Is WordPress HIPAA Compliant?
By Gil Vidals, HIPAA WordPress

As the most popular, off-the-shelf content management system (CMS) in the world – estimated at over 50% of the market share, translating to some 75 million websites worldwide – WordPress is clearly the website builder of choice.

Numerous medical practices and other health providers rely on the WordPress platform for its ease of use, variety of plugin themes, and online portal features.

Unfortunately, the proliferation of such a huge number of WordPress sites – drawing upon a vast repository of over 42,000 Plugins – has made WordPress a favorite target for hackers.

Is WordPress HIPAA Compliant?

So why are healthcare-related WordPress sites particularly susceptible to cyberattack? Simply because at its core, out-of-the-box WordPress software is not secure for the storage or transfer of protected health information (PHI).

A typical WordPress CMS, for example, can have unprotected portals that expose sensitive databases through a host of vulnerabilities.

Spam emails, rogue advertisements, botnet attacks, plugins from untrusted sources, and even the commandeering of WordPress servers for storing malware (often without the site owner’s knowledge) are all malicious attack vectors hackers use to breach systems and gain access to sensitive data.

In other words, a WordPress site must undergo special security configurations before it can legitimately interact with PHI – a corrective application of the HIPAA Security Rule.

In general, the HIPAA Security Rule requires appropriate administrative, physical, and technical controls to be utilized to ensure that any protected health information uploaded to a website (or made available through the site) remains confidential.

Protect Data in Storage and Transmission

Most notably, this means that if a WordPress database will be used to store sensitive PHI – including text, images, and videos – the database must be encrypted. Secure Sockets Layer (SSL) is also a must for HIPAA Compliance, as SSL establishes an encrypted session between the server and client to protect PHI data during transport.

Broadly speaking, HIPAA security controls for WordPress will necessarily address the following 3 areas: 1) Securing your Access, 2) Assigning Permissions, and 3) Providing in-depth defense.

1. Secure Access

It should go without saying (but we say it anyway) that the passwords used to access your site must be secure. Username/password combinations are still the most common target for attack, so making it easy for hackers to guess weak passwords (like ‘password123’ or ‘opensesame’) is simply asking for trouble.

Length is an especially important factor in the choice of a password, as mathematically speaking, longer passwords are more difficult to crack. Make it a habit as well to use at least one lowercase letter, one uppercase letter, one number, and one special character.

Sure, such passwords may be more difficult to remember, but here is where a password manager tool can help. It can’t be stressed enough: strong passwords will help mitigate many of the attacks you might face.
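One way to enforce these rules inside WordPress itself, as an added example that is not code from this article or from HIPAA Vault: a small must-use plugin that rejects new passwords that are too short or missing a character class. The 14-character minimum and every `example_` name are assumptions, since the article gives no number.

```php
<?php
/**
 * Plugin Name: Example password policy (added example; names are hypothetical)
 */

// Assumption: the article states no minimum length; 14 is an illustrative value.
const EXAMPLE_MIN_PASSWORD_LENGTH = 14;

/** Return the policy rules that $password breaks (empty array = acceptable). */
function example_password_violations( string $password ): array {
    $problems = array();
    if ( mb_strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $problems[] = sprintf( 'must be at least %d characters long', EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    // The four character classes the article asks for.
    $classes = array(
        'a lowercase letter'  => '/\p{Ll}/u',
        'an uppercase letter' => '/\p{Lu}/u',
        'a number'            => '/\d/',
        'a special character' => '/[^\p{L}\p{N}]/u',
    );
    foreach ( $classes as $label => $pattern ) {
        if ( ! preg_match( $pattern, $password ) ) {
            $problems[] = "must contain $label";
        }
    }
    return $problems;
}

/** Add one error per broken rule to the WP_Error object both hooks pass in. */
function example_enforce_password_policy( $errors ) {
    // WordPress core forms submit the new password in the "pass1" field.
    if ( empty( $_POST['pass1'] ) || ! is_wp_error( $errors ) ) {
        return;
    }
    $password = wp_unslash( $_POST['pass1'] );
    foreach ( example_password_violations( $password ) as $problem ) {
        $errors->add( 'example_weak_password', 'Password ' . $problem . '.' );
    }
}
// Profile edits and "lost password" resets both pass the WP_Error first.
add_action( 'user_profile_update_errors', 'example_enforce_password_policy' );
add_action( 'validate_password_reset', 'example_enforce_password_policy' );
```

With this in place, both of the weak passwords quoted above are refused on length alone.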

2. Assign Permissions

Utilize the Least Privilege Principle. Basically, this means that any plugin or user you create should be assigned permissions only for the resources it needs, and nothing else.

In this way, even if a user or plugin is compromised, it will only allow access to a limited set of resources, rather than all of your controls and data. This will help protect your system and prevent someone from gaining access to sensitive information.
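To make this concrete in WordPress terms, here is an added example (not code from this article or from HIPAA Vault) that registers a deliberately narrow role and reports accounts holding site-wide capabilities they were not approved for. The role name, the capability shortlist and the `example_` function names are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example least-privilege helpers (added example; names are hypothetical)
 */

// Capabilities that let an account change code, settings or other users site-wide.
const EXAMPLE_HIGH_RISK_CAPS = array(
    'manage_options', 'install_plugins', 'activate_plugins', 'edit_plugins',
    'edit_themes', 'edit_users', 'promote_users', 'unfiltered_html',
);

/** Register a narrow role that can log in and write its own drafts, nothing more. */
function example_register_intake_role() {
    add_role(
        'example_intake_editor',
        'Intake Editor',
        array(
            'read'       => true,
            'edit_posts' => true, // own drafts only: no publish_posts, no upload_files
        )
    );
}
add_action( 'init', 'example_register_intake_role' );

/**
 * Return [ login => [ capabilities ] ] for every account that holds a
 * high-risk capability but is not on the approved administrator list.
 */
function example_overprivileged_users( array $approved_logins ): array {
    $findings = array();
    foreach ( get_users() as $user ) {
        if ( in_array( $user->user_login, $approved_logins, true ) ) {
            continue;
        }
        $held = array();
        foreach ( EXAMPLE_HIGH_RISK_CAPS as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $held[] = $cap;
            }
        }
        if ( $held ) {
            $findings[ $user->user_login ] = $held;
        }
    }
    return $findings;
}
```

Running `example_overprivileged_users()` on a schedule and reviewing any non-empty result catches privilege creep from plugins that quietly grant capabilities.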

3. Provide In-Depth Defense

A last general precaution (though certainly not least overall) is to ensure in-depth defense, or multiple layers of security for your system. The advantage here is that each layer of security can compensate for the shortfalls of another layer. For example, a HIPAA Compliant environment will require a host database to have a dedicated IP Address separate from where the content resides.

With these items on separate IP addresses [preferably behind a network switch], it becomes far more difficult for that data to be compromised. The use of two-factor authentication to sign on to a system can also help keep a compromised username/password combination from being enough to log in, protecting both the environment and the user.


It is essential when building a CMS-based website like WordPress in a HIPAA Compliant environment to know the basics of how HIPAA security and compliance standards apply. Plugins (or add-ons) are available to enable such things as two-factor authentication. In addition, audit logs to keep track of user/system access are also required by HIPAA to be retained for future use and record-keeping.

These logs must be kept for a minimum of 6 years, so utilizing a robust storage solution is also highly recommended.
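A minimal sketch of the access audit trail described above, as an added example that is not code from this article or from HIPAA Vault: it records logins, failed logins and role changes through syslog so the records can be forwarded to storage outside the web server. The event names, the `wordpress-audit` tag and the `example_` functions are assumptions, and retention for the required period is left to the log store.

```php
<?php
/**
 * Plugin Name: Example access audit log (added example; names are hypothetical)
 */

/** Build one JSON audit record; kept separate from I/O so it can be tested. */
function example_audit_record( string $event, string $subject, array $details = array() ): string {
    // JSON encoding escapes newlines and control characters, so a crafted
    // username in a failed login cannot forge extra log lines.
    return wp_json_encode(
        array(
            'time'    => gmdate( 'c' ),
            'event'   => $event,
            'subject' => $subject,
            // Behind a reverse proxy this is the proxy's address.
            'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
            'details' => $details,
        )
    );
}

/** Send the record to the system auth log, where it can be shipped off-host. */
function example_audit_write( string $event, string $subject, array $details = array() ) {
    openlog( 'wordpress-audit', LOG_PID, LOG_AUTH );
    syslog( LOG_NOTICE, example_audit_record( $event, $subject, $details ) );
    closelog();
}

add_action( 'wp_login', function ( $user_login ) {
    example_audit_write( 'login_success', (string) $user_login );
} );

add_action( 'wp_login_failed', function ( $username ) {
    example_audit_write( 'login_failed', (string) $username );
} );

add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_audit_write(
        'role_changed',
        'user_id=' . (int) $user_id,
        array( 'new_role' => $role, 'old_roles' => $old_roles )
    );
}, 10, 3 );
```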


As mentioned, WordPress was not designed to conform to HIPAA standards, so if all this sounds complex, hosting your site with an experienced HIPAA compliant hosting company may save you a lot of headaches – and protect your PHI in the process. A managed security service provider like HIPAA Vault has the established track record and expertise to secure and maintain your site (since vulnerabilities are always evolving) so you can do what you do best: serve your customers and concentrate on growing your business.
