WordPress powers over 40% of the web, which makes it one of the most popular platforms on the planet — and one of the biggest targets for attackers. The good news is that WordPress itself is well-maintained and regularly patched.

The bad news? Most WordPress sites get compromised not because of a flaw in WordPress, but because of something the site owner could have prevented. Weak passwords, outdated plugins, default settings left unchanged — these are the things attackers exploit, and they’re all within your control.

This guide walks you through the practical steps you can take to secure your WordPress site, from the basics that every site should have in place to more advanced measures for those who want extra peace of mind.


What’s in This Guide

  Why WordPress Security Matters
  1. Keep Everything Updated
  2. Use Strong, Unique Passwords
  3. Enable Two-Factor Authentication (2FA)
  4. Limit Login Attempts
  5. Install a Security Plugin
  6. Set Correct File Permissions
  7. Use SSL/HTTPS Everywhere
  8. Back Up Your Site Regularly
  9. Harden Your WordPress Configuration
  10. Understand Common Attack Vectors
  A Quick Security Checklist

Why WordPress Security Matters

A hacked website isn’t just an inconvenience. Depending on the type of attack, it can mean:

  • Your visitors get redirected to malicious sites — damaging your reputation and potentially infecting their devices.
  • Your site is used to send spam — burning your domain’s email reputation and potentially getting your hosting suspended.
  • Your data is stolen or held to ransom — particularly serious if you handle customer information or payments.
  • Google flags your site as unsafe — destroying your search rankings and displaying a scary warning to anyone who tries to visit.

Recovery is always harder and more expensive than prevention. The steps below will dramatically reduce your risk.


1. Keep Everything Updated

This is the single most important thing you can do. The vast majority of WordPress hacks exploit known vulnerabilities in outdated software — vulnerabilities that have already been patched in newer versions.

You need to keep three things up to date:

  • WordPress core. Major releases (6.4, 6.5, etc.) come every few months. Minor security releases (6.5.1, 6.5.2) are pushed out as needed and are applied automatically by default — don’t disable this.
  • Plugins. These are the most common entry point for attackers. A single outdated plugin with a known vulnerability is all it takes. Check for updates at least weekly, or enable auto-updates for trusted plugins.
  • Themes. Even if your theme looks fine, an outdated theme can contain exploitable code. Update your active theme regularly, and delete any themes you’re not using — they can still be exploited even when inactive.

Key takeaway: Before updating, always make sure you have a recent backup. If you have a staging environment, test updates there first.


2. Use Strong, Unique Passwords

It sounds obvious, but weak passwords remain one of the most exploited vulnerabilities on the web. Attackers use automated tools that can try thousands of password combinations per minute.

If your admin password is something like admin123, Password1, or your business name, it’s only a matter of time.

What Makes a Strong Password

  • At least 16 characters long — longer is better.
  • A mix of uppercase, lowercase, numbers, and symbols — or better yet, a random passphrase of four or more unrelated words.
  • Unique to your WordPress site — never reused from another account.
  • Generated and stored by a password manager like Bitwarden, 1Password, or KeePass.

This applies to every user account on your site, not just the admin. If you have multiple authors or editors, make sure they’re using strong passwords too. You can enforce this with plugins like Password Policy Manager or by requiring a minimum password strength in your user registration settings.

Change the Default Admin Username

If your admin account is still called admin, you’ve already given attackers half of what they need to log in.

WordPress doesn’t let you change a username directly, but you can create a new administrator account with a different username, log in with it, and delete the old admin account (reassigning its content to the new one).


3. Enable Two-Factor Authentication (2FA)

Even the strongest password can be compromised — through phishing, a data breach on another site, or malware on your computer.

Two-factor authentication adds a second layer: after entering your password, you also need a time-based code from an app on your phone. This means that even if an attacker has your password, they still can’t log in without physical access to your device.

How to Set It Up

  1. Install a 2FA plugin such as WP 2FA, Two-Factor, or Wordfence Login Security (a free standalone plugin from the Wordfence team).
  2. Download an authenticator app on your phone — Google Authenticator, Microsoft Authenticator, or Authy all work well.
  3. Scan the QR code provided by the plugin, and from then on you’ll enter a 6-digit code from the app each time you log in.
  4. Save your backup codes somewhere safe. If you lose access to your phone, these are your way back in.

If your site has multiple users, consider making 2FA mandatory for all administrator and editor accounts. Most 2FA plugins let you enforce this by role.


4. Limit Login Attempts

By default, WordPress allows unlimited login attempts. This is what makes brute force attacks possible — an attacker can try password after password with no penalty.

Limiting login attempts blocks an IP address after a set number of failed tries, making brute force attacks impractical.

Options for Limiting Login Attempts

  • Limit Login Attempts Reloaded — a lightweight, popular plugin that does exactly what the name suggests. You set the number of allowed retries and the lockout duration.
  • Wordfence — includes brute force protection as part of its broader security features.
  • Server-level protection with fail2ban — if you have server access, fail2ban can monitor your WordPress login log and block offending IPs at the firewall level, which is more efficient than handling it in PHP.

Recommended config: 5 attempts before a 30-minute lockout, with longer lockouts after repeated offences. This won’t bother legitimate users but will stop automated attacks cold.
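As an added illustration of the detection that limit-login plugins and fail2ban perform (this is example code written for this guide, not part of the original and not any plugin's own logic), the shell/awk script below counts failed logins per source IP over a handful of constructed log lines and reports the addresses that have reached the 5-attempt threshold recommended above. The log line format and the documentation-range IPs are invented for the demo; a real fail2ban filter matches whatever format your logging plugin writes, and adds the time window (findtime) and ban length (bantime) that this simple count leaves out.

```shell
#!/bin/sh
# Added example, not from the original guide: count failed WordPress logins
# per source IP and report the ones that have crossed the lockout threshold.
# The log format below is constructed for this demo; the plugin or
# fail2ban filter you use will write its own format.

# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01T10:00:01 wp-login failed user=admin ip=203.0.113.7
2024-05-01T10:00:02 wp-login failed user=admin ip=203.0.113.7
2024-05-01T10:00:02 wp-login failed user=administrator ip=203.0.113.7
2024-05-01T10:00:03 wp-login failed user=editor ip=198.51.100.23
2024-05-01T10:00:04 wp-login failed user=admin ip=203.0.113.7
2024-05-01T10:00:05 wp-login success user=jane ip=198.51.100.23
2024-05-01T10:00:06 wp-login failed user=admin ip=203.0.113.7
2024-05-01T10:00:07 wp-login failed user=root ip=203.0.113.7
2024-05-01T10:00:08 wp-login failed user=jane ip=198.51.100.23
EOF

# failed_login_offenders LOGFILE THRESHOLD
# Prints "ip failures" for every IP with at least THRESHOLD failed logins.
# Successful logins are ignored, so a legitimate user who mistypes once or
# twice never reaches the threshold.
failed_login_offenders() {
    awk -v limit="$2" '
        $3 == "failed" {
            for (i = 4; i <= NF; i++)
                if (substr($i, 1, 3) == "ip=") fails[substr($i, 4)]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print ip, fails[ip]
        }
    ' "$1" | sort
}

# lockout_count LOGFILE THRESHOLD -> how many IPs would be locked out
lockout_count() {
    failed_login_offenders "$1" "$2" | awk 'END { print NR }'
}

# Demo: the guide's recommended threshold of 5 attempts.
echo "IPs to lock out (>= 5 failures):"
failed_login_offenders "$SAMPLE_LOG" 5
```

Run against a real log, the same function tells you which addresses a 5-attempt rule would have locked out before you enable it, which is a quick way to confirm the threshold will not catch your own editors.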


5. Install a Security Plugin

A good security plugin acts as a safety net, monitoring your site for suspicious activity and providing tools to harden your configuration. You don’t need to go overboard — one well-configured security plugin is better than three fighting each other.

Popular Options

  • Wordfence Security — the most widely used WordPress security plugin. The free version includes a firewall, malware scanner, login security, and real-time traffic monitoring. The premium version adds real-time firewall rules and malware signature updates as threats are discovered.
  • Sucuri Security — offers file integrity monitoring, security hardening, and remote malware scanning. Their premium plans include a cloud-based web application firewall (WAF) that filters malicious traffic before it reaches your server.
  • Solid Security (formerly iThemes Security) — provides a wide range of hardening options including file change detection, database backups, 2FA, and brute force protection.

Key takeaway: Whichever plugin you choose, spend 20 minutes on the setup wizard. A properly configured security plugin gives you significantly better protection than one left on default settings.


6. Set Correct File Permissions

File permissions control who can read, write, and execute files on your server. If permissions are too loose, an attacker who finds a vulnerability could modify your files — injecting malicious code into your theme, plugins, or even WordPress core files.

Recommended Permissions

  • Directories: 755 — the owner can read, write, and execute; everyone else can read and execute but not write.
  • Files: 644 — the owner can read and write; everyone else can only read.
  • wp-config.php: 600 or 640 — this file contains your database credentials and secret keys, so it should be as restricted as possible.

You can check and fix file permissions via SFTP (right-click a file or folder in your FTP client and look for “File Permissions”) or via SSH with these commands:

# Directories to 755, regular files to 644, then tighten wp-config.php to 600.
# The `{} +` form runs chmod once per batch of paths instead of once per path.
find /path/to/wordpress -type d -exec chmod 755 {} +
find /path/to/wordpress -type f -exec chmod 644 {} +
chmod 600 /path/to/wordpress/wp-config.php

Warning: Never set any file or directory to 777 (world-writable). If a plugin or guide tells you to do this, find a better plugin or guide.
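To turn the permission rules above into a repeatable check rather than a one-off fix, here is an added example in POSIX shell (it is not part of the original guide): it lists every path in a WordPress tree that deviates from 755/644/600, flags anything world-writable, and applies the three commands above with `{} +`. The tree it inspects is constructed in a temporary directory with three deliberate mistakes, so it runs anywhere; point the functions at your real document root to audit a live site.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a WordPress tree against
# the 755 / 644 / 600 baseline, flag anything world-writable, and apply the
# fix. The directory tree is constructed in a temp dir for the demo.

# list_perm_findings DIR -> one "REASON path" line per deviation
list_perm_findings() {
    root=$1
    # 1. Anything world-writable (the 777 case) is always a finding.
    find "$root" -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
    # 2. Directories should be exactly 755.
    find "$root" -type d ! -perm 0755 -print | sed 's/^/DIR-NOT-755 /'
    # 3. Regular files should be 644, except wp-config.php ...
    find "$root" -type f ! -name wp-config.php ! -perm 0644 -print | sed 's/^/FILE-NOT-644 /'
    # 4. ... which should be 600 or 640.
    find "$root" -type f -name wp-config.php ! -perm 0600 ! -perm 0640 -print | sed 's/^/WPCONFIG-NOT-600 /'
}

# count_perm_findings DIR -> number of findings (0 means the tree is clean)
count_perm_findings() {
    list_perm_findings "$1" | awk 'END { print NR }'
}

# fix_wp_perms DIR -> the guide's three commands; `{} +` batches paths so
# chmod runs once per batch instead of once per file
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f -name wp-config.php -exec chmod 600 {} +
}

# make_demo_tree -> echoes a constructed WordPress-like tree with three
# deliberate mistakes: a 777 uploads dir, a 666 wp-config.php, a 755 plugin file
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/example"
    : > "$d/index.php"
    : > "$d/wp-config.php"
    : > "$d/wp-content/plugins/example/example.php"
    : > "$d/wp-content/uploads/photo.jpg"
    fix_wp_perms "$d"                                      # clean baseline first
    chmod 777 "$d/wp-content/uploads"                      # world-writable + not 755
    chmod 666 "$d/wp-config.php"                           # world-writable + not 600/640
    chmod 755 "$d/wp-content/plugins/example/example.php"  # executable PHP file
    echo "$d"
}

DEMO=$(make_demo_tree)
echo "Before fix ($(count_perm_findings "$DEMO") findings):"
list_perm_findings "$DEMO"
fix_wp_perms "$DEMO"
echo "After fix: $(count_perm_findings "$DEMO") findings"
rm -rf "$DEMO"
```

The world-writable check is deliberately separate from the exact-mode checks: a 777 upload directory is reported twice, once for being writable by everyone and once for not being 755, because the first reason is the one you want to see first in a long listing.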


7. Use SSL/HTTPS Everywhere

An SSL certificate encrypts the connection between your visitors’ browsers and your server, protecting login credentials, form submissions, and other sensitive data from being intercepted in transit.

It also gives you the padlock icon in the browser bar and is a requirement for modern SEO — Google has used HTTPS as a ranking signal since 2014.

Most hosting providers, including Webfort, provide free SSL certificates through Let’s Encrypt. Once your certificate is installed:

  1. Make sure both your WordPress Address and Site Address in Settings → General use https://.
  2. Set up a redirect so that any http:// requests are automatically forwarded to https://. Your hosting control panel may handle this, or you can add a redirect rule to your .htaccess file.
  3. Check for mixed content — pages loaded over HTTPS that still reference images, scripts, or stylesheets over HTTP. Your browser’s developer tools (Console tab) will flag these. Plugins like Really Simple SSL can fix most mixed content issues automatically.

8. Back Up Your Site Regularly

Backups aren’t a security measure in the traditional sense — they won’t stop an attack. But they’re your safety net if the worst happens. A clean, recent backup means you can restore your site quickly instead of rebuilding it from scratch.

Backup Best Practices

  • Back up both your files and your database. Your files include themes, plugins, uploads, and WordPress core. Your database contains your posts, pages, settings, and user accounts. You need both to fully restore a site.
  • Automate it. Don’t rely on remembering to take manual backups. Use a plugin like UpdraftPlus, BlogVault, or BackWPup to schedule daily or weekly backups.
  • Store backups off-site. A backup sitting on the same server as your website is useless if the server is compromised or fails. Send backups to Google Drive, Dropbox, Amazon S3, or a separate server.
  • Test your backups. A backup you’ve never tested is a backup you can’t trust. Periodically restore a backup to a staging environment to make sure it actually works.
  • Keep multiple copies. Retain at least 30 days of backups. If you discover a hack that happened two weeks ago, your most recent backup may already contain the malicious code.
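The practices above, as an added example script that is not part of the original guide: it archives the site files with tar, dumps the database when mysqldump is present (reading credentials from ~/.my.cnf, an assumption made for this example), verifies that the archive actually contains wp-config.php, and prunes copies older than 30 days. Off-site copying is left to whatever your host or backup plugin provides; the site tree and backup directory used here are constructed in temporary directories so the script runs offline, and DB_NAME is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original guide: a minimal backup routine that
# archives the WordPress files, dumps the database when mysqldump is available,
# verifies the archive, and prunes copies older than the retention window.
# The "site" backed up here is a constructed temp tree.

# backup_files WPROOT DEST -> archives WPROOT into DEST and echoes the archive path
backup_files() {
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$2/files-$stamp.tar"
    # -C keeps paths relative so the archive restores anywhere (add z for gzip)
    tar -cf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
    echo "$archive"
}

# backup_database DBNAME DEST -> dumps the database; credentials are read from
# ~/.my.cnf (assumption) so they never appear on the command line or in ps output
backup_database() {
    if command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction "$1" > "$2/db-$(date +%Y%m%d-%H%M%S).sql"
    else
        echo "mysqldump not installed; skipping database dump" >&2
    fi
}

# verify_backup ARCHIVE -> true if the archive is readable and contains
# wp-config.php, the one file a restore cannot do without
verify_backup() {
    tar -tf "$1" | grep -q '/wp-config.php$'
}

# prune_backups DEST DAYS -> delete archives and dumps older than DAYS days
prune_backups() {
    find "$1" \( -name 'files-*.tar' -o -name 'db-*.sql' \) -mtime +"$2" -exec rm -f {} +
}

# count_backups DEST -> number of file archives currently retained
count_backups() {
    find "$1" -name 'files-*.tar' | awk 'END { print NR }'
}

# --- demo with a constructed site tree and backup directory ---
SITE=$(mktemp -d)/wordpress
DEST=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads"
echo "<?php // constructed placeholder" > "$SITE/wp-config.php"
echo "placeholder" > "$SITE/wp-content/uploads/photo.jpg"

ARCHIVE=$(backup_files "$SITE" "$DEST")
verify_backup "$ARCHIVE" && echo "verified: $ARCHIVE"
backup_database "DB_NAME_PLACEHOLDER" "$DEST"
# Three fake archives dated 2020 show the 30-day retention at work.
for i in 1 2 3; do
    : > "$DEST/files-2020010$i-000000.tar"
    touch -t 20200101000$i "$DEST/files-2020010$i-000000.tar"
done
echo "before prune: $(count_backups "$DEST") archives"
prune_backups "$DEST" 30
echo "after prune:  $(count_backups "$DEST") archives"
rm -rf "$(dirname "$SITE")" "$DEST"
```

Schedule the two backup functions from cron and keep DEST on a different machine or bucket; the verify step is the cheap version of the "test your backups" rule and catches a truncated or empty archive before you need it.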

9. Harden Your WordPress Configuration

Beyond the big-ticket items above, there are several smaller changes that reduce your attack surface. None of these is a silver bullet on its own, but together they make your site a harder target.

Disable File Editing in the Dashboard

WordPress includes a built-in code editor that lets administrators edit theme and plugin files directly from the dashboard. If an attacker gains admin access, this editor gives them an easy way to inject malicious code.

Disable it by adding this line to your wp-config.php:

define('DISALLOW_FILE_EDIT', true);

You can still edit files via SFTP — this just removes the in-dashboard shortcut that attackers love.

Protect wp-config.php

Your wp-config.php file is the most sensitive file in your WordPress installation. Beyond setting strict file permissions (covered above), you can block web access to it entirely by adding this to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

Disable XML-RPC if You Don’t Need It

XML-RPC (xmlrpc.php) is a legacy interface that allows external applications to communicate with WordPress. It was essential before the REST API existed, but today most sites don’t need it.

Unfortunately, it’s also a popular target for brute force attacks because it allows attackers to try multiple passwords in a single request.

If you don’t use the WordPress mobile app, Jetpack, or any service that relies on XML-RPC, you can disable it. Most security plugins offer a toggle for this, or you can block it at the server level:

<files xmlrpc.php>
order allow,deny
deny from all
</files>

Change the Database Table Prefix

By default, WordPress uses wp_ as the prefix for all database tables. While changing this alone won’t stop a determined attacker, it does make automated SQL injection attacks slightly harder.

If you’re setting up a new site, choose a custom prefix during installation (e.g., wf8k_). For existing sites, some security plugins can change this for you, but always take a full database backup first.

Disable Directory Browsing

If directory browsing is enabled, anyone can navigate to a folder on your site (like /wp-content/uploads/) and see a listing of all files in it. This can reveal information about your plugins, themes, and uploaded files.

Disable it by adding this to your .htaccess:

Options -Indexes
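Here is an added audit script (example code written for this guide, not part of the original or of any plugin) that checks an install for the settings in step 7 and in this section: the HTTP-to-HTTPS rewrite, DISALLOW_FILE_EDIT, wp-config.php locked to 600/640 and blocked in .htaccess, xmlrpc.php blocked, Options -Indexes, and a non-default table prefix. Its constructed "hardened" sample .htaccess uses the Apache 2.4 directive `Require all denied` inside the <Files> blocks; the Order/Deny lines shown above are the Apache 2.2 form, which 2.4 only accepts when mod_access_compat is loaded, so the checker accepts either. Sample files live in temporary directories; point audit_hardening at your real document root to check a live site.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a WordPress install for the
# hardening settings from steps 7 and 9. Sample files are constructed in temp dirs.

# check DESCRIPTION COMMAND... -> prints "PASS desc" or "FAIL desc"
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS $desc"; else echo "FAIL $desc"; fi
}

# files_blocked HTACCESS NAME -> true if a <Files NAME> block denies all access,
# in either Apache 2.4 ("Require all denied") or 2.2 ("Deny from all") syntax
files_blocked() {
    awk -v name="$2" '
        tolower($0) ~ "<files[ \t]+" name ">"                          { inside = 1 }
        inside && tolower($0) ~ /(require all denied|deny from all)/  { found = 1 }
        tolower($0) ~ /<\/files>/                                      { inside = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# custom_prefix WPCONFIG -> true unless $table_prefix is still the default wp_
custom_prefix() {
    ! grep -Eq "^[$]table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$1"
}

# cfg_mode_ok WPCONFIG -> true if the file is 600 or 640
cfg_mode_ok() {
    [ -n "$(find "$1" \( -perm 0600 -o -perm 0640 \) -print)" ]
}

# audit_hardening WPROOT -> one PASS/FAIL line per check
audit_hardening() {
    cfg="$1/wp-config.php"; ht="$1/.htaccess"
    check "DISALLOW_FILE_EDIT set"      grep -Eq "define[[:space:]]*\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg"
    check "table prefix is not wp_"    custom_prefix "$cfg"
    check "wp-config.php mode 600/640" cfg_mode_ok "$cfg"
    check "wp-config.php blocked"      files_blocked "$ht" wp-config.php
    check "xmlrpc.php blocked"         files_blocked "$ht" xmlrpc.php
    check "directory listing disabled" grep -Eq "^[[:space:]]*Options[[:space:]]+-Indexes" "$ht"
    check "HTTP redirected to HTTPS"   grep -Eq "RewriteCond[[:space:]]+%[{]HTTPS[}][[:space:]]+(off|!on)" "$ht"
}

# hardening_failures WPROOT -> number of FAIL lines
hardening_failures() {
    audit_hardening "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# make_demo_site hardened|weak -> echoes a temp dir holding a constructed
# wp-config.php and .htaccess (the hardened .htaccess uses Apache 2.4 syntax)
make_demo_site() {
    d=$(mktemp -d)
    if [ "$1" = hardened ]; then
        cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('DISALLOW_FILE_EDIT', true);
$table_prefix = 'wf8k_';
EOF
        chmod 600 "$d/wp-config.php"
        cat > "$d/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
<Files xmlrpc.php>
    Require all denied
</Files>
EOF
    else
        cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
$table_prefix = 'wp_';
EOF
        chmod 644 "$d/wp-config.php"
        : > "$d/.htaccess"
    fi
    echo "$d"
}

for kind in weak hardened; do
    site=$(make_demo_site "$kind")
    echo "== $kind site: $(hardening_failures "$site") failing checks"
    audit_hardening "$site"
    rm -rf "$site"
done
```

The checks are text matches on the two files, so they confirm the directives are present, not that Apache honours them; on a host where .htaccess overrides are disabled (AllowOverride None) the same rules belong in the virtual host configuration, and a quick request for /wp-config.php or /xmlrpc.php in a browser, expecting a 403, is the final confirmation.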

10. Understand Common Attack Vectors

Knowing how attackers get in helps you understand why the measures above matter. Here are the most common ways WordPress sites get compromised:

  • Vulnerable plugins and themes. This is the number one attack vector. Attackers actively scan the web for sites running plugins with known vulnerabilities. Automated tools can exploit thousands of sites within hours of a vulnerability being publicly disclosed.
  • Brute force attacks. Automated bots try to guess your login credentials by rapidly testing common username and password combinations against your login page and XML-RPC endpoint.
  • Cross-site scripting (XSS). An attacker injects malicious JavaScript into your site — often through a vulnerable plugin or unvalidated form input — which then executes in your visitors’ browsers.
  • SQL injection. Malicious SQL queries are inserted through input fields or URL parameters to manipulate your database — reading, modifying, or deleting data.
  • Phishing and social engineering. You receive a convincing email pretending to be from your hosting provider, a plugin company, or WordPress itself, tricking you into entering your credentials on a fake login page.
  • Malware in nulled themes and plugins. “Free” versions of premium themes and plugins downloaded from unofficial sources almost always contain backdoors or malware. Never use nulled software.

A Quick Security Checklist

Here’s a summary you can work through to check your site’s security posture:

Action                                                Priority   Done?
----------------------------------------------------  ---------  -----
WordPress core, plugins, and themes are up to date    Critical   [ ]
Strong, unique passwords on all accounts              Critical   [ ]
Two-factor authentication enabled for admins          Critical   [ ]
SSL certificate installed, HTTPS enforced             Critical   [ ]
Automated backups running and stored off-site         Critical   [ ]
Login attempts limited                                High       [ ]
Security plugin installed and configured              High       [ ]
File permissions set correctly (755/644/600)          High       [ ]
Unused themes and plugins deleted                     High       [ ]
File editing disabled in dashboard                    Medium     [ ]
XML-RPC disabled (if not needed)                      Medium     [ ]
Directory browsing disabled                           Medium     [ ]
Default “admin” username changed                      Medium     [ ]
Database table prefix changed from default            Low        [ ]

Final Thoughts

WordPress security isn’t about making your site impenetrable — no system connected to the internet can claim that. It’s about making your site a hard enough target that attackers move on to easier pickings, and ensuring that if something does go wrong, you can recover quickly.

The steps in this guide aren’t difficult, and most of them only need to be done once. Keep your software updated, use strong passwords with two-factor authentication, install a security plugin, and maintain regular backups. That combination alone puts you ahead of the vast majority of WordPress sites on the web.

If you’re a Webfort customer, your hosting already includes features that help — free SSL certificates, server-level firewalls, and regular server-side security updates. If you need a hand reviewing your site’s security or recovering from an incident, our support team is here to help.