WordPress is the most popular content management system on the planet: 27% of all websites are built on WordPress. But does WordPress have security issues? Let’s talk about website security and eight practices to make WordPress secure for a credit union website.

People often judge a credit union by its website. Your website is your biggest branch and most frequent touch point with members. If your website gets hacked, relationships will be compromised. For these reasons, choosing a secure content management system is extremely important.

There are many CMS alternatives. At the forefront of these alternatives is WordPress because it’s 10 times more popular than any other CMS on the planet (source: w3techs.com). Compared to other CMSs, WordPress has the most plugins, themes and developers, as well as the largest community of users helping users. But does the popularity of WordPress come at a price? Does popularity also mean more hackers and vulnerabilities?

Is WordPress Secure?

The question, “Is WordPress secure?” is actually somewhat misleading. That’s like asking, “Is the Microsoft Windows operating system secure?”

Microsoft Windows is the most popular operating system in the world. Microsoft has done its part to make the Windows system secure, but some people use PCs insecurely. Ultimately, the security of a PC is determined by the user, not Microsoft. If you protect your operating system, it will be secure.

Similarly, WordPress is the most popular content management system on the planet for many good reasons. Its popularity means there are some people who use it insecurely. So yes, a WordPress site can have security issues, but that does not mean all WordPress sites are inevitably insecure. Nor does it mean that the WordPress system is insecure. For example, Boxeldercu.com is a 2016 CUNA Diamond Award-Winning website and it’s built on WordPress; it’s a very secure website. (You can read about Box Elder’s website on bloomcu.com.)

At its core, WordPress is extremely secure (see wordpress.org/about/security). In fact, when compared to competitors, WordPress is probably the most secure content management system on earth. While the popularity of WordPress does mean more people are trying to hack it, WordPress has been remarkably successful at resisting attacks. If you study the history of WordPress security, you’ll see that WordPress software is NOT the security issue you should be worried about (source: managewp.com/is-wordpress-secure). The security threat you should be worried about is yourself. WordPress users are the security issue, not WordPress.

The truth is, no website on earth is 100% secure, no matter what CMS it’s built on (or not built on). Yet, the popularity of WordPress yields an unmatched advantage: When threats arise, the biggest CMS community in the world works together to provide solutions, fast. Having the largest CMS community to help you resolve issues is a huge advantage WordPress has over other CMSs.

The best anyone can do to secure a website is minimize security threats by following eight practices. Below, I explain eight things you can do to make a WordPress site secure, but first let’s take a look at some brands that use WordPress.

The World’s Biggest Brands Use WordPress

27% of all websites are built on WordPress. That might seem unbelievable because there are hundreds of millions of websites in the world, but it’s true. The smart folks at W3Techs have been tracking the usage of content management systems on the web since 2011. W3Techs uses a very specific methodology to provide these numbers.

Below are some brands that use WordPress:

Walt Disney: Walt Disney is one of the most well-known brands in history. Walt Disney relies on WordPress. WordPress Website: thewaltdisneycompany.com

Glad – Don’t get mad, get Glad. I bet this brand is glad they use WordPress for their website. WordPress Website: www.glad.com

NFL: The NFL uses WordPress to share sports news and insights. WordPress Website: blogs.nfl.com

Canada: Yeah, Canada – you read that correctly. Canada uses WordPress to share news – lots of news. WordPress Website: o.canada.com

Motley Crue: If you like 80s rock music maybe you’re heard of Motley Crue. These hair-metal rockers use WordPress to share news, sell tickets and swag, and connect with fans. WordPress Website: www.motley.com

Martha Stewart: Martha Stewart uses WordPress to share content with the world. WordPress Website: www.themarthablog.com

Target: Ahhh. Target, my favorite place to shop for socks, patio decorations and canned salsa. Target uses WordPress to share content. WordPress Website: pulse.target.com

Gateway Bank: Gateway Bank uses WordPress to maintain their responsive website. It’s a beautiful WordPress website. WordPress Website: gcbaz.com

What are the chances of these brands using WordPress if it’s insecure? Answer: No chance. World-class brands have the option to use any CMS they want. They use WordPress because it’s the best CMS and it’s secure. Making WordPress safe for credit union websites is a matter of following eight security practices.

8 Practices to Make WordPress Secure for Credit Union Websites

Instead of developing a website in-house, most credit unions hire a vendor that specializes in website design and development. If a company depends on WordPress for the success of its business and clients, you can feel more confident that the company will make sure your WordPress website is secure. If you select a vendor with a history of using WordPress, they are more likely to follow the eight security practices below.

Whatever vendor you work with, make sure the eight practices below are followed.

1. Keep Your Website Updated

Each new version of WordPress brings new features and bug fixes, but also addresses known security concerns. It’s easy to forget about your website over time, but the internet changes every day and your website needs to change with it. When you skip or forget about updates, back doors open for hackers.

If you cannot stay on top of updating your website, you should find someone to manage it for you. If you use dedicated WordPress hosting, your host might update WordPress automatically, which is a helpful security feature. (For example, we host our WordPress websites on WP Engine because they specialize in WordPress hosting and automatically update WordPress sites.)

2. Host Your WordPress Website on Secure Servers

Forty-one percent of successful WordPress attacks happen because of insufficient security on hosting servers (source: wpwhitesecurity.com). Website hosting these days is very affordable, but it’s never a good idea to host your site on $5 per month servers. Never do that! Most cheap hosting services are easy targets.

Hosting on WP Engine protects our websites with many security features that give us peace of mind: Automatic WordPress updates, real-time threat detection, enterprise-grade servers and a team of professionals whose mission is to ensure my websites are never, ever compromised. WP Engine’s hosting is not the cheapest, but it’s still very affordable. Their security features are well worth the price tag.

3. Create Unique Usernames and Passwords

Eight percent of hacks occur because the front door is left wide open: hackers guess usernames and passwords with brute force attacks. A brute force attack is when a hacker uses software to repetitively guess various username and passwords until they find a winning combination. They first try common usernames and passwords. For example, if your username is “admin” and your password is “password” then your website could be hacked in a matter of seconds.

Fortunately, there is a very simple solution to prevent brute force attacks: Create unique usernames and passwords. Make your passwords strong (when you create a password in WordPress, WordPress tells you how strong it is) and don’t use easy-to-guess usernames like “admin” or “administrator.” You don’t have to create a crazy password you can never remember. Instead, consider making your password a sentence or phrase you can easily remember – include capital letters, punctuation, numbers and even spaces in your passphrase.

Here’s a nifty tool to help you create more secure passwords: howsecureismypassword.net

4. Limit Login Attempts

Limiting login attempts minimizes the risk of brute force attacks because brute force is a process-of-elimination strategy. Usually, several thousand login attempts are required for a brute force attack to succeed. Therefore, limiting login attempts makes it almost impossible for a hacker to guess your username and password.

There are several WordPress plugins that can you help you limit login attempts, but before choosing a plugin, read tip #5 below.

5. Use Trusted Third-Party Plugins Only

One allure of WordPress is the millions of seemingly wonderful plugins you can instantly install on your WordPress website. However, more than half of WordPress security breaches happen because of vulnerable plugins. Some of the most popular plugins in the WordPress community have caused widespread compromises, sometimes because plugins were outdated and other times because plugins were poorly developed.

You should only install a plugin if it meets these criteria in the WordPress Plugin Directory:

  • Last updated: Within the past three months
  • Active installs: 10,000+
  • Ratings: At least four out of five stars

To keep a plugin secure, you must always keep it up-to-date. Updating plugins is really important! Also, you should never use a plugin on WP Engine’s blacklist (“Disallowed Plugins”). We love WP Engine because it automatically removes harmful plugins and updates installed plugins as soon as updates become available.

6. Use a Premium WordPress Security Plugin

While vulnerable plugins can make your website insecure, other plugins are built to bolster security.

The plugins below can help you monitor and protect your WordPress website:


Last updated: One week ago

Active Installs: 1+ million

Ratings: 4.9 out of five stars

iThemes Security

Last updated: One week ago

Active installs: 700,000+

Ratings: 4.7 out of five stars

Sucuri Security

Last updated: One month ago

Active installs: 200,000+

Ratings: 4.6 out of five stars

BulletProof Security

Last updated: One month ago

Active installs: 100,000+

Ratings: 4.7 out of five stars

7. Back Up Your Website Every Day

Backing up a website is the ultimate disaster insurance for a site. If you back up a website, you can instantly restore an uncompromised version of the site from a previous save point. That’s why you should back up your website every single day.

Dedicated WordPress hosts like WP Engine automatically back up websites daily. If your hosting provider doesn’t provide daily website backups, here are some safe plugins you can use:



8. Use a Content Distribution Network

A content distribution network is a network of servers around the world that host and deliver your website to users. CDNs distribute the risk of a website attack across many servers. If you host your website on a CDN, an attack will only hit a single server which will immediately stop serving your site. Website traffic is then re-routed to a secure instance of your site on another server. This re-route happens so fast that no one is likely to notice a change on the website.

Our preferred WordPress host, WP Engine, offers CDN service through its partner, NetDNA. (You can also check out MaxCDN.)

Bonus: Not only does a CDN give you better security, but you’ll also get performance advantages like a faster website.

Extra Credit

In addition to the eight essentials above, you can take security even further. Here are 10 more steps you can take if you need to protect all the gold in Fort Knox.

  1. Adjust installation settings
  2. Identify and patch WordPress theme vulnerabilities
  3. Use correct file permissions
  4. Turn off PHP error reporting
  5. Protect WordPress using .htaccess
  6. Disable XML-RPC
  7. Use two-step authentication
  8. Hide your login page
  9. Remove the WordPress version number
  10. Scan your website regularly 

To learn about these extra credit security practices, read WordPress Security: The Ultimate Guide.

I did not expound on these 10 extra credit practices because there’s a cost threshold to consider. Like anything else in life, implementing security practices has benefits and costs. For example, we all might like to own Lamborghinis if they were given to us as gifts. However, we know that owning a Lambo isn’t completely necessary; it’s kind of overkill. Instead, if we each won $1 million in a lottery, most of us would not buy Lamborghinis. Most of us would use the money in other ways more aligned with our interests.

Similarly, executing every website security practice would certainly be a good thing, especially if someone is going to do it for free. Unfortunately, few people love website security enough to do it for free. That means implementing these extra credit security features comes with a cost. If you believe the extra cost is worth it, then eat your heart out. If I were to recommend just one of the extra credit security practices that would give you the best bang for your buck, it would be “identify and patch WordPress theme vulnerabilities.

So, is WordPress Secure for Credit Union Websites?

Yes. WordPress is very secure. Many credit union websites are built on WordPress. But a WordPress website is like any other website: Administrators must follow good security practices to keep a website safe. Therefore, a better question is, “Will YOU make your credit union website secure?”

If you follow the eight security practices explained above you’ll have one of the most secure websites in the world. Here’s a condensed security checklist to follow:

  1. Keep your website updated
  2. Host your WordPress website on secure servers
  3. Create unique usernames and passwords
  4. Limit login attempts
  5. Use trusted third-party plugins only
  6. Use a premium WordPress security plugin
  7. Back up your website every day
  8. Use a content distribution network


Derik Krauss is co-founder of BloomCU. He can be reached at 844-334-3837 or derik@bloomcu.com.