WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

  1. Cross-site scripting (XSS) via media file metadata.  Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  2. Control characters can trick redirect URL validation.  Reported by Daniel Chatfield.
  3. Unintended files can be deleted by administrators using the plugin deletion functionality.  Reported by xuliang.
  4. Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
  5. Cross-site scripting (XSS) via taxonomy term names.  Reported by Delta.
  6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.  Reported by Sipke Mellema.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.3.

Thanks to everyone who contributed to 4.7.3: Aaron D. Campbell, Adam Silverstein, Alex Concha, Andrea Fercia, Andrew Ozz, asalce, blobfolio, bonger, Boone Gorges, Boro Sitnikovski, Brady Vercher, Brandon Lavigne, Bunty, ccprog, chetansatasiya, David A. Kennedy, David Herrera, Dhanendran, Dion Hulse, Dominik Schilling (ocean90), Drivingralle, Ella Van Dorpe, Gary Pendergast, Ian Dunn, Ipstenu (Mika Epstein), James Nylen, jazbek, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Kelly Dwan, Marko Heijnen, MatheusGimenez, Mike Nelson, Mike Schroder, Muhammet Arslan, Nick Halsey, Pascal Birchler, Paul Bearne, pavelevap, Peter Wilson, Rachel Baker, reldev, Robert O’Rourke, Ryan Welcher, Sanket Parmar, Sean Hayes, Sergey Biryukov, Stephen Edgar, triplejumper12, Weston Ruter, and wpfo.

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

The Yoast SEO plugin helps you to easily optimize the text of your post. This could definitely result in higher rankings. But unfortunately, green bullets do not magically put you on top of the search results. In this post, I’ll discuss a number of possible reasons why a post doesn’t rank, even though the text has been optimized with the Yoast SEO plugin.

Too much competition

In most cases, the reason a post doesn’t rank on top is because there’s simply too much competition. If you optimize your blogpost for Justin Bieber, chances are high you won’t rank for that term.  Too many sites and blog posts have established themselves in this niche. Your site doesn’t have the authority that some other sites do have. And a large portion of the other sites in this niche are probably also capable of writing SEO-friendly texts. Green bullets won’t help you to rank high in the search results if your niche is too competitive.

Read more: ‘Should you blog about Justin Bieber’ »

If you really want to rank for those highly competitive terms, you should try a long tail keyword strategy. Blog about all the nuances and little variations around the competitive keywords. If these long tail articles start ranking, you’ll be able to rank for more competitive terms as well. Such a strategy requires long-term efforts, but in the end, it will pay off.

Learn how to set up a keyword strategy for your site in our Keyword research training »


Technical issues

If your post doesn’t show up in the search engines at all, it could be that there are technical issues that prevent your post from appearing in the search results. Of course, when set up right, Yoast SEO takes care of all technical issues, but you could be running a plugin that interferes with our plugin. And we’ve seen some themes that actually prevent Google from indexing your site.

Hacked?

Always make sure your site isn’t hacked! If a site is hacked, your older posts will decrease in ranking as well. New posts won’t rank as easily as they used to. This will all evolve rather slowly, depending on how much crap is published on your site without you knowing it. This really happens!

Keep reading: ‘WordPress Security’ »

Internal linking structure

Another reason your post doesn’t end up high in the search engines could be that other parts of your SEO strategy are not optimized. The structure of your site – the internal linking structure – is a very important aspect of an SEO strategy. Having a clear site structure leads to a better understanding of your site by Google. If your internal linking structure is poor, your chances of ranking high (even though your content might be awesome) are lower. Yoast SEO Premium can help you with your internal linking structure. If you want to improve your site structure, you should check out our site structure training.

Read on: ‘Site structure: the ultimate guide’ »

Few external links

If you just started out with your website, your content won’t instantly rank. Not even if all your bullets are green. You’ll need some links from other websites. Google has to know your website exists. In order to get backlinks, you should reach out to other websites. You’ll need to do some PR or link building. Ask them to mention your site or talk about your product and link to your site. Use social media to get the word out!

Content SEO: learn how to do keyword research, how to structure your site and how to write SEO friendly content »


Green bullets, no ranking?

There are multiple reasons that could prevent a post from ranking. If you optimized it correctly with Yoast SEO, the most common cause will definitely be that the competition in a niche is just too hard. Unfortunately, SEO is a long-term strategy. You just need to have a little patience. In the meantime, there are a lot of other aspects of your SEO (site structure, link building) you can tackle. Try to focus on all aspects of website optimization and try to be the best result. It will pay off eventually!

Read more: ‘The temptation of the green bullet’ »

There are several reasons to move your website to a new domain. Maybe you’ve gained access to a much stronger domain. Perhaps you’re changing direction or you’re rebranding. Or you’d like to start over with a new name and a new site. Assuming you have a good reason for moving your site to a new domain – other than “this name just sounds catchier” – there are some things to consider concerning security and SEO when moving your website to a new domain.

In this Ask Yoast, we’ll answer a question from Anbu Devilhunter:

“If I move to a new domain, are there any security measures I should take?”

Check out the video or read the answer below!

Optimize your site for search & social media and keep it optimized with Yoast SEO Premium »


Security measures new domain

Read this transcript to learn more about SEO and security measures when you’re moving your site to a new domain:

“Well, yes. You should make sure that you have your old domain and keep it forever, so that you can keep the redirects from that old domain to your new domain. Because otherwise, at some point, someone else is going to use that old domain and you’ll lose your redirects. So you’ll lose a lot of links pointing to your site.

Any other security measures? Well, yes, everything that you need to do to a good domain. But I’d suggest talking to our friends at Sucuri, and see what they can do for you. We run their web application firewall in front of everything we do and I would suggest you do too.

Good luck!”
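The redirect the transcript talks about, as an added example that is not part of the original post: an .htaccess placed in the web root of the old domain that sends every request, path preserved, to the same path on the new domain with a permanent (301) redirect. The domain names old-example.com and new-example.com are placeholders, and the snippet assumes Apache with mod_rewrite enabled.

```apache
# Added example, not from the Ask Yoast transcript.
# Lives in the document root of the OLD domain (old-example.com, placeholder).
RewriteEngine On

# Match the old host with or without "www.", case-insensitively.
RewriteCond %{HTTP_HOST} ^(www\.)?old-example\.com$ [NC]

# Send the request to the same path on the new domain (new-example.com, placeholder).
# R=301 marks the move as permanent so search engines transfer the links;
# the query string is carried over automatically because the target has no "?".
RewriteRule ^(.*)$ https://new-example.com/$1 [R=301,L]
```

This only keeps working for as long as the old domain stays registered, resolves to a server you control, and (for https links) still has a valid certificate, which is exactly why the answer says to keep the old domain forever. A quick check is `curl -I https://old-example.com/some/post/` and confirming the response is `301` with a `Location:` header pointing at the new domain.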

Ask Yoast

In the series Ask Yoast we answer SEO questions from followers! Need help with SEO? Let us help you out! Send your question to ask@yoast.com.

Read more: ‘WordPress Security’ »

WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016 and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was reported to PHPMailer by Dawid Golunski and Paul Buonopane.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
  6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.

Thanks to everyone who contributed to 4.7.1: Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, bonger, Boone Gorges, Chandra Patel, David Herrera, David Shanske, Dion Hulse, Dominik Schilling (ocean90), DreamOn11, Edwin Cromley, Ella van Dorpe, Gary Pendergast, James Nylen, Jeff Bowen, Jeremy Felt, Jeremy Pry, Joe McGill, John Blackbourn, Keanan Koppenhaver, Konstantin Obenland, laurelfulford, Marin Atanasov, mattyrob, monikarao, Nate Reist, Nick Halsey, Nikhil Chavan, nullvariable, Payton Swick, Peter Wilson, Presskopp, Rachel Baker, Ryan McCue, Sanket Parmar, Sebastian Pisula, sfpt, shazahm1, Stanimir Stoyanov, Steven Word, szaqal21, timph, voldemortensen, vortfu, and Weston Ruter.

WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.6.1 fixes 15 bugs from 4.6. For more information, see the release notes or consult the list of changes.

Download WordPress 4.6.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.6.1.

Thanks to everyone who contributed to 4.6.1:

Andrew Ozz, bonger, Boone Gorges, Chaos Engine, Daniel Kanchev, Dion Hulse, Drew Jaynes, Felix Arntz, Fredrik Forsmo, Gary Pendergast, geminorum, Ian Dunn, Ionut Stanciu, Jeremy Felt, Joe McGill, Marius L. J. (Clorith), Pascal Birchler, Robert D Payne, Sergey Biryukov, and Triet Minh.

Even if you try your utmost best, chances are hackers will find a way to hack your site. Following our WordPress security article, I’ll show you five things you should do right after you find your site to be hacked. Some of those things you should probably do before it even happens!

1. Understand what just happened

Your site has been hacked. There are a number of ways this can happen. It might be due to poor maintenance (more on that later), or due to bad plugins. Regardless of what the cause is, you’d better prepare yourself. Your website is on WordPress, and because of the huge user base WordPress has, hackers like WordPress as well. I think my personal website is under brute force attack a couple of times a day. Don’t even get me started on the site you are reading now. This isn’t an invitation, but please realize that hackers try to hack your website all the time. You are no exception.

Tony Perez did a webinar about how websites get hacked earlier this year:

A few things that might lead you to believe you’re suffering a hack might include:

  • Google has blacklisted your website;
  • Google search result pages show “This site may be hacked”;
  • Your host has disabled your site;
  • Customers notify you via their local AntiVirus applications;
  • Your website is not behaving correctly or generating odd errors.

There are some free tools available to help you in the process, like the SiteCheck Scanner and Unmaskparasites Security Scanner.

Knowing what happens and realizing that you are vulnerable, is half the battle. Please read our WordPress security article and monitor your website at all times. On top of that, you might want to install a web application firewall and a local application security plugin.

2. Harden WordPress

There are a lot of things you can do, but at least address the following:

  1. Generate new security keys for WordPress. These are in your wp-config.php file and you can generate these here. Copy/paste in your wp-config.php file, save the file and step 1 is done.
  2. Reset your user passwords. Somehow, the hacker managed to hack your site. In a brute force attack, the method is just to guess your username (please don’t use ‘admin’) and password. After a hack, change all passwords just to make sure. Use a unique password with a complex structure. It’s always best to use a randomly generated password instead of a human generated one. Combine upper/lowercase, use special characters and numbers. WordPress helps with that these days. Use a password manager like 1Password or LastPass to store your passwords.
  3. Reinstall the core. Post-compromise, we highly recommend you always remove and reinstall the WordPress core manually. Do not use the update/reinstall feature via your dashboard. Instead, use your favorite FTP/SFTP client and manually replace the files. Attackers like to embed their files deep in your file structures, and a very common place is within the core directories (i.e., /wp-admin/ and /wp-includes/).
  4. Reinstall your plugins. Of course, that sounds drastic. But if you want to make sure no malicious code remains on your website, do a fresh install and hope all the additions and insertions of the hack disappear. We follow strict security guidelines here at Yoast and have our software reviewed by Sucuri on a regular basis. That’s still a best-effort, by the way, but it makes sure we can immediately address any vulnerabilities. All things considered, it’s our job as a plugin developer to do our very best. Unfortunately, not all plugin developers are as strict in this as we are. So reinstalling your plugins might be a good idea.

By the way, you can also find these three immediate actions in the Sucuri Scanner plugin, as Post-Hack recommendations.


3. Keep your website up-to-date

Keeping your site up-to-date sounds like SEO advice: “Dynamic content makes your website rank better”. But please keep in mind that a healthy technical install really protects your website from hacks. Personally, I stay away from plugins without updates in the last two years. There is a reason WordPress.org tells you that. Hackers target vulnerabilities in older versions of WordPress. The version of your WordPress install is in your WordPress readme.html file (so remove that), and sometimes even right in your source code.

The bottom line is to keep both plugins and WordPress up-to-date at all times. Note that this advice goes for activated and deactivated plugins alike, as these are just as vulnerable. Make sure to update all of your software (after cleaning up your website) after a hack. This way you’ll have all the latest security updates, which makes you less vulnerable. Nevertheless, we find lots of sites running old versions of WordPress and plugins during our website reviews.

4. Restore a backup after the hack

Valentin Vesa of Sucuri pointed me to this when discussing the subject with him. Create a backup strategy. Please don’t be the guy that installed Backup to Dropbox or Backup Buddy and has never restored a backup. Make sure you can. Monitor your backups. Store your backups offsite. Plus, you have to test your backups now and then, to make sure all is right.

Solid backups make it possible to quickly restore your website after a hack. It might cost you a few updates, but at least you’ll keep your site up and running. After restoring a backup, follow up on advice number three of this list and make sure to update your WordPress install and all of your plugins.

5. Don’t try this at home

Don’t take security lightly. In most cases, it’s a trade of its own. You are probably not the most capable person to take care of it. Webmasters, web agencies, and business owners have other qualities that matter. If you hire a security company like Sucuri to take care of your website security business, you can focus on the things you are good at.

And yes, quality security services cost money. But think of all the time you are saving not having to worry, or dealing with a hack yourself. To make it even better for you, Sucuri has a nice offer for our readers:

A 25% discount if you purchase a complete security package of Website AntiVirus & Firewall (basic) and pay for a year upfront (currently $199.99 / year). This also goes for any of the higher Firewall plans as long as the payment is made for the year up front.
Use coupon code YOAST252016 at checkout and get a 25% discount :)

All the more reason to prevent your site from being hacked, instead of dealing with security after the hack is already done!

This article was written with the help of our good friends at Sucuri.
Thanks, Valentin and Tony!

Read more: ‘Regular security audits: taking our responsibility’ »

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs from 4.5, 4.5.1 and 4.5.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.5.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.3.

Thanks to everyone who contributed to 4.5.3:

Boone Gorges, Silvan Hagen, vortfu, Eric Andrew Lewis, Nikolay Bachiyski, Michael Adams, Jeremy Felt, Dominik Schilling, Weston Ruter, Dion Hulse, Rachel Baker, Alex Concha, Jennifer M. Dodd, Brandon Kraft, Gary Pendergast, Ella Iseulde Van Dorpe, Joe McGill, Pascal Birchler, Sergey Biryukov, David Herrera, and Adam Silverstein.

WordPress security has always been food for thought. Even though most of the latest updates (including WordPress 4.5.2) deal with WordPress security issues, there is still a lot that can be done to improve that security, even by the less tech-savvy of us. In this article, I’d like to enumerate a number of suggestions on how to improve security on your own WordPress website.

WordPress itself has a list on WordPress security you might want to read. Of course, some of the things in that list will be repeated in the article below. Personally, I prefer a more hands-on list with clear directions, which is why we decided to write this article.

Don’t use admin as a username

Think about this. This is perhaps the easiest baseline step for WordPress security you can take as a WordPress user. It costs you nothing, and the install makes it really easy to do. A majority of today’s attacks target your wp-admin / wp-login access points using a combination of admin and some password in what is known as Brute Force attacks. Common sense would dictate that if you remove admin you’ll also kill the attack outright.

Yes, the argument exists that the attacker can still enumerate the user ID and Name and can in some instances pull the new username. There is no denying this. Remember though, like our friends at Sucuri like to say, Security is not about risk elimination, it’s about risk reduction.

For the everyday, automated Brute Force attack, removing the default admin or administrator username will already help a lot. You’re at least making it a bit harder for the hacker to guess the username. For the sake of clarity, understand that when we say admin we are speaking specifically to the username only and not the role.

Simply create a new user in WordPress at Users > New User and make that a user with Administrator rights. After that, delete the admin user. Don’t worry about the post or pages the admin user has already created. WordPress will nicely ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to a new user, like the one you have just created.

Use a less common password

An easy thing to remember is CLU: Complex. Long. Unique.

This is where tools like 1Password and LastPass come into play, as they each have password generators. You type in the length, and it generates the password. You save the link, save the password, and move on with your day. Depending on how secure I want the password to be, I usually set the length of the password (20 characters is always right) and decide on things like the inclusion of less usual characters like # or *.

‘123456’ isn’t a password. ‘qwerty’ is like writing your security code on your bank card. ‘letmein’; seriously? Shame on you. Even ‘starwars’ made the 2015 list of 25 most used passwords. Remember, you’re never as unique as you think you are…

Add Two-Factor Authentication

Even if you’re not using ‘admin’ and are using a strong, randomly generated password, Brute Force attacks can still be a problem. To address this, things like Two-Factor Authentication are key to helping to reduce the risk of such attacks.

Oh, I know, the hassle two-factor authentication is. But for now, it’s your Fort Knox. The essence of two-factor authentication for WordPress security is exactly as implied in the name: two forms of authentication. It’s the recognized standard today for enhanced security at your access points. You are already using two-factor authentication for Gmail, PayPal, and the works (at least you should be), so why not add it to your WordPress security toolkit as well? Ipstenu (Mika Epstein) did an article on the subject you might want to read: Two Factor Authentication.

There is a plugin for that: Google Authenticator. An alternative that takes a slightly different approach for the same purpose is the Rublon Plugin.

Employ Least Privileged principles

The WordPress.org team put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to this step.

The concept of Least Privileged is simple, give permissions to:

  • those that need it,
  • when they need it and
  • only for the time they need it.

If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.

Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles and you’ll greatly reduce your security risk.

Hide wp-config.php and .htaccess

No, thou less tech-savvy WordPress website owner, that is not hard to do. It’s actually really simple, especially when you are using Yoast SEO for WordPress > Tools > File Editor to edit your .htaccess.

For better WordPress security, you’d need to add this to your .htaccess file to protect wp-config.php:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

That will prevent the file from being accessed over the web. Similar code can be used for your .htaccess file itself, by the way:

<Files .htaccess>
order allow,deny
deny from all
</Files>
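The two snippets above use the Apache 2.2 access-control syntax (`Order` / `Deny`). On an Apache 2.4 server that does not load mod_access_compat, those directives are unknown and the site answers every request with a 500 error, so the following added example (not code from the original article) writes the same protection in a form that works on both versions, and extends it to readme.html, which the post-hack article earlier on this page recommends removing because it reveals the WordPress version. It assumes .htaccess files are honoured (`AllowOverride` permits them) and that mod_authz_core is present on 2.4.

```apache
# Added example, not from the original article.
# Deny web access to wp-config.php, .htaccess and readme.html on both
# Apache 2.2 and Apache 2.4. mod_authz_core only exists on 2.4, so its
# presence selects the Require form; otherwise the 2.2 Order/Deny form is used.
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html)$">
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After saving the file, check with `curl -I https://example.com/wp-config.php` (your own site) that the response is `403 Forbidden`; a `200` means the rule is not being applied, usually because `AllowOverride` is set to `None` for that directory. Most distributions’ default httpd.conf already denies access to every `.ht*` file, so the .htaccess part of the rule is belt-and-braces rather than new protection.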

You can do it. It’s no rocket science.

Use WordPress security keys for authentication

Authentication Keys and Salts work in conjunction with each other to protect your cookies and passwords in transit between the browser and web server. These authentication keys are basically a set of random values used to improve the security (encryption) of the information in cookies. Changing them in wp-config.php is simply done by getting a new set of keys here and adding these. The keys change on every refresh of that page, so you’ll always get a fresh set.

Syed Balkhi at WPBeginner did an article on WP security keys, in case you want some more background information. The Sucuri plugin can help you with these keys as well.

Disable file editing

If a hacker gets in, the easiest way to change your files would be to go to Appearance > Editor in WordPress. To lift your WordPress security, you could disable writing of these files via that editor. Again, open wp-config.php and add this line of code:

define('DISALLOW_FILE_EDIT', true);

You’ll still be able to edit your templates via your favorite FTP application, you just won’t be able to do it via WordPress itself.

Limit login attempts

Brute force attacks target your login form. Specifically for WordPress security, the All in One WP Security & Firewall plugin has an option to simply change the default URL (/wp-admin/) for that login form.

Next to that, you could also limit the number of attempts to login from a certain IP address. There are several WordPress plugins to help you to protect your login form from IP addresses that fire a multitude of login attempts your way. We haven’t tested all, but feel free to let me know your experiences.

Be selective with XML-RPC

XML-RPC is an application programming interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful of how they implement this specific hardening tip.

While disabling XML-RPC works, it can come with a cost, which is why we don’t recommend disabling it for everything, but being more selective about how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here.

There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.
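One way to be selective without a plugin, as an added example that is not from the original article: restrict access to xmlrpc.php to an allow-list of addresses in .htaccess, so the endpoint keeps working for the services that need it and returns 403 to everyone else. It assumes Apache 2.4 syntax; the addresses 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders and must be replaced with the addresses of the services that legitimately call XML-RPC on your site.

```apache
# Added example, not from the original article. Apache 2.4 syntax.
# Only the listed sources may reach xmlrpc.php; all other clients get 403.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses (RFC 5737
# documentation ranges), standing in for e.g. a mobile publishing client
# or a remote service that needs XML-RPC.
<Files xmlrpc.php>
  <RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
  </RequireAny>
</Files>
```

If Jetpack (or any other WordPress.com-connected service) is in use, its servers must be on the list or the connection breaks; the addresses to allow come from that service’s own documentation, not from this example. Verify from an address that is not on the list with `curl -I https://example.com/xmlrpc.php` and expect `403`, and from a listed address expect the usual `405 Method Not Allowed` that xmlrpc.php returns to a GET request.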

Hosting & WordPress security

In the past years of website reviews, we have had our share of website owners stating that their hosting company couldn’t help with this, or knew jack about that. Hosting companies simply see your website differently. There is no simple rule to decide on your WordPress hosting company. But the choice of a hosting company does matter when optimizing your WordPress security.

Every article written on hosting or hosting companies seems to start by telling you that the cheapest one is probably not the best one. Most cheaper hosting plans won’t have support to help you out with a hacked site. These plans include little to secure your website, such as setting up a Website Firewall (more on the Sucuri Website Firewall later). Shared hosting, for instance, implies that your hosting server is also populated with other websites. These might have security issues of their own, which in turn might affect your own website’s security as well.

WordPress security seems to be one of the main USPs offered in specialized WordPress hosting products, like the one offered by GoDaddy. They offer backups, redundant firewalls, malware scanning and DDoS protection and automatic WordPress updates for very reasonable pricing (understatement).

Be mindful of host account

One of the biggest challenges with hosts is in their account configuration for website owners. Website owners are allowed to install and configure as many websites as they want, and this fosters “soup kitchen”-like environments.

This is challenging because, in many instances, a website is compromised via a concept known as cross-site contamination in which a neighboring site is used as the attack vector. The attacker penetrates the server, then moves laterally into neighboring sites on the server.

The best way to account for this is to create two accounts, one which you treat as a production environment – only live sites are published – and a staging one, in which you put everything else.

Stay up-to-date

Staying up-to-date is an easy statement to make, but for website owners in the day-to-day, we realize how hard this can be. Our websites are complex beings, we have 150 different things going at any given time, and sometimes it’s difficult to apply the changes quickly. A recent study shows that 56% of WordPress installations were running out of date versions of core.

Updates need to extend beyond WordPress core. The same study shows that a very large percentage of the website hacks came from out-of-date, vulnerable, versions of plugins.

This can be compounded in really complex environments in which dependencies make it so that backups can’t be achieved. This is why we personally employ Sucuri’s Firewall. This firewall virtually patches and hardens our website at the edge. It gives us the time we require to go back and apply updates in a more reasonable time frame, allowing us to test in our staging environments first, and only then push to production.

(Free) plugins & themes

Most WordPress users tend to install themes and plugins at will on their sites. Unless you’re doing this on a test server for the sole purpose of testing that theme or plugin, that makes no sense, especially not with reference to WordPress security. Most plugins and a lot of themes are free, and unless there is a solid business model to accompany these free giveaways, the developer is probably maintaining the plugin just because it’s good fun, and chances are he or she did not take the time to do proper security checks.

We teamed up with Sucuri years ago to make sure every plugin is checked for security before release, and we have an agreement with them for ongoing checks as well. If you are creating a free theme or free plugin, you might not have the resources to add solid checks like that.

How to pick the right plugin

If you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.

Let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a possible vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin. WordPress.org shows ratings, but one five-star rating won’t tell you anything, so also check the number of ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you could decide to use it too.

There is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. That doesn’t mean it’s a bad plugin; it could also mean there hasn’t been a need to update it, simply because the plugin still works. The ratings will tell you that, as will the compatibility with the current WordPress version, which is also listed on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.

Based on these ratings and compatibility, you could pick your plugins less randomly and have a larger chance of some kind of security being added.
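The criteria above (average rating, number of ratings, time since the last update, and the "Tested up to" WordPress version shown on the plugin page) can be applied as one repeatable check before a plugin goes anywhere near production. The code below is an added example, not from the article or from Sucuri. The two-year staleness cut-off comes from the text; the minimum of ten ratings and the 4.0 average are assumed thresholds you would tune to your niche, and the sample plugin records are constructed.

```python
"""Apply the article's plugin-selection criteria as a repeatable check.
Added example; thresholds other than the two-year cut-off are assumptions,
and the sample records are constructed."""
from datetime import date


def parse_version(s):
    """'4.7.3' -> (4, 7, 3)."""
    return tuple(int(p) for p in s.split("."))


def assess_plugin(plugin, today, wp_version,
                  min_ratings=10, min_avg=4.0, max_age_days=730):
    """Return (accept, reasons).

    plugin: dict with keys
        rating        average rating, 0-5
        num_ratings   how many people rated it
        last_updated  datetime.date of the last release
        tested_up_to  'Tested up to' version from the plugin page
    A single five-star review is treated as no signal at all, so the rating
    is only considered once enough people have rated the plugin.
    """
    reasons = []
    if plugin["num_ratings"] < min_ratings:
        reasons.append(f"only {plugin['num_ratings']} rating(s); too few to mean anything")
    elif plugin["rating"] < min_avg:
        reasons.append(f"average rating {plugin['rating']} is below {min_avg}")

    age_days = (today - plugin["last_updated"]).days
    if age_days > max_age_days:
        reasons.append(f"not updated for {age_days // 365} years")

    # Compare major.minor only: a plugin tested on 4.7 is fine for 4.7.3.
    if parse_version(plugin["tested_up_to"])[:2] < parse_version(wp_version)[:2]:
        reasons.append(f"only tested up to {plugin['tested_up_to']}, site runs {wp_version}")

    return (not reasons, reasons)


# Constructed sample records (not real plugins).
TODAY = date(2017, 3, 6)
GOOD = {"rating": 4.7, "num_ratings": 320,
        "last_updated": date(2017, 2, 10), "tested_up_to": "4.7"}
STALE = {"rating": 5.0, "num_ratings": 1,
         "last_updated": date(2014, 11, 1), "tested_up_to": "4.0"}

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("stale", STALE)):
        ok, why = assess_plugin(rec, TODAY, "4.7.3")
        print(name, "accept" if ok else "reject", why)
```

The stale record is rejected for all three reasons at once: a lone five-star review, no update in over two years, and a "Tested up to" two minor versions behind the site. The good record passes on every criterion.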

Contact Sucuri

I’ve already mentioned our friends at Sucuri. Daniel and Tony have done a tremendous job on our plugins and have helped on several hacked websites in the past. If you’re not familiar with these gentlemen, they are the owners and managers of Sucuri.

Sucuri is a globally recognized website security company known for their ability to clean and protect websites, bringing peace of mind to website owners, including us here at Yoast.
We’ve partnered with Sucuri because we take security very seriously; it’s not and should not be an afterthought. There is a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge, beyond the application. What Daniel and Tony have built is a product / service that lets you get back to running your business. They are our partners, the security team we lean on when we need help the most.

Failing to take the necessary precautions for your WordPress security, and to leverage the experts, can lead to malware infections, branding issues, Google blacklists and possibly huge impacts on your SEO (something dear to our hearts). Because of this, we turn to them for our needs, like they turn to us for website optimization.

Here is a webinar Sucuri put together on how websites get hacked:

A lot of the suggestions in this article can be dealt with by installing and configuring their free Sucuri Scanner plugin for WordPress or hiring them to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information, and check your site now to see if you have been infected with malware or have been blacklisted.

Yoast recommends Sucuri

If you are serious about your website, you are serious about your security. Get the complete security package of Website Security Stack now:


Closing thoughts

If you have come this far in this article, you will have no excuse not to improve the WordPress security for your website. Like adding posts and pages, checking your WordPress security should be a regular routine for every WordPress site owner.

This isn’t the full list of all the things you can do to secure your website. I am aware that one should, for instance, create regular backups. And that WordPress has a number of plugins for this as well. But backups are not part of WordPress security per se, I think these are part of having a website in general – they are administrative/maintenance tasks.

I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s on us to make it harder for the hackers!

Tony, thanks again for your input and additions to this article!

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME (Same-Origin Method Execution) vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. Thanks to the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with us to coördinate and fix these issues.

Download WordPress 4.5.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.2.

Additionally, there are multiple widely publicized vulnerabilities in the ImageMagick image processing library, which is used by a number of hosts and is supported in WordPress. For our current response to these issues, see this post on the core development blog.