Security shield with dollar sign and calculator representing FTC Safeguards Rule compliance for accounting firms

BlogSecurity

Security

Is WordPress Secure for Financial Data? What Accounting Firms Need to Know

Published June 2026 · By Melvin Monterroza · 8 min read

WordPress is secure enough for an accounting firm in 2026, but only when it is actively maintained. The FTC Safeguards Rule has been in full enforcement since June 2023, and it requires accounting firms to implement specific technical controls on any system that handles client information. WordPress can satisfy every one of those controls. An unmanaged WordPress site, one running outdated plugins, no two-factor authentication, and no security monitoring, cannot.

What the FTC Safeguards Rule Means for Your Website

The FTC Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, applies to financial institutions that collect nonpublic personal information from clients. Tax preparation firms and accounting practices are explicitly included in that definition. If your WordPress site has a contact form where a prospect describes their tax situation, or a booking tool where a client schedules an appointment, you are handling NPI, and the Safeguards Rule applies to that system.

The rule was strengthened in 2021 and reached full enforcement on June 9, 2023. It now requires a written information security program with nine specific elements: a designated qualified individual overseeing security, a documented risk assessment, access controls, encryption, multi-factor authentication, a patch management program, system monitoring, service provider oversight, and a written incident response plan. Your WordPress website is a covered system under the rule, and your hosting provider, your form plugins, and your booking tool are service providers subject to vendor oversight.

A contact form on an unencrypted page, an admin account with no two-factor authentication, or a plugin you installed two years ago and never updated are each a documentable failure under a Safeguards compliance review.

The 5 WordPress Controls That Map to Safeguards Requirements

Five WordPress controls map directly to FTC Safeguards Rule requirements: HTTPS for encryption in transit, two-factor authentication on all admin accounts, scheduled plugin and core updates for patch management, a security monitoring plugin for system monitoring, and documented vetting of your hosting provider and every plugin you install.

Safeguards RequirementWordPress ControlHow to verify
Encryption in transitHTTPS / SSL certificate active on all pagesNo mixed content; all URLs load on https://
Multi-factor authenticationWP 2FA or Wordfence 2FA active for every admin accountAll accounts with Editor role or higher have 2FA enrolled
Patch management programDocumented update schedule (weekly or biweekly)Update log with dates; no plugin showing update available for more than 14 days
System monitoringWordfence or equivalent with activity logging and alert emailLogin attempt log; active alert notifications to a monitored inbox
Service provider oversightWritten record of hosting provider, active plugins, and themeInventory document listing each service provider and the review date

The multi-factor authentication requirement is the one most accounting firm websites fail. Wordfence’s free tier includes 2FA for all user accounts. The WP 2FA plugin (free, by Melapress) also handles this and supports TOTP authenticator apps. Enabling 2FA on every account with admin or editor access takes about ten minutes and satisfies one of the rule’s most explicit requirements.

What Your WordPress Site Should Never Store

WordPress is the public face of your firm. It is not the right place for client financial data. The Safeguards Rule requires encrypting NPI at rest and in transit, and while your web hosting provider can encrypt the database at the storage level, a WordPress MySQL database is not the right architecture for documents that carry legal protection requirements.

  • What belongs in WordPress: contact form submissions with names, emails, and appointment requests.
  • What does not belong in WordPress: tax returns, financial statements, signed engagement letters with sensitive terms, uploaded client documents of any kind, and anything containing Social Security numbers or EINs.

Client documents belong in a dedicated portal. SmartVault, TaxDome, Canopy, and Liscio are all built for the access controls, audit trails, and encryption requirements that financial documents need. The right model is: WordPress handles the public site and initial lead capture, and the portal handles everything that could constitute protected NPI. Embedding a client portal login button on your WordPress homepage that links out to TaxDome is correct. Uploading a tax return to your WordPress media library is not.

Contact Forms: The NPI Exposure Most Accounting Firms Overlook

Contact forms are where the Safeguards Rule becomes a real compliance question for most accounting firm websites. A prospect filling out a form that asks about their tax situation, annual revenue, or current filing status is submitting nonpublic personal information. How that data is stored, who can access it, and how long it is retained all fall directly under the rule.

Most WordPress form plugins store submissions in the database by default. Contact Form 7 with the Flamingo add-on stores every submission. WPForms, Gravity Forms, and Ninja Forms all do the same. That means every contact form inquiry on your site is sitting in your WordPress database indefinitely, accessible to anyone with an admin login, and covered by the Safeguards Rule’s access controls, retention, and monitoring requirements.

The practical fix has two parts. First, configure your form plugin to email submissions immediately to a secure inbox, and then disable or limit the database storage setting in the plugin options. Second, if you do keep form entries in WordPress, set a data retention period. Most form plugins have a setting to auto-delete entries older than 30 or 60 days. Document that policy in your security program. That documented policy is what you would show in a compliance review.

Plugin Updates Are a Compliance Requirement Under the Safeguards Rule

The Safeguards Rule’s patch management requirement means keeping your WordPress core, plugins, and themes updated is a specific legal obligation for covered accounting firms, not a preference. A plugin with a known and publicly disclosed security vulnerability is a documented risk with a documented fix. Leaving it unpatched is a failure under the risk assessment element of your information security program.

Most WordPress site compromises in 2026 exploit outdated plugins, not the WordPress core itself. A contact form plugin that has not been updated in six months, a theme with a known file-inclusion vulnerability, or an abandoned plugin whose developer stopped releasing security patches each represents a hole in your patch management program.

A documented update policy does not need to be complex. A simple written schedule covering when you update, who is responsible, and how you handle emergency security releases is enough to satisfy the requirement. We run patch management on a weekly cycle as part of the WordPress care plans we maintain for professional services firms, with same-week patching for any critical severity release. If you want to understand the full scope of WordPress maintenance for accounting firms, that page breaks it down by plan tier.

For a look at how security requirements compare across professional firm types, our attorney website security guide covers the legal-industry equivalent of most of these controls. And if you work in healthcare, the compliance picture looks different: see is WordPress HIPAA compliant for how HIPAA maps to WordPress.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to small accounting firms?

Yes. The rule applies to all financial institutions subject to the FTC’s jurisdiction under GLBA, including tax preparers and CPA firms regardless of size. The only exception is the annual penetration testing requirement, which applies only to covered institutions with 5,000 or more customer records. Small firms still need a qualified individual overseeing security, a risk assessment, access controls, MFA, patch management, and an incident response plan.

What counts as NPI on a CPA website?

Nonpublic personal information is any information a customer provides while seeking your financial services, or any information resulting from your financial relationship with them. On a CPA website, that includes information submitted in a contact form describing a client’s tax situation, names and contact details collected through a booking tool, any financial figures shared in an intake form, and client data stored in your website’s database through form plugin entries.

Do we need a BAA with our WordPress hosting provider?

Not for Safeguards Rule purposes. A Business Associate Agreement is a HIPAA term. Under the Safeguards Rule, your hosting provider is a service provider and you need a written agreement requiring them to maintain appropriate safeguards. Most reputable managed WordPress hosts include this in their standard service agreements. What you do need is a documented record of your hosting provider as a service provider in your security program, with a date of review.

Can we just install a security plugin and be compliant?

No. A security plugin like Wordfence satisfies the monitoring and detection requirement, but the Safeguards Rule has nine required elements. You also need a designated security officer, a documented risk assessment, access controls, MFA on all admin accounts, a patch management schedule, documented service provider oversight, and a written incident response plan. A security plugin with no one reviewing its alerts and no update schedule behind it is not a compliance program.

If our WordPress site is hacked, do we have to notify clients?

Likely yes. The FTC Safeguards Rule requires covered financial institutions to notify the FTC within 30 days of discovering a breach involving 500 or more customer records. State breach notification laws often require notifying affected customers directly, and those timelines vary by state. If your WordPress site is compromised and client contact form data or any NPI was exposed, activate your incident response plan immediately and assess the scope before deciding on notifications. Acting within 72 hours of discovery is the standard to aim for.

Melvin Monterroza, Founder of Sitios SV

Melvin has personally recovered more than 50 hacked WordPress sites, from casino and pharma spam to malware redirects and Google blacklists. He works hands-on in cPanel, WHM, and Linux, and runs Sitios SV, a US-based bilingual managed WordPress company.

Need WordPress that meets Safeguards requirements?

We maintain WordPress sites for accounting and professional services firms, including documented patch management, 2FA setup, and security monitoring aligned with FTC Safeguards Rule requirements.

Similar Posts