WordPress Security: The Essential Steps Every Site Owner Should Take
WordPress runs 43% of all websites on the internet, which also makes it the most targeted platform for hackers, bots, and automated exploit tools. The good news: most WordPress compromises are preventable. They happen because of predictable, avoidable mistakes: outdated software, weak credentials, default settings that expose more than they should, and hosting environments that weren't built with security in mind. This guide covers every meaningful security step you should take, from the basics to the advanced hardening techniques most guides skip.
Why WordPress Sites Get Hacked
Before diving into fixes, it's worth understanding what attackers are actually after.
According to Sucuri's annual Website Threat Research Reports, the leading cause of WordPress compromises is outdated or vulnerable plugins and themes, accounting for the majority of infections they clean up each year. Weak or reused passwords and brute force attacks account for a significant but smaller share. Insecure hosting environments (shared servers where a neighbor site's vulnerability affects yours) account for another meaningful percentage.
The idea that simply "having a security plugin" is enough is a myth. A security plugin adds valuable monitoring and firewall capability, but it can't compensate for an unpatched plugin vulnerability, a compromised admin password, or a hosting environment that runs outdated PHP.
What attackers want from compromised WordPress sites:
- Redirect visitors to spam or malicious sites (SEO spam injections)
- Steal customer data (especially on WooCommerce stores with stored payment info)
- Use your server resources for spam email campaigns or crypto mining
- Serve malware to your visitors without your knowledge
In many cases, site owners don't realize they've been compromised for weeks or months.
Security Foundations: Start Here
1. Keep Everything Updated
This sounds obvious, but it's the single most impactful thing you can do. Vulnerabilities in WordPress core, themes, and plugins are disclosed publicly, and automated scanners immediately start looking for sites running vulnerable versions.
What to update:
- WordPress core (Settings → Updates)
- All active plugins
- All installed themes (including inactive ones; they can still be exploited)
- PHP version (set in your hosting control panel)
Set up automatic updates for minor WordPress releases (these are security patches):
// Add to wp-config.php to enable automatic minor updates
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
For plugins, enable auto-updates on a plugin-by-plugin basis via the WordPress admin (Plugins → Auto-updates column). Be selective: major plugin updates occasionally break things. Enable auto-updates for security plugins, caching plugins, and stable utility plugins. Test major updates on a staging environment first.
PHP version matters: Running PHP 7.4 or below puts you on an unsupported version with no security patches. PHP 8.1 or 8.2 is significantly faster and actively maintained. Check your current version under Tools → Site Health → Info → Server.
2. Use Strong, Unique Passwords and Two-Factor Authentication
Brute force attacks are automated: bots cycle through millions of password combinations against your /wp-login.php endpoint. Weak passwords fall fast.
Password requirements for WordPress:
- Minimum 16 characters
- Mix of uppercase, lowercase, numbers, and symbols
- Unique; never reused from another site
- Use a password manager (Bitwarden is free and excellent)
Enable Two-Factor Authentication (2FA):
Install WP 2FA (free plugin) or use Wordfence Login Security:
- Install and activate the plugin
- Go through the setup wizard to configure TOTP (Time-based One-Time Passwords)
- Link to an authenticator app (Google Authenticator, Authy, or 1Password)
- Enforce 2FA for all admin-level accounts
2FA means that even if an attacker gets your password, they can't log in without the time-sensitive code from your authenticator app.
3. Limit Login Attempts
By default, WordPress allows unlimited login attempts. This enables brute force attacks.
Install Limit Login Attempts Reloaded (free) or use the login protection built into Wordfence:
- Lock out IPs after 3 to 5 failed login attempts
- Set a lockout duration of 20 to 60 minutes
- Enable email notifications for lockouts
- Whitelist your own IP address to avoid accidentally locking yourself out
You can also change your login URL from the default /wp-login.php to something custom (e.g., /my-account-login) using a plugin like WPS Hide Login. This won't stop a determined attacker, but it eliminates the automated bots that only target the default URL.
4. Install a Security Plugin
A dedicated security plugin adds a web application firewall (WAF), malware scanning, and activity monitoring. Two strong options:
Wordfence Security (free tier available)
- Blocks malicious traffic before it reaches WordPress
- Scans files against known malware signatures
- Logs all login attempts and admin activity
- Email alerts for locked-out users and malware detections
Sucuri Security (free plugin + paid firewall)
- Website integrity monitoring
- Post-hack security actions
- DNS-level WAF with paid plan (routes traffic through Sucuri's servers before it reaches yours)
For most small business sites, Wordfence free is sufficient. For WooCommerce stores handling payments, consider Sucuri's paid WAF: the DNS-level filtering stops more attacks before they ever reach your server.
5. Install an SSL Certificate
An SSL certificate encrypts data transmitted between your website and visitors. Without it, sensitive data (login credentials, checkout information) can be intercepted on unsecured networks.
Check if you have SSL: Your site URL should start with https://. If it starts with http://, you're not protected.
Most managed WordPress hosts (including Hyperscale) include free SSL certificates via Let's Encrypt. If your current host doesn't, or if you're on shared hosting with a complicated SSL setup, this is another reason to consider moving.
After installing SSL, force HTTPS site-wide in your .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
And add to wp-config.php:
define('FORCE_SSL_ADMIN', true);
Advanced Hardening: Beyond the Basics
Most security guides stop at the five steps above. But for sites that handle customer data, payments, or sensitive information, the following measures provide significantly better protection.
6. Harden wp-config.php
wp-config.php is the most sensitive file in your WordPress installation. It contains your database credentials, security keys, and core configuration settings.
Move it up one directory level (if your host allows it):
WordPress automatically looks for wp-config.php one level above the web root, making it inaccessible via the browser.
Set strong secret keys and salts:
Generate new keys at https://api.wordpress.org/secret-key/1.1/salt/ and replace the defaults in wp-config.php. This invalidates all existing sessions.
Disable file editing from the WordPress admin:
// Add to wp-config.php
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true ); // Also blocks plugin/theme installation and updates from the admin, so only set this if you deploy updates another way
This prevents attackers who gain access to your WordPress admin from editing PHP files directly through the browser, one of the most common post-compromise escalation methods.
Set the correct debug mode for production:
// Ensure debug is OFF on live sites
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );
A live site with WP_DEBUG set to true exposes error messages that reveal your server configuration, file paths, and sometimes credentials.
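The following shell script is an added example, not code from the original article: it audits a wp-config.php for the settings covered in this section (file editing disabled, FORCE_SSL_ADMIN on, debug off, salts replaced). It runs on two constructed sample files so it works offline; the function names and the sample contents are assumptions, and you can pass a real wp-config.php path to wpcfg_audit to check your own site.

```shell
# Added example, not from the original article: audit a wp-config.php for the
# settings covered in this section. Constructed sample files keep it offline.

# Print the value of a define()'d constant from wp-config.php, or "unset".
wpcfg_value() {  # $1 = path to wp-config.php, $2 = constant name
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\([^)]*\)).*/\1/p" "$1" |
    head -n 1 | tr -d "[:space:]'\"" | grep . || echo unset
}

# Print one line per weak setting; prints nothing when every check passes.
wpcfg_audit() {  # $1 = path to wp-config.php
  [ "$(wpcfg_value "$1" DISALLOW_FILE_EDIT)" = true ] ||
    echo "DISALLOW_FILE_EDIT is not true: the theme/plugin editor is usable from wp-admin"
  [ "$(wpcfg_value "$1" FORCE_SSL_ADMIN)" = true ] ||
    echo "FORCE_SSL_ADMIN is not true: login and admin pages may be served over HTTP"
  for c in WP_DEBUG WP_DEBUG_DISPLAY; do
    v=$(wpcfg_value "$1" "$c")
    # Unset is acceptable: WordPress treats an undefined WP_DEBUG as false.
    [ "$v" = false ] || [ "$v" = unset ] || echo "$c is $v: error output is exposed on a live site"
  done
  # wp-config-sample.php ships every key and salt with this placeholder text.
  n=$(grep -c 'put your unique phrase here' "$1" || true)
  [ "$n" -eq 0 ] || echo "$n secret key(s)/salt(s) still hold the default placeholder"
}
wpcfg_finding_count() { wpcfg_audit "$1" | wc -l | tr -d ' '; }

# Constructed samples: "weak" is a fresh install that was never hardened,
# "hardened" is the same file after applying the steps in this section.
make_sample_cfg() {  # $1 = weak | hardened; prints the path of the temp file
  p=$(mktemp)
  if [ "$1" = weak ]; then cat > "$p" <<'EOF'
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'WP_DEBUG', true );
EOF
  else cat > "$p" <<'EOF'
define( 'AUTH_KEY',         'EXAMPLE-random-key-from-api.wordpress.org' );
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define('FORCE_SSL_ADMIN', true);
EOF
  fi
  echo "$p"
}

w=$(make_sample_cfg weak); h=$(make_sample_cfg hardened)
echo "weak config: $(wpcfg_finding_count "$w") finding(s)"; wpcfg_audit "$w"
echo "hardened config: $(wpcfg_finding_count "$h") finding(s)"; rm -f "$w" "$h"
```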
7. Set Correct File Permissions
Incorrect file permissions are a significant attack vector. The WordPress recommended permissions:
# Directories: 755
find /path/to/wordpress/ -type d -exec chmod 755 {} \;
# Files: 644
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
# wp-config.php: 440 or 400 (no web server write access)
chmod 440 wp-config.php
Critical permission rules:
- WordPress directories should not be 777 (world-writable)
- wp-config.php should be readable only by the file owner
- Your web server user (usually www-data) should own the files, not root
If you're on shared hosting, you may not be able to run these commands directly; contact your host for assistance.
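As an added example (not part of the original article), the script below audits a WordPress tree against the 755/644/440 rules above, applies the section's fix commands, and re-audits. It builds a small constructed sample tree in a temp directory so it runs offline; the function names are assumptions, and wp_perm_audit can be pointed at your own document root.

```shell
# Added example, not from the original article: audit a WordPress tree against
# the 755/644/440 rules above, then apply the fix commands and re-audit.

# Print one finding per line; prints nothing when the tree matches the recommended modes.
wp_perm_audit() {  # $1 = WordPress root directory
  # Directories: world-writable (777-style) is the worst case; anything but 755 is a finding.
  find "$1" -type d -perm -0002 -print | sed 's/$/: directory is world-writable/'
  find "$1" -type d ! -perm -0002 ! -perm 755 -print | sed 's/$/: directory is not 755/'
  # Files: anything but 644, except wp-config.php, which has its own rule below.
  find "$1" -type f ! -name wp-config.php ! -perm 644 -print | sed 's/$/: file is not 644/'
  # wp-config.php: 440 or 400, so the web server cannot write it and others cannot read it.
  find "$1" -maxdepth 1 -name wp-config.php ! -perm 440 ! -perm 400 -print |
    sed 's/$/: wp-config.php should be 440 or 400/'
}
wp_perm_finding_count() { wp_perm_audit "$1" | wc -l | tr -d ' '; }

# The fix commands from this section, in order (files first, then the tighter wp-config.php mode).
wp_perm_fix() {  # $1 = WordPress root directory
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod 644 {} \;
  chmod 440 "$1/wp-config.php"
}

# Constructed sample: a small tree with the mistakes this section warns about.
make_sample_site() {  # prints the path of the temporary root
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
  : > "$d/index.php"; : > "$d/wp-config.php"; : > "$d/wp-content/uploads/a.jpg"
  chmod 755 "$d" "$d/wp-content" "$d/wp-includes"
  chmod 644 "$d/index.php" "$d/wp-content/uploads/a.jpg"
  chmod 777 "$d/wp-content/uploads"   # world-writable upload directory
  chmod 666 "$d/wp-config.php"        # readable and writable by everyone
  echo "$d"
}

site=$(make_sample_site)
echo "before: $(wp_perm_finding_count "$site") finding(s)"; wp_perm_audit "$site"
wp_perm_fix "$site"
echo "after:  $(wp_perm_finding_count "$site") finding(s)"
rm -rf "$site"
```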
8. Disable XML-RPC (If You Don't Need It)
XML-RPC is a WordPress feature that allows remote publishing and app connectivity. It's also a major attack vector: bots use it to run brute force attacks at scale (one XML-RPC request can try thousands of passwords simultaneously).
Unless you're using the WordPress mobile app, the Jetpack plugin, or a remote publishing tool, disable it:
Option A: Via .htaccess
# Block XML-RPC (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace the two lines inside <Files> with "Require all denied")
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
Option B: Via plugin
The Disable XML-RPC plugin does exactly what it says, with one click.
Option C: Via functions.php (selective disable)
// Add to your theme's functions.php or a site plugin
add_filter( 'xmlrpc_enabled', '__return_false' );
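The script below is an added example, not code from the original article, and it serves both the login-attempt discussion in section 3 and the XML-RPC brute-force point in this section: it scans a combined-format Apache/nginx access log for IPs that repeatedly POST to wp-login.php or xmlrpc.php. It runs on constructed sample log lines so it works offline; the function names, the threshold, and the sample addresses are assumptions, and you can pipe a real access log into wp_bruteforce_report to check your own site.

```shell
# Added example, not from the original article: find brute-force bursts against
# wp-login.php (section 3) and xmlrpc.php (this section) in an access log.

# Usage: wp_bruteforce_report [THRESHOLD] < access.log   (default threshold 5)
# Prints "ip endpoint count" for each ip that POSTed to wp-login.php or xmlrpc.php
# at least THRESHOLD times. GETs are normal page views; only POSTs carry
# credentials. xmlrpc.php also serves system.multicall, which packs many login
# attempts into one request, so a low POST count there already deserves a look.
wp_bruteforce_report() {
  awk -v limit="${1:-5}" '
    # $1 = client ip, $6 = quoted method, $7 = request path (query string stripped below)
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
      split($7, p, "?"); hits[$1 " " p[1]]++
    }
    END { for (k in hits) if (hits[k] >= limit) print k, hits[k] }
  ' | sort
}

# Constructed sample log: 203.0.113.7 hammers wp-login.php, 198.51.100.9 probes
# xmlrpc.php, and 192.0.2.5 is an ordinary user who views the login page and logs in once.
sample_log() {
  i=0
  while [ "$i" -lt 8 ]; do
    echo "203.0.113.7 - - [10/Oct/2023:13:55:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 2381 \"-\" \"python-requests/2.31\""
    i=$((i + 1))
  done
  echo "198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 412 \"-\" \"Mozilla/5.0\""
  echo "198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 412 \"-\" \"Mozilla/5.0\""
  echo "192.0.2.5 - - [10/Oct/2023:13:57:10 +0000] \"GET /wp-login.php HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\""
  echo "192.0.2.5 - - [10/Oct/2023:13:57:20 +0000] \"POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\""
}

echo "threshold 5 (login brute force):"; sample_log | wp_bruteforce_report 5
echo "threshold 2 (also catches the xmlrpc.php probe):"; sample_log | wp_bruteforce_report 2
```

IPs that show up here are the candidates for the lockout list from section 3; the legitimate single login never appears.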
9. Protect the WordPress Admin Directory
Add an additional authentication layer to /wp-admin/ via .htaccess, so even if someone gets past WordPress's login, they hit a second prompt:
# In .htaccess inside the /wp-admin/ directory
# Note: front-end features that call /wp-admin/admin-ajax.php will also hit this prompt unless that file is exempted
AuthType Basic
AuthName "Admin Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
Generate a .htpasswd file using your host's tools or an online generator. This is "security through obscurity" but it meaningfully reduces automated attack traffic on your login page.
10. Set Up Regular Backups
A backup isn't a security measure per se, but it's your most important recovery tool. If you're ever compromised, having a clean backup from before the infection dramatically reduces recovery time and cost.
See our complete guide: WordPress Backup Strategy: Why It Matters and How to Get It Right
Minimum backup requirements for security purposes:
- Daily automated backups, stored offsite
- At least 30 days of backup history (malware infections are often dormant for weeks)
- Regular restore tests; a backup you've never tested is a backup you can't trust
WordPress Security Hardening Checklist
Use this as your implementation guide:
Foundational (do these today):
- [ ] Update WordPress core, all plugins, all themes
- [ ] Check and upgrade PHP version (to 8.1 or 8.2)
- [ ] Change default admin username away from "admin"
- [ ] Set strong, unique passwords for all accounts
- [ ] Enable 2FA on all admin accounts
- [ ] Install SSL certificate; force HTTPS
- [ ] Install Wordfence or Sucuri
- [ ] Enable login attempt limiting
Hardening (do these this week):
- [ ] Add DISALLOW_FILE_EDIT to wp-config.php
- [ ] Set correct file permissions (644/755)
- [ ] Disable XML-RPC if not needed
- [ ] Disable wp-config.php browser access via .htaccess
- [ ] Set debug mode to false on production
- [ ] Remove unused themes and plugins
- [ ] Delete default admin user if it exists
Advanced (for sites handling payments or sensitive data):
- [ ] Move wp-config.php above web root
- [ ] Add .htpasswd protection to /wp-admin/
- [ ] Enable DNS-level WAF (Sucuri or Cloudflare)
- [ ] Set up 30-day offsite backup retention
- [ ] Set up uptime monitoring with security alerts
How Hyperscale Approaches Security
Security isn't just your responsibility; your host's environment plays a major role. On shared hosting, a compromised neighbor site can affect yours. Outdated server software creates vulnerabilities at the infrastructure level. Hosts that don't isolate accounts leave you exposed to lateral attacks.
At Hyperscale, security is built in at the infrastructure level:
- Server-level malware scanning, not just plugin-based
- Automatic SSL via Let's Encrypt, with auto-renewal
- PHP 8.2 available with easy version switching
- Account isolation: other customers' sites can't affect yours
- Daily backups with 30-day retention, included on all plans
- 24/7 monitoring with automated alerts
Try Hyperscale free → Built-in security at the infrastructure level. No extra plugins needed for server hardening.
Related reading: WordPress Backup Strategy | Why Your Website Keeps Going Down | Signs Your Web Host Is Failing You
Protecting Your Site Starts Today
WordPress security isn't complicated, but it does require consistency. The sites that get hacked usually aren't singled out by a targeted attacker; they're the ones that let updates slide for six months, kept the default admin username, or trusted their $5/month host to handle security at the infrastructure level.
Run through the checklist above. Enable 2FA. Keep your site updated. Back up regularly.
And if your current host isn't holding up their end of the deal, try Hyperscale for free. We handle the infrastructure security so you can focus on the WordPress-level hardening that's actually your responsibility.