
Security on WordPress.com: A Developer’s Guide

As a developer, ensuring the security of your websites is essential for safeguarding both your work and your clients’ satisfaction. WordPress.com-hosted websites are designed with robust security measures, automating many of the protective procedures that other hosts typically leave to site owners. 

This guide explores the comprehensive security features offered by WordPress.com, detailing how the platform protects your site from various threats and what proactive steps you can take to enhance your site’s security.

Security Risks for a Website

With any website available publicly, there is a risk of malicious actors attempting to bring the website down or gain access to personal information. Failing to employ security protection on a WordPress website can lead to some serious consequences, such as:

  • Website defacement: Hackers can change the appearance of a website, often replacing content with their own messages.
  • Loss of control: Hackers gaining access to your admin account can lock you out of your own website.
  • Damage to reputation: A compromised website can damage the reputation of the organization or individual it represents, as well as the developer who manages the site.
  • Data breaches: Personal data of users, such as email addresses, passwords, and other sensitive information, can be stolen.
  • Spam content: Hackers can use your website to distribute spam emails or insert spammy content, which can lead to blacklisting by email providers and search engines.
  • Malware infections: Visitors to your website can inadvertently download malware, spreading the infection.
  • Phishing attacks: Hackers can create fake pages on your site to trick users into providing sensitive information, such as login credentials and credit card numbers.
  • Ransomware: Hackers can encrypt your website data and demand a ransom for its decryption, effectively holding your website hostage.
  • Search engine penalties: Google and other search engines may penalize or de-index your website if it is found to be compromised, severely affecting your search rankings.

The robust security measures described in the rest of this guide can help mitigate these risks and protect your WordPress.com website from a wide range of threats.

Check Your Website For Vulnerabilities

Jetpack Scan automatically monitors all WordPress.com sites for vulnerabilities and checks the following files daily:

  • All files in the plugins, mu-plugins, themes, and uploads directories.
  • Select files from your WordPress root directory, like wp-config.php.
  • Other select files inside the wp-content directory.

Jetpack Scan is looking for threats including the following:

  • Shells found in files that give attackers access to execute malicious code (malware), delete files, and make changes to your database. Jetpack Scan removes any infected files and replaces them with a clean version from your backup.
  • Plugins with known security vulnerabilities that we will update (if a newer version of the plugin has patched the threat) or delete to ensure the safety of the site.

As the site owner or admin, you don’t have to take any action on the identified security threats. Our dedicated security team works to eliminate malware and address potential security risks surfaced by Jetpack Scan. Once weaknesses are identified, we swiftly resolve the issues, updating or reverting files as needed, depending on the problem.

If your site has a WordPress.com Business and Commerce plan, you can view a record of all threats identified and stopped on your site. To view the Jetpack Scan history, take the following steps:

  1. Visit your site’s dashboard.
  2. Navigate to Jetpack → Scan.
  3. Scroll through the security threats, where you can expand more details about the threat. Threats can be filtered by “fixed” and “ignored” status.

[Screenshot: Jetpack Scan history with fixed vulnerabilities highlighted]

Additional Security Features on WordPress.com

Along with automated scanning and removal of threats, your WordPress.com site includes the following built-in features and processes to protect your website:

Automatic Updates

WordPress software is continuously updated with the latest security features and protocols. If the version of WordPress your site runs were to fall out of date, your website would be vulnerable to security risks. For this reason, we automatically keep the WordPress version up to date on all sites hosted on WordPress.com.

Free SSL Certificate

We include free SSL with all domains used on a WordPress.com site, regardless of whether the domain is registered at WordPress.com or connected from another registrar. Our SSL certificate takes your site from HTTP to HTTPS at no additional cost.

Firewall Protection

A firewall is an essential layer of protection against distributed denial-of-service (DDoS) attacks and other hacking attempts. Our Web Application Firewall (WAF) examines incoming traffic to all WordPress.com sites and decides to allow or block it based on various rules (such as suspicious IP addresses, malicious bots, and unusual traffic activity).

If you are building a custom app that requires a firewall connection, the Firewall Rules page lists the allowed protocols and ports.

Brute Force Attack Prevention

Brute force attacks are a method hackers use to try to gain access to your site by using thousands of different combinations of usernames and passwords until they find the right one. Brute Force Attack Protection on WordPress.com blocks unwanted login attempts from traditional and distributed brute force login attacks. 

Downtime Monitoring

Downtime Monitoring on WordPress.com continuously watches your website and alerts you the moment that downtime is detected. With 99.999% uptime on WordPress.com, downtime due to your hosting, servers, security breaches, or traffic spikes is unlikely compared to other hosts, but our automated monitor will alert you if downtime is detected.

Real-Time Activity Log

The Jetpack Activity Log records all website activities and events so you can keep track of any changes or unexpected events.

Do I Need to Install a Security Plugin?

On other WordPress hosts, site owners typically install a security plugin to monitor the website, scan for malware, and block brute-force attacks and login attempts. Popular plugin options include Wordfence and Sucuri Security.

However, you’ll notice that the benefits these plugins provide are already built into the WordPress.com platform. WordPress.com is a managed hosting service that provides all of the key functions and features that a self-hosted site owner would typically need to figure out on their own, including security. 

For this reason, WordPress.com site owners do not need to install a security plugin, and in fact some security plugins will interfere with the built-in security processes already working on your website. Save yourself time and expense by making use of the security features explained in this guide.

If you have any concerns about your site’s security, don’t hesitate to get in touch!

Protect Your Website

While the security features built into the WordPress.com platform handle most of the heavy lifting, you, as the site administrator, should still take the following steps to protect your websites:

Use a Strong Password and Two-Step Authentication

A WordPress website can have the best security protection available, but if you use an easy-to-guess password, that’s all that a hacker needs to gain access and do whatever they want with your site. For this reason, it’s essential to protect your account with a strong password and enable two-step authentication with your phone or a physical security key for an extra layer of safety.

Review User Permissions

One of the many benefits of WordPress is that you can invite other users to work on a website with you. WordPress includes different levels of access depending on what permissions you need a person to have, from a Contributor (who can write posts) to an Admin (who has full access to everything). 

When adding users, only grant them the highest level of permission that they need. It’s also good practice to regularly review your site’s users and remove any who no longer need access to the site.

Review Plugins Regularly

Your website’s plugins and themes will require regular updates to prevent security breaches and protect your site, its contents, and its visitors. You can enable automatic plugin and theme updates on WordPress.com.

The more themes and plugins you have installed on your site, the more opportunities there are for a hacker to take advantage of them. Delete plugins and themes that are no longer required for your site, which has the added bonus of also improving your site’s performance.

Understand Backups

If your site has a WordPress.com Business or Commerce plan, Jetpack VaultPress Backup automatically backs up your site once per day, so you don’t need to worry about manually backing up your site or installing extra plugins to make sure you have backups of your site.

To view the scanning history of your site, navigate to Jetpack → Activity Log in your dashboard.

That said, if your site has been affected by malware, you should not manually restore a backup version of your site, since doing so risks re-introducing the malware onto your site.

Keep Your Email Address Up-to-Date

We have dedicated teams that actively monitor your site scans and help resolve them. These resolutions include removing malicious code, removing dangerous plugins or themes, and, where possible, replacing compromised plugins with a safe version. We also attempt to mitigate major security issues with popular third-party plugins and themes so that known exploits cannot be used even if the software has not been updated.

If we detect malware on your website, we act quickly to remove the affected files or directories. This may result in changes to the appearance or functionality of your site, so we will notify you via email if this happens.

For this reason, it’s important to keep your WordPress.com email address up-to-date. If you need to change it for any reason, you can follow these instructions.

If a malware threat comes from a third-party plugin or theme on your site, we recommend reporting the issue to that plugin or theme’s developer who can provide an updated version that does not contain malicious code.

If Your Site Is Hacked

If you discover your website has been hacked, take the following steps to resolve the issue:

  1. Check your site’s Activity Log on WordPress.com to see who logged in, what they changed, and when the changes occurred.
  2. Check Jetpack Scan for malware or other evidence of a hack.
  3. Check your Site Monitoring logs for specific HTTP requests to endpoints in plugins or to identify a timeline of when the malware was introduced.
  4. Contact support so our team can help resolve the issue. Provide as much information as possible to streamline the conversation and support.
  5. Update your plugins and themes to secure any vulnerabilities that the hacker could have taken advantage of.
  6. Reset your account password and your local wp-admin password at wp-admin/users.php, and instruct all other users to do the same.
  7. Enable two-factor authentication for WordPress.com and Jetpack.
  8. Reset your SFTP/SSH password.
  9. Resubmit your site to Google via the Google Search Console if it was blacklisted. 
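Step 3 above asks you to look through your site's request logs for hits on plugin endpoints and to build a timeline of when malware arrived. The following is an added example of that triage, not code from WordPress.com or Jetpack: it assumes the logs are in the common "combined" web-server format and scans constructed sample lines for two patterns worth a closer look, PHP files requested directly inside plugin or theme directories, and any PHP file under the uploads directory (which should only ever hold media).

```python
import re
from datetime import datetime

# Constructed sample lines in Apache/Nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Aug/2024:10:02:11 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Aug/2024:10:02:13 +0000] "GET /wp-content/themes/twentytwentyfour/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2024:10:15:42 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 210 "-" "python-requests/2.31"
198.51.100.7 - - [05/Aug/2024:10:15:50 +0000] "POST /wp-content/uploads/2024/08/cache.php HTTP/1.1" 200 64 "-" "python-requests/2.31"
192.0.2.22 - - [05/Aug/2024:10:20:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Assumed log layout (combined format): ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# A PHP file executed directly inside a plugin or theme directory (bypassing WordPress routing).
PLUGIN_PHP = re.compile(r"^/wp-content/(plugins|themes)/[^?]+\.php(?:\?|$)")
# Any PHP file under uploads: that directory should hold media, never executable code.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/[^?]+\.php(?:\?|$)")

def suspicious_requests(log_text):
    """Return a time-ordered list of requests that hit plugin/theme PHP files
    directly or any PHP file under wp-content/uploads, each tagged with a reason."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m.group("path")
        if UPLOADS_PHP.match(path):
            reason = "php-in-uploads"
        elif PLUGIN_PHP.match(path):
            reason = "direct-plugin-php"
        else:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"time": ts, "ip": m.group("ip"), "method": m.group("method"),
                     "path": path, "status": int(m.group("status")), "reason": reason})
    hits.sort(key=lambda h: h["time"])
    return hits

def first_seen(hits):
    """Earliest suspicious request: the starting point of the compromise timeline."""
    return hits[0]["time"] if hits else None

if __name__ == "__main__":
    for h in suspicious_requests(SAMPLE_LOG):
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], h["reason"])
```

A request to a PHP file under uploads is the stronger signal, since WordPress never serves code from there; the earliest such hit, together with the Activity Log entries around the same time, gives you the window to report to support.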

By leveraging WordPress.com’s powerful security features, you can confidently protect your website from a wide range of threats. Stay proactive by following best practices and utilizing the tools provided, ensuring a secure and seamless experience for both you and your visitors.

Last updated: August 05, 2024