WordPress Security

Securing WordPress for Real Estate Websites

Real estate sites handle sensitive client data and financial information. Learn how to protect property listings, secure client portals, and prevent common attacks.

Sarah Chen

Real estate websites handle sensitive personal information including financial data, property details, and client communications. WordPress powers many real estate sites from individual agents to large brokerages. Proper security protects both your business and your clients.

Real Estate Security Challenges

  • Client data - Personal and financial information
  • Property information - Access codes, showing instructions
  • Multiple users - Agents, admins, clients
  • Third-party integrations - MLS, IDX feeds, payment systems
  • Lead forms - Common attack targets

Protecting Client Data

Secure Client Portal

// Client portal access control
function secure_client_portal_access() {
    if (!is_page('client-portal')) {
        return;
    }

    if (!is_user_logged_in()) {
        wp_redirect(wp_login_url(get_permalink()));
        exit;
    }

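    $user = wp_get_current_user();
    if (!in_array('client', (array) $user->roles, true)) {
        wp_die('Access denied. This area is for clients only.', 'Forbidden', array('response' => 403));
    }

    // Verify client is viewing their own documents.
    // 'client_id' must be registered through the 'query_vars' filter; otherwise
    // get_query_var() returns an empty string and this check never runs.
    $requested_client = get_query_var('client_id');
    if ($requested_client && absint($requested_client) !== (int) $user->ID) {
        wp_die('You can only view your own documents.', 'Forbidden', array('response' => 403));
    }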
}
add_action('template_redirect', 'secure_client_portal_access');

Document Security

// Protect uploaded documents
function secure_real_estate_documents($file) {
    // Check file type
    $allowed = array('pdf', 'doc', 'docx', 'jpg', 'png');
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));

    if (!in_array($ext, $allowed)) {
        $file['error'] = 'This file type is not allowed.';
        return $file;
    }

    // Rename to prevent direct access guessing
    $file['name'] = wp_generate_password(16, false) . '.' . $ext;

    return $file;
}
add_filter('wp_handle_upload_prefilter', 'secure_real_estate_documents');

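// Block direct access to client documents.
// This hook only runs for requests that reach WordPress. If the web server serves
// files under /client-documents/ as static files, PHP never sees the request, so the
// server must deny that path or route it through WordPress for this check to apply.
function block_direct_document_access() {
    $request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

    if (strpos($request_uri, '/client-documents/') !== false) {
        // Verify user has access
        if (!current_user_can('access_client_documents')) {
            status_header(403);
            exit('Access denied');
        }
    }
}
add_action('init', 'block_direct_document_access');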

Lead Form Security

Spam Prevention

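// Honeypot for lead forms
function add_lead_form_honeypot() {
    // Off-screen field named 'website' (the name checked below); illustrative markup.
    // Real visitors never see it and leave it empty.
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">
        <input type="text" name="website" value="" tabindex="-1" autocomplete="off">
    </div>';
}

function validate_lead_form_honeypot($data) {
    if (!empty($data['website'])) {
        // Bot detected
        log_spam_attempt($data);
        return new WP_Error('spam', 'Submission rejected.');
    }

    return $data;
}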

Rate Limiting

// Prevent lead form abuse
function rate_limit_lead_forms() {
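    // The helper should return the connecting address, not a spoofable header value
    $ip = wpfs_get_client_ip();
    $key = 'lead_form_' . md5($ip);
    $count = (int) get_transient($key); // false (no entry yet) becomes 0

    if ($count >= 5) { // Max 5 submissions per hour
        wp_send_json_error(array(
            'message' => 'Too many submissions. Please try again later.'
        ), 429);
    }

    // Each accepted submission restarts the one-hour expiry
    set_transient($key, $count + 1, HOUR_IN_SECONDS);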
}
add_action('wp_ajax_submit_lead', 'rate_limit_lead_forms', 1);
add_action('wp_ajax_nopriv_submit_lead', 'rate_limit_lead_forms', 1);

IDX/MLS Integration Security

// Secure IDX API credentials
function get_idx_credentials() {
    // The API key is stored encrypted; the decryption secret lives in wp-config.php, not in the database
    $encrypted_key = get_option('idx_api_key_encrypted');

    if (!$encrypted_key) {
        return false;
    }

    return decrypt_with_key(
        $encrypted_key,
        SECURE_AUTH_KEY
    );
}

// Validate IDX data before display
function sanitize_idx_listing($listing) {
    return array(
        'mls_number' => sanitize_text_field($listing['mls_number']),
        'address' => sanitize_text_field($listing['address']),
        'price' => absint($listing['price']),
        'bedrooms' => absint($listing['bedrooms']),
        'bathrooms' => floatval($listing['bathrooms']),
        'description' => wp_kses_post($listing['description']),
        'images' => array_map('esc_url', $listing['images'])
    );
}

Property Access Information

Secure Showing Instructions

// Store showing info securely
function store_showing_instructions($listing_id, $instructions) {
    // Encrypt sensitive info
    $encrypted = encrypt_data($instructions, SECURE_AUTH_KEY);

    update_post_meta($listing_id, '_showing_instructions_encrypted', $encrypted);
}

// Only show to authorized agents
function get_showing_instructions($listing_id) {
    if (!current_user_can('view_showing_instructions')) {
        return 'Access denied';
    }

    $encrypted = get_post_meta($listing_id, '_showing_instructions_encrypted', true);

    // Log access
    log_showing_info_access($listing_id, get_current_user_id());

    return decrypt_data($encrypted, SECURE_AUTH_KEY);
}
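
The IDX credential and showing-instruction snippets above call encrypt_data(), decrypt_data() and decrypt_with_key() without defining them. The following is an added example, not code from the original article, showing one way to implement such helpers with authenticated encryption; the $context parameter, derive_data_key() and the sample values are assumptions made for illustration.

```php
<?php
// Added example: helper names follow the calls used on this page.
// Assumes PHP's sodium extension or the sodium_compat polyfill bundled with WordPress 5.2+.

/** Derive a 32-byte key from a wp-config.php secret, bound to one purpose. */
function derive_data_key($secret, $context) {
    // HMAC-SHA256 yields a fixed-length raw key whatever the secret's length.
    return hash_hmac('sha256', $context, $secret, true);
}

function encrypt_data($plaintext, $secret, $context = 'showing-instructions') {
    $key   = derive_data_key($secret, $context);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh for every message
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // Keep the nonce with the ciphertext; base64 makes it safe for post meta and options.
    return base64_encode($nonce . $box);
}

function decrypt_data($encoded, $secret, $context = 'showing-instructions') {
    $raw = base64_decode((string) $encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return false; // empty meta value or corrupted data
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = derive_data_key($secret, $context);
    // Returns false when the ciphertext was modified or the key/context is wrong.
    return sodium_crypto_secretbox_open($box, $nonce, $key);
}

// Constructed sample run; the placeholder secret stands in for SECURE_AUTH_KEY.
$secret = 'constructed-placeholder-secret';
$stored = encrypt_data('Lockbox on side gate', $secret);

// Round trip with the right secret and context.
var_dump(decrypt_data($stored, $secret) === 'Lockbox on side gate');

// A modified stored value fails authentication instead of decrypting to garbage.
$tampered = base64_encode(strrev(base64_decode($stored)));
var_dump(decrypt_data($tampered, $secret));

// A value encrypted for one purpose cannot be opened under another context.
var_dump(decrypt_data($stored, $secret, 'idx-api-key'));
```

Because the key is derived from SECURE_AUTH_KEY, regenerating the salts in wp-config.php makes previously stored values undecryptable, so callers such as get_showing_instructions() should treat a false return as "re-enter the data" rather than display it.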

Agent Account Security

// Agent-specific security rules
function agent_security_requirements($user_id) {
    $user = get_userdata($user_id);

    // get_userdata() returns false for an unknown user ID
    if (!$user || !in_array('agent', (array) $user->roles, true)) {
        return;
    }

    // Require strong password
    enforce_strong_password($user_id);

    // Require 2FA
    if (!has_2fa_enabled($user_id)) {
        add_admin_notice('Please enable two-factor authentication');
    }

    // Session security
    limit_concurrent_sessions($user_id, 2);
}

Security Checklist

  • [ ] SSL certificate installed
  • [ ] Client portal access controls
  • [ ] Document upload restrictions
  • [ ] Lead form spam protection
  • [ ] IDX credentials encrypted
  • [ ] Showing info protected
  • [ ] Agent 2FA required
  • [ ] Regular security audits

Conclusion

Real estate WordPress sites must protect sensitive client data, secure property information, and maintain trust. Implement proper access controls, encrypt sensitive data, and secure all third-party integrations.

Written by Sarah Chen

WP Folder Shield Team
