The WordPress Security Learning Center

Protecting your site from attackers is important — deepen your knowledge of WordPress security with our collection of resources for everyone using WordPress. From WordPress security fundamentals to expert developer resources, this learning center is meant for every skill level. Learn and discover best practices in our in-depth articles, videos, industry survey results, helpful graphics and more.

Learning Center

WordPress Security Fundamentals

Written and designed for anybody wanting to learn more about WordPress Security; Also, a great selection of back-to-the basic resources for any Wordpress Network Pro or Admin, computer sciences (Comp Sci) student and professors too.


1.1: Introduction to WordPress Security

If you are new to WordPress administration and WordPress security, this is the first article from our learning center you should read. It covers the basics of administering WordPress securely and will help you get up to speed with things like regular plugin upgrades, choosing secure passwords for your members and administrators and more. Read Full Article


1.2: How to Protect Yourself from WordPress Security Issues & Threats

This document is designed to help you understand the basics of WordPress security. In it we're hoping to give you a working knowledge of who is attacking your WordPress site, why they attack it, and how they try to get in. Read Full Article


1.3: How to Choose a WordPress Hosting Service

Choosing WordPress hosting is one of the most important decisions you will make when you create a new WordPress website. There are a wide array of WordPress hosting options to choose from. From bargain shared WordPress hosting options that cost just a few dollars per month to more costly dedicated WordPress hosting, to self hosting… Read Full Article


1.4: How to Secure Your WordPress Working Environment

The crown jewel any hacker goes after is a workstation or mobile device. These are examples of 'endpoints' in the network when discussed among security professionals. Read Full Article


1.5: How to Harden Your WordPress Site From Attacks

This article is designed to equip you with the beginner to intermediate level knowledge necessary to administer a secure WordPress website. We're going to cover the most important items to focus on to ensure that your site and data stay secure. Read Full Article


1.6: Has my site been hacked? How to Check

Most customers that contact us for help with cleaning a hacked site have discovered their site is hacked because their browser is alerting them when they visit their own site, or their hosting provider took their site offline. This is disastrous because it means that your site has been infected long enough for the hackers to do damage. Read Full Article


1.7: Recovering Website SEO After a Hack

If your site has been hacked and you have successfully cleaned your site and closed the security hole the attacker used to gain access, you’ll need to recover any damage done to your SEO ranking and reputation. The goal with this lesson is to give you an understanding of how to recover your SEO ranking… Read Full Article


1.8: Understanding PHP Vulnerabilities & How They Originate

Besides brute-force attacks that try to guess your password by simply using the login screen, bots that try to exploit vulnerabilities in your website PHP code are the most common form of attack targeting WordPress websites. Most of your time securing your site will be spent securing vulnerabilities in your website PHP code. Read Full Article


1.9: Understanding Zero Day Exploits & Disclosures

This document introduces two foundational security concepts that are important for all WordPress website administrators to understand. As you secure your WordPress website, you will encounter zero day vulnerabilities and how they and other non-zero day vulnerabilities are disclosed. Read Full Article

WordPress Security For Developers

Dedicated to Wordpress developers, this section helps all those who code understand the more advanced needs for programming with Wordpress security in mind. If you are an expert, you will find valuable WordPress Security best practices here.


2.1: Introduction to Writing Secure PHP Code

If you write enough code, you will accidentally write a vulnerability at some point in your career as a developer. The 2.X section of the Wordfence Learning Center is designed to help you as a beginner or advanced level developer reduce the probability that you will release a vulnerability into production. Read Full Article


2.2: How to Prevent Cross Site Scripting Attacks

Cross Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins by a significant margin. In an analysis that we did of 1599 vulnerabilities reported over a 14 month period, we found the following distribution: Read Full Article


2.3: Understanding SQL Injection Attacks

Based on our analysis of 1599 WordPress plugin vulnerabilities reported over 14 months, SQL Injection vulnerabilities are the second most common vulnerabilities found in WordPress. If you’re able to avoid writing XSS and SQL injection vulnerabilities, you will have removed the risk of writing 65% of all vulnerabilities you might ever accidentally create. It is… Read Full Article


2.4: How to Prevent Authentication Bypass Vulnerabilities

Authentication bypass vulnerabilities are one of the less common vulnerabilities we see, but they are also one of the easiest to accidentally create as a WordPress plugin author. So we thought it would be useful to include a short lesson on common pitfalls that lead to these kinds of vulnerabilities. Beware of is_admin() There is… Read Full Article


2.5: How to Prevent File Upload Vulnerabilities

File Upload Vulnerabilities are the third most common vulnerability type that we found in our vulnerability analysis of 1599 WordPress vulnerabilities over 14 months. The Impact of File Upload Vulnerabilities In the video demonstration below we show how a file upload vulnerability is detected by an attacker on a vulnerable website. The attacker then uses… Read Full Article

WordPress Malware Removal


3.1: Removing Malicious Redirects From Your Site

A malicious redirect is code inserted into a website with the intent of redirecting the site visitor to another website. Malicious redirects are typically inserted into a website by attackers with the intent of generating advertising impressions. However, some malicious redirections can have more damaging effects. A malicious redirect can exploit vulnerabilities in a site visitor’s computer… Read Full Article


3.2: Finding and Removing Backdoors

A malicious backdoor is code that allows unauthorized and often unrestricted access to a compromised site. They allow attackers access to all of the files within the hosting account. Backdoors can look like normal php code or obfuscated (intentionally obscured to make code ambiguous) and hidden. A backdoor can be inserted into a valid file… Read Full Article


3.3: Removing Spam Pages From WordPress Sites

Spam pages are files added to your publicly available web site with the intent of manipulating search engine result pages. The more inbound links a site receives, the higher the placement of the target web site in the search results. Inbound links from sites with high reputation ranking are even more valuable. Sites with older… Read Full Article


3.4: Finding and Removing Spam Links

Spam links are links inserted into a website with the intent of manipulating search engine result pages. The more inbound links a site receives, the higher the placement of the target web site in the search results. Spam links are typically inserted into the database content in plain text, though they can also often be… Read Full Article


3.5: Removing Phishing Pages From WordPress Sites

Phishing is a malicious attempt to obtain sensitive information such as usernames, passwords, credit card information through a coordinated email and web-based campaign. Phishing starts with deceptive messages (emails, text messages, or other electronic communication) sent to the victim with links ending on hacked sites. The sensitive information is then collected and sent to the… Read Full Article


3.6: Removing Malicious Mailer Code From Your Site

A malicious mailer is code inserted into a website with the intent of using your site’s email functionality to send unwanted spam email messages. Malicious mailers are php scripts designed to quickly send spam. Attackers access the malicious mailer by sending the script both the email message and the target emails. As such, a malicious… Read Full Article


3.7: Finding and Removing Malicious File Uploaders

A malicious file uploader is a file or script that allows an attacker to upload additional files for the purpose of malicious usage. Malicious uploaders usually will allow any file to be uploaded to the website without any security checks, creating great risk to the website. An uploader can look like normal site code or… Read Full Article


3.8: WordPress Defacement Page Removal

A defacement page is an an attack on a website that changes the visual appearance or content of one or more pages on a web site for the purpose of political messages, vandalism, or to show off a hacker’s skills. Defacements can often be done along with more malicious intent, and can affect one or… Read Full Article


3.9: How to Remove Suspicious Code From WordPress Sites

Suspicious code is code that matches general malware practices, but may not fit into a specific category of malicious intent. Suspicious code may have nothing inherently malicious within it, however, it matches patterns of either functional usage or obfuscation (intentionally obscure to make code ambiguous) that are often malicious. Suspicious code should be examined more… Read Full Article