Overview:
Keep hackers at bay with basic security best practices.
Because of WordPress’s popularity, it’s a common target for attacks. Contrary to popular belief, WordPress itself is not insecure; quite the opposite, if used correctly, it is highly reliable and secure.
The good news: by taking some simple precautions, even a non-technical user can dramatically improve their site’s security.
Not everyone needs every item on this list, so we have separated them into three sections:
Basics (every website should incorporate these), Medium, and Advanced. It is up to you to determine which ones suit your website best.
Basics – A must-have
Keep WordPress Core, Themes, and Plugins Updated
An outdated plugin or theme is the #1 way hackers gain entry. Always update the WordPress core promptly when a new version is released; minor versions in particular contain crucial fixes and security patches. For major releases, test the update on the website’s staging environment first. If a new version contains a bug that the developers missed, a staging site will save you from website downtime and give you peace of mind when you click that ‘update’ button.
If you have a plugin or a theme that you completely trust, you can always enable auto-updates in the WordPress dashboard.
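One way to put both halves of this advice into code (apply minor core releases automatically, leave major releases for staging, and auto-update only the plugins and themes you trust) is a small must-use plugin. This is an added example, not code from the article or from WordPress itself; it uses the core filters allow_minor_auto_core_updates, allow_major_auto_core_updates, auto_update_plugin and auto_update_theme, and the two slug lists are placeholders you replace with the directory names of your own trusted plugins and themes.

```php
<?php
/**
 * Plugin Name: Update Policy (added example, not from the original article)
 *
 * Save as wp-content/mu-plugins/update-policy.php so it loads on every request.
 * Core minor (security/maintenance) releases are applied unattended; major
 * releases are not, so they can be tested on staging first. Plugin and theme
 * auto-updates are limited to an explicit allow-list of trusted slugs.
 */

// Core: minor releases yes, major releases no.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Placeholder slugs (constructed for this example); replace with your own.
define( 'UP_TRUSTED_PLUGINS', [ 'example-trusted-plugin', 'another-trusted-plugin' ] );
define( 'UP_TRUSTED_THEMES',  [ 'example-trusted-theme' ] );

// Runs after the per-plugin toggle in the dashboard, so this list has the final say.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item->slug is the plugin directory name reported by the update API.
    return in_array( $item->slug ?? '', UP_TRUSTED_PLUGINS, true );
}, 10, 2 );

add_filter( 'auto_update_theme', function ( $update, $item ) {
    // For themes the update item carries the stylesheet directory name in ->theme.
    return in_array( $item->theme ?? '', UP_TRUSTED_THEMES, true );
}, 10, 2 );
```

Because the filters return false for anything not on the list, a plugin that someone later switches to “auto-update” in the dashboard still stays manual until you add its slug here, which keeps the decision in one reviewable file.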
Use Strong Passwords
It sounds obvious, but weak passwords are one of the biggest, if not the biggest, causes of security breaches. Always use complex passwords (a mix of upper- and lowercase letters, numbers, and symbols) or a secure password generator to create them. Ensure all user accounts (especially any with the Administrator role) use strong passwords.
User Permissions
Not everyone needs to be an Administrator on the website. Limit admin access, and assign an appropriate role to each user on the website. If you run a multi-author site, give writers the Author or Editor role rather than Admin. The principle of least privilege goes a long way.
Regular Backups
While backups don’t prevent hacks, they are your safety net if something goes wrong. Every decent host makes frequent backups of your website, but it is a good idea to keep another backup copy off-server.
If a site and its backups are on the same server, then on the off chance that something happens to that server, your site and its backups are gone forever. You can keep site backup files on your machine, Google Drive, Dropbox, etc.
We recommend using a service like ManageWP; it is simple to use and offers a free tier with one automatic backup per month, while its paid plans unlock more frequent backups, and the frequency is controlled by your needs.
In case of a security breach, you can quickly restore a clean site. This can save you from paying ransoms or spending countless hours trying to salvage a compromised site.
Secure Hosting and HTTPS
Choose a reputable host with a focus on security – many managed WordPress hosts implement server-level protections. Ensure you have an SSL certificate so your site runs on HTTPS. HTTPS not only encrypts data (important for protecting login credentials and user data) but also is a Google ranking factor. Most hosts, like Cloudways, provide free Let’s Encrypt SSL that you can activate easily, and WordPress will then show the secure padlock to visitors.
Recommended – for higher-traffic websites
Install a Security Plugin
WordPress security plugins make hardening your site easy. Great options include Wordfence, Sucuri Security, and All-In-One WP Security. These can scan for malware, monitor login attempts, and enforce security practices. For example, Wordfence includes a firewall and malware scanner; Sucuri offers activity auditing and brute force protection. Even the free versions of these are very helpful for basic protection.
Enable Two-Factor Authentication (2FA)
Add an extra login step requiring a code from your phone. Many security plugins or standalone plugins like Two Factor or Google Authenticator allow this. 2FA significantly decreases the chance of unauthorized logins, even if someone cracks your password.
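The “code from your phone” that these plugins ask for is a time-based one-time password (RFC 6238): both the authenticator app and the site derive a six-digit code from a shared secret and the current 30-second time slot. The class below is an added example written for this article, not code from the Two Factor or Google Authenticator plugins; it shows the three checks a careful verifier performs (one step of clock drift either way, constant-time comparison, and refusing a counter that was already used so a captured code cannot be replayed within its window). The base32 secret in the usage section is a constructed demo value.

```php
<?php
/**
 * Added example (not code from the article or from any plugin it names):
 * the RFC 6238 TOTP check behind a "code from your phone" login step.
 */
final class Totp
{
    private const DIGITS = 6;
    private const STEP   = 30;   // seconds per code, the usual authenticator-app default

    /** Decode the base32 secret that authenticator apps store (RFC 4648 alphabet). */
    public static function base32Decode(string $b32): string
    {
        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
        $bits = '';
        foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
            $v = strpos($alphabet, $c);
            if ($v === false) {
                throw new InvalidArgumentException('invalid base32 character');
            }
            $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
        }
        $out = '';
        foreach (str_split($bits, 8) as $byte) {
            if (strlen($byte) === 8) {          // drop the trailing partial group
                $out .= chr(bindec($byte));
            }
        }
        return $out;
    }

    /** HOTP (RFC 4226) for one counter value; TOTP is HOTP over floor(now / STEP). */
    public static function code(string $secret, int $counter): string
    {
        $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true); // 'J' = 64-bit big-endian
        $offset = ord($hash[19]) & 0x0f;                                // dynamic truncation
        $bin    = ((ord($hash[$offset]) & 0x7f) << 24)
                | (ord($hash[$offset + 1]) << 16)
                | (ord($hash[$offset + 2]) << 8)
                |  ord($hash[$offset + 3]);
        return str_pad((string) ($bin % (10 ** self::DIGITS)), self::DIGITS, '0', STR_PAD_LEFT);
    }

    /**
     * Verify a submitted code at time $now. Returns the counter that matched, which the
     * caller persists as $lastUsedCounter for the next login, or null on failure.
     */
    public static function verify(string $secret, string $submitted, int $now, int $lastUsedCounter = -1): ?int
    {
        $submitted = preg_replace('/\s+/', '', $submitted);
        if (!preg_match('/^\d{' . self::DIGITS . '}$/', $submitted)) {
            return null;                                 // wrong shape, don't even hash
        }
        $current = intdiv($now, self::STEP);
        foreach ([0, -1, 1] as $drift) {                 // allow one step of clock skew
            $counter = $current + $drift;
            if ($counter <= $lastUsedCounter) {
                continue;                                // replay: this slot was already consumed
            }
            if (hash_equals(self::code($secret, $counter), $submitted)) {
                return $counter;
            }
        }
        return null;
    }
}

// Usage with a constructed demo secret (never reuse it for a real account).
$secret  = Totp::base32Decode('JBSWY3DPEHPK3PXP');
$counter = intdiv(time(), 30);
$code    = Totp::code($secret, $counter);
$first   = Totp::verify($secret, $code, time());              // fresh code: returns $counter
$replay  = Totp::verify($secret, $code, time(), $first);      // same code again: returns null
var_dump($first === $counter, $replay === null);
```

A real plugin stores the secret encrypted per user and the last-used counter alongside it; the verification logic is the same. Note that the drift window is the reason a code is still accepted for a few seconds after the app rolls over, and the replay check is what stops a code that was phished or shoulder-surfed from being used a second time inside that window.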
Change the Default Login URL
Bots commonly target wp-login.php. Using a plugin like WPS Hide Login, you can change the admin login URL to something unique (e.g., yoursite.com/mysecretlogin). This obscurity can reduce the volume of automated attacks. (Just be sure to remember the new URL!)
Use a Web Application Firewall (WAF)
A WAF filters malicious traffic before it hits your site. Some security plugins include a firewall (Wordfence, for instance). Or you can use cloud services like Cloudflare that sit between your site and the internet. These can block common threats (SQL injections, XSS, etc.) and even DDoS attacks.
Advanced – only if there is a need
Disable File Editing in WP-Admin
WordPress allows editing plugin and theme files in the dashboard (under Appearance » Theme Editor). This is convenient but a risk – if an attacker gets into an admin account, they can inject malicious code here. As a precaution, add this to your wp-config.php:
define('DISALLOW_FILE_EDIT', true);
This prevents any file edits from the WP backend.
Use Secure FTP and a Custom Database Prefix
When transferring files, use SFTP or SSH instead of plain FTP so the transfer is encrypted. Also consider changing the default database table prefix (wp_) to something random: you can do this during a manual WordPress installation, later via a security plugin, or by asking your hosting provider to do it for you. This can thwart some automated SQL injection attacks that target the default table names. It’s a minor security-through-obscurity measure, but every little bit helps.
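The wp-config.php settings from the HTTPS, file-editing and database-prefix items above fit together in one fragment. This is an added example, not the article’s own configuration; the prefix value is a constructed placeholder, and the constants used (DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS, FORCE_SSL_ADMIN) are standard WordPress configuration constants.

```php
<?php
// Added example: hardening fragment for wp-config.php (not code from the article).
// Place these lines above "/* That's all, stop editing! */".

// Database table prefix. The install default is 'wp_'; a random prefix makes
// automated injection attempts that hard-code wp_users / wp_options fail.
// Only change this on a fresh install, or with a plugin/host that renames the
// existing tables for you, otherwise WordPress cannot find its data.
// $table_prefix = 'wp_';                // install default
$table_prefix = 'k7x2q_';               // constructed example value; generate your own

// Remove the theme/plugin file editor from the dashboard (the setting the article shows).
define( 'DISALLOW_FILE_EDIT', true );

// Stricter variant: also blocks plugin/theme installs and updates from the
// dashboard, so a hijacked admin account cannot upload a malicious plugin.
// It disables the normal update UI and automatic updates too, so enable it
// only if you deploy updates another way (staging, then SFTP/SSH).
// define( 'DISALLOW_FILE_MODS', true );

// Once the certificate is active, always serve the login page and dashboard
// over HTTPS so credentials never travel in clear text.
define( 'FORCE_SSL_ADMIN', true );

// If a proxy/CDN such as Cloudflare terminates TLS in front of the server, tell
// WordPress the original request was HTTPS so FORCE_SSL_ADMIN does not redirect
// in a loop. Only do this when all traffic reaches the server through that proxy,
// because the header is otherwise attacker-controlled.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

After saving, confirm the editor link has disappeared from Appearance and Plugins, and that http://yoursite/wp-admin/ redirects to https:// before you log out of your current session.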
Monitor and Log Activity
Knowing what’s happening on your site can alert you to issues. Security plugins can log login attempts, file changes, etc. There are plugins like Simple History that keep an activity log of changes. If you notice a new admin account created that you didn’t authorize, that’s a red flag to act immediately.
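The “new admin account you didn’t authorize” signal can be captured without a logging plugin by hooking the events WordPress already fires. The must-use plugin below is an added example, not code from the article or from Simple History; it relies on the core actions set_user_role, add_user_role and wp_login_failed, writes to the PHP error log, and e-mails the site’s admin_email when an account is granted the Administrator role. The plugin name and function prefix are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Admin Role Watch (added example, not from the article or Simple History)
 *
 * Save as wp-content/mu-plugins/admin-role-watch.php. Logs (and e-mails) every grant
 * of the Administrator role, and logs failed logins so brute-force attempts are visible.
 */

function arw_log( string $message ): void {
    $actor = wp_get_current_user();              // who did it; ID 0 means not logged in (cron, CLI)
    $ip    = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    error_log( sprintf( '[admin-role-watch] %s | by user #%d | from %s', $message, $actor->ID, $ip ) );
}

function arw_role_granted( int $user_id, string $role ): void {
    if ( 'administrator' !== $role ) {
        return;                                  // only the highest-privilege role is alerted on
    }
    $user = get_userdata( $user_id );
    $who  = $user ? $user->user_login : "#{$user_id}";
    arw_log( "Administrator role granted to {$who}" );
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] New administrator: %s', get_bloginfo( 'name' ), $who ),
        "The account '{$who}' was just given the Administrator role.\n"
        . "If you did not authorize this, revoke the role and reset passwords immediately."
    );
}
// Fires whenever WP_User::set_role() / add_role() assigns a role: the user-edit
// screen, wp_insert_user() for new accounts, a plugin, or WP-CLI all go through here.
add_action( 'set_user_role', 'arw_role_granted', 10, 2 );
add_action( 'add_user_role', 'arw_role_granted', 10, 2 );

// Failed logins: record the username that was tried, never the password.
add_action( 'wp_login_failed', function ( string $username ): void {
    arw_log( 'Failed login for ' . sanitize_user( $username, true ) );
}, 10, 1 );
```

With WP_DEBUG_LOG enabled the lines land in wp-content/debug.log; otherwise they go to the web server’s PHP error log, which you can then ship to wherever you already watch logs. A burst of failed-login lines from one address is the pattern a brute-force attempt leaves, and an Administrator grant you do not recognise is the red flag the paragraph above describes.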
Conclusion
By following these steps, you eliminate the majority of common vulnerabilities.
Think of it like securing a house: you’ve locked the doors (strong passwords, 2FA), installed an alarm (security plugin), and maybe got a guard dog (WAF). While no site is “unhackable,” these measures will put yours in the “hard target” category so attackers move on to easier prey. And if something ever does happen, your backups ensure you can recover quickly.
Security is largely about diligence – keep things updated, be cautious with new plugins/themes (stick to reputable sources), and periodically review your settings. This basic hygiene goes a long way in keeping your WordPress site safe.