WordPress Security FAQ

Q: Isn’t WordPress made to be secure? I’m good at upgrading when a new release is available – won’t that keep me safe?

A: If your approach to security is simply to upgrade WordPress when a new version comes out, then no, you’re not safe. As the WordPress developers would be the first to tell you, securing an installation isn’t just about protecting your filesystem and database from attack (which, by the way, involves more than just upgrading regularly). It also means verifying the integrity of your host’s server configuration and keeping whatever devices you use to access WordPress free of malware. You owe it to yourself and the people you work with to make security a priority.

Q: Will hardening my installation cause problems with plugins I have installed?

A: It’s possible, but well-written and well-supported plugins should continue to work just fine after an installation has been hardened against attack. That’s been the case in my experience. A plugin that breaks completely as a result of implementing more stringent security measures isn’t a good plugin.

Q: I administer a blog on WordPress.com rather than running my own self-hosted WordPress site. Do I have anything to worry about?

A: If you blog at WordPress.com, my colleagues at Automattic take care of you. However, you should still be following best practices for accessing your account at WordPress.com (like keeping your computer free of malware).