Security

The security of your site and your personal data is always a priority. This page describes what we do to help protect your site and your personal data, along with added steps we recommend you take to do the same.

How We Protect Your Site and Your Data

Encryption, by Default

Strong encryption is critical to help ensure your privacy and security. We encrypt (serve over SSL) all WordPress.com sites, including custom domains hosted on WordPress.com. We consider strong encryption so important that we do not offer the option to disable it, which would compromise the security of your WordPress.com site. We also 301 redirect all insecure HTTP requests to the secure HTTPS version. Learn more about HTTPS and SSL for your site.

We automatically install an SSL certificate for your site. Once in a blue moon (i.e. very rarely), a user’s specific configuration for a site prevents the SSL certificate from working correctly. If there’s a problem with your SSL certificate, please contact us.

Firewalls

We run firewalls and have processes in place to alert us about unauthorized attempts to access WordPress.com accounts.

Monitoring Suspicious Activity

We continuously watch web traffic and monitor suspicious activity. We also have security measures in place to help protect against distributed denial of service (DDoS) attacks.

Security Testing

We regularly check the security of our services and look out for potential vulnerabilities. We also operate a bug bounty program via HackerOne to reward people who find bugs and help us improve the security of our services.

Data Backup and Recovery

Our systems back up your WordPress.com site data on a regular basis, so in case of an event that causes data loss (like power supply failure or a natural disaster, for example) we can recover it.

Our Security Team

We have a dedicated security team committed to protecting your data. They work directly with our product teams to address potential security risks and maintain our strong commitment to keeping your data safe.

No way of transmitting data over the Internet and no method of electronic storage is perfectly secure. We can’t guarantee absolute security of your site or account — no one can.  But keeping your site and personal data well-protected is very, very, very important to us.

How You Can Protect Your Site and Your Data

There are also a few things you can do to help protect your data (read on!).

Keep your secrets secret

The weakest link in the security of anything you do online is your password. It’s the key to your blog, your email, your social networking accounts or any other online service you use. If your password is easy to guess, your online identity is vulnerable.

All it takes is one person to guess your password and they can delete every post you ever made. They could deface your site. They could read your emails or hijack your address and impersonate you. They could ruin what you have taken time to build.

Choose a strong password

Every password you use has to be easy to remember and hard to guess. A random set of numbers and characters makes for a hard-to-guess password, but it is also hard to remember. On the other hand, you’ll probably never forget your birthdate or the name of your first pet, but these make for very bad passwords, as they are increasingly easy to guess or find out.

On WordPress.com, you can use a very long password with any combination of letters, numbers, and special characters, so the security of your password – and by extension, of your blog – is really up to you. We’ve collected some tips for creating strong passwords.

Instead of trying to keep track of dozens of passwords in your head or in unsecured text documents on your desktop, use password management software. A password manager locks all your information down behind one single master password. If you only have to remember one password, you can make it as random and as hard to guess as you want.

These are some of the password managers we use for our own passwords:

  • KeePass – Open Source, free to download and use. Available for Windows, Mac and Linux.
  • LastPass – Free service with premium option. Available for all major OSs, browsers and mobile devices.
  • 1Password – Paid download. Available for Windows, Mac and iOS, with support for all major browsers.

Log out to prevent public access to your Account

You can protect your account by logging out when you are finished working. This is especially important when you are working on a shared or public computer. If you don’t log out, someone may be able to access your account just by viewing the browser history and going back to your WordPress.com Dashboard.

To log out of your WordPress.com account, click on your Gravatar in the upper right. Then, under your Gravatar click on Log Out.

Safely share control of your site with other users

WordPress.com provides a rich multi-user platform. While each site has only one owner, you can have as many users as you want – this is ideal for group blogs with multiple authors, for magazine-style sites with an editorial workflow, or for any other large site where you want to share some of the administrative load.

However, sharing the load also means sharing the responsibilities. That’s why on WordPress.com, you can set different Roles for each user you add to your site. Roles determine a user’s access level.

The most limited role, Contributor, can only write draft posts, but can’t publish them. Users with an Author role can publish posts and upload images, but can’t touch other users’ posts. Editors can not only edit or publish any user’s posts, they can also moderate comments and manage categories and tags. Finally, the Administrator role has full control of the site – they can even delete it.

When adding users, try to find the role that best describes what you want them to do on your site. If you’re setting up an account for a user that only plans to contribute a few posts, make them a contributor. Reserve the Author and Editor roles for trusted users that have a long-term commitment to your site.

Finally, be particularly stingy with the Administrator role. When you make another user an Administrator on your site, you’re literally creating a separate set of keys for your site and handing them to someone else. Not only will they be able to take your site for a joyride, just having an extra set of keys lying around significantly increases the risk of your site being hijacked.

In fact, we suggest you avoid the Administrator role entirely. In almost all cases, the Editor role would be a better choice.

Read more about this on the support pages for Adding Users and User Roles.

Add an extra layer of security: Two Step Authentication

With Two Step Authentication, you can use any iOS, Android, BlackBerry, or SMS-capable mobile device as a unique key to your blog. After you sign up for the service, you will need to enter a specially generated one-time code whenever you try to log in to your blog. This means that even if someone gets your password, they won’t be able to log in without possessing your mobile device as well.

You can learn more about this service in the Two Step Authentication support page.