Atlantic.Net Blog

Best Practice for Creating a HIPAA-Compliant WordPress Site

Richard Bailey
by Atlantic.Net, under HIPAA Compliant WordPress Hosting

WordPress is a widely used website creation application powering about 38% of all websites on the Internet today. WordPress achieved mainstream popularity because of its ease of use, allowing almost anyone to create detailed and professional-looking websites with a few clicks.

WordPress is particularly popular with small-to-medium size businesses, web developers, graphic designers, and personal blogs. However, it is also used by big companies, such as BBC America, Sony Music, and Microsoft News.

Did you know?

On the Atlantic.Net Cloud Platform, you can auto-deploy a WordPress client-server in seconds. Our secure, defined one-click WordPress application uses Ubuntu 20.04 with PHP, MySQL, Apache, WordPress, and Postfix included as standard.

WordPress sites that include Protected Health Information (PHI), as with any website handling PHI, must adhere to the administrative, physical, and technical safeguards of HIPAA to ensure the confidentiality of data uploaded or made available through the website.

HIPAA-Compliant Design Rules for WordPress

The following three-step HIPAA-compliant framework facilitates the development of a WordPress site that can handle PHI:

  • HIPAA compliance built into the website design process
  • Server hardening to meet the technical requirements of HIPAA
  • HIPAA-compliant WordPress hosting

Did you know?

HIPAA rules are applicable regardless of whether the WordPress site is being used in-house or connected to the public Internet.

Website Design

HIPAA compliance must drive the website design plan; the design must meet HIPAA’s minimum security and privacy standards to ensure the confidentiality, integrity, and availability of PHI.

  • Access controls to prevent unauthorized access to PHI
  • Access controls to the WordPress administration control panel

Need help? 

Check out the “Advanced Access Manager” plugin by Vasyl Martyniuk.

  • Audit controls to log all access to the site 
  • Audit controls to log any activity on the site that involves ePHI

Need help? 

Check out the “WP Activity Log” plugin by WP White Security.

  • Integrity controls to prevent PHI from being altered by unauthorized users
  • Transmission security controls to protect PHI uploads (encrypted in transit) 
  • Encrypt the webserver data

Server Hardening

Here are some practical ways to protect your WordPress server from common vulnerabilities and threats:

  • Update WordPress and PHP regularly
  • Update the operating system monthly
  • Only use very strong passwords and never reuse passwords
  • Only use encrypted SFTP to transfer files to and from the webserver
  • Update file permissions so that no user can modify files
  • Ensure no system services or applications run as the root user

Did you know?

Only the .htaccess file should have root permissions.

  • Restrict database user privileges and set IP restrictions to access the DB
  • Secure WP-Admin with multi-factor authentication (MFA)

Need Help?

Here are two great MFA plugins: “Duo Two-Factor Authentication” and “Google Authenticator.”
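
A read-only audit for the file-permission items in the hardening list above, as an added example (not code from the article or from Atlantic.Net). The web server account name (`www-data`), the finding labels, and the premise that `wp-content/uploads` is the only directory WordPress must write to are assumptions of this example.

```shell
#!/bin/sh
# Read-only permission audit of a WordPress tree (added example).
# Assumptions, not from the article: the web server account is given as $2
# (default www-data), and wp-content/uploads is the only directory that
# account needs to write to. Finding labels are made up for this script.

audit_wp_perms() {
    root=${1%/}
    web_user=${2:-www-data}

    # 1. Writable by "other": any local account can change these.
    find "$root" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'

    # 2. wp-config.php holds the database credentials; "other" should have
    #    neither read nor write access to it.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" \( -perm -0004 -o -perm -0002 \) -print |
            sed 's/^/CONFIG-EXPOSED /'
    fi

    # 3. Files the web server account owns and can write can be rewritten by
    #    a compromised plugin or PHP process. Uploads are pruned because
    #    WordPress has to write there.
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        -type f -user "$web_user" -perm -0200 -print |
        sed 's/^/WEBUSER-WRITABLE /'
}

# Number of findings of one kind: count_findings KIND ROOT [WEB_USER]
count_findings() {
    kind=$1
    shift
    audit_wp_perms "$@" | grep -c "^$kind " || true
}

# Run as: sh audit.sh /var/www/html www-data
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$@"
fi
```

An empty report means none of the three conditions was found. The script does not check `.htaccess` ownership or which account each service runs as.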

HIPAA-Compliant WordPress Hosting

A hosting company that is HIPAA compliant will provide you with an infrastructure that is built around the fundamental safeguards needed for compliance. Make sure you choose a hosting provider that can:

  • Implement physical security controls to prevent unauthorized physical access to the webserver
  • Offer a Fully Managed Firewall or Web Application Firewall (WAF)
  • Provide an encrypted VPN
  • Provide an encrypted Data Backup plan to protect PHI securely
  • Provide a Disaster Recovery solution to ensure that PHI is continuously available
  • Provide forensic level logging of all activity of the host server (this is in addition to WordPress layer logging)
  • Provide log monitoring and alerting
  • Monitor file changes using an Intrusion Prevention Service

Did you know?

Atlantic.Net offers HIPAA Compliant Hosting and HIPAA Compliant Cloud Storage services to support IT Solutions for Healthcare. 

Ready to get started with setting up a HIPAA-Compliant WordPress Site? Choose Atlantic.Net for a one-click WordPress installation that will set you well on your way to a HIPAA-Compliant WordPress Website – get started today!
