If you are confused about whether WordPress is handling security well or poorly, you are not alone. A new study from WP Engine “of 1,700+ digital leaders” found that it was seen as one of the benefits:

And disadvantages:

WP Engine suggests that there was a perception gap and the mistaken group is those thinking it is insecure:

However, WordPress is already recognized for its security (38-47%), suggesting a perception gap that could be addressed with better education on enterprise-grade security features, managed hosting, and compliance capabilities.

Their solution sounds awfully like it is just promoting their hosting services.

The confusion seems very warranted. As it is common for WordPress security providers to downplay WordPress’ very real security problems in one situation while in another moment turning a fake vulnerability claim in to a “critical” issue. It is also common for misleading news stories to run hyping up minor WordPress security issues or focusing on WordPress despite the actual news being a security provider scamming their customers. While news worthy WordPress security issues receive no coverage.

Looking at WP Engine itself also helps to understand what is going on here. WP Engine has been very successful at promoting themselves at handling security well despite a long track record of the opposite.

There is a lot that could be easily done to improve the very real security problems with WordPress. The easy items include putting together a real security team (with credible leadership). Getting a security review of WordPress done. And having a method to report security issues to WordPress. These are things that WP Engine could certainly play a constructive role if they want to turn the perception of security in to reality. Or they might keep promoting themselves as being the solution to security problems they are themselves helping to create.