WordPress powers over 40% of the web, which makes it one of the most popular platforms on the planet \u2014 and one of the biggest targets for attackers. The good news is that WordPress itself is well-maintained and regularly patched.<\/p>\n\n\n\n
The bad news? Most WordPress sites get compromised not because of a flaw in WordPress, but because of something the site owner could have prevented. Weak passwords, outdated plugins, default settings left unchanged \u2014 these are the things attackers exploit, and they’re all within your control.<\/p>\n\n\n\n
This guide walks you through the practical steps you can take to secure your WordPress site, from the basics that every site should have in place to more advanced measures for those who want extra peace of mind.<\/p>\n\n\n\n
A hacked website isn’t just an inconvenience. Depending on the type of attack, it can mean:<\/p>\n\n\n\n
\nRecovery is always harder and more expensive than prevention. The steps below will dramatically reduce your risk.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\n1. Keep Everything Updated<\/h2>\n\n\n\n
This is the single most important thing you can do. The vast majority of WordPress hacks exploit known vulnerabilities in outdated software \u2014 vulnerabilities that have already been patched in newer versions.<\/p>\n\n\n\n
You need to keep three things up to date:<\/p>\n\n\n\n
\n
- WordPress core.<\/strong> Major releases (6.4, 6.5, etc.) come every few months. Minor security releases (6.5.1, 6.5.2) are pushed out as needed and are applied automatically by default \u2014 don’t disable this.<\/li>\n
- Plugins.<\/strong> These are the most common entry point for attackers. A single outdated plugin with a known vulnerability is all it takes. Check for updates at least weekly, or enable auto-updates for trusted plugins.<\/li>\n
- Themes.<\/strong> Even if your theme looks fine, an outdated theme can contain exploitable code. Update your active theme regularly, and delete any themes you’re not using<\/strong> \u2014 they can still be exploited even when inactive.<\/li>\n<\/ul>\n\n\n\n
\nKey takeaway:<\/strong> Before updating, always make sure you have a recent backup. If you have a staging environment, test updates there first.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\n2. Use Strong, Unique Passwords<\/h2>\n\n\n\n
It sounds obvious, but weak passwords remain one of the most exploited vulnerabilities on the web. Attackers use automated tools that can try thousands of password combinations per minute.<\/p>\n\n\n\n
If your admin password is something like
admin123<\/code>,Password1<\/code>, or your business name, it’s only a matter of time.<\/p>\n\n\n\nWhat Makes a Strong Password<\/h3>\n\n\n\n
\n
- At least 16 characters long \u2014 longer is better.<\/li>\n
- A mix of uppercase, lowercase, numbers, and symbols \u2014 or better yet, a random passphrase of four or more unrelated words.<\/li>\n
- Unique to your WordPress site \u2014 never reused from another account.<\/li>\n
- Generated and stored by a password manager like Bitwarden<\/strong>, 1Password<\/strong>, or KeePass<\/strong>.<\/li>\n<\/ul>\n\n\n\n
This applies to every user account on your site, not just the admin. If you have multiple authors or editors, make sure they’re using strong passwords too. You can enforce this with plugins like Password Policy Manager<\/strong> or by requiring a minimum password strength in your user registration settings.<\/p>\n\n\n\n
Change the Default Admin Username<\/h3>\n\n\n\n
If your admin account is still called
admin<\/code>, you’ve already given attackers half of what they need to log in.<\/p>\n\n\n\nWordPress doesn’t let you change a username directly, but you can create a new administrator account with a different username, log in with it, and delete the old
admin<\/code> account (reassigning its content to the new one).<\/p>\n\n\n\n
\n\n\n\n3. Enable Two-Factor Authentication (2FA)<\/h2>\n\n\n\n
Even the strongest password can be compromised \u2014 through phishing, a data breach on another site, or malware on your computer.<\/p>\n\n\n\n
Two-factor authentication adds a second layer: after entering your password, you also need a time-based code from an app on your phone. This means that even if an attacker has your password, they still can’t log in without physical access to your device.<\/p>\n\n\n\n
How to Set It Up<\/h3>\n\n\n\n
\n
- Install a 2FA plugin such as WP 2FA<\/strong>, Two-Factor<\/strong>, or Wordfence Login Security<\/strong> (a free standalone plugin from the Wordfence team).<\/li>\n
- Download an authenticator app on your phone \u2014 Google Authenticator<\/strong>, Microsoft Authenticator<\/strong>, or Authy<\/strong> all work well.<\/li>\n
- Scan the QR code provided by the plugin, and from then on you’ll enter a 6-digit code from the app each time you log in.<\/li>\n
- Save your backup codes<\/strong> somewhere safe. If you lose access to your phone, these are your way back in.<\/li>\n<\/ol>\n\n\n\n
If your site has multiple users, consider making 2FA mandatory for all administrator and editor accounts. Most 2FA plugins let you enforce this by role.<\/p>\n\n\n\n
\n\n\n\n4. Limit Login Attempts<\/h2>\n\n\n\n
By default, WordPress allows unlimited login attempts. This is what makes brute force attacks possible \u2014 an attacker can try password after password with no penalty.<\/p>\n\n\n\n
Limiting login attempts blocks an IP address after a set number of failed tries, making brute force attacks impractical.<\/p>\n\n\n\n
Options for Limiting Login Attempts<\/h3>\n\n\n\n
\n
- Limit Login Attempts Reloaded<\/strong> \u2014 a lightweight, popular plugin that does exactly what the name suggests. You set the number of allowed retries and the lockout duration.<\/li>\n
- Wordfence<\/strong> \u2014 includes brute force protection as part of its broader security features.<\/li>\n
- Server-level protection with fail2ban<\/strong> \u2014 if you have server access, fail2ban<\/a> can monitor your WordPress login log and block offending IPs at the firewall level, which is more efficient than handling it in PHP.<\/li>\n<\/ul>\n\n\n\n
\nRecommended config:<\/strong> 5 attempts before a 30-minute lockout, with longer lockouts after repeated offences. This won’t bother legitimate users but will stop automated attacks cold.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\n5. Install a Security Plugin<\/h2>\n\n\n\n
A good security plugin acts as a safety net, monitoring your site for suspicious activity and providing tools to harden your configuration. You don’t need to go overboard \u2014 one well-configured security plugin is better than three fighting each other.<\/p>\n\n\n\n
Popular Options<\/h3>\n\n\n\n
\n
- Wordfence Security<\/a><\/strong> \u2014 the most widely used WordPress security plugin. The free version includes a firewall, malware scanner, login security, and real-time traffic monitoring. The premium version adds real-time firewall rules and malware signature updates as threats are discovered.<\/li>\n
- Sucuri Security<\/a><\/strong> \u2014 offers file integrity monitoring, security hardening, and remote malware scanning. Their premium plans include a cloud-based web application firewall (WAF) that filters malicious traffic before it reaches your server.<\/li>\n
- Solid Security (formerly iThemes Security)<\/a><\/strong> \u2014 provides a wide range of hardening options including file change detection, database backups, 2FA, and brute force protection.<\/li>\n<\/ul>\n\n\n\n
\nKey takeaway:<\/strong> Whichever plugin you choose, spend 20 minutes on the setup wizard. A properly configured security plugin gives you significantly better protection than one left on default settings.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\n6. Set Correct File Permissions<\/h2>\n\n\n\n
File permissions control who can read, write, and execute files on your server. If permissions are too loose, an attacker who finds a vulnerability could modify your files \u2014 injecting malicious code into your theme, plugins, or even WordPress core files.<\/p>\n\n\n\n
Recommended Permissions<\/h3>\n\n\n\n
\n
- Directories:<\/strong>
755<\/code> \u2014 the owner can read, write, and execute; everyone else can read and execute but not write.<\/li>\n- Files:<\/strong>
644<\/code> \u2014 the owner can read and write; everyone else can only read.<\/li>\n- wp-config.php:<\/strong>
600<\/code> or640<\/code> \u2014 this file contains your database credentials and secret keys, so it should be as restricted as possible.<\/li>\n<\/ul>\n\n\n\nYou can check and fix file permissions via SFTP (right-click a file or folder in your FTP client and look for “File Permissions”) or via SSH with these commands:<\/p>\n\n\n\n
find \/path\/to\/wordpress -type d -exec chmod 755 {} ;\nfind \/path\/to\/wordpress -type f -exec chmod 644 {} ;\nchmod 600 \/path\/to\/wordpress\/wp-config.php<\/code><\/pre>\n\n\n\n\nWarning:<\/strong> Never set any file or directory to
777<\/code> (world-writable). If a plugin or guide tells you to do this, find a better plugin or guide.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\n7. Use SSL\/HTTPS Everywhere<\/h2>\n\n\n\n
An SSL certificate encrypts the connection between your visitors’ browsers and your server, protecting login credentials, form submissions, and other sensitive data from being intercepted in transit.<\/p>\n\n\n\n
It also gives you the padlock icon in the browser bar and is a requirement for modern SEO \u2014 Google has used HTTPS as a ranking signal since 2014.<\/p>\n\n\n\n
Most hosting providers, including Webfort, provide free SSL certificates through Let’s Encrypt<\/strong>. Once your certificate is installed:<\/p>\n\n\n\n
\n
- Make sure both your WordPress Address<\/strong> and Site Address<\/strong> in Settings \u2192 General use
https:\/\/<\/code>.<\/li>\n- Set up a redirect so that any
http:\/\/<\/code> requests are automatically forwarded tohttps:\/\/<\/code>. Your hosting control panel may handle this, or you can add a redirect rule to your.htaccess<\/code> file.<\/li>\n- Check for mixed content<\/strong> \u2014 pages loaded over HTTPS that still reference images, scripts, or stylesheets over HTTP. Your browser’s developer tools (Console tab) will flag these. Plugins like Really Simple SSL<\/strong> can fix most mixed content issues automatically.<\/li>\n<\/ol>\n\n\n\n
\n\n\n\n8. Back Up Your Site Regularly<\/h2>\n\n\n\n
Backups aren’t a security measure in the traditional sense \u2014 they won’t stop an attack. But they’re your safety net if the worst happens. A clean, recent backup means you can restore your site quickly instead of rebuilding it from scratch.<\/p>\n\n\n\n
Backup Best Practices<\/h3>\n\n\n\n
\n
- Back up both your files and your database.<\/strong> Your files include themes, plugins, uploads, and WordPress core. Your database contains your posts, pages, settings, and user accounts. You need both to fully restore a site.<\/li>\n
- Automate it.<\/strong> Don’t rely on remembering to take manual backups. Use a plugin like UpdraftPlus<\/strong>, BlogVault<\/strong>, or BackWPup<\/strong> to schedule daily or weekly backups.<\/li>\n
- Store backups off-site.<\/strong> A backup sitting on the same server as your website is useless if the server is compromised or fails. Send backups to Google Drive, Dropbox, Amazon S3, or a separate server.<\/li>\n
- Test your backups.<\/strong> A backup you’ve never tested is a backup you can’t trust. Periodically restore a backup to a staging environment to make sure it actually works.<\/li>\n
- Keep multiple copies.<\/strong> Retain at least 30 days of backups. If you discover a hack that happened two weeks ago, your most recent backup may already contain the malicious code.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n9. Harden Your WordPress Configuration<\/h2>\n\n\n\n
Beyond the big-ticket items above, there are several smaller changes that reduce your attack surface. None of these is a silver bullet on its own, but together they make your site a harder target.<\/p>\n\n\n\n
Disable File Editing in the Dashboard<\/h3>\n\n\n\n
WordPress includes a built-in code editor that lets administrators edit theme and plugin files directly from the dashboard. If an attacker gains admin access, this editor gives them an easy way to inject malicious code.<\/p>\n\n\n\n
Disable it by adding this line to your
wp-config.php<\/code>:<\/p>\n\n\n\ndefine('DISALLOW_FILE_EDIT', true);<\/code><\/pre>\n\n\n\nYou can still edit files via SFTP \u2014 this just removes the in-dashboard shortcut that attackers love.<\/p>\n\n\n\n
Protect wp-config.php<\/h3>\n\n\n\n
Your
wp-config.php<\/code> file is the most sensitive file in your WordPress installation. Beyond setting strict file permissions (covered above), you can block web access to it entirely by adding this to your.htaccess<\/code> file:<\/p>\n\n\n\n<files wp-config.php>\norder allow,deny\ndeny from all\n<\/files><\/code><\/pre>\n\n\n\nDisable XML-RPC if You Don’t Need It<\/h3>\n\n\n\n
XML-RPC (
xmlrpc.php<\/code>) is a legacy interface that allows external applications to communicate with WordPress. It was essential before the REST API existed, but today most sites don’t need it.<\/p>\n\n\n\nUnfortunately, it’s also a popular target for brute force attacks because it allows attackers to try multiple passwords in a single request.<\/p>\n\n\n\n
If you don’t use the WordPress mobile app, Jetpack, or any service that relies on XML-RPC, you can disable it. Most security plugins offer a toggle for this, or you can block it at the server level:<\/p>\n\n\n\n
<files xmlrpc.php>\norder deny,allow\ndeny from all\n<\/files><\/code><\/pre>\n\n\n\nChange the Database Table Prefix<\/h3>\n\n\n\n
By default, WordPress uses
wp_<\/code> as the prefix for all database tables. While changing this alone won’t stop a determined attacker, it does make automated SQL injection attacks slightly harder.<\/p>\n\n\n\nIf you’re setting up a new site, choose a custom prefix during installation (e.g.,
wf8k_<\/code>). For existing sites, some security plugins can change this for you, but always take a full database backup first.<\/p>\n\n\n\nDisable Directory Browsing<\/h3>\n\n\n\n
If directory browsing is enabled, anyone can navigate to a folder on your site (like
\/wp-content\/uploads\/<\/code>) and see a listing of all files in it. This can reveal information about your plugins, themes, and uploaded files.<\/p>\n\n\n\nDisable it by adding this to your
.htaccess<\/code>:<\/p>\n\n\n\nOptions -Indexes<\/code><\/pre>\n\n\n\n
\n\n\n\n10. Understand Common Attack Vectors<\/h2>\n\n\n\n
Knowing how attackers get in helps you understand why the measures above matter. Here are the most common ways WordPress sites get compromised:<\/p>\n\n\n\n
\n
- Vulnerable plugins and themes.<\/strong> This is the number one attack vector. Attackers actively scan the web for sites running plugins with known vulnerabilities. Automated tools can exploit thousands of sites within hours of a vulnerability being publicly disclosed.<\/li>\n
- Brute force attacks.<\/strong> Automated bots try to guess your login credentials by rapidly testing common username and password combinations against your login page and XML-RPC endpoint.<\/li>\n
- Cross-site scripting (XSS).<\/strong> An attacker injects malicious JavaScript into your site \u2014 often through a vulnerable plugin or unvalidated form input \u2014 which then executes in your visitors’ browsers.<\/li>\n
- SQL injection.<\/strong> Malicious SQL queries are inserted through input fields or URL parameters to manipulate your database \u2014 reading, modifying, or deleting data.<\/li>\n
- Phishing and social engineering.<\/strong> You receive a convincing email pretending to be from your hosting provider, a plugin company, or WordPress itself, tricking you into entering your credentials on a fake login page.<\/li>\n
- Malware in nulled themes and plugins.<\/strong> “Free” versions of premium themes and plugins downloaded from unofficial sources almost always contain backdoors or malware. Never use nulled software.<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nA Quick Security Checklist<\/h2>\n\n\n\n
Here’s a summary you can work through to check your site’s security posture:<\/p>\n\n\n\n
Action<\/th> Priority<\/th> Done?<\/th><\/tr><\/thead> WordPress core, plugins, and themes are up to date<\/td> Critical<\/td> \u2610<\/td><\/tr> Strong, unique passwords on all accounts<\/td> Critical<\/td> \u2610<\/td><\/tr> Two-factor authentication enabled for admins<\/td> Critical<\/td> \u2610<\/td><\/tr> SSL certificate installed, HTTPS enforced<\/td> Critical<\/td> \u2610<\/td><\/tr> Automated backups running and stored off-site<\/td> Critical<\/td> \u2610<\/td><\/tr> Login attempts limited<\/td> High<\/td> \u2610<\/td><\/tr> Security plugin installed and configured<\/td> High<\/td> \u2610<\/td><\/tr> File permissions set correctly (755\/644\/600)<\/td> High<\/td> \u2610<\/td><\/tr> Unused themes and plugins deleted<\/td> High<\/td> \u2610<\/td><\/tr> File editing disabled in dashboard<\/td> Medium<\/td> \u2610<\/td><\/tr> XML-RPC disabled (if not needed)<\/td> Medium<\/td> \u2610<\/td><\/tr> Directory browsing disabled<\/td> Medium<\/td> \u2610<\/td><\/tr> Default “admin” username changed<\/td> Medium<\/td> \u2610<\/td><\/tr> Database table prefix changed from default<\/td> Low<\/td> \u2610<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\nFinal Thoughts<\/h2>\n\n\n\n
WordPress security isn’t about making your site impenetrable \u2014 no system connected to the internet can claim that. It’s about making your site a hard enough target that attackers move on to easier pickings, and ensuring that if something does go wrong, you can recover quickly.<\/p>\n\n\n\n
The steps in this guide aren’t difficult, and most of them only need to be done once. Keep your software updated, use strong passwords with two-factor authentication, install a security plugin, and maintain regular backups. That combination alone puts you ahead of the vast majority of WordPress sites on the web.<\/p>\n\n\n\n
If you’re a Webfort customer, your hosting already includes features that help \u2014 free SSL certificates, server-level firewalls, and regular server-side security updates. If you need a hand reviewing your site’s security or recovering from an incident, our support team is here to help.<\/p>\n","protected":false},"excerpt":{"rendered":"
A practical, step-by-step guide to securing your WordPress website. Covers updates, strong passwords, two-factor authentication, file permissions, security plugins, and the most common attack vectors to watch out for.<\/p>\n","protected":false},"author":1,"featured_media":41,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,2],"tags":[15,17,19,18,16,14,11],"class_list":["post-22","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-wordpress","tag-brute-force","tag-file-permissions","tag-malware","tag-ssl","tag-two-factor-authentication","tag-wordpress-security","tag-wordpress-tips"],"_links":{"self":[{"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/posts\/22","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=22"}],"version-history":[{"count":2,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/posts\/22\/revisions"}],"predecessor-version":[{"id":25,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/posts\/22\/revisions\/25"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/media\/41"}],"wp:attachment":[{"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webfort.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}