Top 3 WordPress Plugins for HIPAA Security
By Gil Vidals, , HIPAA Blog, HIPAA Hosting, HIPAA WordPress, Resources, Security

As a healthcare professional, you’ve worked hard to set up your practice; it wasn’t easy, but the pieces are in place and you’re helping patients. You’ve even got a great-looking website – congratulations!  

Still, the news about costly healthcare data breaches keeps coming: Banner Health, settling a HIPAA violation case for $1.25 million; New England Dermatology, a $300,640 penalty for HIPAA privacy violations.

If it happens to you – and it just might – you could be sunk. Worst of all, your patients could suffer from lack of care.  

Hopefully, you’ve already considered these things. And yet…. 

Maybe when your site first launched you assumed it didn’t fit the criteria for needing HIPAA Security Rule protections. You thought to yourself, “Our website isn’t the primary portal for our patient data; we rely much more on paper forms in the office.” 

But stop and consider: if any section of your site receives patient identifiers (from names to addresses, to medical record numbers or even IP addresses) – either through a patient intake form or web portal – then you absolutely need to protect your patient’s privacy.

But Isn’t Added Security Expensive?

We get it – you may be seeing dollar signs right now. If times have been tight, it’s tempting to cut corners. But since cybersecurity is now a key patient safety issue according to the AMA, cutting corners could be hurting patients.

But here’s the good news: effective security needn’t cost you an arm and a leg. 

Your WordPress website (which by the way, wasn’t HIPAA-secure “out-of-the-box” when you started) can definitely benefit from added layers of security.

How do you do it? One of the easiest ways is through the use of cost-efficient plugins. (We’ve also got a great, inexpensive solution for your critical hosting issue as well, but we’ll get to that later):

In case you weren’t aware, a WordPress plugin is essentially a piece of PHP (open-source scripting) software that’s easy to download and install – no coding expertise is required. 

However, there are over 60,000 plugins that are currently available from the WordPress Plugin Directory, so you want to be sure the plugins you’ve selected are highly rated, well-reviewed, and are the most up-to-date version (having the latest security fixes).

This is vital because plugins themselves can be a doorway to vulnerabilities. In other words, an out-of-date or poorly tested plugin won’t be truly secure and will provide an opening for malicious actors to get to your site. 

And remember, hackers don’t care a bit if they hack a bunch of small practices, or one large one. They’ll still demand a ransom. (And if you thought money was tight before, wait until you get that request, or a huge HIPAA fine or lawsuit for not having adequate protections). 

So with all this in mind, let’s look at 3 excellent and cost-efficient plugins for improving your site security:

1. WP 2FA – “Two Factor Authentication”

With over 40,000+ installations and excellent reviews, WP 2FA is an excellent choice for adding an additional layer of security to your sign-on process. 

Why this matters:

Standard WordPress logins utilize a single sign-on (called “single-factor”) that requires a typical username/password combination.

The downside of this, of course, is if anyone were to steal these credentials, they’d have full access to your site to steal sensitive protected health information (PHI), install malware, or completely take your site offline. It’s always wise, therefore, to avoid this single-point-of-failure situation, for the following reasons:   

  • Studies have shown that multi-factor authentication is “effective at blocking 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks,” as reported in the HIPAA Journal.
  • Compliance with HIPAA – Since HIPAA requires policies and procedures for authorizing secure access to ePHI, it makes sense to avoid a single point of failure. The Department of Health and Human Services knew this when they began recommending the use of 2FA almost fifteen years ago.
  • Patient Safety – According to the American Medical Association, cybersecurity is now understood as a critical patient safety issue. Insecure systems can lead to exploitation of your patients, fines for HIPAA violations, potential lawsuits and legal proceedings, reputation loss, and business loss… need we go on? Strengthen your security posture now with an integration-friendly solution that will help preserve the well-being of your patients and practice.
  • Remote access to systems is on the rise, spurred by a pandemic and the rise of connected devices. Since stolen identities account for the majority of data loss occurrences, insist that your remote workers use it; in fact, as a recent Data Breach Report suggests, “2FA everything you can.” Smartphones can easily be used for authentication through readily available apps through Authy, Google, and others.

A Two-Factor Authentication (2FA) plug-in like WP 2FA provides an extra layer of security in the sign-on process by requiring an additional one-time passcode (OTP) to be entered. This code is time sensitive (it disappears or changes after about 30 seconds) and can conveniently be delivered to your smartphone by SMS or email. In this way, even if someone did acquire your password, they could not gain access to your site without the OT. 

Note: It’s important to stress here that 2FA does not do away with the need for strong passwords. Strong passwords should always be insisted upon, as phishing schemes have even allowed attackers to intercept SMS messages. (The use of a password manager can help make the use of strong, complex passwords more feasible).

WP 2FA is easy to install and can be done through a front-end page on your website, so you won’t even need to access the WordPress dashboard. WP 2FA is also compatible with most other 3rd-party plugins, and you can “white label” it to keep it consistent with your brand’s look and feel. Prices start at $29/yr. for the basic Starter plugin, and range up to $99/yr. for the Enterprise version.   

2. iThemes Security 

With over 1 million+ active installations, the iThemes Security plugin offers real-time, round-the-clock WordPress security to monitor any security-related event on your site. A dynamic dashboard shows you important security activity at a glance, including brute force attacks, banned users, active lockouts, site scan results, and more (with the Pro version).

Why this matters:

  • Just as forcing open a poorly-constructed door with a cheap lock on it is easily accomplished, so too, a single point of failure with a poor password will allow your site to be easily broken into, or “brute-forced” open. This is a common attack hackers use, accomplished by repeatedly querying possible passwords via an automated system that will quickly generate character combinations. iThemes Security automatically identifies and stops common methods of attack on WordPress sites, along with others. 
  • iThemes Security hides your login page (wp-login.php, wp-admin, admin, and login) to make it more difficult to find by automated attacks. 
  • iThemes Security bans unauthorized users, permanently blocking repeat offenders from accessing your site.
  • Network Brute Force Protection – The iThemes Security community and is over a million websites strong; if anyone tries to break into a website in the community, iThemes Security will block them across the network.

HIPAA regulations require covered entities to have sound procedures for password creation, changes, and safeguards. Strong passwords, along with the added layers of security provided by iThemes Security, will make a big difference!

3. HIPAA Gauge

While it may be a relatively new plugin, the HIPAA Gauge plugin from HIPAA Vault is an excellent addition to your WordPress security. HIPAA Gauge will scan your site, then show you a dashboard with four gauges that reveal actual vulnerabilities impacting the key facets of your WordPress site. These include the WordPress core, plugins, themes, and web server configuration.

Why this matters:

  • A third of all WordPress sites are at least two versions behind.

WordPress includes some security updates with each new version release, yet many WordPress users fail to keep their sites updated in order to enjoy these protections. Risks to protected health data passing through these sites are therefore greatly increased.   

  • Weak plugins may be selected by users, opening a doorway for bad actors. 

We’ve noted how adding new plugins will enable significant changes to your system, including greater functionality; however, it’s critical to know that certain plugins will actually alter your database, as well as introduce vulnerabilities. It’s therefore vital to monitor all plugin changes and ensure you’re using the latest, compatible versions.  

HIPAA Gauge reports vulnerabilities of plugins, themes, and the web server where the site is hosted. Each gauge consists of a red, yellow, and green zone, providing an immediate visual indicator and percent score of your website’s security health. 

(A premium version of the plugin is also available with an upgrade, for a more detailed report of specific vulnerabilities. Vulnerabilities may impact the website’s adherence to HIPAA compliance guidelines).

While HIPAA Gauge isn’t intended to prove HIPAA compliance of your site, it is an excellent tool for diagnosing the need for security measures that can help you achieve it. 

A Proven, HIPAA-Compliant Host

As discussed earlier, a website that meets the standards of the HIPAA Security Rule is vital. But a critical part of that is using a proven HIPAA-compliant host. That’s because they will be the primary keepers of your environment, data transfer, and storage. 

You need a provider that will ensure a HIPAA-compliant infrastructure with layers of security, including encryption, access and audit controls, regular monitoring and security scans, backups in case of disaster, and logging (a HIPAA regulation). 

HIPAA Vault provides all this, plus a Business Associate Agreement (BAA), a HIPAA Compliance logo for display on your website, and 24/7 live, technical support – all at one low-cost monthly fee.  

And, if managing the security configurations and monitoring of your website aren’t things you want to be worrying about (and what practitioner does?), HIPAA Vault offers a fully managed, HIPAA-compliant publishing platform called HIPAA WordPress, designed to handle all this for you. 

Even if you already have a WordPress site running, we’ll transfer your existing web content to a new, secure site, along with up to 2 databases, and if desired, you can choose from any of our customizable healthcare templates. 

We ensure the most up-to-date security plugins (such as those discussed above), as well as the expertise to stay on top of it all – 24/7/365 – you can concentrate on your business.  

If we can answer any of your questions about HIPAA-Compliant WordPress, don’t hesitate to give us a call at (760) 615-0474 or chat with us online at 

HIPAA Vault is a leading provider of HIPAA-compliant solutions like HIPAA WordPress, enabling healthcare providers, enterprise business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. For more information, please visit our website at

Avatar photo

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate, subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on Linkedin.