32 WordPress Experts Predict the Future of WordPress Security
That’s the number of hack attempts made on WordPress sites EVERY SINGLE MINUTE!
With every new mass malware attack, the entire community goes into panic mode.
Everyone has the same question: where is security really headed in the WordPress ecosystem?
So, we decided to check directly with WordPress experts on what the future holds in terms of security for WordPress.
Let’s take a peek into the future with these WordPress Security sorcerers:
“WordPress operators will realize that “security” is an end-to-end challenge, not something that can be solved with individual solutions alone. Each piece does matter — 2FA, security plugins, network-level protection, WAFs, DDoS blockers, hosting platforms — but without a comprehensive plan, there will be critical holes. For example, most companies don’t think about social engineering like attackers impersonating customers on the phone, or the prevalence of invisible snooping over Wifi networks.”
“One of the biggest changes coming to WordPress is GDPR. While it is focused on privacy, it will have, I hope, a serious positive impact on security. As WordPress embraces the GDPR, it will help developers make sure that their plugins don’t hold on to data any longer than necessary. It will help site owners be more explicit up front about what they’ll do with the data they capture, and as a result, will also capture less personal data.”
“Employing best security practices as a user can go a long way. Keeping plugins, themes, and core up to date is probably one of the most important things. As well as changing your WordPress login URL, using complex passwords, two-factor authentication, etc.”
“We developers should also continue raising awareness and keep on improving our products. We have the responsibility to bridge the gap – WordPress website owners do not need to be security experts to protect their websites. So in 2018, we will certainly see easier to use plugins and services and more people adopting security solutions, resulting in more secure WordPress websites!”
“For most people, your website is one of your most important assets and it’s time people take their website security very seriously. Security for a WP site is much more than preventing the wrong people from logging into your website. As WordPress continues to gain market share it will become more crucial to have comprehensive security in place that involves known good backups paired with a tool that will proactively keep your site safe and secure.”
“A few things are about to happen in the WordPress world that have the potential to increase security concerns. Gutenberg will bring new code to WordPress. It uses the REST API which adds a new layer of code that can introduce new risks. Drag and drop builders, which increasingly have more features, continue to gain prominence. This means fewer third-party plugins will be used to add those features. As some areas of WordPress become more secure, other areas are opening up security concerns. Site owners, developers, and hosts will need to update quickly and often to protect themselves.”
“WordPress is becoming more and more popular and as more people enter the world of blogging it’s likely that security issues are going to grow. However, a lot of that can be mitigated with education by showing people the right way to take care of their WordPress site from day #1 which is often missed. Often basic things like keeping core, plugins and themes updated are ignored and I’m sure some of the other experts in this roundup are guilty of that.”
“In the recent Pagely survey of the biggest pain points for WordPress users, security came in at the second position, with 41% of respondents considering it a major issue. This shows wide awareness of the problems associated with WordPress security. At the same time, with our own experience running MalCare, we do see that while there is a clear desire for better security, it remains a challenge for most. There is no silver bullet you can use to solve all your security needs, but rather you need to do many things correctly. Also, it is not a one-time process but an ongoing effort.”
“I’m hopeful that awareness and understanding of security in and around the WordPress space will grow in the coming years. I think WordPress is in a good place overall security-wise, with regular security patches and easy and default auto-updating. But the need for users and administrators to stay current, safeguard privacy, and stay aware of new threats is as real as ever. The GDPR coming into effect has made a lot of people aware of the privacy issues, whether in Europe or outside of it. And I hope that interest expands out into serious considerations of security of sites they administer and services they use.”
“I think with the community support behind it, WordPress stands a much better chance to come out as a better open source script than others with all the new cybersecurity threats that come its way. I also predict that more companies will jump into the WordPress handsfree management space where they’ll take care of managing the WordPress sites and their security for you. It’s a growing niche and rightly so.”
“I see the future of security for WP sites is much like mobile first web design, we need security first implementations rolled out before the site is even built. Requiring SSL by default and not giving the site owner the option of doing it or not. Forcing security patches on the sites that web hosts are hosting and not waiting for the site owner to run an update that could affect the entire server and all the sites hosted on it. Best practices for security need to be rolled out automatically to users’ sites.”
“In my mind, the future of security for WordPress is a platform. We’ve already seen this growth and evolution in the enterprise with the rise in managed hosting solutions and platform offers that combine regular maintenance with the kind of development support needed for large, bespoke builds. We are starting to see this scaling down so that this thinking is now baked into the type of shared hosting and cloud solutions more common for solopreneurs and small businesses. In this day and age, we can no longer afford for security to be an afterthought.”
“I think that security for WordPress sites will evolve on 2 different tracks. First, on the platform side, I think WordPress core will become more robust as more money and developers flow into the community. However, I think that attacks on plugins and themes will become more frequent and more sophisticated. As the WordPress “brand” becomes more damaged from these attacks – there will be more of a push for a vetted plugin & theme repository. It will evolve sort of like Android & the Google Play Store. This process may take a while though.”
“I think that right now the WordPress project needs to get serious about security. We should end support for PHP 5, insecure HTTP and hash passwords with a better algorithm. In addition, WordPress core should start verifying that plugin and theme download files are correct. That last one is something that is being worked on and I’m excited for.”
“The future of WordPress is likely merging with managed server hosting. Likewise, the future of security for WordPress is becoming more closely tied to managed platforms and interactive monitoring. The software can’t necessarily defend itself; you need savvy, remote parties to scan for exploits and potential infiltrations. There are a handful of players in this space already. My point is that the future will see an even stronger focus on both managed WordPress and professionally-managed security.”
“Security for WordPress has come a long way since I started Better WP Security (now iThemes Security). At the time the focus was on keeping people out without much regard to what we were keeping them out of. Today, with names like Sucuri and Sitelock in the space, we can turn from just how we keep people out to why. In the coming months and years, the question of security for WP sites will evolve to look at privacy as something just as important and this newer focus will serve to help us all.”
“Securing WordPress sites will become even more important in the future than it is now. With rapidly advancing technologies at hand like freely available libraries for building neural networks (to name just one), I believe we’ll see more advanced attacks on WordPress sites. Luckily, companies like MalCare did recognize this trend and are providing not just extensive information about increasing security on WordPress sites – but also provide services that are easy to use for users that aren’t tech-savvy.”
“The vast majority of WordPress hacks occur due to outdated WordPress versions, installing poorly developed plugins and themes, and using insecure passwords (or logging in through public networks). It’s our duty, as professional WordPress vendors, to keep educating prospects and clients on the best password and login management strategies out there.”
“In the next year or so, I can see more hosts taking an active stance in protecting WordPress installations. They have a vested interest in the security of the platform, as often they are the first to blame when WordPress gets hacked. You’ve seen it in the last few years, with acquisitions of popular security plugins in the WordPress’ space. I can see in the next year and beyond more hosts having dedicated WordPress plugins to aid security on their servers, contributing patches to the core as well as other awareness activities such as talking at conferences and training workshops. This can only be a good thing for the WordPress community.”
“Data = Gold. People and organizations are investing more and more in acquiring data. It informs their business models and decisions. Those with malicious intent, who make profits on stealing data and hacking websites, are getting more sophisticated. Opportunities to profit from stolen data and the tools to support them are growing every day. I see that WordPress will continue developing with an eye toward security-first coding standards.”
“With the introduction of Gutenberg and its reactive frontend, we’ll see an increased usage of the WordPress REST API and a gradual shift from server-side logic to client-side logic. This will reveal new attack vectors on the WordPress platform and present fresh challenges that the best practices, processes, and tooling need to tackle. I expect we’ll see a transitional phase with a few hiccups before the WordPress ecosystem has adapted to this new reality.”
“Being a website owner who had been hacked in the past, I am a firm believer in website security. I’ve seen many WordPress community members and developers trying hard to release new updates and patches to solve security vulnerabilities, and we as end users need to play our part too. No matter how big or small your website is, we need to take action to fortify our base (our website).”
“Security is an increasingly crucial issue in 2018 with hackers graduating every day from courses offered on sites like Udemy. All it takes is one little hack to bring your site down or make it a zombie for the evildoers. You have to be vigilant. In addition to employing computer security software, WordPress users must stay on top of their core and plugin updates. If you are not taking care of the security of your WordPress website, then the hackers will surely win.”
“WordPress certainly has plenty of holes – the fact that people are installing plugins from unknown developers is a major security hole, regardless of any other security technology implemented. The future of security for WordPress involves automated AI tools and plugins checking for vulnerabilities, accidental or deliberate, inside other code. It’s not feasible for human site-owners to check all the code of all the plugins and themes they install, so AI will fill that gap.”
“I see the WordPress landscape has been severely affected by the many versions that it has put out in the past, and the vulnerabilities that have plagued webmasters and site owners everywhere. It’s become a big problem. Needless to say, security is a big concern for WordPress going forward and a big opportunity for security companies to take a big piece of that market. I think we’ll see many great innovations come from this which will make security not only easy to implement but effortless to maintain. You certainly cannot run a WordPress site nowadays without thinking a little bit about security, or you’ll get hacked pretty quickly.”
“We’ll continue to see more efforts to improve security by taking some of the responsibility away from website owners. As more and more people migrate to fully-managed or partially managed hosting solutions, you’ll see the shifting of server management (and therefore security at the server level) to the host. At the same time, we’ll see the implementation of tools by the website owner, such as 2FA, continue to expand as well.”
“I think generally the biggest problem in WordPress security is the complexity. Although WordPress core is a very secure product, there are still many ways in which a WordPress website can be compromised. Closing all possible points of entry takes the technical knowledge that especially beginners and casual users often don’t possess. That’s why for them security is often an overwhelming topic. Consequently, what I’d like to see are solutions that take the complexity out of it.”
“Although security exploits seem inevitable, the WP security team and the community do an excellent job of figuring out such exploits and pushing out updates as soon as possible to patch such security vulnerabilities. Most issues surrounding security for WordPress could be resolved just by keeping the core software and plugins up to date. The challenge then for WordPress security in 2018 and beyond is to make users aware and help them upgrade to the latest versions.”
“Encourage users to add a strong firewall with your security plugin. Most of the great ones do cost, but the investment is worth it. Some of us in security are seeing content injections like a unique pharma spam link or content injection code on each post and page. If you have a site with over 1000 pages, a 1000 variations of content injections kind of suck to encounter.”
“Security for WordPress is becoming a bigger and bigger issue, and this will continue for the foreseeable future. This means that everyone that uses WordPress and especially businesses need to become security aware. Having a website that is rarely if ever updated, which uses just a simple login for administrative access and that is never backed up… just doesn’t cut it anymore. Modern-day WordPress websites need to incorporate cutting-edge security measures.”
“Security for WordPress will continue to be of high priority to WordPress webmasters; however, with improvements to the WP update system and more and more bespoke security plugins and services available, the amount of time and resources needed to keep a WordPress site secure will be reduced. However, even with software improvements, best practice will still remain important in the future, such as using strong passwords, renaming admin accounts, using SSL, removing old user accounts and keeping software up-to-date.”
“Security for WordPress is becoming hard these days due to the affordability of cloud hosting solutions and one-click WordPress installations some of these come with. I think WordPress should encourage its users to opt for cloud hosting rather than recommending shared hosts like Bluehost as their recommended hosting provider.”
“Website security is one of the most concerned topics for a web developer especially agencies like TechAbout. For WordPress users, it must be very serious. There are thousands of plugins and themes available in the market and any of these can be vulnerable to your site. So, to protect the WordPress sites, we should follow the best practices and take strict measures to make your sites unhackable. I see more secure WordPress sites in the future.”
Website security today is of paramount concern. The experts think the future is bright, that no matter how hackers evolve, the community is committed to keeping the platform secure. Website owners have a role to play in using the best security practices or using pre-configured WordPress security solutions.
Thank You Experts
We’d like to thank all WordPress influencers who took the time to contribute to this roundup. Now it’s your turn. Share this roundup with your friends who are concerned about the future of WordPress security.
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.