
WordPress Security Guide: 20 Steps to Make Your Site Unhackable

A complete WordPress security guide with 20 actionable steps — protect your site from hackers, malware, brute force attacks, and data breaches with these proven security practices.

AiTechWorlds Team
May 27, 2026 8 min read


A client called me on a Tuesday morning: their WordPress e-commerce site was showing a pharma spam overlay to all visitors. Google had already flagged it as dangerous. Sales had been zero for 12 hours.

The culprit: an outdated contact form plugin with a known SQL injection vulnerability. It had been unpatched for 4 months. The attackers had found it in an automated scan.

Recovery took two days, a professional malware removal service, and cost the client about $2,000 in lost revenue and cleanup costs. The prevention would have taken 10 minutes: keeping plugins updated.

WordPress security isn't complicated — it's mostly consistent maintenance and a handful of configuration changes. This guide covers all 20 steps, prioritized by impact.


Foundation: The Most Important Steps First

Step 1: Use a Reputable Managed WordPress Host

Your hosting provider is the foundation of your security. A quality managed WordPress host provides:

  • Server-level malware scanning
  • Automatic WordPress core updates
  • Web application firewall at the server level
  • DDoS protection
  • Isolated hosting environments (one hacked site doesn't affect others)

Recommended: Kinsta, WP Engine, SiteGround, Cloudways. Avoid: cheap shared hosting with no WordPress-specific security.

Step 2: Keep Everything Updated

The #1 cause of WordPress hacks is outdated plugins (61% per Sucuri 2024).

Enable automatic updates:

  • Dashboard → Updates → Enable automatic updates for WordPress core
  • Or use a managed host that handles core updates

For plugins and themes:

  • Review and update weekly
  • Delete plugins and themes you're not using (inactive themes still have code that can be exploited)

Step 3: Use Strong, Unique Passwords and a Password Manager

WordPress's admin password protects your entire site. Use:

  • Minimum 20 characters
  • Mix of letters, numbers, symbols
  • Unique (not used on any other site)

Use Bitwarden (free), 1Password ($36/year), or Dashlane to generate and store passwords. Never reuse passwords.

Step 4: Enable Two-Factor Authentication (2FA)

2FA means an attacker who has your password still needs a second factor, a code from an authenticator app or a hardware security key, to log in. A phished or reused password alone no longer gets them in. One caveat: a time-based code can still be phished in real time by a fake login page; a hardware key bound to your domain cannot.

Plugins that add 2FA:

  • Wordfence (included in security plugin)
  • WP 2FA (dedicated, excellent free option)
  • Google Authenticator (simple and free)

After enabling 2FA, every admin account needs the authenticator app to log in. Make it mandatory for the Administrator and Editor roles rather than optional, and remember that 2FA plugins guard the login form only: XML-RPC (Step 13) and application passwords authenticate with username and password alone, so disable whichever of those you don't use.


Authentication Hardening

Step 5: Change the Default Admin Username

Never use "admin" as your WordPress username; it's the first username attackers try in brute force attacks. Bear in mind that usernames are not secret in WordPress (author archives and the REST API's /wp-json/wp/v2/users endpoint reveal them), so this step removes a default guess rather than hiding anything; the real protection is Steps 3, 4 and 6.

To change:

  1. Create a new user with Administrator role and a different username
  2. Attribute all posts to the new user
  3. Delete the "admin" account

Or use a security plugin that blocks login attempts on the "admin" username.

Step 6: Limit Login Attempts

By default, WordPress allows unlimited login attempts. Attackers exploit this with automated password-guessing attacks (brute force).

Wordfence (free) automatically limits login attempts. Alternatively, Limit Login Attempts Reloaded is a dedicated free plugin.

Setting: block for 24 hours after 5 failed attempts.

Step 7: Change the Default Login URL

The default WordPress login URL is yourdomain.com/wp-login.php, and every bot knows it. Moving it cuts the volume of automated login attempts (and the server load they cause), but it is obscurity, not protection: an attacker who finds the new URL is no worse off, and login attempts can still be made through xmlrpc.php and the REST API's application passwords. Treat it as noise reduction on top of Steps 3, 4 and 6, never instead of them.

Plugins: WPS Hide Login (free) — changes the login URL to anything you choose.

Default: yourdomain.com/wp-login.php
After: yourdomain.com/your-secret-login-page

Note: remember your new login URL and save it. Also add it to your browser bookmarks.

Step 8: Implement a Web Application Firewall (WAF)

A WAF intercepts malicious traffic before it reaches WordPress. The best options:

Cloudflare (free tier): move your DNS to Cloudflare, proxy the site (orange cloud) and enable the free managed WAF ruleset. It blocks the most common attack patterns and includes DDoS protection. One caveat: it only sees traffic that comes through Cloudflare, so restrict your origin server to accept HTTP(S) from Cloudflare's IP ranges; otherwise an attacker who learns the origin IP simply walks around the WAF.

Wordfence Premium ($119/year): WordPress-specific WAF with real-time threat intelligence. Updates firewall rules within hours of new vulnerabilities being discovered.


Plugin and Theme Security

Step 9: Only Install Plugins from Trusted Sources

Rules:

  • Official WordPress.org repository for free plugins (code is reviewed at submission, though later updates are not hand-checked, so maintenance and popularity matter as much)
  • Premium plugins from established developers with active support
  • Never install nulled (pirated) plugins — they almost always contain malware

Before installing any plugin, check:

  • Last updated date (anything not updated in 2+ years is risky)
  • Active installations count
  • User reviews and support forum responsiveness

Step 10: Delete Unused Plugins and Themes

Every inactive plugin is attack surface. Deactivating a plugin only stops WordPress from loading it; the files stay on disk and are still reachable by URL, and plugin files that run without WordPress (standalone scripts, bundled libraries) can be exploited directly. Attackers and vulnerability scanners alike look for the files, not the active list.

Rule: if you're not using it, delete it (not just deactivate).

This includes unused themes. Keep only your active theme and one fallback (Twenty Twenty-Five).


Server and File Security

Step 11: Set Correct File Permissions

Incorrect file permissions allow attackers to write to or modify files they shouldn't have access to.

Recommended permissions:

WordPress files: 644
WordPress directories: 755
wp-config.php: 600 (most restrictive; it contains database credentials and the cookie-signing keys)

Never use 777: it lets every account on a shared server write to your site. The numbers above assume PHP runs as the user that owns the files, which is the usual setup on managed hosts. If PHP runs as a separate web-server user, wp-content/uploads must be writable by that user and wp-config.php needs 640 with the web server's group.

Most quality hosting providers set these correctly by default. Check via SFTP or your host's file manager, and while you are there look for .php files under wp-content/uploads, which is where dropped web shells usually land.
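The check and the fix from Step 11 as a script, added here as an example rather than code from the article. It assumes a GNU/Linux host with shell access and that PHP runs as the file owner (the 600 case above); the document root passed on the command line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): normalise permissions on a
# WordPress tree and audit it for anything world-writable. The path
# passed in is a placeholder; use your real document root.

# Directories 755, files 644, wp-config.php 600. 600 assumes PHP runs
# as the file owner; if PHP runs as a member of the owning group, use
# 640 here (and 775/664 for wp-content/uploads).
wp_fix_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Print every path under the root that any account on the machine can
# write to (the "other write" bit, 002), plus any .php file under
# wp-content/uploads, the usual landing place for a dropped web shell.
# Prints nothing when clean, so it suits a cron job that mails only
# on findings.
wp_audit_perms() {
  root="$1"
  find "$root" -perm -002
  if [ -d "$root/wp-content/uploads" ]; then
    find "$root/wp-content/uploads" -type f -name '*.php'
  fi
}

# Usage: sh wp-perms.sh /var/www/html   (audit first, then fix)
if [ -n "${1:-}" ]; then
  wp_audit_perms "$1"
  wp_fix_perms "$1"
fi
```

Run the audit on its own from cron; the permission fix is something to run once and after every manual upload, not blindly on a schedule, because a host that runs PHP as a different user will need the 640/775 variant described above.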

Step 12: Protect wp-config.php

wp-config.php contains your database credentials and the keys that sign login cookies. A normal request for it executes the PHP and returns an empty page, but if the PHP handler is ever misconfigured (a botched upgrade, a server migration) the file is served as plain text. Block direct web access in .htaccess:

<Files wp-config.php>
  # Apache 2.4 syntax; on Apache 2.2 use: Order allow,deny / Deny from all
  Require all denied
</Files>

.htaccess is honoured by Apache and LiteSpeed only; on nginx the same deny belongs in the server block. The rule does not cover stray copies such as wp-config.php.bak or wp-config.php.old, so delete those outright. Many managed hosts add this rule automatically. Verify by requesting /wp-config.php in a browser: it should return 403 (or 404), never 200 with content.

Step 13: Disable XML-RPC if Not Needed

XML-RPC is a legacy WordPress API (xmlrpc.php) used for remote publishing. Its system.multicall method lets one HTTP request carry hundreds of login attempts, which sidesteps login-attempt limits and most 2FA plugins, and its pingback.ping method can be abused to make your server send requests at other sites.

If you don't post from the mobile app or use Jetpack (which needs XML-RPC), block it:

# Add to .htaccess
<Files xmlrpc.php>
  # Apache 2.4 syntax; on Apache 2.2 use: Order allow,deny / Deny from all
  Require all denied
</Files>

Or use the Disable XML-RPC plugin (free, one-click disable). Note the difference: plugins of this kind use WordPress's own xmlrpc_enabled filter, which refuses the authenticated methods but still answers pingbacks, whereas the .htaccess rule returns 403 for everything. Verify by opening /xmlrpc.php in a browser: a live endpoint answers "XML-RPC server accepts POST requests only.", a blocked one does not.
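Whichever limit or block you choose in Steps 6 and 13, the access log is where you confirm it is working and where the attack pattern shows up first (this is also the log review Step 20 asks for). The script below is an added example, not code from the article: it counts POST requests to wp-login.php and xmlrpc.php per client IP in an Apache/nginx combined-format log and flags any IP whose flood of attempts ended in a 302, the redirect WordPress sends after a successful login. The log lines are constructed for the demo; the IPs are documentation addresses.

```shell
#!/bin/sh
# Added example (not from the article): find brute-force sources in a
# combined-format access log and spot the worst case, a flood that got
# in. SAMPLE_LOG is constructed; feed a real log on stdin instead.

SAMPLE_LOG='203.0.113.7 - - [12/May/2026:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2026:03:14:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2026:03:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2026:03:14:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 4127 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2026:03:14:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2026:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2026:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "python-requests/2.31"
192.0.2.9 - - [12/May/2026:03:14:08 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Usage: wp_login_flood THRESHOLD < access.log
# Output: one line per offending IP, "ip count status", busiest first.
# status is LOGGED-IN when any POST to wp-login.php from that IP got a
# 302 (the post-login redirect), which is the signal to rotate that
# account's password immediately. A 302 can have other causes, so it
# is a lead, not proof.
wp_login_flood() {
  threshold="${1:-5}"
  awk -v t="$threshold" '
    # combined log: $1 ip, $6 "METHOD, $7 path, $9 status
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
      n[$1]++
      if ($7 ~ /^\/wp-login\.php/ && $9 == 302) ok[$1] = 1
    }
    END {
      for (ip in n)
        if (n[ip] >= t)
          printf "%s %d %s\n", ip, n[ip], (ip in ok) ? "LOGGED-IN" : "-"
    }' | sort -k2,2nr
}

# Demo on the constructed log; on a server use something like
#   wp_login_flood 20 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | wp_login_flood 5
```

The GET requests are ignored on purpose: the login page itself is fetched by every legitimate visitor who clicks "Log in", while a run of POSTs from one address within seconds is almost never a person. Pipe the output into whatever blocks at your edge (a Cloudflare IP rule, fail2ban, the host firewall), and treat a LOGGED-IN line as an incident, not a statistic.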


Monitoring and Backup

Step 14: Install a Security Scanner

Wordfence (free tier is excellent) scans WordPress files for malware, modified core files, and known vulnerability patterns. Schedule a full scan weekly inside the plugin rather than relying on memory, and treat a scanner that runs on the same server as advisory only: malware that already runs as the PHP user can tamper with what it sees, which is why the external check below matters.

Sucuri SiteCheck (free at sitecheck.sucuri.net) remotely scans your site for malware and blocklist status.

Step 15: Set Up Automated Backups

UpdraftPlus (free) is the standard recommendation:

  • Configure automated daily backups
  • Store off-site: Google Drive, Dropbox, or Amazon S3
  • Keep 30 days of backups

Settings: UpdraftPlus → Settings:

  • Files backup: daily
  • Database backup: daily
  • Remote storage: Google Drive (authenticate once)
  • Retention: 30 days

Test restoring a backup to a staging site every few months.
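For sites with shell access, a plugin-independent backup is worth having beside UpdraftPlus, because a backup that only exists inside WordPress is lost with WordPress. The script below is an added example, not code from the article or from UpdraftPlus. It assumes a Linux host with mysqldump available, a wp-config.php in the standard define('DB_NAME', '...') form, and a DB_HOST without a port or socket suffix (the port is stripped off; adjust if you need it). Paths are placeholders, and the archive still has to be copied off the server afterwards.

```shell
#!/bin/sh
# Added example (not from the article): dump the database and archive
# wp-content plus wp-config.php, then prune archives older than the
# retention period. Copy the result off the host afterwards (rclone,
# scp, S3): a backup that lives on the hacked server is deleted or
# poisoned along with the site.

# Read a define('NAME', 'value') from wp-config.php, either quote style.
# Usage: wp_config_value /path/to/wp-config.php DB_NAME
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" \
    | head -n 1
}

# Delete archives in DIR older than DAYS; print what was removed.
# Usage: wp_prune_backups /backups 30
wp_prune_backups() {
  find "$1" -maxdepth 1 -name 'wp-backup-*.tar.gz' -mtime +"$2" -print -exec rm -f {} +
}

# Usage: wp_backup /var/www/html /backups 30   (placeholder paths)
wp_backup() {
  root="$1"; dest="$2"; keep_days="${3:-30}"
  cfg="$root/wp-config.php"
  stamp=$(date +%Y%m%d-%H%M%S)
  work=$(mktemp -d)
  db=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  host=$(wp_config_value "$cfg" DB_HOST)
  pass=$(wp_config_value "$cfg" DB_PASSWORD)
  # Password goes through the environment, not argv, so it never
  # appears in `ps`. --single-transaction gives a consistent InnoDB
  # snapshot without locking the site. ${host%%:*} drops a :port suffix.
  if ! MYSQL_PWD="$pass" mysqldump --single-transaction --quick \
        -h "${host%%:*}" -u "$user" "$db" > "$work/db.sql"; then
    echo "database dump failed; no archive written" >&2
    rm -rf "$work"
    return 1
  fi
  gzip "$work/db.sql"
  tar -czf "$dest/wp-backup-$stamp.tar.gz" \
      -C "$work" db.sql.gz \
      -C "$root" wp-config.php wp-content
  rm -rf "$work"
  wp_prune_backups "$dest" "$keep_days"
}
```

Core files are deliberately left out: they are reinstalled from WordPress.org during recovery, which also guarantees a clean copy. Keep the archive directory outside the document root and unreadable by the PHP user (it contains wp-config.php with the database password), and do the quarterly restore test from one of these archives too, not only from the plugin's.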

Step 16: Monitor Uptime and Alerts

Uptime Robot (free, monitors every 5 minutes) emails you when your site goes down — an alert that's often your first signal of a hack.

Also monitor: Google Search Console → Security Issues tab shows if Google has flagged your site.


Advanced Steps

Step 17: Disable File Editing in the Dashboard

WordPress admin has a built-in theme and plugin editor. Anyone who obtains an administrator session (a stolen cookie, a phished password) can paste a web shell into functions.php from the browser without ever touching the server.

Disable it by adding this to wp-config.php, above the line that reads /* That's all, stop editing! */ (anything below that line is read too late to take effect):

define('DISALLOW_FILE_EDIT', true);

This only removes the editor. The related DISALLOW_FILE_MODS constant also blocks installing and updating plugins and themes from the dashboard, which is stricter but means updates must come from WP-CLI or your deployment process.
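Step 17 is one line, but wp-config.php carries several other settings this guide touches (the cookie-signing keys from the installer, FORCE_SSL_ADMIN for Step 18, WP_DEBUG, the database password). The script below is an added example, not code from the article: it audits a wp-config.php for those settings, prints one line per finding and returns the number of findings so a cron job can alert on non-zero. The placeholder-salt check relies on the literal text WordPress ships in wp-config-sample.php.

```shell
#!/bin/sh
# Added example (not from the article): audit a wp-config.php for the
# hardening settings this guide cares about.

# True (exit 0) when the file defines CONSTANT as boolean true, in
# either quote style and any spacing, e.g. define( 'WP_DEBUG', true );
# Usage: wp_defined_true /path/to/wp-config.php DISALLOW_FILE_EDIT
wp_defined_true() {
  grep -Eq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Print findings; return their count. Usage: wp_config_audit wp-config.php
wp_config_audit() {
  cfg="$1"
  n=0
  if ! wp_defined_true "$cfg" DISALLOW_FILE_EDIT; then
    echo "DISALLOW_FILE_EDIT missing: the theme/plugin editor is enabled"
    n=$((n + 1))
  fi
  if ! wp_defined_true "$cfg" FORCE_SSL_ADMIN; then
    echo "FORCE_SSL_ADMIN missing: login and admin pages may be served over plain HTTP"
    n=$((n + 1))
  fi
  if wp_defined_true "$cfg" WP_DEBUG; then
    echo "WP_DEBUG is true: PHP errors and file paths may be shown to visitors"
    n=$((n + 1))
  fi
  # The installer's sample file ships this literal in every key/salt slot.
  if grep -q 'put your unique phrase here' "$cfg"; then
    echo "placeholder keys/salts: regenerate them at https://api.wordpress.org/secret-key/1.1/salt/"
    n=$((n + 1))
  fi
  if grep -Eq "define\([[:space:]]*['\"]DB_PASSWORD['\"][[:space:]]*,[[:space:]]*['\"]['\"]" "$cfg"; then
    echo "DB_PASSWORD is empty"
    n=$((n + 1))
  fi
  return $n
}

# Usage: sh wp-config-audit.sh /var/www/html/wp-config.php  (placeholder)
if [ -n "${1:-}" ]; then
  wp_config_audit "$1"
fi
```

Regenerating the keys and salts is also the quickest way to log every user out after a suspected compromise, which is why the audit points at the WordPress.org generator rather than suggesting you type your own.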

Step 18: Use SSL/HTTPS

HTTPS encrypts traffic between visitors and your server (the protocol is TLS; "SSL" survives as the everyday name). It's required for any site handling form submissions, logins, or payments, and without it login cookies cross the network in the clear. Most hosts provide free certificates via Let's Encrypt.

To redirect every plain-HTTP request, add this to .htaccess above the # BEGIN WordPress block (WordPress rewrites that block on its own, so rules placed inside it are lost):

# Add to .htaccess (requires mod_rewrite)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Also change the WordPress Address and Site Address in Settings → General to https://, or WordPress keeps emitting http:// links. If a proxy or CDN such as Cloudflare terminates TLS in front of you, %{HTTPS} is off on the origin even for HTTPS visitors; test the rule against the X-Forwarded-Proto header instead, or you will create a redirect loop.

Step 19: Implement Security Headers

Add these HTTP headers. They do not stop XSS by themselves (only a Content-Security-Policy does that, and a CSP needs careful tuning on WordPress because themes and plugins inject inline scripts), but they close the cheap holes: MIME sniffing, clickjacking through framing, and referrer leakage:

# Add to .htaccess (requires mod_headers)
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "0"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

X-XSS-Protection is set to 0 on purpose: the browser filter it controlled has been removed from Chrome and Edge and never existed in Firefox, and the "1; mode=block" value still found in older guides could itself be abused to leak information. Once every page loads over HTTPS, also send Strict-Transport-Security with a max-age of at least a year so browsers refuse plain HTTP altogether. Check the result with securityheaders.com or curl -I.
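A way to verify Steps 18 and 19 from the command line, added here as an example and not part of the article. Both functions read raw HTTP response headers on stdin, so they work on a saved curl dump as well as on a live fetch; the weak, hardened and redirect header sets at the bottom are constructed for the demo. Assumptions: curl is available for the live usage, and example.com stands in for your domain.

```shell
#!/bin/sh
# Added example (not from the article): audit response headers for the
# protections in Steps 18 and 19. Sample headers are constructed.

# Print one line per missing or unwanted header; return the count.
# Usage: curl -sS -o /dev/null -D - https://example.com/ | audit_headers
audit_headers() {
  hdrs=$(tr -d '\r')
  n=0
  for want in strict-transport-security x-content-type-options \
              x-frame-options referrer-policy content-security-policy; do
    if ! printf '%s\n' "$hdrs" | grep -iq "^$want:"; then
      echo "missing: $want"
      n=$((n + 1))
    fi
  done
  # The filter X-XSS-Protection: 1 controlled is gone from browsers and
  # could be abused to leak information; send 0 or drop the header.
  if printf '%s\n' "$hdrs" | grep -iq '^x-xss-protection:[[:space:]]*1'; then
    echo "remove: x-xss-protection is 1 (deprecated; use 0 or drop it)"
    n=$((n + 1))
  fi
  # Version banners only help an attacker pick the right exploit.
  if printf '%s\n' "$hdrs" | grep -Eiq '^(x-powered-by|server):.*[0-9]\.[0-9]'; then
    echo "leak: server/x-powered-by header reveals a software version"
    n=$((n + 1))
  fi
  return $n
}

# True (exit 0) when a plain-HTTP response is a permanent redirect to
# https://, which is what the rewrite rule in Step 18 should produce.
# Usage: curl -sS -o /dev/null -D - http://example.com/ | check_https_redirect
check_https_redirect() {
  hdrs=$(tr -d '\r')
  printf '%s\n' "$hdrs" | head -n 1 | grep -Eq ' (301|308)( |$)' &&
    printf '%s\n' "$hdrs" | grep -iq '^location: https://'
}

# Constructed samples: a typical default install, a hardened one, and
# the redirect the HTTP front door should return.
WEAK_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.57
X-Powered-By: PHP/8.2.1
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: upgrade-insecure-requests
Content-Type: text/html; charset=UTF-8'

REDIRECT_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Content-Length: 0'

printf '%s\n' "$WEAK_HEADERS" | audit_headers
```

The live usage uses a GET with the body discarded (-o /dev/null -D -) rather than a HEAD request, because some WAFs and caches answer HEAD differently from GET and you want to see the headers a real visitor gets. Run the audit against the login page as well as the home page; plugins that render the login page sometimes strip headers set elsewhere.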

Step 20: Regular Security Audits

Schedule a quarterly review:

  • All plugins updated, unused ones deleted
  • All user accounts reviewed (remove old accounts)
  • Backup restoration tested
  • Wordfence scan run and clean
  • Cloudflare/WAF logs reviewed for attack patterns
  • Google Search Console security issues checked

For WordPress performance alongside security, see our WordPress speed optimization guide.


Frequently Asked Questions

How often do WordPress sites get hacked?

According to Sucuri's 2024 Website Threat Research Report, WordPress accounted for 95% of hacked CMS sites, not because WordPress is inherently insecure but because it runs about 43% of the web and is therefore the primary target. The most common vectors are outdated plugins (61% of hacks), weak passwords, and vulnerable themes. A properly maintained WordPress site is very secure; an abandoned or unmaintained one is highly vulnerable.

Do I need paid security plugins?

Free Wordfence provides solid protection for most sites. Paid security adds real-time threat intelligence and faster malware removal support — worthwhile for business-critical sites.

What should I do if my site is hacked?

Take the site offline (or put a maintenance page in front of it). Rotate every credential the attacker may hold: WordPress passwords, the database password in wp-config.php, SFTP and control-panel logins, and the AUTH_KEY/SALT values in wp-config.php, which logs every session out. Scan for malware, then either clean the infected files or, better, restore a backup taken before the compromise (not simply the latest one, which may already contain the backdoor). Update everything, find and close the entry point, and request a review in Google Search Console once the site is clean.

Should I hide WordPress from visitors?

Security through obscurity is not security. Focus on actual measures: 2FA, updated plugins, WAF, strong passwords. These provide real protection.

How important are backups?

Critical. Backups are your recovery tool, but only if they predate the compromise and live off the server: an attacker with write access to the host deletes or poisons local backups along with the site. With a clean daily off-site backup, recovery from a hack takes hours; without one, it can mean rebuilding from scratch.
