A lot is happening in the WordPress world right now.
Automattic has drastically reduced its contributions to WordPress’s core. People are being banned and then unbanned from the community. The lawsuit with WP Engine still lingers in the background. And the project’s leadership is still being questioned, both quietly in DMs and more loudly in blog posts.
But while all of that brews in the background, another problem quietly persists: people think WordPress is insecure.
That perception is not new, but it is becoming more damaging. And unfortunately, the recent drop in contributor hours, visible community tensions, and negative press coverage are doing nothing to fix that narrative. If we want WordPress to remain the dominant force on the web, it’s not just the product we need to improve. We need to overhaul its public image, too.
Feeling secure ≠ Being secure
There’s a subtle but critical difference between actual security and perceived security.
Take crime in the Netherlands. Crime rates have gone down significantly over the last two decades. But if you ask people whether they feel safe, many will say “no.” Media coverage, isolated incidents, and political narratives have painted a picture that doesn’t match reality. And yet, people act on that picture, not the stats.
The same is true for WordPress. Just because people feel WordPress is insecure doesn’t mean it actually is. WordPress core is secure. It’s been hardened over the years, and significant vulnerabilities are extremely rare. But that nuance doesn’t show up in most headlines.
Why WordPress seems insecure
There are a few key reasons for this persistent perception:
- WordPress is big: With over 40% market share, WordPress is a natural target. Any security issue, even in a niche plugin, has potential reach and makes for good headlines.
- Open ecosystems are easy to scrutinize: Vulnerabilities in plugins and themes are reported publicly, often before they’re exploited. This is actually a strength, but it doesn’t always look like one.
- Security companies and plugins capitalize on fear: Some vendors frame WordPress as fundamentally insecure, only fixable if you buy their plugin or monitoring service. Fear sells.
- The media loves drama: “Another WordPress plugin vulnerability” is a recurring story. Rarely does a patch or fix get equal coverage.
As a result, even well-run, fully updated WordPress sites are tarred by association. Unfortunately, perception often beats reality in boardrooms, agency pitches, and procurement checklists.
A community that’s not helping itself
To make matters worse, the recent news from the WordPress ecosystem hasn’t helped.
- Automattic’s contributions to core have plummeted, which signals, intentionally or not, that even WordPress’s most prominent backer is backing off.
- Layoffs and contributor burnout raise questions about sustainability.
- Community drama and a high-profile lawsuit further undermine trust.
- A concerted marketing approach does not exist. The media corps “experiment” got shut down the other week, with no clear replacement.
- And, as I’ve experienced myself, contributors who challenge the status quo can find themselves sidelined.
These things combined reinforce a harmful image, whether it’s true or not: WordPress is old, chaotic, and riddled with security risks.
Time for a makeover
WordPress doesn’t just need technical improvements (because, let’s face it, it needs that too). WordPress needs a reputational makeover.
We need to tell the real story:
- WordPress core is secure and actively maintained.
- Plugin vulnerabilities are a function of openness, not carelessness.
- Transparency is a sign of strength, not weakness.
- WordPress remains the most flexible, extensible, and community-driven publishing tool on the web.
We must also show (and make sure) that this is a living, evolving platform and not something in slow decline. Let’s change the narrative, promote the wins, and invest not just in security but also in how we talk about it. Because if people don’t feel safe using WordPress, they won’t, no matter how secure it actually is.