WordPress Security: A Practical Guide to Hardening Your Site
Most WordPress hacks aren't sophisticated. The attacker isn't a hooded figure in a basement; it's an automated script trying the password "admin123" on a hundred thousand sites an hour. If yours is the one that says yes, you're in.
The good news: WordPress security is mostly about closing easy doors. Here's the actual list of what matters.
1. Passwords. Yes, still.
Use a password manager. Generate a long, unique password for every site. The most common cause of WordPress break-ins we see is a password the owner has reused on five other services, one of which had a data breach in 2021. That's it. That's the hack.
2. Turn on two-factor authentication
Two-factor authentication adds a one-time code to your login. Even if your password leaks, the attacker also needs your phone. Wordfence, miniOrange and WP 2FA all do this cleanly. It takes five minutes to set up and prevents the entire "stuffed credentials" category of attack.
3. Keep WordPress, themes and plugins updated
Roughly half of compromised sites we clean up were exploited through a known vulnerability that had a patch available — sometimes for months. Enable automatic updates for minor versions and security patches. For major version updates, test in staging first.
4. Be picky about plugins
Every plugin is code from someone you've never met running on your server. Before you install one, check:
- When was it last updated? (Within six months ideally.)
- How many active installs? (More eyes means bugs get found.)
- What permissions does it want?
- Is the same functionality already in a plugin you have?
5. Limit login attempts
By default, WordPress will happily let an attacker try a million passwords. Install Limit Login Attempts Reloaded (or use the built-in feature in Wordfence) and brute-force attacks become effectively impossible.
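To show what those plugins are doing under the hood, here is a small must-use plugin (an added example written for this article, not code from Limit Login Attempts Reloaded or Wordfence) that counts failed logins per username and client address in WordPress transients and refuses further attempts once a threshold is hit. The thresholds, the `lal_` prefix and the function names are this example's own choices.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (illustrative example)
 * Description: Lock a username + client-IP pair after repeated failed logins.
 * Install: copy into wp-content/mu-plugins/ (must-use plugins need no activation).
 */

// Tunables (constructed values for this example).
const LAL_MAX_ATTEMPTS = 5;     // failures allowed inside the window
const LAL_WINDOW       = 900;   // seconds a failure is remembered (15 min)
const LAL_LOCKOUT      = 1800;  // seconds a locked pair stays locked (30 min)

// Transient key for the (client IP, username) pair.
// Caveat: behind Cloudflare or a hosted WAF, REMOTE_ADDR is the proxy's address;
// only trust a forwarded-IP header if that proxy is the sole path to the origin.
function lal_key(string $username): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_' . md5($ip . '|' . strtolower(trim($username)));
}

// Count one failed login; flip the pair to locked when the threshold is reached.
function lal_record_failure(string $username): void {
    if ($username === '') {
        return;
    }
    $key   = lal_key($username);
    $state = get_transient($key) ?: ['fails' => 0, 'locked' => false];
    $state['fails']++;
    $ttl = LAL_WINDOW;
    if ($state['fails'] >= LAL_MAX_ATTEMPTS) {
        $state['locked'] = true;
        $ttl = LAL_LOCKOUT;   // the lock outlives the counting window
    }
    set_transient($key, $state, $ttl);
}
add_action('wp_login_failed', 'lal_record_failure');

// Refuse authentication for a locked pair, whatever the password was.
// Priority 30 runs after WordPress' own username/password check (priority 20),
// which would otherwise overwrite an earlier error with its own result.
function lal_check_lockout($user, string $username, string $password) {
    if ($username !== '') {
        $state = get_transient(lal_key($username));
        if ($state && !empty($state['locked'])) {
            return new WP_Error(
                'too_many_attempts',
                __('Too many failed login attempts. Please try again later.')
            );
        }
    }
    return $user;
}
add_filter('authenticate', 'lal_check_lockout', 30, 3);

// A successful login clears the counter for that pair.
function lal_clear(string $user_login, WP_User $user): void {
    delete_transient(lal_key($user_login));
}
add_action('wp_login', 'lal_clear', 10, 2);
```

Two things worth knowing before relying on a counter like this. It also covers XML-RPC password attempts, because wp_xmlrpc_server::login() goes through wp_authenticate(), which fires wp_login_failed and runs the authenticate filters; that is the rate limiting step 34 below asks for, without switching XML-RPC off. And it keys on one address at a time, so it slows a single script down sharply but does nothing against guesses spread over many addresses, which is why the unique password and two-factor authentication above still matter.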
6. Change your admin username
If your admin user is called admin or your domain name, half the work is done for the attacker. Create a new admin user, assign your content to it, delete the old one.
7. Use a web application firewall
A WAF blocks malicious requests before they reach WordPress. Cloudflare's free tier includes basic WAF rules. Wordfence runs a software WAF inside WordPress. Sucuri offers a hosted WAF. Any of these is far better than none.
8. Lock down file permissions
On a properly configured server, files should be 644 and folders 755. wp-config.php should be 600. If your host is letting you set things to 777 because something "wasn't working," that's the problem — not the permissions.
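A quick way to find out how far a site is from those numbers is to walk the tree and compare each entry's mode with the expected one. The script below is an added example for this guide, not tooling from WordPress or any host; the file name wp-perms.php, the function names and the --fix flag are its own conventions.

```php
<?php
// Audit WordPress file permissions against 644 / 755 / 600 and optionally repair them.
// Usage: php wp-perms.php /var/www/html        (report only, exit 1 if anything is off)
//        php wp-perms.php /var/www/html --fix  (chmod the offenders)

function wp_wanted_mode(SplFileInfo $info): int {
    if ($info->isDir()) {
        return 0755;
    }
    // wp-config.php holds the database password and the salts: owner-only.
    return $info->getFilename() === 'wp-config.php' ? 0600 : 0644;
}

// Returns [path => [current mode, wanted mode]] for every mismatch under $root.
function wp_perm_audit(string $root, bool $fix = false): array {
    $root = rtrim($root, '/');
    $bad  = [];
    $it   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        // A symlink reports its target's mode; skip it rather than chmod the target.
        if ($info->isLink()) {
            continue;
        }
        $have = $info->getPerms() & 0777;   // strip the file-type bits
        $want = wp_wanted_mode($info);
        if ($have !== $want) {
            $bad[$path] = [$have, $want];
            if ($fix) {
                chmod($path, $want);
            }
        }
    }
    return $bad;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $bad = wp_perm_audit($argv[1], in_array('--fix', $argv, true));
    foreach ($bad as $path => [$have, $want]) {
        printf("%s: %o -> %o\n", $path, $have, $want);
    }
    exit($bad ? 1 : 0);
}
```

Every 777 entry shows up in the report. The usual reason someone reached for 777 is that wp-content/uploads or a cache directory has to be writable by the user PHP runs as; the fix for that is ownership (chown those directories to the PHP user, or run PHP as the file owner, as most PHP-FPM and suEXEC setups already do), after which 755 works and the script stops complaining.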
9. Disable file editing in the dashboard
WordPress lets you edit theme and plugin files directly from the admin. If an attacker gets in, this is how they upload a backdoor without ever touching FTP. Add this to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
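The same file can carry the other hardening switches from this list. The fragment below is an added illustration of what a hardened wp-config.php section looks like, not this page's or any host's stock configuration; the constants are WordPress' own, the comments explain which step each one belongs to.

```php
<?php
// wp-config.php hardening constants. Put them above the
// "That's all, stop editing! Happy publishing." line.

// Step 9: remove the theme/plugin editor from the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Step 3: apply minor and security core releases automatically and leave major
// versions for a staging test. WordPress updates minor releases by default;
// defining the constant pins that so a dashboard toggle or a plugin cannot
// widen it to major releases (true) or switch it off (false).
define('WP_AUTO_UPDATE_CORE', 'minor');

// Serve the dashboard and login form over HTTPS only, so neither the password
// nor the logged-in cookie crosses the network in clear text.
define('FORCE_SSL_ADMIN', true);

// Stricter still: DISALLOW_FILE_MODS also blocks installing and updating plugins
// and themes from the dashboard AND disables automatic updates, which undoes
// step 3 unless updates arrive another way (WP-CLI, a deploy pipeline).
// Leave it commented out unless the site is managed like that.
// define('DISALLOW_FILE_MODS', true);
```

Changes to wp-config.php take effect on the next request, no restart needed; after saving, load the dashboard once to confirm the site still comes up, then check that Appearance > Theme File Editor has disappeared from the menu.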
10. Take backups. Test them.
Backups aren't security — they're recovery. But the day you really need them, you'll thank yourself. Daily automated backups, stored off-server, and tested at least once. If you've never restored a backup, you don't have backups; you have hope.
If we had to pick three of these to do first: a unique password in a manager, two-factor authentication, and automatic updates for minor versions. Those three close maybe 90% of the doors attackers walk through.
What you can safely ignore
Some advice you'll see online is more theatre than security:
- Hiding /wp-admin behind a custom URL. Security through obscurity. Doesn't stop a real attacker, breaks legitimate workflows.
- Renaming the wp_ table prefix on existing sites. Riskier than it sounds, and modern attacks don't care.
- Disabling XML-RPC entirely. Useful in some cases, but breaks Jetpack and a lot of mobile apps. Rate-limit it instead.
Security is about doing the boring things consistently. If your WordPress site is updated, has a real password, 2FA on, daily backups, and a firewall — you're already ahead of 95% of sites on the web.