March 13th, 2017

WordPress Security Overview: Can WordPress be HIPAA-compliant?

For a deep dive, see our white paper: Securing WordPress

WordPress is a content management system that dominates the internet, powering more than 24% of the web. Although it has many great features that make it quick and easy to set up, the complications associated with HIPAA standards can make it difficult to achieve compliance. WordPress has recovered from a checkered past as far as security is concerned, but it is still a third party tool which is not specifically designed to conform to HIPAA standards.

WordPress Security

A Brief History of WordPress Security Issues

Although WordPress has been around since 2003, its security issues came to the forefront in 2007. In January, many SEO blogs, as well as those using AdSense, were attacked using an exploit. The breadth of the security issues was revealed in May, when a survey by BlogSecurity found that 98% of WordPress blogs were exploitable. This was mainly because they were running outdated versions of WordPress. WordPress released a series of updates in an attempt to address the various security issues, including a ‘one click’ updating process.

In 2011, the TimThumb vulnerability was exposed. The image resizing tool allowed attackers to execute arbitrary PHP code on sites. A patch was soon released; however, other TimThumb attacks continued until 2014.

Despite the ‘one click’ update feature, a 2013 study by Enable Security showed that 73.2% of websites were still using outdated versions of the software, leading to vulnerabilities. Further research found that many popular plugins were vulnerable due to SQL injection errors.

In 2015, an XSS vulnerability was found which affected a wide variety of commonly used plugins, such as Gravity Forms, Jetpack and Yoast. The vulnerabilities allowed hackers to perform Blind SQL injections; however, the issue was quickly addressed in updates.

At the start of this year (2017), a vulnerability was discovered in the WordPress REST API. It let unauthenticated users modify pages on websites running WordPress 4.7 or above. The issue was fixed by WordPress within a week.

Current WordPress Security Issues

While WordPress had a rocky start regarding security, things have improved dramatically. The organization’s development team is active in looking for vulnerabilities and has a strong track record for fixing issues as soon as they are discovered. As long as a site is using the current version, WordPress itself is relatively secure.

Despite WordPress’s security, its ubiquitous nature makes it a huge target for attackers. WordPress has a 58.8% market share of CMS software, so hackers are constantly scanning for WordPress installations that have exploitable flaws and searching for new ones. When issues are found, attackers can quickly take advantage of them.

The Dangers of WordPress Plugins

WP White Security’s August 2016 Roundup showed that there were only 2 WordPress core vulnerabilities and one premium theme vulnerability; however, there were a massive 34 plugin vulnerabilities. This indicates that plugins tend to be the least secure part of a WordPress site.

Plugins are developed by third parties, many of whom have lower security and development standards than WordPress itself. Plugins also tend to complicate the WordPress environment, which can lead to further security issues.

Brute Force Attacks

Brute force attacks are among the most common attacks that WordPress sites face. WordPress doesn’t automatically limit login attempts, so attackers can use bots to try to guess a site’s administrative username and password via trial and error. If the site uses a weak password, the hacker can easily infiltrate it and access data. Check out our article on how to form strong passwords to prevent brute force attacks, and also use two-factor authentication for administrators.
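Because WordPress does not limit login attempts on its own, a site can add a limit through WordPress's login hooks. The following is an added example, not code from the original article; the `example_` function names, the threshold of 5 failures and the 15-minute window are assumptions chosen for illustration.

```php
// Added example: lock out an address after repeated failed logins.
// Place in a small site-specific plugin. Threshold and window are assumed values.
const EXAMPLE_MAX_FAILURES    = 5;   // failed attempts allowed per window
const EXAMPLE_LOCKOUT_SECONDS = 900; // 15 minutes

// Build the transient name used to count failures for the connecting address.
function example_login_throttle_key() {
    // REMOTE_ADDR is the direct peer; behind a reverse proxy this is the
    // proxy's address, so derive the client address from your proxy setup.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip ); // md5 only shortens the key
}

// Count every failed login. Each failure also restarts the window, so a
// bot that keeps guessing stays locked out.
function example_count_failed_login( $username ) {
    $key      = example_login_throttle_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, EXAMPLE_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'example_count_failed_login' );

// Runs after WordPress's own credential checks (priority 20), so returning
// an error here rejects the login even when the guessed password is right.
function example_block_throttled_login( $user, $username, $password ) {
    $failures = (int) get_transient( example_login_throttle_key() );
    if ( $failures >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'example_too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_throttled_login', 99, 3 );

// A successful login clears the counter for that address.
function example_reset_failures_on_login( $user_login, $user ) {
    delete_transient( example_login_throttle_key() );
}
add_action( 'wp_login', 'example_reset_failures_on_login', 10, 2 );
```

The counter lives in transients, which are not atomic and can be evicted by an object cache, so treat this as a brake on guessing rather than a strict limit.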

Denial of Service (DoS) Attacks

DoS attacks are used by hackers to slow down or crash a target site. They send huge amounts of traffic to a site in order to disrupt the host’s services. One of the most common types is the Distributed Denial of Service (DDoS) attack, which uses thousands of IP addresses to flood the target site with traffic. Malicious queries are common on WordPress sites and they can cost companies significant amounts of money in lost business. Secure your site against DoS attacks by making sure you use the latest version of WordPress and that you have strong login credentials.

It is also common for scripts scanning for administrative passwords to take a site offline. This is because the WordPress authentication process is slow and expensive. If many requests are made at once, they can use up all of the available resources on your server, rendering your web site inaccessible.

The Most Common WordPress Vulnerabilities

When vulnerabilities are exploited, they can do immense damage to a website and the business it represents. This is especially true for healthcare organizations that hold valuable medical data. Not only are they a bigger target for hackers, but the potential consequences of a breach can be much greater. Attackers often seek to steal healthcare data, which they use to either blackmail the victim, or sell to the highest bidder on the darknet. This can cost a company millions of dollars in extortion payments or in cleaning up the mess if patient data is released.

Other common attacks include setting up phishing pages that are hosted on your site, sending spam, and hosting malware on your site. These can seriously damage a company’s and a web site’s reputation. The key security issues that need to be looked out for are:

File Inclusion Exploits

Vulnerable code can be leveraged by attackers to load remote files that give them unauthorized access. File inclusion exploits rely on vulnerabilities in a site’s PHP code. They allow hackers to access the wp-config.php file, which is critical in WordPress installations.

SQL Injections

SQL injections are another popular way for hackers to access WordPress databases. Attackers can create new admin accounts which they can then use to access, alter, or delete data.

XSS Attacks

WordPress plugins are commonly susceptible to cross-site scripting (XSS) attacks. Attackers get victims to load pages with insecure JavaScript. These scripts are then used to steal data from the user’s browser, such as any information they have input into forms. They can also be used to steal user login credentials.


WordPress is also vulnerable to several different kinds of malware. The most common include drive-by downloads, pharma hacks, malicious redirects, and backdoors. If there are underlying vulnerabilities on your server, an attacker can also install malware on it.

Is WordPress a Suitable CMS For HIPAA?

Using WordPress is a great way to get your site up-and-running quickly, but there are many caveats that need to be carefully attended to if you want it to be HIPAA-compliant. When using any third-party software, you should be aware of the associated risks that are out of your control. Vulnerabilities in WordPress can interrupt your site’s compliance with HIPAA, or even lead to a breach. Even if WordPress is at fault, the responsibility for any security issues still falls on the site owners.

WordPress may seem simple to set up and operate; however, ensuring that it is both secure and compliant can be much more difficult. Due to the strict nature of HIPAA, it is generally recommended that you use a professional WordPress developer who has experience in HIPAA compliance. It is important that WordPress and all of the plugins are always using the latest versions to make sure that any recently discovered vulnerabilities have been patched. Plugins also need to be vetted to make sure that they are secure and trustworthy.

While WordPress can be compliant with HIPAA, it is worth considering having a custom site developed. This can give an organization more control over their software, which can be tailored directly towards HIPAA-compliant security.

How to Secure WordPress

The following steps are crucial for keeping your WordPress site secure:

1. Stay Updated

Many of the security issues surrounding WordPress have been caused by sites using outdated versions of the software. Thankfully, the WordPress team responds to vulnerabilities quickly and will often have a patch within a few days of the discovery. Security patches are normally configured to update automatically and it is advised not to disable this feature. Major releases can also be configured to update automatically. 

As plugins are more likely to have critical security issues, it is important to have them updated regularly as well. You can do this manually, or you can add code to your theme’s functions.php file to automatically update plugins from trusted developers.
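One way to write the automatic-update code mentioned above uses WordPress's `auto_update_plugin` filter with an allowlist. This is an added example, not code from the original article; the function name and the two plugin slugs are hypothetical placeholders to be replaced with plugins you have vetted.

```php
// Added example: auto-update only plugins on a vetted allowlist.
// Goes in the theme's functions.php (after its opening PHP tag).
// The slugs below are placeholders, not real recommendations.
const EXAMPLE_TRUSTED_PLUGIN_SLUGS = array(
    'example-vetted-plugin',
    'another-vetted-plugin',
);

/**
 * Decide whether a plugin may be updated automatically.
 *
 * @param bool|null $update WordPress's current decision for this plugin.
 * @param object    $item   The update offer; $item->slug is the plugin slug.
 * @return bool|null
 */
function example_auto_update_trusted_plugins( $update, $item ) {
    if ( isset( $item->slug )
        && in_array( $item->slug, EXAMPLE_TRUSTED_PLUGIN_SLUGS, true ) ) {
        return true; // vetted plugin: install updates as they are released
    }
    // Everything else keeps its existing setting, so unvetted plugins are
    // not silently switched to automatic updates.
    return $update;
}
add_filter( 'auto_update_plugin', 'example_auto_update_trusted_plugins', 10, 2 );
```

Code in functions.php stops running if the active theme is changed, so re-check that the filter is still in place after any theme switch.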

2. Only Use Plugins You Can Trust

To keep compliant with HIPAA, companies need to ensure that they are only using plugins from trustworthy sources. These need to be vetted so that they aren’t exposing your site to greater risks.

3. Install Security Plugins

Security plugins can be used to monitor and log actions on your website. They can also be used for malware scanning, file change detection, strong password enforcement, and more. iThemes Security is an excellent option that was developed by WordPress security experts. A security plugin by itself isn’t enough: the site administrator also needs to learn how to configure and use it effectively in order to monitor and prevent threats.

4. Use Two Factor Authentication For Admin Accounts

As mentioned above, many passwords can be brute forced with relative simplicity. Two factor authentication adds another step in an attempt to thwart attackers. The most common method is to send a code to the admin’s phone. This makes it significantly more difficult for a hacker to gain access. See Duo Two-Factor.

5. Be Careful When Storing Personal Identifiable Information (PHI)

Unless a WordPress expert is structuring your site, it is best to avoid keeping this sensitive data in the WordPress database. Slight errors can make the data vulnerable, so it is often best to store it elsewhere. If you decide to use the WordPress database, it is important to have backups, encrypt the databases, and to have clear access controls and audit controls for access to this data. A thorough audit will also be necessary to ensure that you are HIPAA compliant.

6. Vet Your Site Users

You need to make sure that people cannot sign up on your site directly. Have your HIPAA administrators vet every user before they are granted access.

7. Go Dedicated

When using a web server that will store and/or transmit, you really need to have a dedicated server. You cannot use a service where your server or service is shared with other organizations — there is too much risk to your data.

8. More ….

There are many more things to consider when setting up a HIPAA-compliant web site of any kind. For more reading, see:

7 steps to make your web site HIPAA-secure

HIPAA-compliant web site basics

Using as a Host

While can be used as a host, it is also quite limiting. It takes care of the updates and also vets the plugins, however it is not set up for HIPAA compliance. The number of plugins and themes that can be used is also greatly restricted, making it difficult for companies to customize their site. Many businesses, such as LuxSci, are dedicated to HIPAA compliance; this makes them better hosting options for websites that need to meet the HIPAA standards.

Is WordPress the Right Choice For Your HIPAA Needs?

As third-party software, WordPress comes with its own risks that need to be considered before its adoption. The numerous hurdles associated with HIPAA can make it exceptionally challenging to configure WordPress in a secure and compliant way. Many companies choose to develop a custom site instead, so they can have everything exactly how they need it to be.  See also: WordPress and ePHI: is that a good idea?

Even if you decide that WordPress isn’t the right service for keeping your website HIPAA-compliant, that doesn’t mean that it can’t be a useful tool for your business. Here at LuxSci, we find that WordPress is great for our informational Blog and for maintaining a system status page in a different data center. Our status page is hosted by so that if any issue were to affect our own services, it is unlikely to also affect This gives us a status page that works even in the worst-case scenario.
