WordPress users have a common enemy when it comes to security. Themselves.

At least that's the contention of a new survey by CodeGuard, which shows WordPress users' own lack of security knowledge may be putting their sites at risk. CodeGuard CEO David Moeller claims users aren’t up to date on security or backing up their files adequately to protect their content.

Of course, he has reason to say that: CodeGuard provides cloud-based website backup services. Still, the growing issue of security problems is hard to ignore.

Survey Says ...

WordPress is the world's leading content management system, used by about 23.5 percent of all websites, according to the latest research from W3Techs, which provides information about the usage of various types of technologies on the web.

Just recently, there has been a flurry of reports about WordPress issues, including a “SQL injection” vulnerability. Some experts say WordPress is really not any more vulnerable than other platforms, but that it is just a victim of user misuse.

Either way, security lapses open doors to hackers, malevolent employees and simple human error. “If an important file is deleted, the website is defaced or malware is injected, it's costly to recreate the initial work. All too often, businesses have to learn this the hard way,” Moeller said.

The survey polled some 503 WordPress users, including a mix of US-based businesses and bloggers.

It found that 47 percent of WordPress users only back up their websites every few months, which makes them vulnerable to cyber attacks or even their own carelessness.

While 54 percent update WordPress at least every few weeks, less than a quarter of them use a website backup plug-in. And even fewer apparently have training on how to use these tools. In addition:

  • 25 percent aren’t trained on how to use WordPress
  • 22 percent are “clueless” about WordPress backups
  • 21 percent have seen the “white screen of death” multiple times
  • 69 percent have experienced a plug-in failure following an update
  • 63 percent have deleted files that were not backed up
  • 22 percent said a backup plug-in seems “unimportant”

But while they don’t appear to be overly concerned with preventing problems, WordPress users surveyed will pay a premium to get lost information back.

Nearly a quarter would shell out “almost anything” for a complete restore, and nearly 20 percent would cough up several thousand dollars to get the job done, according to the survey.

Why So Clueless?

So why are so many WordPress users so out of touch with the realities of protecting their sites?

The problem may stem from the fact that WordPress is so easy to use. Because it’s so straightforward, it attracts users with little technical experience and low IT budgets, according to CodeGuard.

The survey emphasizes this point: nearly half of respondents do not have a website or IT manager.

Certainly not all WordPress users fall into this category. WordPress.org handles websites for numerous large entities, including CNN, Dow Jones, UPS, the New York Times and the Wall Street Journal, as well as US government websites for NASA, the Marines and the Air Force, among many others, according to a statement from Automattic, the web development company behind WordPress.

Even so, it appears from the survey that many are at risk for problems. “It is more likely that a lack of training and education, combined with a belief that hosting providers already do this for them, is the root cause for why users leave themselves unprotected,” said Moeller.

Get Smart

So what can WordPress users do to protect their sites? “It is entirely possible to run WordPress in a secure fashion,” according to the statement from Automattic.

If you are among the “clueless” contingent of WordPress users, invest in training or hire an IT manager.

WordPress also has a security white paper that can help. It outlines best practices and processes for the core software.

Perhaps the most important step in protecting your site is to recognize the importance of security. “Businesses don't seem to realize that they are financially exposed should something go wrong,” said Moeller.

“Most hosting providers do not guarantee any type of backup in their terms of service. Disaster recovery server backup taken by hosting providers is only for catastrophic server failure, not for individual customer website failure.”