WordPress security survey results 2022

Last updated on September 06th, 2022 by WP White Security. Filed under WordPress Security


We recently ran a survey to get a better understanding of the state of WordPress security. The survey was open to everyone and included several WordPress security-related questions. This report details our findings.

Why this survey?

WordPress security is an essential topic on the minds of many administrators and website owners. Due to its open and iterative nature, it is not always easy to understand whether your efforts go far enough or whether there are areas that require further attention and development. This is especially true when juggling multiple things at once – as is often the case with managing WordPress websites.

To this end, we sought to get a snapshot of the state of WordPress security. While the survey does not cover all aspects, it is still enough to provide an overarching picture of general WordPress security.

How important is WordPress security to you?

The first question we asked looked at the importance of WordPress security to WordPress administrators and website owners. Unsurprisingly, the vast majority of respondents view WordPress security as essential. In fact, 96% of respondents view WordPress security as very important, while 4% of respondents see it as somewhat important.

While the vast majority view WordPress security as very important, the amount of time dedicated to securing WordPress varies considerably. We will look at these figures next.

Total time spent on security tasks

The largest group of administrators spends between one and three hours per month on security tasks, while 35% of respondents spend more than three hours. 22% spend less than one hour per month. While this is the minority, it still represents a considerable percentage of all respondents.

One important thing to note here is that the time spent on security tasks tends to vary over time. Typically, substantial time is spent during the initial setup. Once everything is up and running, less time is generally spent on security-related tasks, with a few hours per month enough to cover ongoing maintenance. The size and complexity of the websites can also play a considerable role in how much time is spent.

WordPress hardening and best practices

WordPress hardening is a best practice process that aims to reduce the attack surface of WordPress websites. No agreed-upon standard defines what goes into a hardening exercise; however, this typically involves activities such as restricting the REST API and disabling the file editor, among other things.

When we asked respondents whether they had ever undertaken any such WordPress security hardening exercise, the vast majority (85%) replied that they had. 28% manually hardened their WordPress website, while 26% used a plugin or service. 31% used a plugin and carried out manual processes. Only 15% of respondents did not undertake any hardening exercises.


Updates and testing

Updates are another critical aspect of WordPress security. WordPress itself, as well as plugins and themes, receive regular updates – or at least they should. Managing these updates is essential as they often include fixes for bugs and security holes present in the current (installed) version.

52% of respondents have auto-updates enabled for components that include WordPress, plugins, and themes, while 48% do not have auto-updates enabled. Of course, not enabling auto-updates is not necessarily a security risk since many administrators opt to test updates before rolling them out to the live environment.

In fact, 25% of respondents always test updates in a test or staging environment, while 26% only test major updates. Furthermore, 32% of surveyed administrators sometimes test updates, while 17% never test updates – regardless of the impact they might have on their websites.

Updates strategy

While both WordPress auto-updates and update testing have their merits, the strategy one uses may depend on the environment. A high-stakes eCommerce website may want to test updates before rolling them out, as an outage may mean a loss of revenue. On the other hand, a website owner who prefers to be hands-off as much as possible may switch on auto-updates to keep their website secure without having to actively manage it all that much.

As such, we thought it would be interesting to see what overall strategy administrators employ when it comes to updates.

| Auto-updates and testing | Percentage |
| --- | --- |
| Auto-updates enabled and sometimes tests updates | 19% |
| Auto-updates disabled and always tests updates | 16% |
| Auto-updates disabled and only tests major updates | 15% |
| Auto-updates disabled and sometimes tests updates | 13% |
| Auto-updates enabled and never tests updates | 13% |
| Auto-updates enabled and only tests major updates | 11% |
| Auto-updates enabled and always tests updates | 9% |
| Auto-updates disabled and never tests updates | 4% |

While the majority of people have some form of auto-updates enabled, many administrators still carry out some form of testing before deploying updates to their live environment. In fact, only 17% of all respondents never test updates.

Security plugin usage

Survey participants were also asked about their usage of security plugins. A particular focus was placed on firewalls, 2FA, WordPress activity logs, and password security plugins.

The vast majority of respondents have a firewall plugin installed in their environments, with 81% stating they have one or more installed. Conversely, 19% do not have any firewall plugins installed.

2FA is not as popular as firewalls, despite companies like Microsoft and Google rallying behind this more secure way of logging in to WordPress. In fact, only 64% of respondents use 2FA on their website, while 36% do not.

Activity log plugins are just as popular as 2FA plugins, with 65% of respondents using one.

When it comes to password security, 38% of respondents trust their users to use secure WordPress passwords. On the other hand, 40% use a WordPress password security plugin, while 22% are considering using one.

Top plugins


| Top three firewall plugins | Top three 2FA plugins | Top three activity log plugins |
| --- | --- | --- |
| Wordfence - 49% | Wordfence - 25% | WP Activity Log - 42% |
| Sucuri - 7% | WP 2FA - 22% | Simple History - 7% |
| iThemes Security - 2.5% | iThemes - 2.5% | Activity Log - 7% |

Drawing conclusions and a way forward

The results show strong interest in WordPress security, which is encouraging. Equally, many administrators and website owners are taking action to ensure their websites are secure. Yet, some work still needs to be done.

While 2FA, in one shape or another, has been around for quite some time, it still needs to catch up. Firewall plugins continue to enjoy massive popularity, and as good as they are, they cannot protect WordPress websites from credential breaches. This makes 2FA plugins essential to the overall security of WordPress websites.

It has to be said that this is but a snapshot of how WordPress administrators and website owners view security. It is also important to note that the questions in this survey cover but the basics of WordPress security. If you’re serious about protecting your websites, make sure you follow our blog, where we cover numerous topics on WordPress security.

One comment

Alan Jacobs 27/09/2022

Hi, Interesting but I can’t agree with your conclusion regarding 2FA. In my experience running membership sites, introducing 2FA, when compulsory, is a disaster. It immediately loses a large percentage of your members. They simply will not accept the added friction. Even when people do have mobile phones they do not always have them handy when viewing the website.
I think the move to using biometrics such as Face, Fingerprint or PIN is much better. Yes, there is an overhead in setting it up, but once done the user no longer needs to remember their password or use a password manager (also very good, but again a really hard sell to users) for day-to-day interactions.
iThemes is now offering this login mechanism, hopefully more platforms do too.
Basically the permanent logon for Facebook is the only reason they are so successful. There is just no friction for users, who overlook the associated security issues.
Regards
Alan
