and nobody has explained the alternative.

Who Manages Your WordPress Matters More Than Which CMS You Choose
WordPress on its own is secure. WordPress on cheap shared hosting with nobody watching is a liability. The platform is not the variable. The environment is.
On a properly managed hosting stack, WordPress becomes one of the most secure platforms you can run a business website on. The criteria are straightforward: server-level security hardening that stops threats before they reach WordPress, intrusion prevention that blocks brute force attempts automatically, automatic updates that close vulnerability windows, verified nightly backups that mean a worst-case scenario is a rollback not a rebuild, and staging environments that let you test changes before they touch production.
Web60 provides all of this on enterprise-grade Irish infrastructure for EUR60 per year. All data stays in Ireland. Security hardening, fail2ban, nightly backups, staging environments, automatic updates, all included. Not an add-on. Not a premium tier.
Picture the alternative. Your site gets compromised at 11pm on a Friday. Your host has no intrusion detection, nobody notices until a customer rings Monday morning to say your checkout page is redirecting to a pharmaceutical spam site. No verified backup to restore from. You are not restoring. You are rebuilding from scratch. Every page, every product listing, every customer testimonial. Gone.
That is not a WordPress problem. That is a hosting problem. And it is entirely avoidable.
One honest caveat: no platform is immune to zero-day vulnerabilities. Between the moment a new vulnerability is discovered and the moment a patch is deployed, there is always a window. Patchstack's data shows that window can be as short as a few hours for heavily targeted plugins. Managed hosting narrows it with automatic updates, intrusion detection, and security hardening, but does not eliminate it entirely. Anyone claiming their platform is 100% unhackable is selling fantasy. The goal is making your site harder to compromise than the thousands of unmanaged installations attackers will target first.
And I should be fair about this. If you are running a large enterprise with a dedicated security operations team, custom applications, and complex compliance requirements, bespoke infrastructure with full-time security staff genuinely makes sense. That is a different scale of operation entirely. But for the vast majority of Irish businesses, a properly managed WordPress stack delivers enterprise-grade security without the enterprise price tag.
The Security Question, Reframed
WordPress does not have a security problem. It has a reputation problem, built on years of people blaming the platform for failures that belong to outdated plugins, lazy credentials, and hosting providers who could not secure a garden shed.
The core is maintained by over 50 security experts. It patches itself automatically. It powers roughly 43% of the internet, including government sites, major publishers, and organisations far more security-conscious than any of us. If you want the complete picture of WordPress security and backup best practices, it is worth understanding just how robust the ecosystem has become when it is properly managed. A properly hardened WordPress environment with nightly backups, automatic updates, and real intrusion prevention is one of the most secure foundations any business website can sit on.
The question was never whether WordPress is safe. The question is whether the people managing your WordPress are up to the job.
Graeme Conkie founded SmartHost in 2020 and has spent years building hosting infrastructure for Irish businesses. He created Web60 after seeing the same problem repeatedly — Irish SMEs paying too much for hosting that underdelivers. He writes about WordPress infrastructure, server security, developer workflows, managed hosting strategy, and the real cost of hosting decisions for Irish business owners.
