WordPress Application Security

The ultimate WordPress application security guide for WordPress CMS admins.

WordPress is awesome: it is super easy to host with a one-click install, so you can be up and running in minutes. These low barriers to entry, along with its popularity, make WordPress susceptible to mistakes and mischief.

To secure your WordPress site there is a plethora of solutions to choose from, but knowing which ones to use, how they should be configured and who should do this work is complicated.

By collating and sharing links and resources, we aim to improve WordPress application security.

  • Red links go to Reddit conversations
  • Grey links go to documentation
  • Blue links go to WordPress plugins
  • Orange links go to non-WordPress solutions

WordPress Hacked (WordPress.org): the official WordPress guide on what to do when hacked.

Hardening WordPress (WordPress.org): common vulnerabilities and things to help keep you safe.

The good stuff...

A key component to keeping your site safe is to frequently audit who you are granting access to and what privileges you grant them, using the principle of least privilege.

WordPress has default roles and capabilities, but these can also be extended by a theme or plugin, so it is good to check what your application can do in this regard. Reducing the number of users on your site reduces the risk of privilege escalation, and reducing privileges reduces the risk of users having unintended access. You could also consider the following:

  • Automatically remove, deactivate or de-privilege users based on conditions
  • Authenticate with a corporate identity linked to corporate emails
  • Remove access when a user has left the organisation
  • Do not use admin accounts to publish content
  • Do not use usernames as display names
  • Reduce users
  • Reduce privileges
  • Change the default administrator's username
WordPress User Management WordPress User Capabilities MelaPress MelaPress
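The checklist above can be turned into a report. This is an added example (not code from the guide or from any plugin it lists) written for WP-CLI's `wp eval-file`; the core-role list and the checks are assumptions matching the bullets above, and the script changes nothing.

```php
<?php
/**
 * audit-users.php: a user and role audit for the checklist above. Added
 * example, not code from the guide or from any plugin it lists. Run it from
 * the site root with WP-CLI:  wp eval-file audit-users.php
 * It only reports; nothing is changed.
 */

$core_roles = ['administrator', 'editor', 'author', 'contributor', 'subscriber'];

// 1. Roles: anything outside the five core roles was added by a theme or
//    plugin, and a role's capability count shows how much it really grants.
foreach (wp_roles()->role_objects as $name => $role) {
    $granted = count(array_filter($role->capabilities));
    $origin  = in_array($name, $core_roles, true) ? 'core' : 'theme/plugin';
    WP_CLI::log(sprintf('role %-20s %-12s %3d capabilities', $name, $origin, $granted));
}

// 2. Users: each check maps to one bullet in the list above.
$users    = get_users(['fields' => 'all']);
$findings = [];
foreach ($users as $user) {
    $issues   = [];
    $is_admin = in_array('administrator', $user->roles, true);

    if ($is_admin && $user->user_login === 'admin') {
        $issues[] = 'uses the default administrator username';
    }
    if ($user->display_name === $user->user_login) {
        $issues[] = 'display name reveals the login name';
    }
    if ($is_admin && count_user_posts($user->ID) > 0) {
        $issues[] = 'administrator account is used to publish content';
    }
    if (count($user->roles) > 1) {
        $issues[] = 'holds several roles: ' . implode(',', $user->roles);
    }
    // Capabilities granted directly to the user rather than through a role
    // (wp_capabilities meta entries that are not role names).
    $direct = array_diff_key(array_filter($user->caps), array_flip($user->roles));
    if ($direct) {
        $issues[] = 'direct capabilities: ' . implode(',', array_keys($direct));
    }
    if ($issues) {
        $findings[$user->user_login] = $issues;
    }
}

foreach ($findings as $login => $issues) {
    WP_CLI::warning($login . ': ' . implode('; ', $issues));
}
WP_CLI::success(sprintf('%d users checked, %d with findings', count($users), count($findings)));
```

Users who have left the organisation cannot be detected from WordPress data alone; compare the emails it prints against your directory or HR list.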

A key component to keeping your site safe is to frequently audit what you are uploading to your server, because, if not blocked, uploaded files can be found via the WP REST API or by search engine indexing.

  • Is any of the media sensitive or private?
  • Does any of the media contain PII?
  • Are you uploading any other non-standard file formats, like SVG?

WordPress File Uploader WordPress Media Guide

Logging user activity helps with non-repudiation, i.e. proving that a user did something they claim not to have done. It can also help with debugging, compliance and testing. There are also server logs, so it is worth checking what can be done at the OS or host level.

See the conversation

WordPress has plugins that can help.

WP Stream WP Admin Audit WP Activity Log Log Dash

Multi-factor or two-factor authentication adds an extra step to the login process so that it requires something the user knows (the password) as well as something the user has (the second factor). This makes it harder for someone who only knows the username and password to log in.

WordPress

WordPress has many plugins that offer this functionality.

WordFence WordPress MFA Plugin SolidWP AIOS Plugin WPMU Defender MFA

Limiting login attempts helps to prevent brute-force attacks, where bad actors programmatically try numerous combinations of credentials to guess passwords. This can be mitigated with a WAF (Web Application Firewall), with software on the server, with a CAPTCHA and/or with a WordPress plugin. It is a good idea to find out what your host and server are already doing in this space, too.

PatchStack Guide Fail2Ban Turnstile

Some WordPress plugins offer this functionality.

Limit Login Attempts WordFence Solid WP Loginizer

Having a password policy makes guessing passwords, or using passwords obtained from data dumps, harder for both humans and computers. You might want passwords that are easy to remember but difficult to guess, or simply passwords that are difficult to guess.

WordPress.org Guide WordPress.org Advanced Guide
See the conversation

You can set password policies in some WordPress plugins.

"I change ALL 300+ passwords twice a year"

"Every password I have is at least 128 characters long with the usual numbers, symbols etc. Not all sites and systems allow this, though, so there are some tweaks. I don't allow simple passwords and will check passwords against known breaches via Wordfence/other plugins."

"Have used Wordfence for some time, and even its default defences are robust"

Solid WP Mini Orange WordFence

You may need a password manager, too, and you may or may not want it backed up and synced in the cloud.

"If 'the cloud' is a worry for some reason with bitwarden, you can self-host it officially - not to be confused with vaultwarden"

KeePass 1Password EnPass BitWarden BitWarden Self Hosted

This area covers a wide range of overlapping work; check the section on scanning too, as many aspects there also overlap.

You can attempt to find vulnerabilities in your application through penetration testing. This varies in scope and method, from as little as an automated scanner with an automated report right through to full-time teams continually trying to gain access, both with and without prior information about, or access to, your systems and code. It is wise to consider who will do the work and how it will be done. You might also want to consider using themes and plugins that have already had this work done.

Crest WordFence NCSC

There are bug bounty programmes for both the WordPress CMS and Automattic plugins, and some other plugins and themes may have bug bounty programmes too. These programmes encourage people to find and, in turn, fix vulnerabilities in software. It may be worth considering whether such a programme would benefit your application, or whether you should use themes and plugins that participate in one.

Make WordPress WordFence PatchStack HackerOne

Similar to bug bounties and pen tests, code can be reviewed and audited by individuals, companies or software to help identify issues or vulnerabilities in your theme, plugins or integrations.

WordPress Plugin Checker PatchStack Audit

It is a good idea to scan your application for malware and known vulnerabilities; this can be done with plugins, applications and online web scanners. Your host may already be doing this for you, so it is a good idea to look into that first.

Malware scanning is a process that detects malicious software on a system; there are various WordPress plugins that can help with this.

MalCare JetPack Scan AIOS WordFence CleanTalk Ninja Quttera

An external scan, such as the WPScan CLI tool or Imunify360, can be run from a separate computer or server. This is helpful because some malware can stop a plugin or the application itself from working effectively.

"If you have multiple sites I think it can get very expensive easily. I decided to get Imunify360 and it has been good so far: it will try to patch the sites and also clean the sites if infected. I really like it"

WPScan Qualys Clam AV Imunify 360 Quttera Google Search Console

An external scan can also be run from a third-party online website.

Hacker Target Sucuri isitWP

If you find malware you will need to remove it and then fix the root cause. You might be able to do this with a plugin or two, as well as some help from your host, or you may need expert help from a sysadmin or a WordPress security expert. How you fix the issue will depend on your setup, access and skill set, as well as on the root cause and the remediation required. You may need to set up a new, clean server and rebuild everything from clean sources.

See the conversation
WordPress Guide: Remove the Malware WordPress Guide: Fix the root cause

Some WordPress plugins can check the integrity of core and plugin files, as well as look for suspicious or modified files. Some users like to run multiple tools, as some tools can find issues that others cannot.

WordFence GOT MLS JetPack

Some companies offer services to scan for and remove malware on your behalf; some hosts will do this for you too.

MalCare Sucuri

When you set a password, WordPress mixes it with a salt to generate a hash, and only that hash is stored in the database; when you log in, the password you submit is hashed the same way and compared with the stored hash, so WordPress never keeps your plain-text password. This means that if the database is obtained by a bad actor they do not have the plain-text versions of your users' passwords.

Key Generator SaltShaker Wiki Salt Wiki Hash Wiki Key Mela

WordPress was originally built as a blogging platform, so it comes with commenting functionality built in; however, many WordPress websites are not blogs and do not use comments, so you may wish to disable these functions.

If you are running a blog you may wish to review the settings to make sure they work for your site. Spam can be relentless if not effectively managed, and unnecessary accounts pose a risk of privilege escalation. Consider the following...

  • block comments containing certain keywords
  • queue comments containing links
  • verify email addresses before allowing comments
  • require commenters to have an account
  • close comments on old posts
  • approve all comments before publishing
  • disable pingbacks

WordPress Settings AntiSpam Bee Honeypot Akismet Oopspam

WordPress can send emails, but reliably sending emails is a complicated matter. You might want to consider how emails are sent to improve the chances of delivery and to avoid block lists. There are also many security protocols around email sending, so there is a lot to read.

  • Do your emails contain sensitive data?
  • Do your emails contain crucial updates?
  • Is a form plugin emailing you a customer's PII?

See the conversation
PHP Mail in WordPress WP Mail SMTP Wiki SPF Wiki DMARC Wiki DKIM MX Tool Box Debouncer

WordPress has many public REST API endpoints; you should check that you are happy with their default configuration.

WordPress Rest API Handbook

When an image is uploaded to the WordPress media library, that information can often be accessed by the public using the WordPress media API. You should consider reviewing your media or disabling access to help ensure no data is unintentionally exposed.

WordPress Media Rest API

The WordPress API allows for username enumeration. WordPress considers the username to be public, but many users may wish to hide this information from the public.

See the conversation
WordPress Users Rest API

This core API (XML-RPC) was introduced to enable third-party apps to integrate with WordPress. Unless it is required, many recommend disabling access.

WordPress XMLRPC XML-RPC Guide WP Beginner
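The media, username and XML-RPC points above can be handled together in one must-use plugin. This is an added example, not code from the guide or from any plugin it lists; the route prefixes and the decision to hide the routes only from logged-out visitors are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict public REST routes and disable XML-RPC
 * Drop this file into wp-content/mu-plugins/ so it loads before other plugins.
 * Added example for the REST API, media, username and XML-RPC sections above;
 * not code from the guide or from any plugin it lists.
 */

// 1. Hide the users and media routes from anyone who is not logged in.
//    Editors working in wp-admin (block editor, media library) are logged in
//    and keep full access; anonymous visitors get a 404 "rest_no_route".
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    // Route keys look like '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)',
    // '/wp/v2/users/me', '/wp/v2/media', ... so a prefix match covers them all.
    $private_prefixes = ['/wp/v2/users', '/wp/v2/media'];
    foreach (array_keys($endpoints) as $route) {
        foreach ($private_prefixes as $prefix) {
            if (strpos($route, $prefix) === 0) {
                unset($endpoints[$route]);
            }
        }
    }
    return $endpoints;
});

// 2. Disable XML-RPC unless an integration (a mobile app, Jetpack) needs it.
//    This filter refuses every XML-RPC method that requires a login; anonymous
//    methods such as pingback.ping still answer, so remove that one as well.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping']);
    return $methods;
});

// 3. Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
```

Test the public front end afterwards: a theme or plugin that fetches /wp/v2/media from a logged-out page (a gallery, a headless build) will break and needs an exception, and if nothing needs xmlrpc.php at all, denying it at the web server is the more complete fix.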

Debugging tools can be used to show detailed information about errors, but you will want to make sure debugging output is not available to the public in a production environment.

WordPress Debugging Query Monitor

Many WordPress sites add form plugins. Forms can be a fantastic tool, but they can also be used to send malicious content or files to a server, so extra care must be taken.

  • Is the input data sanitised?
  • Is the input data sensitive or PII?
  • Is the user uploading files?
  • ... if so, where to, what type of files, how big, and are they safe file types?
  • Is the data being sent in plain text via email?
  • Is the data being stored in your database?
  • Can anyone fill out the form, or should the user be logged in?
  • Do you need a CAPTCHA?
  • Do you need a honeypot?
  • Can this be a third-party tool, embedded?

Honey Pot Gravity Forms WPForms Contact Form 7

Some users like to be able to edit files via WordPress; however, this can lead to your site being broken. WordPress advises against enabling file editing.

WordPress File Editing

The core CMS, and themes and plugins from the WordPress repository, can be set to auto-update; this is a hot topic. Some prefer to auto-update, as many plugin-related security fixes are then applied automatically without the need to log in. Others think the risk of an updated plugin breaking the site is the bigger risk. Either way, you will want to decide what is best for you and your situation. Many people like to take backups and test any changes in a test environment before they are released to production.

See the conversation See the conversation
WordPress Updates
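The debugging, file-editing and update decisions above all live in wp-config.php. The fragment below is an added example, not from the guide: it shows the setting each section warns about in a comment beside the production value, and assumes WordPress 5.5+ (for WP_ENVIRONMENT_TYPE) and a placeholder log directory outside the web root.

```php
<?php
// wp-config.php fragment: added example for the debugging, file-editing and
// update sections above, not from the guide. Each setting is shown with the
// value the guide warns about in the comment beside the production value.
// Assumes WordPress 5.5+ (WP_ENVIRONMENT_TYPE) and that /var/log/wordpress
// (placeholder path, outside the web root) is writable by PHP.

define('WP_ENVIRONMENT_TYPE', 'production');   // 'staging' or 'development' elsewhere

if (WP_ENVIRONMENT_TYPE === 'production') {
    // Debugging off and, above all, never rendered to visitors: an error page
    // with WP_DEBUG_DISPLAY=true shows file paths, queries and plugin versions.
    define('WP_DEBUG', false);
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('display_errors', '0');
} else {
    // Non-production: log errors to a file outside the web root. The default
    // WP_DEBUG_LOG=true writes wp-content/debug.log, which is publicly readable.
    define('WP_DEBUG', true);
    define('WP_DEBUG_DISPLAY', false);
    define('WP_DEBUG_LOG', '/var/log/wordpress/debug.log');
    define('SCRIPT_DEBUG', true);
}

// File editing: removes the theme and plugin editors from wp-admin, so an
// administrator login can no longer change PHP files through the dashboard.
define('DISALLOW_FILE_EDIT', true);

// If code is deployed from version control, also block installing and updating
// plugins/themes through wp-admin. This switches off automatic updates too, so
// only enable it where the deployment pipeline applies updates instead.
// define('DISALLOW_FILE_MODS', true);

// Updates: core minor (security/maintenance) releases apply on their own;
// true would also apply major releases, false switches core auto-updates off.
// Plugin and theme auto-updates are chosen per item under wp-admin > Plugins.
define('WP_AUTO_UPDATE_CORE', 'minor');
```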

Consider deactivating and removing all unused themes and plugins.

See the conversation

Firewalls can monitor, filter and block traffic between end users and your application; they can be added at the network, host or application level. You may already be using a solution that provides some protection, so consider what you already have in place. There are pros and cons to each combination, so think about what is right for you and your users.

"If you don't use a waf you're doing it wrong"

See the conversation Wikipedia - WAF

A DNS-level firewall will help stop malicious activity reaching your server in the first place, potentially taking some of the pressure off your host and application.

"The benefit of using cloudflare is that their WAF doesn't use your servers resources. A simple way to take down a web server is to flood it with traffic."

A popular DNS WAF solution is Cloudflare; it is widely used and has a free plan. Some managed hosts also offer a DNS WAF as part of their product offering, so it would be wise to see if your host is helping too.

"I'm using Cloudflare for many sites, and am a fan of the service. It's nice that it blocks so many bots and other nasty crap before it even touches the web server. Unfortunately, not everyone wants to, or can give up control of their DNS to Cloudflare. We have a lot of banks and hospitals as clients who it's not a good fit for."

CloudFlare Sucuri Akamai Fastly CloudFront Barracuda Quic Cloud Protect Origin Servers

A WAF can be installed on the operating system or server. Many hosts will have a WAF running on their servers, so ask your host how they are helping. Using a WAF at the network level versus the application or host level has pros and cons to consider.

"Any decent host has DDOS protection and Firewall Tool. If you are at some of EIG hosts or at shared plan, it's hard to be isolated from overflow attacks, no WAF can help you there."

"Sysadmins hosting WordPress should run modsecurity."

Ninja PHP app Perishable Press Fail2ban OWASP ModSecurity CRS

WordFence has a huge number of downloads in the WordPress repository, and on those numbers it is the most used plugin-based WAF. PatchStack is also a widely discussed and praised plugin on the Reddit forum. WordPress plugins often come bundled with many features, so you might already be using a plugin that has a WAF and not even know it! It is a good idea to audit your plugins to see where their features overlap or have gaps.

"Wordfence. It's the best out of the box solution and even the free tier offers excellent protection. Spend some time reading the documentation then some more time setting it up as you require."

"a shared host running, say, ten wp instances, each with its own instance of wordfence is wasting resources."

"WordFence is an example of how messy things get when WordPress Administrator gets blurred with the sysadmin role."

"I like patchstack because it's really simple to set up and understand."

WordFence WPMU Defender WAF PatchStack Ninja WP Plugin BBQ BlueSix WF Settings

Security headers can be set to control things like what iframes can do with your users' data:

  • Can an iframe access the microphone, camera or other data from the device?
  • Do you mind if, when a user clicks a link, the destination website learns that the user came from your website?
  • Do you mind which scripts can be embedded in the CMS?
  • Do you mind which domains can be iframed into your site?
  • Do you mind which domains can iframe your site?
  • Do you want to force HTTPS connections?

This is quite complex, so it is best to consult an expert.

Security header plugin Security header checking Report URI Moz - CSP Moz - CSP 2 Moz - Xframe Moz - STS Moz - Permissions Moz - X content
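Each question in the list above maps to one response header. The must-use plugin below is an added example, not code from the guide or from any plugin it lists; every domain in it is a placeholder, and the Content Security Policy is deliberately deployed in report-only mode because a policy copied from elsewhere will break real themes and plugins until it is tuned.

```php
<?php
/**
 * Plugin Name: Security headers
 * Drop into wp-content/mu-plugins/. Added example for the header questions
 * above; not code from the guide or from any plugin it lists. Every domain
 * is a placeholder and every policy must be tuned to your own theme and plugins.
 */

add_action('send_headers', function () {
    if (headers_sent()) {
        return;
    }

    // Which domains may put your site in an iframe (legacy header; the CSP
    // frame-ancestors directive below is the modern equivalent).
    header('X-Frame-Options: SAMEORIGIN');

    // Can an iframe (or your own page) use the camera, microphone, location...?
    // Deny everything that is not explicitly needed.
    header('Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()');

    // Should a site you link to learn that the visitor came from your page?
    // This sends only the origin on cross-site links and nothing on downgrades.
    header('Referrer-Policy: strict-origin-when-cross-origin');

    // Stop browsers second-guessing content types (a file served as text must
    // not be interpreted as script).
    header('X-Content-Type-Options: nosniff');

    // Force HTTPS. Only send it over TLS, start with a short max-age and raise
    // it (e.g. to 31536000) once every subdomain is confirmed to work over HTTPS.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=300');
    }

    // Content Security Policy: which scripts may run, which domains may be
    // iframed in, and who may iframe you. Deploy it as Report-Only first and
    // read the reports (Report URI or your own endpoint) before enforcing.
    $csp = [
        "default-src 'self'",
        "script-src 'self' https://cdn.example.com",   // placeholder script host
        "frame-src 'self' https://www.youtube.com",     // domains allowed in iframes
        "frame-ancestors 'self'",                        // domains allowed to iframe you
        "img-src 'self' data: https:",
        "object-src 'none'",
        "base-uri 'self'",
        "report-uri https://example.report-uri.com/r/d/csp/reportOnly", // placeholder
    ];
    header('Content-Security-Policy-Report-Only: ' . implode('; ', $csp));
});
```

The send_headers action only fires for front-end requests, so wp-admin and wp-login.php need the same headers set at the web server or at the DNS-level WAF, and a header-checking tool (linked above) will confirm what each part of the site actually sends.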

Many hosting companies also provide backup services, so consider that when making a plan.

  • Can you recover your site from the backup?
  • What would happen if your server is no longer available?
  • Will you need snapshots or full backups?
  • What will be in the backup?
  • How long will you keep the backups?
  • How frequently will you take them?
  • What if your backup is corrupt; will the other backups also be corrupt?
  • Can your backups be found with scanning tools?
  • Do non-logged-in users have access to the backup via a URL?
  • Consider having a tested disaster recovery or business continuity plan.

"Schedule daily, weekly or monthly backups. Send backups to remote servers (AWS S3, Dropbox, Google Drive) or your local machine."

WordPress Guide WP (back up) Config Finder WPScan (back ups)
See the conversation

If your host or server setup does not provide adequate backups, you may wish to use a backup plugin to provide automated backups.

"I don't like AIO because it uses a proprietary zip format. I've used Updraft for over 10 years, on hundreds of sites, it's never failed me."

Updraft SolidWP JetPack BlogVault WPVivid WP Time Capsule Duplicator Manage WP Back Up WP AIO

When working with suppliers it is a good idea to understand the certifications and governing bodies they may belong to; this can be, but is not always, a good barometer of their understanding of security. You can also carry out a vendor security assessment using a framework to ascertain a supplier's security maturity.

OWASP NIST Cyber Essentials SOC2 ISO 27001 Vendor Security Alliance NCSC PCI Standards

This is something that cannot be done in the application and has to be done on the host or server. However, it is worth a mention as it will be important for many to secure.

Setting up an SSL certificate is now pretty standard for most websites. With Let's Encrypt it is often very easy and free, and many hosting companies offer free SSL certificates from Let's Encrypt. It is a good idea to check that your SSL certificate is valid and that you are using modern TLS versions.

See the conversation
WordPress HTTPS Lets Encrypt SSL Labs Cert Checker Hows my SSL - Browser Cloudflare Check - Browser

This is something that cannot be done in the application and has to be done on the host or server. However, it is worth a mention as it will be important for many to secure.

Securing access to your domain registrar, name servers and domain name system (DNS) records is a good idea. Unauthorised access to these systems can lead to traffic and data being diverted or domains being transferred. It might be useful to monitor domain squatting to reduce the potential for phishing. Audits should be carried out on all of these systems.

Domain Squatting Domain Squatting

This is something that cannot be done in the application and has to be done in the version control system. However, it is worth a mention as it will be important for many to secure.

When managing code in a version control system, care must be taken over what is and is not tracked. Having secrets, passwords, credentials or keys tracked can give a bad actor access if they gain control of the system, and care should be taken if such values are in the code or in the commit history. Some hosted version control systems offer additional features such as code scanning and commit scanning to help stop this type of data entering the system. Some systems also help with managing issues and vulnerabilities reported in the software your code depends on. As with managing user access to the CMS, access to version control systems should also be audited.

GitHub Security

This is something that cannot be done in the application and has to be done on the host or server. However, it is worth a mention as it will be important for many to secure.

You should speak with your host or sysadmin to make sure this is secure. You might want to check the following:

  • Who has access?
  • How do they have access (SSH, SFTP)?
  • Is the access audited?
  • What ports are open?
  • Are there any access rules?
  • How and when are things patched and updated?
  • Is directory browsing blocked?
  • Is access to files and directories restricted?
  • Is PHP script execution forbidden in non-essential directories (uploads, includes, cache etc.)?

In short, it is best to speak to an expert here.

Or outsource to a very good managed host; take a look at the hosting guides on the right-hand side of this page.

WordPress File Permissions