WordPress Developer Ukraine, Kyiv
WordPress Secrets Management: Vault, Doppler, and Env-Based Config

Hardcoding API keys and database passwords in wp-config.php — even with restrictive file permissions — creates a single point of secret compromise: anyone with read access to the file system has all credentials. A secrets manager (HashiCorp Vault, Doppler, AWS Secrets Manager, or 1Password Secrets Automation) rotates, audits, and injects secrets at runtime, so your…
WordPress Malware Forensics: Post-Compromise Investigation and Cleanup

When a WordPress site is compromised, the immediate priority is evidence collection before cleanup — overwriting infected files without capturing artefacts destroys the forensic trail needed to understand the attack vector. A structured post-compromise workflow covers: snapshot preservation, IOC extraction, backdoor enumeration, root-cause identification, and hardened restoration.
WordPress REST API Authentication Hardening: IP Allowlisting and Rate Limiting

The WordPress REST API is enabled for all visitors by default, and while most endpoints require authentication for write operations, the discovery endpoint, user enumeration via /wp/v2/users, and any publicly registered route can leak information or become a target for brute-force and enumeration attacks. Hardening the REST API requires a layered approach: disabling public discovery,…
WordPress JWT Authentication: Stateless API Auth Without Cookies

Cookie-based authentication is unsuitable for headless frontends and mobile apps that consume the WordPress REST API from a different origin. JSON Web Tokens (JWT) provide a stateless alternative: the client exchanges credentials for a signed token, then sends it as a Bearer header on every subsequent request. The implementation below uses only core WordPress hooks…
WordPress Plugin Security Audit: Static Analysis with RIPS and Semgrep

Running automated static analysis on your WordPress plugin before release catches entire classes of vulnerabilities — SQL injection, reflected XSS, open redirects, and insecure unserialize() calls — that manual code review often misses. Two tools stand out for PHP/WordPress work: the open-source Semgrep with its WordPress rule-set, and the community-maintained PHPCS WordPress-Security sniff.
WordPress Multisite Security: Capabilities, Roles, and Audit Logging

WordPress Multisite introduces a second permission tier — the Super Admin — and network-wide settings that affect every site in the network. Securing a multisite network requires thinking about cross-site data leakage, plugin/theme control, and the larger attack surface that comes from multiple WordPress installs sharing a single codebase.
Secure File Download Handler in WordPress

Serving protected files — invoices, premium downloads, user exports — requires streaming file content through PHP rather than linking directly to a URL. A direct link bypasses all WordPress access control; a PHP download handler checks capabilities first and then streams the file with the correct headers.