How to Secure WordPress Site
WordPress powers more than 40% of the internet, which makes it the most targeted CMS on the planet. Hackers don’t always go after specific sites, they run automated scripts that scan thousands of WordPress installs looking for the same predictable weaknesses: default login URLs, outdated plugins, weak passwords, and exposed configuration files.
The good news is that most successful WordPress attacks are entirely preventable. You don’t need to be a developer to lock down your site. You just need to close the right doors.
This guide covers every meaningful step, grouped by priority, so you know where to start and what actually matters.
Why WordPress Sites Get Hacked (And What Attackers Are Looking For)
Understanding the attack surface helps you prioritize. Most WordPress breaches fall into a handful of categories:
Outdated plugins and themes are the most common entry point. When a vulnerability is discovered in a plugin, it gets published in public databases. Attackers then scan for sites still running the vulnerable version and exploit it automatically.
Weak or reused passwords make brute-force attacks trivial, especially when combined with the predictable default login URL at wp-login.php.
Poorly coded themes or plugins from untrusted sources often contain hidden backdoors or malicious code built in from the start.
Misconfigured file permissions can give attackers write access to core files, letting them inject malicious code or create hidden admin accounts.
No backups doesn’t cause a hack, but it turns a recoverable situation into a catastrophic one. Sites without backups often lose everything.
Keep these attack vectors in mind as you work through the steps below.
Step 1: Start with a Secure Hosting Environment
Security starts before you install WordPress. Your hosting provider is the foundation everything runs on.
A good host for WordPress should offer:
- Server-level firewalls and DDoS mitigation
- Automated malware scanning
- Isolated hosting environments (so other compromised accounts don’t affect yours)
- Automatic backups at the server level
- SSL certificate support
- PHP version control, so you can run a current, actively maintained PHP version
Shared hosting on a cheap plan puts your site on a server with hundreds or thousands of other sites. If one gets compromised and the hosting environment isn’t properly isolated, yours can be affected too.
Managed WordPress hosting providers handle many of the technical security configurations for you. If you’re running a business website, the extra cost is worth it.
If you need a professionally built and maintained WordPress site from the ground up, our WordPress web design service includes proper hosting configuration and ongoing support.
Step 2: Install an SSL Certificate
An SSL certificate (the name has stuck, although the protocol actually negotiated today is TLS; SSL itself is obsolete and disabled in modern servers) lets your site serve pages over HTTPS, which encrypts the connection between your site and your visitors. Without it, any data transmitted (login credentials, form submissions, payment details) travels in plain text that anyone on the network path can read or alter.
Beyond security, SSL is a confirmed Google ranking factor. Sites without HTTPS get flagged in Chrome and other browsers as “Not Secure,” which also hurts conversion rates.
Most hosting providers now include free SSL certificates through Let’s Encrypt. Activating it is usually a one-click process in your hosting control panel. Once installed:
- Update your WordPress URL settings to use https:// in Settings > General
- Add a redirect rule in your .htaccess file to force all traffic to HTTPS
- Check for mixed content (images, scripts, or stylesheets still loading over HTTP) using a tool like Why No Padlock
This is a non-negotiable baseline. Get it done first.
Step 3: Keep Everything Updated
Outdated software is the single biggest source of WordPress vulnerabilities. WordPress core, themes, and plugins all need to be kept current.
WordPress already applies minor and security releases automatically by default (unless a host or plugin has turned that off), but major version updates require manual action unless you opt in. To have core apply major releases as well, add this to wp-config.php; setting it to 'minor' instead keeps the default behaviour, and setting it to false disables core auto-updates entirely, which you never want on a site nobody patches by hand:
define( 'WP_AUTO_UPDATE_CORE', true );
For plugins and themes, go to Dashboard > Updates regularly. Better yet, enable auto-updates (Plugins > Installed Plugins > Enable auto-updates) for plugins whose developers have a strong track record of responsible releases.
One important discipline: always back up your site before running major updates. A plugin update that conflicts with your theme or another plugin can break things, and having a recent backup means a five-minute fix instead of a crisis.
Step 4: Use Strong Passwords and a Password Manager
This sounds obvious, but it’s astonishing how many sites get compromised through weak or reused credentials.
Every account connected to your site needs its own unique, complex password: your WordPress administrator and editor accounts, FTP/SFTP credentials, your hosting control panel, and the database user. A password reused from another service is a liability the moment that service is breached, because leaked credential lists are replayed against WordPress logins automatically.
Strong WordPress passwords should be at least 16 characters and include a mix of uppercase and lowercase letters, numbers, and symbols. Don’t use your business name, domain name, or anything guessable.
A password manager like Bitwarden, 1Password, or Dashlane generates and stores complex passwords for every account so you never have to remember them or reuse them. Use one.
Also: never use “admin” as your username. It’s the first thing automated brute-force tools try. If your site was set up with admin as the username, create a new administrator account with a different username, log in with the new account, and delete the old admin user; when WordPress asks, attribute its content to the new account so posts and pages are not deleted along with it. Bear in mind that usernames are not really secret (author archive URLs such as /?author=1 and the REST API users endpoint can reveal them), so the password and 2FA carry the real weight.
Step 5: Enable Two-Factor Authentication
Two-factor authentication (2FA) adds a second verification step to the login process. Even if someone gets your password, they still can’t access your site without the second factor, typically a time-sensitive code from an authenticator app.
This is one of the highest-impact security improvements you can make. It’s free, takes about ten minutes to set up, and stops credential-based attacks cold.
Use an authenticator app like Google Authenticator or Authy rather than SMS-based 2FA. SMS codes can be intercepted through SIM-swapping attacks. App-based codes are generated locally on your device and are far more secure.
Plugins like WP 2FA, Wordfence, or miniOrange Google Authenticator make it straightforward to enable 2FA for your WordPress login. Enable it for all admin accounts at minimum.
Step 6: Limit Login Attempts and Change the Login URL
By default, WordPress allows unlimited login attempts. Brute-force bots exploit this by trying thousands of username/password combinations per minute.
Two complementary measures address this:
Limit login attempts. Plugins like Limit Login Attempts Reloaded or Loginizer lock out an IP address after a set number of failed attempts (typically 3 to 5). This doesn’t stop a distributed attack that rotates through many addresses, but it eliminates the vast majority of single-source brute-force traffic. If your site sits behind a CDN or reverse proxy, configure the plugin to read the real client address from the proxy’s header (and to trust that header only when the request comes from the proxy); otherwise it will either ban the proxy’s own IP or let attackers spoof their way past the lockout.
Change the default login URL. Every WordPress site serves its login form at /wp-login.php and its admin area at /wp-admin/ by default, and bots hit those paths blindly. Moving the login to a custom path (/your-site-access/ or anything non-standard) makes those blind requests return a 404, which cuts the volume of automated attempts dramatically.
Use a plugin like WPS Hide Login to change the URL without editing core files. This is obscurity, not authentication: it won’t stop a determined attacker who watches for the redirect or finds the path elsewhere, and it does nothing for XML-RPC, which accepts the same credentials on a different endpoint (see Step 11). What it does do is remove enormous volumes of automated bot traffic that would otherwise hammer your login page constantly.
Add a CAPTCHA to your login page as well. reCAPTCHA by Google, hCaptcha, or Cloudflare Turnstile require a challenge to be passed before the form submits, which raises the cost of automated guessing considerably, even though paid CAPTCHA-solving services exist.
Step 7: Install a Security Plugin
A good WordPress security plugin acts as an ongoing monitoring and blocking system. It does work in the background that would otherwise require manual technical intervention.
The three most trusted options are:
Wordfence Security includes a Web Application Firewall (WAF), malware scanner, login security, live traffic monitoring, and IP blocking. The free version is solid; the premium version includes real-time threat intelligence updates.
Sucuri Security focuses heavily on malware scanning, file integrity monitoring, and post-hack cleanup. Sucuri also offers a cloud-based firewall as a paid add-on that sits in front of your server and filters malicious traffic before it reaches WordPress.
Solid Security (formerly iThemes Security) covers login hardening, file change detection, database backups, two-factor authentication, and more. Good for users who want a broad feature set with a beginner-friendly interface.
Don’t install multiple security plugins simultaneously. They conflict with each other, slow your site down, and create more problems than they solve. Pick one and configure it properly.
Step 8: Install a Web Application Firewall (WAF)
A WAF sits between your website and incoming traffic, analyzing requests and blocking malicious ones before they reach your WordPress files. It’s your active defense against SQL injection, cross-site scripting (XSS), brute-force attacks, and file inclusion exploits.
Some security plugins like Wordfence include a plugin-level WAF that runs inside PHP on your own server. This is better than nothing, but a DNS-level (cloud) WAF such as Cloudflare or Sucuri’s firewall is more powerful because it intercepts malicious traffic before it ever reaches your server. One caveat: a cloud WAF only protects what passes through it. If your origin server’s IP address is still reachable directly, attackers can bypass the WAF entirely, so configure the origin to accept web traffic only from the provider’s published IP ranges.
Cloudflare’s free tier includes basic DDoS protection and some firewall rules, which is a reasonable starting point for most sites. Their paid plans add more granular rules and threat intelligence.
Configure your WAF rules to block common attack patterns, restrict access to sensitive files, and alert you when suspicious activity is detected.
Step 9: Harden Your wp-config.php File
The wp-config.php file is the most sensitive file on your WordPress installation. It contains your database credentials, authentication keys, and other configuration data. If an attacker can read or modify it, your site is fully compromised.
Several hardening steps protect it:
Move it one directory above your WordPress root. WordPress automatically looks for wp-config.php one level up from the installation directory (as long as that directory doesn’t hold another WordPress install’s wp-settings.php), so it works without any other changes. This only helps if the parent directory is actually outside the web root; on most hosts the document root is something like public_html and its parent is not served by the web server, which is exactly what you want.
Set restrictive file permissions. wp-config.php should be set to 400 (only the file owner can read it) or 440 (the owner and the owner’s group can read it). Which one works depends on how your host runs PHP: if PHP runs as the file owner, 400 is enough; if it runs as a separate user in the owner’s group, you need 440. Either way, nobody should have write access. You can set permissions via your SFTP client or hosting file manager.
Block direct access via .htaccess. This applies to Apache and LiteSpeed; nginx ignores .htaccess, so there you would use a location block that returns 403 for the file. Add the following to the .htaccess in your WordPress root. The <Files> wrapper is essential: the deny directive on its own would block access to your entire site.
<Files wp-config.php>
    Require all denied
</Files>
On Apache 2.2, replace the Require line with order allow,deny followed by deny from all.
Disable file editing from the dashboard. Add this line to wp-config.php to prevent anyone with dashboard access from editing theme or plugin files:
define( 'DISALLOW_FILE_EDIT', true );
If an attacker gains admin access, this prevents them from injecting malicious code through the built-in theme or plugin editor.
Disable PHP error display on live sites. Error messages can reveal file paths, database details, and plugin names that help attackers map your site. WP_DEBUG is off by default, but make it explicit in wp-config.php, and also confirm that display_errors is Off in your PHP configuration, because WordPress only manages that setting itself when WP_DEBUG is on:
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', false );
Step 10: Set Correct File Permissions
File permissions control who can read, write, and execute files on your server. Overly permissive settings are a common way attackers gain the ability to modify your site’s files.
The standard secure permissions for WordPress:
- Directories: 755 (owner can read, write, execute; group and public can read and execute)
- Files: 644 (owner can read and write; group and public can read only)
- wp-config.php: 400 or 440 (owner can read; no one can write)
You can check and adjust permissions via an SFTP client like FileZilla (use SFTP rather than plain FTP, which sends your credentials unencrypted) or through your hosting panel’s file manager. Some security plugins also have a file permission checker built in. Ownership matters as much as mode bits: files should belong to your account, not to the web server user, and 777 is never the right answer to a permissions error.
Review permissions after major updates or when adding new plugins and themes, as some installations can reset permissions to less secure defaults.
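The permission scheme above as a script, an added example that is not part of the original article. It applies 755/644/440 to a WordPress tree and then audits it for the two mistakes that most often let attackers in: world-writable paths and PHP files sitting in wp-content/uploads, a favourite drop point for web shells. The demo tree and its file names are constructed for the example; the function names are my own. It assumes you run it as the user that owns the files and that PHP runs as that user or as a member of its group, so 440 on wp-config.php stays readable.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: apply the 755/644/440
# scheme to a WordPress tree and audit it for common mistakes.
# Assumptions: run as the file owner; PHP runs as that user or as a member
# of its group (so 440 on wp-config.php is still readable by PHP).

# wp_set_perms WP_ROOT
# Directories 755, files 644, wp-config.php 440.
wp_set_perms() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 440 "$root/wp-config.php"
  fi
}

# wp_perm_audit WP_ROOT
# Print one "TAG path" line per finding; exit 0 only when nothing is found.
wp_perm_audit() {
  local root="$1" findings
  findings="$(
    # anything writable by "other" (-perm -002 is POSIX; -o+w is GNU-only)
    find "$root" -perm -002 | sed 's/^/WORLD_WRITABLE /'
    # wp-config.php readable by "other" (644 is the common mistake)
    [ -f "$root/wp-config.php" ] && find "$root/wp-config.php" -perm -004 | sed 's/^/CONFIG_WORLD_READABLE /'
    # uploads should hold media only; a PHP file there is almost always a web shell
    [ -d "$root/wp-content/uploads" ] && find "$root/wp-content/uploads" -type f -name '*.php' | sed 's/^/PHP_IN_UPLOADS /'
  )"
  [ -n "$findings" ] && printf '%s\n' "$findings"
  [ -z "$findings" ]
}

# wp_demo_tree
# Constructed demo tree (not a real site) with deliberate mistakes; prints its path.
wp_demo_tree() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
  printf '<?php\n' > "$d/wp-config.php"
  printf '<?php\n' > "$d/wp-includes/version.php"
  printf '<?php\n' > "$d/wp-content/uploads/cache.php"   # PHP where only media belongs
  chmod 666 "$d/wp-config.php"                           # world-readable and writable
  chmod 777 "$d/wp-content/uploads"                      # world-writable directory
  printf '%s\n' "$d"
}

# Demo: audit, fix, audit again. The stray PHP file is still reported,
# because permissions alone cannot tell a web shell from a legitimate file.
DEMO="$(wp_demo_tree)"
wp_perm_audit "$DEMO" || true
wp_set_perms "$DEMO"
wp_perm_audit "$DEMO" || true
```

Run the audit function against your real document root after every update; a non-zero exit is your signal to look, and a PHP file under uploads is worth treating as an incident until proven otherwise.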
Step 11: Disable XML-RPC If You Don’t Need It
XML-RPC is a legacy API that allows remote access to WordPress. It was useful when managing WordPress from mobile apps or third-party tools, but it’s now largely superseded by the REST API and is rarely needed.
The problem: XML-RPC can be weaponized for brute-force attacks. Its system.multicall method lets a single HTTP request carry hundreds of wp.getUsersBlogs calls, each with a different password, so a naive login limiter that counts requests never notices. Its pingback.ping method can also be abused to make your server send requests to a third party, turning your site into a participant in reflection-style DDoS attacks against someone else.
If you’re not using Jetpack, the WordPress mobile app, or another service that specifically requires XML-RPC, disable it. Plugins like “Disable XML-RPC” do this with a single click by hooking the xmlrpc_enabled filter, which turns off the methods that require authentication; to shut down pingbacks as well, block xmlrpc.php at the web server level (an Apache <Files xmlrpc.php> block with Require all denied, or an nginx location that returns 403). Verify afterward by sending a POST to /xmlrpc.php: a 403 or 404 means it’s blocked, a 200 with an XML body means it isn’t.
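Steps 6 and 11 both describe traffic you can see in your own access log before any plugin reports it. The following is an added example, not code from the original article: it counts POSTs to wp-login.php and xmlrpc.php per client IP in a standard combined-format log (the Apache and nginx default) and flags anyone over a threshold, then turns the result into an Apache 2.4 deny block. The log lines are constructed for the example and the function names are mine. It assumes the log was written by the origin server itself; behind a CDN or reverse proxy the first field is the proxy’s address, so you would log and key on the real client IP header instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: spot brute-force traffic
# against wp-login.php and xmlrpc.php in a "combined" access log.
# Field 1 is the client IP, field 6 the method (with its leading quote),
# field 7 the request path. Assumes an origin-server log (see lead-in).

# Constructed sample log, not a real capture. 203.0.113.7 is running a
# password-guessing loop, 198.51.100.4 is hammering xmlrpc.php, and
# 192.0.2.9 is an editor logging in once.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2025:08:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1891 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1891 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:08:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2025:08:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2025:08:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2025:08:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:08:03:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 55123 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:08:04:00 +0000] "GET /?p=12 HTTP/1.1" 200 22011 "-" "Mozilla/5.0"'

# wp_login_abusers THRESHOLD [LOGFILE]
# Print "ip count" for every client with more than THRESHOLD POSTs to
# wp-login.php or xmlrpc.php, busiest first. Reads stdin when no file is given.
wp_login_abusers() {
  local threshold="$1" logfile="${2:--}"
  awk -v t="$threshold" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print ip, n[ip] }
  ' "$logfile" | sort -k2,2nr
}

# wp_deny_rules THRESHOLD [LOGFILE]
# Turn the abuser list into an Apache 2.4 block for .htaccess. Per-IP bans
# are a stopgap: botnets rotate addresses, so pair this with rate limiting
# at the WAF and 2FA on every account.
wp_deny_rules() {
  local ips
  ips="$(wp_login_abusers "$1" "${2:--}" | awk '{ print $1 }')"
  [ -n "$ips" ] || return 0
  printf '<RequireAll>\n    Require all granted\n'
  printf '%s\n' "$ips" | sed 's/^/    Require not ip /'
  printf '</RequireAll>\n'
}

# Demo on the constructed sample: anyone with more than two login POSTs.
printf '%s\n' "$SAMPLE_LOG" | wp_login_abusers 2
```

On a real server you would run wp_login_abusers 20 /var/log/apache2/access.log (or your nginx path) from cron and alert on any output; the threshold is per log window, so scale it to how often the log rotates. Note that the xmlrpc.php count in the sample is only three requests, yet each could carry hundreds of password attempts via system.multicall, which is why the xmlrpc.php counter is worth watching at a much lower threshold than the login form.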
Step 12: Change the Default Database Prefix
WordPress uses wp_ as the default prefix for all database tables. Every WordPress table name is publicly predictable: wp_users, wp_options, wp_posts, and so on.
The theory is that this makes SQL injection attacks easier because attackers already know what they’re targeting. In practice the benefit is small: an injection flaw that lets an attacker run queries also lets them read the real table names from information_schema, and the actual fix is patching the flaw. Treat a custom prefix (xk7_ or q3mx_, for example) as minor hardening rather than a defense, and put it well below updates, 2FA, and backups on your list.
It’s easiest to set during the initial WordPress installation, where the setup screen has a field for the prefix. On a live site the change is more involved: every table has to be renamed, the $table_prefix line in wp-config.php updated, and the prefix-dependent rows inside the data changed as well (the wp_user_roles option name in the options table and the wp_capabilities and wp_user_level keys in usermeta). Miss those and every user silently loses their roles. Take a full backup first, and prefer a plugin like Solid Security that performs the rename for you.
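Steps 3, 9 and 12 all come down to a handful of lines in wp-config.php, and they are easy to check mechanically. Here is an added example, not from the original article: a shell function that reads a wp-config.php and reports the weak settings those steps warn about, shown against a constructed “as shipped” config and a constructed hardened one. The tag names (FILE_EDIT_ALLOWED and so on) are my own labels, not WordPress terminology, and the two sample files are invented for the demo. It only pattern-matches define() lines written in the canonical style, so a constant set in a must-use plugin or a host-managed include will not be seen.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: static audit of wp-config.php
# for the settings covered in Steps 3, 9 and 12. Assumes define() lines in the
# style WordPress itself writes; tag names below are my own labels.

# wp_config_audit FILE
# Print one tag per weak setting found; exit 0 only if nothing is flagged.
wp_config_audit() {
  local f="$1" bad=0
  _flag() { printf '%s\n' "$1"; bad=1; }
  # Step 9: the dashboard file editor should be off
  grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$f" || _flag FILE_EDIT_ALLOWED
  # Step 9: debug output leaks paths and queries to visitors
  grep -Eq "define\( *'WP_DEBUG' *, *true *\)" "$f" && _flag DEBUG_ON
  grep -Eq "define\( *'WP_DEBUG_DISPLAY' *, *true *\)" "$f" && _flag DEBUG_DISPLAY_ON
  # Step 3: core security releases must keep flowing
  grep -Eq "define\( *'WP_AUTO_UPDATE_CORE' *, *false *\)|define\( *'AUTOMATIC_UPDATER_DISABLED' *, *true *\)" "$f" && _flag AUTO_UPDATES_DISABLED
  # Step 9: the placeholder that ships in wp-config-sample.php means cookies
  # are signed with a publicly known secret
  grep -q 'put your unique phrase here' "$f" && _flag PLACEHOLDER_SALTS
  # Step 12: default prefix (low priority, but cheap to report)
  grep -Eq "^\\\$table_prefix *= *'wp_'" "$f" && _flag DEFAULT_TABLE_PREFIX
  [ "$bad" -eq 0 ]
}

# Constructed sample configs (not from any real site): one with several
# weak settings, one after hardening. The hardened AUTH_KEY is a sample
# string; generate real ones with the api.wordpress.org secret-key service.
WEAK_CONFIG="$(mktemp)"
cat > "$WEAK_CONFIG" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
EOF

HARDENED_CONFIG="$(mktemp)"
cat > "$HARDENED_CONFIG" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'bT3k#Pq9z!vR2wL8mN4x@Yc6hJ1sF0gA' );
define( 'SECURE_AUTH_KEY',  'Zq7%Lm2^Hd5vXs9*Kp1&Wn4!Rt8cYb3e' );
$table_prefix = 'q3mx_';
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
EOF

# Demo: the weak file lists its problems, the hardened one prints nothing.
wp_config_audit "$WEAK_CONFIG" || true
wp_config_audit "$HARDENED_CONFIG" && echo "hardened: OK"
```

Point it at a real file with wp_config_audit /path/to/wp-config.php; it reads only, so it is safe to run on a live site. The DEBUG_DISPLAY_ON tag is reported even when WP_DEBUG is off, because the next person to flip WP_DEBUG on for troubleshooting would otherwise expose errors to every visitor.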
Step 13: Remove Unused Themes and Plugins
Every inactive plugin and theme on your WordPress site is a potential vulnerability. Even if a plugin is deactivated, its files still exist on your server, and if those files contain a security flaw, an attacker can potentially exploit them directly.
The rule is simple: if you’re not using it, delete it. Not just deactivate, delete.
Do a regular audit of your plugin list. Be realistic about what you actually need. Every plugin you remove is one fewer attack surface. This also helps with site performance, which matters for SEO and page load time.
When adding new plugins, stick to the official WordPress plugin repository and check three things: when it was last updated, how many active installs it has, and what the recent reviews say. A plugin that hasn’t been updated in two years is a security risk, regardless of how good it was when it was written.
Step 14: Set Up Regular Backups
Backups don’t prevent attacks, but they’re the difference between a site you can restore in 30 minutes and one that’s gone forever.
A solid backup strategy for WordPress:
Automate it. Don’t rely on manual backups. Use a plugin like UpdraftPlus or Solid Backups (formerly BackupBuddy) to schedule automatic backups on a regular cadence: daily for active sites, weekly at minimum for low-traffic ones. Many hosts also take server-level backups; treat those as a second copy rather than your only one.
Back up both files and the database. Your WordPress files and your database are both essential. An incomplete backup that only includes one of them is not useful for a full restore.
Store backups offsite. Backups stored only on your server are useless if the server is compromised or goes down. Connect your backup plugin to an external destination like Google Drive, Amazon S3, or Dropbox, and give it credentials that can only add files, not delete or overwrite existing ones (S3 access keys can be scoped this way); otherwise an attacker who controls the site can wipe the backups too.
Test your restores. A backup you’ve never tested is a backup you can’t trust. Periodically restore a backup to a staging environment to confirm it works.
Our WordPress maintenance and support service includes managed backup monitoring if you’d rather not handle this yourself.
Step 15: Enable Regular Security Scans
Even with everything locked down, you want ongoing monitoring to catch anything that slips through. Automated security scans check your files against known malware signatures, look for unauthorized file changes, and flag suspicious activity.
Most security plugins (Wordfence, Sucuri, Solid Security) include malware scanning. Configure them to run scans automatically on a weekly schedule at minimum. Set up email alerts so you’re notified immediately if something changes.
File integrity monitoring is particularly useful. It tracks changes to your core WordPress files and alerts you when something is modified outside of normal update processes. If an attacker gains access and modifies a file, you’ll know.
Also monitor your Google Search Console account. Google will flag your site if it detects malware, and getting notified quickly matters. A site flagged as dangerous by Google loses search rankings fast, and the SEO impact can take time to reverse even after the issue is cleaned up.
Step 16: Hide the WordPress Version Number
Displaying your WordPress version makes it easier for attackers to know exactly which vulnerabilities apply to your installation. It’s a small detail, but there’s no reason to expose it.
WordPress outputs the version number in several places: the HTML meta generator tag, the readme.html file, RSS feeds, and the ?ver= query strings appended to core stylesheets and scripts. Remove the meta generator tag by adding this to your theme’s functions.php file:
remove_action( 'wp_head', 'wp_generator' );
That only covers the <head> tag; the feed generator element is produced through the the_generator filter, which security plugins typically empty out as well. Delete or restrict access to the readme.html file in your WordPress root, bearing in mind that core updates put it back, so a web server rule blocking it is more durable than deleting it. Many security plugins handle all of this automatically. Keep your expectations modest: hiding the version slows down a curious human, but mass exploitation tools simply fire the exploit and see whether it works, so patching (Step 3) is what actually protects you.
Quick Security Checklist
For reference, here’s everything covered in this guide as a checklist:
- Secure hosting provider with server-level firewall and isolation
- SSL certificate installed and HTTPS enforced
- WordPress core, plugins, and themes up to date
- Strong, unique passwords for all accounts; no “admin” username
- Two-factor authentication enabled for all admin accounts
- Login attempts limited; default login URL changed; CAPTCHA added
- Security plugin installed and properly configured
- Web Application Firewall (WAF) active
- wp-config.php hardened: moved above web root, restrictive permissions, file editing disabled, debug mode off
- File permissions set correctly (755 for directories, 644 for files, 400/440 for wp-config.php)
- XML-RPC disabled if not needed
- Database prefix changed from default wp_
- Unused plugins and themes deleted
- Automated backups running to offsite storage
- Security scans scheduled and email alerts configured
- WordPress version number hidden
FAQ: Securing Your WordPress Site
Is WordPress secure out of the box?
WordPress core code is reasonably secure and is maintained by a large team of developers who release security patches regularly. The vulnerabilities that lead to most hacks come from plugins, themes, weak passwords, and poor configuration choices, not the core software itself. Proper hardening addresses these gaps.
What is the most common way WordPress sites get hacked?
Vulnerable plugins and themes are the leading cause, followed by weak or compromised passwords. Outdated software that hasn’t been patched against known exploits accounts for a significant majority of successful attacks. This is why keeping everything updated and removing unused plugins matters so much.
Do I need a security plugin if I already have a firewall?
They serve different functions. A firewall filters incoming traffic and blocks known malicious requests. A security plugin monitors your WordPress installation from the inside, scans for malware, tracks file changes, and hardens login security. Both together give you much better coverage than either alone.
What’s the difference between Wordfence and Sucuri?
Both are excellent options. Wordfence runs as a plugin-level firewall with strong malware scanning and real-time monitoring, everything happens within your WordPress install. Sucuri’s firewall is DNS-level (cloud-based), meaning it filters traffic before it ever reaches your server, which is more powerful but requires a paid plan. For most small to medium WordPress sites, Wordfence’s free version is a solid choice. Sucuri is worth considering for high-traffic sites or those that have already dealt with a malware incident.
Should I use a plugin to change my login URL?
Yes, it’s worth doing, but keep the right expectations. Changing your login URL doesn’t make your site secure on its own, it just reduces bot traffic and makes automated attacks slightly harder. It needs to be combined with strong passwords, 2FA, and login attempt limits. Think of it as one layer in a multi-layer approach, not a standalone fix.
How often should I back up my WordPress site?
For active sites that publish content regularly or run ecommerce, daily backups are appropriate. For lower-traffic informational sites that don’t change often, weekly backups are typically sufficient. The key is that backups are automated, stored offsite, and tested periodically to confirm they work.
Can I secure WordPress without technical knowledge?
Yes. The majority of what’s covered in this guide can be implemented using plugins and your hosting control panel without touching code. Steps like installing an SSL certificate, enabling 2FA, installing a security plugin, limiting login attempts, and automating backups require no developer skills. The more technical steps (wp-config.php changes, file permissions, .htaccess rules) are optional enhancements for those comfortable with them, or can be handled by a WordPress maintenance service.
Does WordPress security affect SEO?
Directly and significantly. Google flags sites infected with malware and removes them from search results or shows a “This site may be hacked” warning in the SERPs, which destroys click-through rates. A site that goes down due to a hack loses ranking momentum while it’s offline. SSL (HTTPS) is a confirmed ranking signal. Page speed, which can be affected by malicious scripts injected through a hack, also influences rankings. Security and SEO are tightly connected.
What should I do if my WordPress site has already been hacked?
First, take the site offline (or put it in maintenance mode behind a WAF) to prevent further damage and protect visitors. Then restore from a clean backup taken before the compromise, if you have one, and identify the entry point before bringing the site back: restoring the same files with the same vulnerable plugin just gets you hacked again. If you don’t have a backup, you’ll need to clean manually: scan with a tool like Wordfence or Sucuri, remove malicious code (including anything injected into .htaccess, wp-config.php, and the uploads directory), change every password, regenerate the security keys in wp-config.php (which also invalidates every login cookie, including the attacker’s), remove unauthorized admin accounts, and update everything. After cleanup, submit a review request to Google if your site was flagged. Post-cleanup, implement the hardening steps in this guide to prevent recurrence.
Is it safe to use nulled or free premium themes from third-party sites?
No. “Nulled” themes and plugins are pirated premium software, and they almost always contain hidden malware, backdoors, or code that calls out to malicious servers. Even if a nulled theme looks functional, you have no way of knowing what’s running in the background. Always get themes and plugins from the official WordPress repository or directly from the developer. For guidance on choosing a theme safely, our article on how to choose the perfect WordPress theme covers what to look for.