
Keep your site safe and secure

The security of your website and your personal data is always a priority. This page describes what we do to help protect your site and your personal information, along with added steps we recommend you take to do the same.  

How we protect your site and your data

At other WordPress hosts, the site owner is typically responsible for setting up security protection with a third-party plugin. Here at WordPress.com, we handle this on your behalf. Here are some of the built-in features and processes that are already protecting your website:

Automatic updates

WordPress core receives regular security releases. A site running an outdated version is exposed to every vulnerability fixed since that version, so we keep the WordPress version up to date automatically on all sites hosted on WordPress.com.

Free SSL certificate

Strong encryption is critical to your privacy and security. We serve all WordPress.com sites, including custom domains, over HTTPS (SSL/TLS). We consider this so important that we do not offer the option to disable it, since doing so would compromise the security of your WordPress.com site. We also 301 redirect all insecure HTTP requests to the HTTPS version of the same URL. Learn more about how we Secure Your Domain With SSL.

Daily scans

Jetpack Scan checks every WordPress.com site daily for plugins and themes with known vulnerabilities, for malware, and for other weaknesses. When a problem is found, our security team resolves it promptly, updating or reverting files as the specific issue requires.

Data backup and recovery

Our systems back up your WordPress.com website data regularly, so in case of an event that causes data loss (like a power supply failure or a natural disaster, for example), we can recover it. While all WordPress.com sites are protected, sites with higher-level plans can access daily backups via the dashboard.

Firewalls

A firewall is an essential layer of protection against hacking attempts, including distributed denial-of-service (DDoS) attacks. Our Web Application Firewall (WAF) inspects incoming HTTP requests to all WordPress.com sites and allows or blocks each one based on rules such as known-bad IP addresses, malicious bot signatures, and unusual traffic patterns.

If you are building a custom app that requires a firewall connection, the Firewall Rules page lists the allowed protocols and ports.

Downtime monitoring

Downtime Monitoring on WordPress.com continuously checks your website and alerts you as soon as downtime is detected. With 99.999% uptime on WordPress.com, outages caused by hosting, servers, security breaches, or traffic spikes are rare compared to other hosts, but the automated monitor will notify you if one does occur.

Monitoring suspicious activity

We continuously watch web traffic and monitor suspicious activity. Our security measures help protect against unwanted login attempts, brute force attacks, and distributed denial of service (DDoS) attacks.

Our security team

We have a dedicated security team committed to protecting your data. We work to eliminate malware and address potential security risks surfaced by Jetpack Scan, our security tool enabled on all WordPress.com sites.

Security testing

We operate a bug bounty program via HackerOne to reward people who find bugs and help us improve the security of our services.

Please bear in mind that if you wish to test our security measures against your own WordPress.com-hosted site, we do not allowlist IP addresses for testing. You are free to test whatever you wish, but because our systems cannot tell your testing apart from a real attack, your IP address may be temporarily blocked.


No method of transmitting data over the Internet, and no method of electronic storage, is perfectly secure. We cannot guarantee the absolute security of your site or account; no service can. Keeping your site and personal data well protected is nonetheless a top priority for us.

How you can protect your site and your data

Security works both ways. There are steps you can take to safeguard your website and WordPress.com account:

Choose a strong password

Your password is often the weakest link in the security of everything you do online. It is the key to your website, email, social networking accounts, and every other online service you use. If your password is easy to guess, your online identity is vulnerable: it takes only one person guessing it to deface your site, steal your domain, or impersonate you.

Every password you use should be hard to guess, unique to that service, and still something you can reliably retrieve. A random string of letters, numbers, and symbols is hard to guess but also hard to remember, which is why many people keep such passwords in a password manager. On the other hand, you will probably never forget your birthdate or the name of your first pet, but these make very bad passwords because they are easy to guess or to look up.

On WordPress.com, you can use a very long password with any combination of letters, numbers, and special characters, so the strength of your password, and with it the security of your website, is up to you. We've collected some tips for creating strong passwords.

Enable two-step authentication

In addition to a strong password, we recommend adding another layer of account security with two-step authentication. Two-step authentication adds an extra step to your login process: after you enter your password, you must provide a one-time code from your phone or use a physical security key. This is more secure because someone who learns your password still cannot access your account unless they also have your phone or your security key. Learn how to enable two-step authentication here.

Keep your email address up-to-date

We have dedicated teams that actively monitor your site's scan results and help resolve anything they find. If we detect malware on your website, we act quickly to remove the affected files or directories. This may change the appearance or functionality of your site, so we will notify you by email if it happens.

For this reason, it’s important to keep your WordPress.com email address up-to-date. Learn how to change your account’s email address here.

Log out of your account

You can protect your account by logging out when you are finished working. This is especially important on a shared or public computer. If you don't log out, your login session stays active in that browser, so anyone who uses the computer afterwards can open your WordPress.com dashboard (for example, from the browser history) without needing your password.

To log out of your WordPress.com account, open your profile at https://wordpress.com/me and click the Log Out button.

Choose appropriate user roles

You can invite other people to contribute to your website. This is ideal for group blogs with multiple authors, magazine-style sites with an editorial workflow, or any other large site where you want to share some of the administrative load.

However, sharing the load also means sharing the responsibilities. That’s why on WordPress.com, you can set different roles for each user you add to your site. Each role has different levels of permission:

  • Contributor: the most limited role; can write draft posts but cannot publish them.
  • Author: can publish their own posts and upload images but cannot touch other users' posts.
  • Editor: can edit or publish any user's posts, moderate comments, and manage categories and tags.
  • Administrator: has full control of the site, including the ability to delete it.

When adding users, choose the role that best suits what you want them to do on your website. If you’re setting up an account for a user who only plans to write a few posts, make them a Contributor. Reserve the Author and Editor roles for trusted users with a long-term commitment to your site.

Finally, be particularly cautious with the Administrator role. When you make another user an Administrator, you give them full access to make any changes to the website. Only add an admin that you trust, and remove them when you no longer need them to access the site.

Review site activity

The Jetpack Activity Log records events on your site, such as logins, content changes, and plugin and theme changes, so you can keep track of what changed, who changed it, and when. Review it regularly so that unexpected actions stand out.

Review plugins regularly

Your website's plugins and themes need regular updates, because security fixes for them ship only in new versions; running an old version leaves your site, its contents, and its visitors exposed to known issues. You can enable automatic plugin and theme updates on WordPress.com.

The more themes and plugins you have installed, the more code an attacker has to look for weaknesses in. Delete plugins and themes that your site no longer needs; as a bonus, this also improves your site's performance.

Avoid phishing scams

Check that an email claiming to come from WordPress.com is genuine before acting on it.

  • Emails from WordPress.com will always come from an address ending in @wordpress.com. Check the actual sender address, not just the display name, which can show any text.
  • WordPress.com emails will not come from @something.wordpress.com or @something-wordpress.com.
  • If you are ever unsure about an email you received, contact us to verify its legitimacy.

We will never ask you for your login information. Nor will we ask you to log in anywhere but through https://wordpress.com or through your own WP Admin dashboard at https://yourgroovysite.com/wp-admin/, replacing yourgroovysite.com with your actual site address.

If your site is hacked

Despite all the above security protections, there is a small chance for any website to be hacked. If you discover your website has been hacked, take the following steps to resolve the issue:

  1. Check your site's Activity Log on WordPress.com to see who logged in, what they changed, and when the changes occurred.
  2. Check Jetpack Scan for malware or other evidence of a compromise.
  3. Check your Site Monitoring logs for HTTP requests to specific plugin endpoints, and use them to build a timeline of when the malware was introduced.
  4. Update your plugins and themes to close any vulnerability the attacker could have used.
  5. Reset your WordPress.com account password and your local wp-admin password at wp-admin/users.php, instruct all other users to do the same, and remove any user accounts you don't recognise.
  6. Enable two-step authentication for your WordPress.com account.
  7. Reset your SFTP/SSH credentials.
  8. Contact support if you need help resolving the issue. Provide as much information as possible to streamline the conversation.
  9. If Google flagged your site as unsafe, request a review through Google Search Console once it is clean.
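Step 3 is the one that benefits from a little tooling. The following is an added example, not a WordPress.com tool: it assumes the exported request logs resemble the common combined access-log format (the Site Monitoring export format itself is not described on this page), and the log lines embedded in it are constructed. It flags three patterns from the steps above: bursts of POSTs to login endpoints, requests that hit plugin or theme PHP files directly, and PHP files being served out of wp-content/uploads, then orders them into a timeline so the earliest suspicious request is easy to find.

```python
"""
Build a timeline of suspicious HTTP requests from access-log lines.

Added example, not WordPress.com tooling. Assumes combined-log-format lines;
the sample log below is constructed. Three detections:
  login_burst         - many POSTs to /wp-login.php or /xmlrpc.php from one IP
  direct_plugin_file  - a successful request straight to a plugin/theme .php file
  php_in_uploads      - a .php file served from wp-content/uploads (should never happen)
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import List, NamedTuple, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

PLUGIN_PHP = re.compile(r"^/wp-content/(plugins|themes)/.+\.php$")
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.+\.php$")
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
BRUTE_FORCE_THRESHOLD = 5  # assumed threshold; tune to your site's normal traffic


class Event(NamedTuple):
    ts: datetime
    ip: str
    kind: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines) -> List[Event]:
    """Return suspicious events sorted by time (earliest first)."""
    events: List[Event] = []
    login_posts = defaultdict(list)  # ip -> timestamps of login POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the review
        path = rec["path"].split("?", 1)[0]  # drop the query string for matching
        ok = rec["status"] < 400  # 2xx/3xx: the request was actually served
        if ok and UPLOADS_PHP.match(path):
            events.append(Event(rec["ts"], rec["ip"], "php_in_uploads",
                                f"{rec['method']} {rec['path']} -> {rec['status']}"))
        elif ok and PLUGIN_PHP.match(path):
            events.append(Event(rec["ts"], rec["ip"], "direct_plugin_file",
                                f"{rec['method']} {rec['path']} -> {rec['status']}"))
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            login_posts[rec["ip"]].append(rec["ts"])
    for ip, stamps in login_posts.items():
        if len(stamps) >= BRUTE_FORCE_THRESHOLD:
            events.append(Event(min(stamps), ip, "login_burst",
                                f"{len(stamps)} POSTs to login endpoints"))
    events.sort(key=lambda e: e.ts)
    return events


def first_suspicious(events: List[Event]) -> Optional[datetime]:
    """Earliest flagged request: the start of the window to investigate."""
    return events[0].ts if events else None


# Constructed sample log: a credential-guessing burst, then a POST to a plugin
# file, then a PHP file executed from uploads; plus one malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1571 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1571 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1571 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:03:40:10 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:41:55 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 212 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:42:30 +0000] "GET /wp-content/uploads/2024/03/cache.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:00:00 +0000] "GET /wp-content/plugins/example-gallery/assets/style.css HTTP/1.1" 200 990 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
"""

if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG.splitlines()):
        print(ev.ts.isoformat(), ev.ip, ev.kind, ev.detail)
```

On the constructed sample the timeline starts with the login burst at 02:14:01 from 203.0.113.7, followed by the POST to the plugin file and then the PHP file in uploads from 198.51.100.23; the CSS request and the malformed line produce nothing. The earliest flagged time is the point from which to read the Activity Log (step 1) and to decide which plugin to update or remove (step 4).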

By leveraging WordPress.com’s powerful security features, you can confidently protect your website from a wide range of threats. Stay proactive by following best practices and utilizing the tools provided, ensuring a secure and seamless experience for both you and your visitors.

Security plugins

On other WordPress hosts, site owners typically install a security plugin to monitor the website, scan for malware, and block brute-force attacks and login attempts. Popular plugin options include Wordfence and Sucuri Security.

However, you’ll notice that the benefits these plugins provide are already built into the WordPress.com platform. WordPress.com is a managed hosting service that provides all of the key functions and features that a self-hosted site owner would typically need to figure out on their own, including security. 

For this reason, WordPress.com site owners do not need to install a security plugin and in fact, some security plugins will interfere with the built-in security processes already working on your website. Save yourself time and expense by making use of the security features explained in this guide. 

If you have any concerns about your site’s security, don’t hesitate to get in touch.
