We recently conducted a survey to better understand the state of WordPress security. The survey was open to everyone and included several questions related to WordPress security. This report details our findings.
Why this survey?
WordPress security is a top topic on the minds of many website administrators and owners. Due to its open and iterative nature, it’s not always easy to understand if your efforts are going far enough or if there are areas that need further attention and development. This is especially true when juggling multiple things at once, as is often the case with managing WordPress websites.
To that end, we sought to obtain a snapshot of the security status of WordPress websites. Although the survey does not cover every aspect, it is sufficient to provide an overall picture of general WordPress security.
How important is WordPress security to you?
The first question we asked was about the importance of WordPress security for WordPress admins and website owners. Unsurprisingly, the vast majority of respondents consider WordPress security to be essential. In fact, 96% of respondents rate WordPress security as very important, while 4% of respondents rate it as somewhat important.
While the vast majority consider WordPress security to be very important, the amount of time spent securing WordPress varies widely. We look at those numbers next.
Total time spent on security tasks
The largest share of administrators spend between one and three hours per month on security tasks, while 35% of respondents spend more than three hours. 22% spend less than an hour per month. Although this is a minority, it still represents a considerable percentage of all respondents.
One important thing to note here is that the time spent on security tasks tends to vary over time. Typically, considerable time is spent on the initial setup. Once everything is up and running, less time is needed for security-related tasks, with a few hours per month usually sufficient to cover ongoing maintenance. The size and complexity of the websites involved can also play a huge role in the time spent.
WordPress hardening and best practices
WordPress hardening is a best-practice process that aims to reduce the attack surface of WordPress websites. No agreed standard defines what a hardening exercise includes; however, it usually involves activities such as restricting the REST API and disabling the file editor, among others.
When we asked respondents whether they had ever undertaken such a WordPress security hardening exercise, the vast majority, 85%, said yes. 28% hardened their WordPress website manually, while 26% used a plugin or service. 31% used a plugin and also performed manual steps. Only 15% of respondents did not undertake any hardening exercise.
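As an added illustration (not code from the survey or from WP White Security), the two hardening activities named above can be applied with a must-use plugin like the one below. The `DISALLOW_FILE_EDIT` constant and the `rest_authentication_errors` filter are WordPress core APIs; the plugin file name and location are assumptions.

```php
<?php
/**
 * Plugin Name: Example hardening mu-plugin
 * Description: Illustrative hardening snippet (added example, not WP White Security code).
 * Install path (assumed): wp-content/mu-plugins/example-hardening.php
 */

// Hardening step 1: disable the theme and plugin file editor in the dashboard.
// This constant is usually set in wp-config.php; defining it here has the same
// effect as long as nothing defined it earlier in the bootstrap.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Hardening step 2: require an authenticated user for every REST API request,
// so unauthenticated clients cannot query /wp-json/ endpoints.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler already allowed or denied the request.
    if ( null !== $result ) {
        return $result;
    }

    // No logged-in user: deny with HTTP 401 and a WP_Error the REST server
    // turns into a JSON error response.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }

    // Logged-in user: returning null lets the request proceed.
    return $result;
} );
```

Check after enabling it that any plugin relying on anonymous REST access (public forms, headless front ends, some page builders) still works; if it does not, narrow the filter to the routes you want to restrict instead of blocking everything.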
Updates and testing
Another critical aspect of WordPress security is updates. WordPress itself, as well as plugins and themes, receive regular updates – or at least they should. Managing these updates is critical as they often include fixes for bugs and security vulnerabilities present in the current (installed) version.
52% of respondents have enabled automatic updates for components that include WordPress, plugins, and themes, while 48% have not enabled automatic updates. Of course, not enabling automatic updates is not necessarily a security risk, as many administrators choose to test updates before deploying them to the live environment.
In fact, 25% of respondents always test updates in a testing or staging environment, while 26% only test major updates. Additionally, 32% of admins surveyed sometimes test updates, while 17% never test updates, regardless of the impact they might have on their websites.
While WordPress auto-updates and update testing have their merits, the strategy used may depend on the environment. A high-stakes e-commerce website may want to test updates before rolling them out, as an outage can mean lost revenue. On the other hand, a website owner who prefers not to intervene as much as possible can enable automatic updates to keep their website secure without having to actively manage it.
As such, we thought it would be interesting to see what overall strategy admins are using when it comes to updates.
| Automatic updates and testing | Percentage |
| --- | --- |
| Automatic updates enabled and sometimes tests updates | 19 |
| Automatic updates disabled and always tests updates | 16 |
| Automatic updates disabled and only tests major updates | 15 |
| Automatic updates disabled and sometimes tests updates | 13 |
| Automatic updates enabled and never tests updates | 13 |
| Automatic updates enabled and only tests major updates | 11 |
| Automatic updates enabled and always tests updates | 9 |
| Automatic updates disabled and never tests updates | 4 |
While the majority of people have some form of automatic updates enabled, many administrators still perform some form of testing before deploying updates to their live environment. In fact, only 17% of all respondents never test updates.
Use of security plugins
Survey participants were also asked about their use of security plugins. Special emphasis was placed on firewall, 2FA, activity log and password security plugins.
The vast majority of respondents have a firewall plugin installed in their environment, with 81% saying they have one or more installed. Conversely, 19% have no firewall plugin installed.
2FA isn’t as popular as firewalls, despite companies like Microsoft and Google embracing this more secure way of logging in. In fact, only 64% of respondents use 2FA on their website, while 36% do not.
Activity log plugins are just as popular as 2FA plugins, with 65% of respondents using one.
When it comes to password security, 38% of respondents trust their users to use secure WordPress passwords. On the other hand, 40% use a WordPress password security plugin, while 22% plan to use one.
| Top three firewall plugins | Top three 2FA plugins | Top three activity log plugins |
| --- | --- | --- |
| Wordfence – 49% | Wordfence – 25% | WP Activity Log – 42% |
| Sucuri – 7% | WP 2FA – 22% | Simple History – 7% |
| iThemes Security – 2.5% | iThemes – 2.5% | Activity Log – 7% |
Drawing conclusions and the way forward
The results show a strong interest in WordPress security, which is encouraging. Likewise, many website administrators and owners take steps to ensure the security of their websites. Yet there is still work to be done.
While 2FA in one form or another has been around for a while, its adoption still lags behind. Firewall plugins continue to enjoy massive popularity, but no matter how good they are, they cannot protect WordPress websites from stolen or leaked credentials. This makes 2FA plugins essential to the overall security of WordPress websites.
It must be said that this is just an overview of how WordPress administrators and website owners view security. It is also important to note that the questions in this survey only cover the basics of WordPress security. If you are serious about protecting your websites, be sure to follow our blog, where we cover many WordPress security topics.
The post WordPress 2022 security survey results appeared first on WP White Security.
This is a Security Bloggers Network syndicated blog from WP White Security, written by WP White Security. Read the original post at: https://www.wpwhitesecurity.com/wordpress-security-survey-results-2022/