The WordPress Security Learning Center

Protecting your site from attackers is important — deepen your knowledge of WordPress security with our collection of resources for everyone using WordPress. From WordPress security fundamentals to expert developer resources, this learning center is meant for every skill level. Learn and discover best practices in our in-depth articles, videos, industry survey results, helpful graphics and more.

WordPress Security Fundamentals

Written and designed for anybody wanting to learn more about WordPress Security; Also, a great selection of back-to-the basic resources for any Wordpress Network Pro or Admin, computer sciences (Comp Sci) student and professors too.


1.1: Introduction to WordPress Security

If you are new to WordPress administration and WordPress security, this is the first article from our learning center you should read. It covers the basics of administering WordPress securely and will help you get up to speed with things like regular plugin upgrades, choosing secure passwords for your members and administrators and more. Read Full Article


1.2: How to Protect Yourself from WordPress Security Issues & Threats

This document is designed to help you understand the basics of WordPress security. In it we're hoping to give you a working knowledge of who is attacking your WordPress site, why they attack it, and how they try to get in. Read Full Article


1.3: How to Choose a WordPress Hosting Service

Choosing WordPress hosting is one of the most important decisions you will make when you create a new WordPress website. There are a wide array of WordPress hosting options to choose from. From bargain shared WordPress hosting options that cost just a few dollars per month to more costly dedicated WordPress hosting, to self hosting […] Read Full Article


1.4: How to Secure Your WordPress Working Environment

The crown jewel any hacker goes after is a workstation or mobile device. These are examples of 'endpoints' in the network when discussed among security professionals. Read Full Article


1.5: How to Harden Your WordPress Site From Attacks

This article is designed to equip you with the beginner to intermediate level knowledge necessary to administer a secure WordPress website. We're going to cover the most important items to focus on to ensure that your site and data stay secure. Read Full Article


1.6: Has my site been hacked? How to Check

Most customers that contact us for help with cleaning a hacked site have discovered their site is hacked because their browser is alerting them when they visit their own site, or their hosting provider took their site offline. This is disastrous because it means that your site has been infected long enough for the hackers to do damage. Read Full Article


1.7: Recovering Website SEO After a Hack

If your site has been hacked and you have successfully cleaned your site and closed the security hole the attacker used to gain access, you’ll need to recover any damage done to your SEO ranking and reputation. The goal with this lesson is to give you an understanding of how to recover your SEO ranking […] Read Full Article


1.8: Understanding PHP Vulnerabilities & How They Originate

Besides brute-force attacks that try to guess your password by simply using the login screen, bots that try to exploit vulnerabilities in your website PHP code are the most common form of attack targeting WordPress websites. Most of your time securing your site will be spent securing vulnerabilities in your website PHP code. Read Full Article


1.9: Understanding Zero Day Exploits & Disclosures

This document introduces two foundational security concepts that are important for all WordPress website administrators to understand. As you secure your WordPress website, you will encounter zero day vulnerabilities and how they and other non-zero day vulnerabilities are disclosed. Read Full Article

WordPress Security For Developers

Dedicated to Wordpress developers, this section helps all those who code understand the more advanced needs for programming with Wordpress security in mind. If you are an expert, you will find valuable WordPress Security best practices here.


2.1: Introduction to Writing Secure PHP Code

If you write enough code, you will accidentally write a vulnerability at some point in your career as a developer. The 2.X section of the Wordfence Learning Center is designed to help you as a beginner or advanced level developer reduce the probability that you will release a vulnerability into production. Read Full Article


2.2: How to Prevent Cross Site Scripting Attacks

Cross Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins by a significant margin. In an analysis that we did of 1599 vulnerabilities reported over a 14 month period, we found the following distribution: Read Full Article


2.3: Understanding SQL Injection Attacks

Based on our analysis of 1599 WordPress plugin vulnerabilities reported over 14 months, SQL Injection vulnerabilities are the second most common vulnerabilities found in WordPress. If you’re able to avoid writing XSS and SQL injection vulnerabilities, you will have removed the risk of writing 65% of all vulnerabilities you might ever accidentally create. It is […] Read Full Article


2.4: How to Prevent Authentication Bypass Vulnerabilities

Authentication bypass vulnerabilities are one of the less common vulnerabilities we see, but they are also one of the easiest to accidentally create as a WordPress plugin author. So we thought it would be useful to include a short lesson on common pitfalls that lead to these kinds of vulnerabilities. Beware of is_admin() There is […] Read Full Article


2.5: How to Prevent File Upload Vulnerabilities

File Upload Vulnerabilities are the third most common vulnerability type that we found in our vulnerability analysis of 1599 WordPress vulnerabilities over 14 months. The Impact of File Upload Vulnerabilities In the video demonstration below we show how a file upload vulnerability is detected by an attacker on a vulnerable website. The attacker then uses […] Read Full Article