WordPress powers over 43% of the internet — which also makes it the most targeted CMS by hackers. The vast majority of WordPress hacks aren’t the result of sophisticated targeted attacks. They’re automated bots scanning for known vulnerabilities in outdated plugins, weak passwords, and misconfigured servers. That’s the good news — because every vulnerability on that list is preventable.
Here are 12 security measures every WordPress site owner should implement. Some take minutes. Some require a developer. All of them matter.
1. Keep WordPress Core, Plugins, and Themes Updated
The majority of successful WordPress hacks exploit known vulnerabilities in outdated software — vulnerabilities that have already been patched in newer versions. Keeping everything updated is the single highest-impact security action you can take. Enable automatic updates for minor WordPress core releases. For major releases and plugins, review the changelog first and test on a staging copy before applying to your live site.
2. Use Strong, Unique Passwords and a Password Manager
‘admin’ as a username and ‘password123’ as a password sounds like an obvious mistake — yet credential-stuffing attacks succeed constantly because people reuse weak passwords across services. Use a password manager (1Password, Bitwarden) to generate and store strong unique passwords. Every WordPress user account should have its own strong password. No exceptions.
3. Change the Default Admin Username
The default WordPress admin username is — predictably — ‘admin’. Brute force attacks start by trying ‘admin’ as the username. Create a new administrator account with a non-obvious username, log in as that new user, and delete the original ‘admin’ account (WordPress will ask you to attribute its content to another user; pick the new one). It takes five minutes and removes the one username every bot guesses first. Keep in mind that usernames can still be exposed through author archive URLs, so treat this as one hardening step alongside strong passwords and 2FA, not a substitute for them.
4. Enable Two-Factor Authentication (2FA)
Even a strong password can be compromised. 2FA adds a second layer — a time-based code from an authenticator app (Google Authenticator, Authy) that changes every 30 seconds. Even if a password is stolen, an attacker cannot log in without physical access to the authenticator device. Plugins like WP 2FA make this straightforward to implement.
5. Install a Security Plugin
A dedicated WordPress security plugin handles several defences simultaneously: firewall rules, malware scanning, login attempt monitoring, and file integrity checking. Wordfence (free and premium) and Solid Security (formerly iThemes Security) are the two most widely used. Configure your chosen plugin properly — the default settings are a starting point, not a complete configuration.
6. Limit Login Attempts
By default, WordPress allows unlimited login attempts. Brute force attacks work by trying thousands of username/password combinations rapidly. Limiting login attempts (for example, locking out an IP after 5 failed attempts) stops this category of attack from a single source. A per-IP lockout does not catch attempts spread across many IP addresses, which is why this measure pairs with strong passwords and 2FA rather than replacing them. Most security plugins include this feature. Enable it.
7. Disable XML-RPC if You Don’t Use It
XML-RPC is a WordPress feature that allows remote publishing and mobile app access. Most site owners never use it, but it is a common attack vector for both brute force attacks and DDoS amplification (through its pingback functionality). If you don’t use the WordPress mobile app or any service that requires XML-RPC (Jetpack is the common one), disable it entirely via your security plugin or by adding a rule to your .htaccess file that denies access to xmlrpc.php.
8. Use HTTPS — and Force It Everywhere
TLS (still widely called SSL, and the reason for the ‘S’ in HTTPS) encrypts data transmitted between your visitor’s browser and your server. Google treats HTTPS as a ranking signal. Modern browsers flag HTTP sites as ‘Not Secure’. And without it, login credentials and session cookies are transmitted in plain text across the network. Free certificates are available from Let’s Encrypt, and most good hosts install them automatically. Force all traffic to HTTPS via your .htaccess or Cloudflare, and set the WordPress Address and Site Address to https:// so WordPress itself stops generating http:// links.
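As an added example (not code from the article), here is a small POSIX shell helper that prepends the .htaccess rules items 7 and 8 refer to: an Apache block that denies direct requests to xmlrpc.php, and a rewrite that redirects HTTP to HTTPS. It assumes Apache 2.4 with mod_rewrite and AllowOverride All; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article. Prepends a hardening block to a
# WordPress .htaccess: denies direct requests to xmlrpc.php (item 7) and redirects
# HTTP to HTTPS (item 8). Assumes Apache 2.4 with mod_rewrite and AllowOverride All.
# The block goes at the top so the redirect runs before WordPress's own rewrite rules.
set -eu

HARDEN_MARK="# BEGIN wp-hardening"

# The rules themselves. Quoted heredoc: nothing inside is expanded by the shell.
hardening_block() {
    cat <<'EOF'
# BEGIN wp-hardening
# Item 7: refuse every request to xmlrpc.php (remove if Jetpack or the mobile app needs it)
<Files "xmlrpc.php">
    Require all denied
</Files>
# Item 8: send plain-HTTP requests to the HTTPS URL. Behind Cloudflare the origin may
# see HTTP for every request; test %{HTTP:X-Forwarded-Proto} instead of %{HTTPS} there.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# END wp-hardening
EOF
}

# True if the file exists and already carries the block.
has_hardening() {
    [ -f "$1" ] && grep -qF "$HARDEN_MARK" "$1"
}

# Prepend the block once; re-running is a no-op, so deploy scripts can call it freely.
harden_htaccess() {
    file=$1
    if has_hardening "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    {
        hardening_block
        if [ -f "$file" ]; then cat "$file"; fi
    } > "$tmp"
    mv "$tmp" "$file"
}
```

After running it, confirm the result from outside: a request to /xmlrpc.php should return 403 and a plain http:// request should answer 301 to the https:// URL.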
9. Set Correct File Permissions
WordPress files and directories should have specific permission settings. The wp-config.php file (which contains your database credentials) should be 400 or 440. The .htaccess file should be 644. wp-content directories should be 755. Incorrect permissions — particularly files set to 777 (writable by everyone) — are a significant security risk. Your host’s cPanel or a plugin like Solid Security can audit and correct these.
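An added example (not from the article) of auditing and applying those numbers from the shell on a Linux host. It assumes the web server user shares the file owner’s group, which is why wp-config.php gets 440 rather than 400 here; the document root path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article: audit and correct file permissions
# under a WordPress document root using the values from item 9 (wp-config.php 440,
# .htaccess and other files 644, directories 755). Assumes a Linux host where the
# web server user is in the file owner's group; if PHP runs as the file owner itself,
# 400 for wp-config.php (the article's other option) is the tighter choice.
set -eu

# Print every world-writable file or directory (the 777/666 problem). Empty = clean.
audit_world_writable() {
    find "$1" ! -type l -perm -002
}

# Count world-writable entries, for a quick pass/fail check from cron or CI.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the article's baseline: 755 for directories, 644 for files, then lock down
# wp-config.php. wp-content/uploads stays writable by the server user through the
# owner/group bits; it must never need the world-write bit.
fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# True only if wp-config.php ended up with exactly mode 440.
check_wp_config() {
    [ -n "$(find "$1/wp-config.php" -perm 440 2>/dev/null)" ]
}
```

Run audit_world_writable before fixing anything so you know which files were exposed; a plugin or upload that was 777 is worth a closer look in the malware scan from item 12.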
10. Configure Automated Offsite Backups
Backups are your last line of defence. If everything else fails and your site is compromised, a clean recent backup means recovery takes hours rather than days. ‘Offsite’ is the critical word — if your backup is stored only on your hosting server and the server is compromised, the backup may be compromised too. Store backups on Google Drive, Dropbox, or Amazon S3. Automate daily backups for e-commerce sites, weekly for content sites.
11. Use a Web Application Firewall (WAF)
A WAF sits in front of your website and filters malicious traffic before it ever reaches your server. Cloudflare’s free plan provides basic WAF protection. Wordfence Premium includes a WAF that updates its rules in real time as new threats emerge. For e-commerce sites or any site handling sensitive customer data, a WAF is non-negotiable.
12. Run Regular Malware Scans
Malware can be injected into WordPress files quietly — sometimes sitting dormant for weeks or months before activating. Run automated malware scans at least weekly. Wordfence, Solid Security, and MalCare all include scanning. If a scan flags infected files, don’t just delete them — understand how the malware got in and close the vulnerability first, or it will simply reinfect.
The Honest Reality
Most of these measures take a few hours to implement properly. The cost of ignoring them — malware cleanup, search engine blacklisting, data loss, customer trust damage — is orders of magnitude higher. If you’re not confident managing these yourself, a professional WordPress maintenance plan handles all of them proactively, including immediate response if something does go wrong.
If your site was built without these security foundations in place, our WordPress development team can audit your current setup and implement proper hardening without requiring a full rebuild.
Rohit Hedda has been building websites since 2004 — back when tables were layout and Flash was “the future.” Today he runs Maarich Design, a founder-led studio where he personally handles every project from discovery to launch. No juniors, no handoffs, no surprises.