WordPress powers 43% of the web. That makes it the most targeted platform on the internet. But most WordPress hacks aren't sophisticated — they exploit known vulnerabilities in outdated plugins, weak passwords, and misconfigured servers. Here are 15 concrete steps to close those doors.
1. Keep Everything Updated
Outdated plugins are the #1 cause of WordPress hacks. When a vulnerability is discovered in a plugin, it's patched in the next update — and simultaneously announced to the world, including attackers. An unpatched plugin is an open door.
Enable automatic updates for minor versions. Review and apply major updates monthly. Remove plugins you're not actively using.
2. Use a Unique, Strong Admin Username
Never use "admin" as your WordPress username. It's the first thing automated bots try. Create a new administrator account with a unique username, then delete the original "admin" account.
3. Use a Strong Password + Password Manager
Use a randomly generated password of 20+ characters for your WordPress admin, hosting account, FTP, and database. A password manager (1Password, Bitwarden) handles remembering them.
4. Enable Two-Factor Authentication
Add a second layer to your login with a plugin like WP 2FA or Wordfence. Even if your password is compromised, 2FA blocks unauthorized access.
5. Limit Login Attempts
By default, WordPress allows unlimited login attempts. Brute force attacks try thousands of password combinations automatically. Limit Login Attempts Reloaded or Wordfence will block an IP address after too many failed attempts.
6. Change the Default Login URL
The default WordPress login is at /wp-admin or /wp-login.php. Every bot knows this. WPS Hide Login lets you change it to anything you want — immediately eliminating bot traffic targeting your login page.
7. Install a Security Plugin
Wordfence (free tier is solid) or Solid Security provide a firewall, malware scanner, login protection, and file change detection. Install one and run the initial setup wizard.
8. Keep Regular Backups (and Test Them)
A backup you haven't tested is not a backup. Use UpdraftPlus or your host's backup solution to run daily backups stored off-site (Google Drive, Dropbox, or S3). Restore a backup to a staging environment at least once a quarter to verify it works.
9. Use HTTPS Everywhere
If your site isn't on HTTPS, get a free SSL certificate through Let's Encrypt (most hosts offer this with one click). Then force HTTPS by redirecting all HTTP traffic. Mixed HTTP/HTTPS content creates security warnings and can expose data.
10. Harden File Permissions
WordPress files should be 644 and directories should be 755. The wp-config.php file should be 600 (or 640). Overly permissive file permissions let attackers write malicious files to your server.
11. Disable File Editing from the Dashboard
Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php. This disables the built-in theme and plugin code editor — if an attacker gets admin access, they can't use it to inject malicious code.
12. Protect wp-config.php
Add this to your .htaccess file to block direct access to wp-config.php:
<Files wp-config.php>
# Apache 2.2 directives; on Apache 2.4 without mod_access_compat use: Require all denied
Order allow,deny
Deny from all
</Files>
13. Disable XML-RPC (Unless You Need It)
XML-RPC is a WordPress feature that enables remote publishing and Jetpack connections. It's also heavily exploited for brute force attacks and DDoS amplification. If you don't use Jetpack or remote publishing, disable it with a plugin like Disable XML-RPC.
14. Use a Reputable Host
Cheap shared hosting is a security liability. Good hosts (Kinsta, WP Engine, SiteGround) have server-level firewalls, malware scanning, and isolation between accounts. A compromised neighboring account on bad shared hosting can affect your site.
15. Monitor for Changes
File integrity monitoring alerts you when core WordPress files change unexpectedly — a key early warning sign of compromise. Wordfence and Solid Security both include this feature.
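A minimal version of the file integrity check that step 15 describes, added here as an example (it is not code from this page, nor from Wordfence or Solid Security). It assumes the baseline is taken right after a clean install or a deliberate update, and that the baseline file lives outside the web root; the demo() tree is a constructed stand-in for a real install.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Optional

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Files added, modified or removed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def check(root: Path, baseline_file: Path) -> Optional[dict]:
    """First run writes the baseline and returns None; later runs return the diff.
    Keep baseline_file outside the web root so it cannot be reached over HTTP."""
    current = snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        return None
    return compare(json.loads(baseline_file.read_text()), current)

def demo() -> dict:
    """Constructed sample tree (not a real install): baseline it, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline = Path(tmp) / "site", Path(tmp) / "baseline.json"
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "functions.php").write_text("<?php // core\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        assert check(root, baseline) is None  # first run only records the baseline
        # The early warning signs the text mentions: a core file that no longer
        # matches the baseline, and a file that was never part of the install.
        (root / "wp-includes" / "functions.php").write_text("<?php // core\n// extra\n")
        (root / "wp-includes" / "unexpected.php").write_text("<?php\n")
        return check(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Run check() from cron after every deliberate update has been re-baselined; any non-empty result outside an update window is worth an alert.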
Frequently Asked Questions
How do I know if my WordPress site has already been hacked?
Common signs: spam links appearing in content, visitors being redirected to other sites, Google showing a warning to visitors, your host sending a malware alert, a sudden drop in Google rankings, or unknown admin user accounts.
Do I need to do all 15 of these?
The top 5 (updates, strong username, strong password, 2FA, login limits) cover the vast majority of attack vectors. The rest provide defense in depth. Implement them in order — the first five have the highest impact.
Is a security plugin enough?
A security plugin is one layer, not a complete solution. It won't protect you from bad passwords or outdated plugins. Use it alongside the other steps, not instead of them.
How often should I run a security scan?
Monthly at minimum. Weekly for ecommerce sites or sites handling sensitive data. Our WordPress Care Plans include monthly security scans as standard.