{"id":8148,"date":"2015-02-18T11:16:50","date_gmt":"2015-02-18T17:16:50","guid":{"rendered":"https:\/\/wpengine.com\/?post_type=support&#038;p=8148"},"modified":"2025-10-03T13:58:30","modified_gmt":"2025-10-03T19:58:30","slug":"wordpress-site-security","status":"publish","type":"support","link":"https:\/\/wpengine.com\/support\/wordpress-site-security\/","title":{"rendered":"WordPress Site Security"},"content":{"rendered":"\n<p>It\u2019s important to understand that there is no \u201cset it and forget it\u201d solution for security. With the freedom to use a wide variety of custom code in the form of themes and plugins comes a great responsibility. Security is a partnership WP Engine shares with our customers. With that in mind, there are a number of best practices we recommend for all WordPress\u00ae websites.<sup><a href=\"#legal-disclaimer\">1<\/a><\/sup><\/p>\n\n\n\n\n\n<a name=\"update\"><\/a>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Stay Up to Date<\/h2>\n\n\n\n<p>The most critical and yet simplest way to keep a WordPress website secure is by keeping all components up-to-date. There are three main components to focus on for maintaining your site&#8217;s security:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>WordPress Core<\/strong>: Keeping WordPress core up-to-date is crucial to your site&#8217;s security. At WP Engine, we handle core upgrades for you automatically, but they can be performed manually as well. <a href=\"https:\/\/wpengine.com\/support\/wordpress-updates\/\">Read more about WP Engine&#8217;s WordPress automatic core update process here.<\/a><\/li>\n\n\n\n<li><strong>Plugins and Themes<\/strong>: A simple oversight in updating your plugins or theme can be a big deal. 
Plugin vulnerabilities represent&nbsp;<strong><a href=\"https:\/\/www.wordfence.com\/blog\/2016\/03\/attackers-gain-access-wordpress-sites\/\" target=\"_blank\" rel=\"noreferrer noopener\">55.9<\/a>% of the known entry points<\/strong>&nbsp;for attacks. Keeping your plugins and themes up to date is easily the most important step to maintaining a fast and secure WordPress website.\n<ul class=\"wp-block-list\">\n<li>Plugins and themes can be updated by logging in to your WordPress admin and clicking <em>Updates<\/em> in the main menu (\/wp-admin\/update-core.php).<\/li>\n\n\n\n<li>If keeping plugins up to date is too time-consuming or often causes your site to break, we offer the Smart Plugin Manager. This service keeps your plugins up to date, creates backup checkpoints and runs visual checks to ensure no updates are pushed that will break your site. <a href=\"https:\/\/wpengine.com\/smart-plugin-manager\/\">Check out Smart Plugin Manager here<\/a>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>PHP<\/strong>: WordPress runs on PHP, and the PHP version you run can have a huge impact on the security and performance of your website. As a managed host, WP Engine helps automate PHP upgrades as versions reach end-of-life. However, updating your WordPress site&#8217;s PHP version can (and should) be done before automatic upgrades occur. <a href=\"https:\/\/wpengine.com\/support\/php-guide\/\">Learn more here<\/a>.<\/li>\n<\/ol>\n\n\n\n<a name=\"choose\"><\/a>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Choose Plugins and Themes Carefully<\/h2>\n\n\n\n<p>It is important to have a discerning eye when it comes to choosing the theme and plugins your site will use. 
Each addition to your site contributes more code, which translates to more potential security flaws as well as extra pieces to maintain and update.<br>For similar reasons, you should also be certain to always fully delete any plugins or themes you are not actively using.<\/p>\n\n\n\n<p>A good first step is to ensure you download your plugins and themes through the <a href=\"https:\/\/wordpress.org\/plugins\/\">WordPress.org repository<\/a>, since these are subject to WordPress.org&#8217;s stringent approval process.<\/p>\n\n\n\n<p><strong>Look for plugins and themes that:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Are actively maintained<\/li>\n\n\n\n<li>Have been recently updated<\/li>\n\n\n\n<li>Have a wide and happy user base<\/li>\n\n\n\n<li>Provide user help in the Support section<\/li>\n<\/ul>\n\n\n\n<p>Not only are you more likely to have success with these plugins and themes overall, but their authors are also the most likely to respond quickly should a vulnerability be discovered.<\/p>\n\n\n\n<a name=\"2fa\"><\/a><a name=\"Enforce_Two-Factor_Authentication\"><\/a>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Enforce Additional Login Authentication<\/h2>\n\n\n\n<p>Your administrator accounts are the gateway to the backend controls of your website. A simple way to double down on security is to have your users use two-factor authentication (2FA) or multi-factor authentication (MFA), or to offload logins entirely to a specialized system with single sign-on (SSO). These security options require your users to verify their identity with a second method, beyond a simple username and password.<\/p>\n\n\n\n<p>For example, two-factor authentication might require you to enter an additional rotating code from an app on your phone. 
An attacker might be able to brute-force your username and password, but they would still be unable to access your site\u2019s administration area without also supplying the correct code for the current interval.<\/p>\n\n\n\n<p>With SSO, your corporate identity provider can be configured with the WP Engine User Portal to ensure all employees are logging in via SSO. <a href=\"https:\/\/wpengine.com\/support\/sso-user-portal\/\">Learn more about SSO for the User Portal here<\/a>. Using a corporate identity provider allows login credentials to be managed by specialized login software that can be customized to your business&#8217;s security needs.<\/p>\n\n\n\n<p>WP Engine offers <a href=\"https:\/\/wpengine.com\/support\/multi-factor-authentication\/\">Two-Factor Authentication<\/a> for the User Portal. To secure your WordPress site admin dashboard, there are several plugins you can use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/rublon\/\" target=\"_blank\" rel=\"noreferrer noopener\">Rublon Two-Factor Authentication (2FA)<\/a><\/li>\n\n\n\n<li><a rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\" target=\"_blank\">Wordfence (2FA)<\/a><\/li>\n\n\n\n<li><a rel=\"noopener noreferrer\" href=\"https:\/\/wordpress.org\/plugins\/search\/two+factor+authentication\/\" target=\"_blank\">See more 2FA plugins<\/a><\/li>\n<\/ul>\n\n\n\n<a name=\"privilege\"><\/a>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Adhere to the &#8220;Least Privilege&#8221; Principle<\/h2>\n\n\n\n<p>The \u201cLeast Privilege\u201d principle means users should only be given the access level they <i>need<\/i> to perform their <i>core role<\/i> and nothing more.<\/p>\n\n\n\n<p>If you are an Administrator on a WordPress site, the responsibility of determining the access level of other users falls to you. 
Be extremely strict with users who publish content, and especially with other Administrators. Ask yourself: does this user truly need this level of access in order to perform their <i>core role<\/i>?<br><a href=\"https:\/\/wordpress.org\/support\/article\/roles-and-capabilities\/#summary-of-roles\">Learn more about WordPress user roles here.<\/a><\/p>\n\n\n\n<p>If you are a developer on a website, your responsibility is to ensure your code is adhering to <a href=\"https:\/\/make.wordpress.org\/core\/handbook\/best-practices\/coding-standards\/\" target=\"_blank\" rel=\"noopener noreferrer\">WordPress Coding Standards<\/a> and using core WordPress APIs where possible.<\/p>\n\n\n\n<a name=\"monitor\"><\/a>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Proactive Security Through Monitoring<\/h2>\n\n\n\n<p>Both uptime monitoring and file integrity monitoring are proactive strategies to keep your site secure and available. For example, WP Engine offers our <a href=\"https:\/\/wpengine.com\/support\/site-monitoring\/\">Site Monitoring product extension<\/a>, which can alert you should your site experience an outage.<\/p>\n\n\n\n<p>File integrity monitoring keeps you aware of any file changes made to site code. 
Plugins like <a href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\/\" target=\"_blank\" rel=\"noopener noreferrer\">Sucuri Security<\/a>, <a href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\" target=\"_blank\" rel=\"noopener noreferrer\">Wordfence<\/a> and <a href=\"https:\/\/wordpress.org\/plugins\/stream\/\" target=\"_blank\" rel=\"noopener noreferrer\">Stream<\/a> can monitor file changes on your site.<\/p>\n\n\n\n<p>Uptime monitoring services like <a href=\"https:\/\/www.pingdom.com\/product\/uptime-monitoring\" target=\"_blank\" rel=\"noopener noreferrer\">Pingdom<\/a> and <a href=\"https:\/\/uptimerobot.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">UptimeRobot<\/a> will notify you if your site is not behaving as expected.<br>Increasing awareness allows your team to respond as quickly as possible if the unthinkable happens.<\/p>\n\n\n\n<p>Tools like <a href=\"https:\/\/support.google.com\/webmasters#topic=9128571\" target=\"_blank\" rel=\"noreferrer noopener\">Google Search Console<\/a> help by monitoring your site\u2019s reputation and health and notifying you if your site ends up on any blocklists.<\/p>\n\n\n\n<div style=\"color:#32373c;background-color:#00d1b2\" class=\"wp-block-genesis-blocks-gb-notice gb-font-size-18 gb-block-notice\" data-id=\"10de4b\"><div class=\"gb-notice-title\" style=\"color:#fff\"><p>NOTE<\/p><\/div><div class=\"gb-notice-text\" style=\"border-color:#00d1b2\">\n<p>WP Engine <a href=\"https:\/\/wpengine.com\/support\/wp-engine-monitor-server\/\">monitors basic server health<\/a> of all websites and backs up your site nightly, making it easy to <a href=\"https:\/\/wpengine.com\/support\/restore\/\">restore your site<\/a> if needed.<\/p>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Employ Network-level Security<\/h2>\n\n\n\n<p>At WP Engine we prioritize stable and secure websites. 
While many of our network improvements happen behind the scenes, the most recent network advancements have been made available to you as opt-in upgrades. The network upgrades route your website at a DNS level through additional security and performance layers at Cloudflare, all managed by WP Engine.<\/p>\n\n\n\n<p>The advanced network utilizes our custom blend of Cloudflare features to improve the speed, scalability, and security of your website. Best of all, the advanced network upgrade is provided at <em>no charge<\/em> for all WP Engine hosting plans.<\/p>\n\n\n\n<p><a href=\"https:\/\/wpengine.com\/support\/advanced-network\/\">Learn more about the advanced network here<\/a>.<\/p>\n\n\n\n<p>Global Edge Security (GES) is an Enterprise-grade performance and security product extension available for purchase on all WP Engine plans. With the GES product extension you will receive several features powered by Cloudflare:&nbsp;<a href=\"https:\/\/wpengine.com\/support\/ges\/#waf\">managed Web Application Firewall (WAF)<\/a>,&nbsp;<a href=\"https:\/\/wpengine.com\/support\/ges\/#ddos\">advanced DDoS Mitigation<\/a>,&nbsp;<a href=\"https:\/\/wpengine.com\/support\/ges\/#cdn\">Cloudflare CDN<\/a>, and&nbsp;<a href=\"https:\/\/wpengine.com\/support\/ges\/#ssl\">automatic SSL Installation<\/a>.<\/p>\n\n\n\n<p><a href=\"https:\/\/wpengine.com\/support\/ges\/\">Learn more about Global Edge Security here.<\/a><\/p>\n\n\n\n<p>To learn more about all of our network types, see our <a href=\"https:\/\/wpengine.com\/support\/network\/\">network comparison guide<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<p><strong>NEXT STEP: <a href=\"\/support\/ssl\/\">Add an SSL to encrypt information sent through your site<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WP Engine keeps your server secure and fast; now learn the best steps you can take to maintain a hardened WordPress 
website.<\/p>\n","protected":false},"featured_media":126216,"template":"","support-categories":[23,10,16,13],"support-tag":[63,65,17,31],"class_list":["post-8148","support","type-support","status-publish","has-post-thumbnail","hentry","support-categories-best-practices","support-categories-general-wordpress","support-categories-security-3","support-categories-wordpress-help","support-tag-account-management","support-tag-plugins","support-tag-security","support-tag-wpcore"],"acf":[]}