The hostingHostingA web hosting service is a type of Internet hosting service that allows individuals and organizations to make their website accessible via the World Wide Web. team works to improve WordPress’ end-user experience across hosting environments through industry collaboration and user education.
The goal of the page is to inform users who manage a WordPress site about general security best practices both in terms of environment level items, such as file permissionsFile permissionsMost file systems have methods to assign permissions or access rights to specific users and groups of users. These permissions control the ability of the users to view, change, navigate, and execute the contents of the file system., as well as application-level items, such as setting up proper user roles, so they have a better foundation for security than setting up WordPress somewhere with no additional configuration.
The most important thing to do for WordPress security is to keep WordPress itself and all installed plugins and themes up to date. It is also encouraged for users to choose themes and plugins that are actively receiving updates.
WordPress is committed to providing a secure experience for users. Information about WordPress’s official stance on security and a general discussion about WordPress’s overall aims for security can be found on WordPress.org’s Security page.
This guide borrows heavily from the WordPress CodexWordPress CodexLiving online manual to WordPress.org https://codex.wordpress.org/’s guide on Hardening WordPress. Since it’s publicly editable, advice in the codex should be viewed with caution.
Keeping any system, not just WordPress, secure is continuous work. Good security requires careful planning, monitoringMonitoringWebsite monitoring is the process of testing and verifying that end-users can interact with a website or web application as expected. Website monitoring is often used by businesses to ensure website uptime, performance, and functionality is as expected., and periodic maintenance.
Security largely consists of reducing risk and planning for recovery. Most security plans focus on minimizing the risk of unauthorized access only, but risk can never be successfully reduced to zero. As long as there is some risk, you must plan for recovery so that if something were to happen, user sites are not completely lost and can be quickly restored to normal operation.
Security is also about more than WordPress. It is also about making sure your hostingHostingA web hosting service is a type of Internet hosting service that allows individuals and organizations to make their website accessible via the World Wide Web. environment is secure and your personal online practices and behaviors keep you safe. Good security depends on the technology in use and the people using the technology. Obsolete or out-of-date technology can have bugs or vulnerabilities that can put your WordPress website at risk. People’s bad online practices can also put your WordPress website as risk. It is important to make sure that not only do you keep the technology you use up-to-date and maintained but also that employees are using security best practices when using the Internet and when interacting with your hosting platform or customer WordPress sites.
One of the most common kinds of attacks targeting internet services is brute force login attacks. With this form of attack, a malicious party tries to guess WordPress usernames and passwords. The attacker needs only the URLURLA specific web address of a website or web page on the Internet, such as a website’s URL www.wordpress.org of a user site to perform an attack. Software is readily available to perform these attacks using botnets, making increasingly complex passwords easier to find.
The best protection against this kind of attack is to set and recommend and/or enforce strong passwords for WordPress users.
It is also recommended for hosts to throttle login attempts at the network and serverServerA server is a piece of computer hardware or software that provides functionality for other programs or devices. Typical servers are database servers, file servers, mail servers, print servers, web servers, game servers, and application servers. level when possible. It’s helpful to throttle both maximum logins per site over time, and maximum attempts per IP over time across server or infrastructure to mitigate bot password brute-force attacks. This can be done at the pluginPluginA plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory or can be cost-based plugin from a third-party. level as well, but not without incurring the additional resource utilization caused during these attacks.
The WordPress project doesn’t consider usernames or user IDs to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.
Two-factor authentication2FATwo-Factor Authentication is a type of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly-generated and constantly refreshing code which the user can use., also known as 2FA2FATwo-Factor Authentication is a type of multi-factor authentication. It is a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly-generated and constantly refreshing code which the user can use. or two-step authentication, is a login scheme that uses a separate, second form of authentication when a user attempts to log in to a service with two-factor authentication enabled. The exact two-factor authentication setup varies from service to service, but it usually involves entering a code or interacting with an application on a smartphone when attempting to log in to a service. WordPress does not have two-factor authentication by default; however, there are several plugins that provide two-factor authentication for self-hosted WordPress websites.
The setup of your hosting account’s file system can have a large impact on the security of WordPress. Setting proper file permissions and ownership is important for ensuring unauthorized users cannot access or modify WordPress’s files.
This section on file permissions focuses entirely on file permissions on Linux servers. If you are using a Windows server, please consult with your hosting provider or a Windows server administrator for help setting the proper permissions.
Linux file permissions consist primarily of three components — the permissions the owner of the file or folder has, the permissions members of the group that owns the file or folder have, and the permissions that anyone else has for accessing or modifying the file and folder. The three permission components are usually represented using three numbers in order of the owner’s permission level, the group’s permission level, and everyone’s permission level. There is technically a fourth component, but that is beyond what we need to know to secure WordPress. It will not be discussed here.
There are three kinds of access each for the user, the group, and everyone else. They are read access, write access, and execute access. Read access lets you read the contents of the file or the directory. Write access lets you modify the file or the directory. And execute access lets you run the file like a program or a script.
Linux stores these different kinds of access internally as bits (i.e. in binary form). They are commonly represented in human-readable form as the numbers 4 (read access), 2 (write access), and 1 (execute access). These numbers are added together to represent different combinations of the three kinds of access you can have.
Some programs will represent the different kinds of access using letters instead of numbers. When using symbols, the kinds of access are still read access, write access, and execute access. Instead of numbers, the kinds of access are represented using “r” (read access), “w” (write access), “x” (execute access). These three letters are combined together (e.g. “rwx”, “rw”, “wx”, etc.) to represent the different combinations of the three kinds of access you can have.
File permissions are going to be different based on needs and server setup. Keep file permissions as restricted as possible, avoiding giving permissions that are not needed. Keep in mind WordPress needs the ability to write to its own files for updates, including automatic security updates.
WordPress websites should be run as non-privileged users. If possible, separate WordPress websites should be run as separate users in order to isolate WordPress websites from one another. In addition, the web serverServerA server is a piece of computer hardware or software that provides functionality for other programs or devices. Typical servers are database servers, file servers, mail servers, print servers, web servers, game servers, and application servers. used to process PHPPHPPHP (PHP: Hypertext Preprocessor) is a general-purpose scripting language especially suited to web development. PHP code is usually processed on a web server by a PHP interpreter. On a web server, the result of the interpreted and executed PHP code would form the whole or part of an HTTP response. scripts and requests for WordPress websites should be configured to handle requests as a non-privileged user. The exact configuration of your users and web server will vary depending on your server environment, choice of web server, and the installed web server modules.
For automatic security updates to function, PHP must be able to overwrite WordPress’ coreCoreCore is the set of software required to run WordPress. The Core Team builds WordPress. files. If you do not handle automated updates at the infrastructure level, this is the recommended practice.
Additionally, WordPress stores assets and user uploaded files in a special uploads directory located in /wp-content/uploads, by default, within the WordPress root. The uploads directory must be web-accessible in order for user content and uploaded assets to be loaded by a browser. PHP will also need to be able to write to the user’s uploads folder for WordPress to handle uploading user content.
WordPress itself defines 5 default types of users (6 if WordPress MultisiteMultisiteMultisite is a WordPress feature which allows users to create a network of sites on a single WordPress installation. Available since WordPress version 3.0, Multisite is a continuation of WPMU or WordPress Multiuser project. WordPress MultiUser project was discontinued and its features were included into WordPress core.https://codex.wordpress.org/Create_A_Network. is enabled). They are:
Super Administrator (If WordPress Multisite is enabled) – a superuser with access to the special WordPress Multisite administration features and all other normal administration features.
Administrator (slug: ‘administrator’) – a superuser for the individual WordPress website with access to all of the administration features in the website.
Editor (slug: ‘editor’) – a user who can publish posts and manage the posts of other users.
Author (slug: ‘author’) – a user who can publish posts and manage the user’s own posts.
Contributor (slug: ‘contributor’) – a user who can write and manage the user’s own posts but cannot publish them.
Subscriber (slug: ‘subscriber’) – a user who can manage the user’s own profile only.
Super Administrators, Administrators, and Editors are all considered “trusted” users, meaning they have capabilities that could be abused to damage or compromise a WordPress site.
When WordPress is first installed, an Administrator account is automatically set up.
Plugins and themes can modify existing, as well as add additional types of, users and capabilities to WordPress beyond the defaults. These additional options are commonly used by plugins and themes to manage the functionality they add to WordPress.
WordPress is fully compatible with HTTPS when an TLS / SSL certificate is installed and available for the web server to use. Support for HTTPSHTTPSHypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) and it is used for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). is strongly recommended to help maintain the security of both WordPress logins and site visitors.
While cachingCacheA cache is a component that stores data so that future requests for that data can be served faster; the data stored in a cache might be the result of an earlier computation or a copy of data stored elsewhere. can significantly improve the performance of WordPress websites, caching can expose WordPress websites to new vulnerabilities if the caching providers are not configured correctly. Some common vulnerabilities include but are not limited to websites accessing the cached data for other websites or caching applications serving the wrong cached data or files. Each kind of caching application usually has security settings and configuration to provide a safe environment for enjoying the performance benefits of caching.
PHP opcode caching can significantly improve the performance of PHP processing for WordPress websites, as outlined in the Performance section of the WordPress Hosting Handbook. However, when improperly configured PHP opcode caching can enable users to access other users’ PHP files without authorization. There are important PHP configuration options for opcode caching that mitigate vulnerabilities such as accessing files without authorization.
The following setting makes PHP check that the current user has the necessary permissions to access the cached file. It should be enabled at the root php.iniphp.iniThe main configuration file of PHP. configuration level to prevent users from accessing other users cached files. opcache.validate_permission = On
This setting is not enabled by default. It is also only available as of PHP 7.0.14.
The following setting prevents PHP users from accessing files outside of the chrootchrootIn Unix, chroot is an operation that changes the apparent root directory for the current running process and its children’d directory to which they normally would not have access. It should also be added to the root php.ini configuration level to prevent unauthorized access to files. opcache.validate_root = On
This setting is not enabled by default. It is also only available as of PHP 7.0.14.
Normally, any PHP user can access the opcache APIAPIAn Application Programming Interface (API) is a computing interface that defines interactions between multiple software intermediaries. It defines the kinds of calls or requests that can be made, how to make them, the data formats that should be used, the conventions to follow, etc. for viewing the currently cached files and for managing the PHP opcode cacheCacheA cache is a component that stores data so that future requests for that data can be served faster; the data stored in a cache might be the result of an earlier computation or a copy of data stored elsewhere.. With some PHP configurations, however, the PHP opcode cache shares the same memory between all users on the server. Sharing the PHP opcode cache between all users means all users can view and access the PHP opcode cache and can access other users’ cached PHP files. Restricting the Opcache API prevents PHP scripts run in unauthorized directories from viewing cached files and interacting with the PHP opcode cache manually from within PHP scripts. The following setting defines the directory path PHP scripts must start with to be able to access the Opcache API. opcache.restrict_api = '/some/folder/path'
The default value for the setting is '', which means there are no restrictions on which PHP scripts can access the Opcache API. This setting should be defined in the root php.ini for your PHP configuration in order to prevent users from overriding it.
There are several solutions for providing databaseDatabaseA database is an organized collection of data. Access to this data is usually provided by a "database management system" (DBMS) consisting of an integrated set of computer software that allows users to interact with one or more databases and provides access to all of the data contained in the database. Because of the close relationship between them, the term "database" is often used casually to refer to both a database and the DBMS used to manipulate it.objectObjectIn computer science, an object can be a variable, a data structure, a function, or a method, and as such, is a value in memory referenced by an identifier. caching for WordPress. Each comes with its own configuration requirements for providing a secure environment while using database object caching.
RedisRedisRedis (Remote Dictionary Server) is an in-memory data structure store, in-memory key–value database. It is open-source software.. is a lightweight, high-performance key-value database server commonly used to cache the results from WordPress database queries. In its default configuration, Redis uses a single database and does not require a username and password to access the database. Redis should also only be accessible from authorized network hosts.
Redis provides 16 databases, number 0 to 15 by default. Redis clients should be configured to use different databases instead of the default database (number 0). Redis can be configured to have additional databases, but that is outside the scope of this document.
Redis user credentials
If Redis is going to be used for database object caching, the Redis server should be configured to require access credentials.
Redis network hosts
The Redis server in its default configuration listens on port 6379. The port can be changed in Redis’s configuration, but whatever port is used should be protected by a firewall to prevent unauthorized access.
Redis cache key salt
If using Redis for database object caching, using a unique Redis cache key salt will help prevent cache collisions — when two websites try to cache content using the same key. Cache collisions can result in websites accessing the cached data for other websites and can cause other undesirable and unexpected behaviors. The Redis cache key salt is usually configured through the Redis caching plugin or Redis client used to enable Redis database object caching in WordPress websites.
MemcachedMemcachedMemcached is a general-purpose distributed memory-caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read. Memcached is free and open-source software. is a memory object caching solution commonly used to provide database object caching for WordPress. One of the most important configuration concerns for memcached is preventing memcached from being accessed by the public internet. Putting memcached servers behind a firewall is one of the most important parts of using memcached securely for WordPress database object caching.
WordPress has the ability to automatically apply security updates. This should be enabled in almost all cases. The exception is if files are not writeable, outside of wp-content/uploads, for security reasons. In this instance, an alternative, expedient, and, preferably, automatic update process should be made available. See Configuring Automatic Background Updates for details on automatic update configuration.
Responsible disclosure means the following: if you encounter a security breach (or a weak spot) concerning the WordPress core software, we would like to hear about this as soon as possible. The WordPress community takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
To report a security issue, please visit the WordPress HackerOne program and file a ticket there.