How to Secure Your WordPress Site from Hackers | Simple Automation Solutions

WordPress Development

How to Secure Your WordPress Site from Hackers

WordPress powers 43% of the web — which also makes it the most targeted CMS by attackers. Here’s the complete security guide for every business website.

Over 90,000 WordPress sites are attacked every minute. The vast majority of successful breaches are preventable — they exploit outdated software, weak passwords, or misconfigured servers. This guide covers everything you need to lock down your site.

Understanding the WordPress threat landscape

The most common WordPress attack vectors, in order of frequency:

  • Vulnerable plugins and themes — responsible for over 55% of WordPress breaches
  • Brute-force login attacks — automated bots trying thousands of username/password combinations
  • Compromised passwords — reused credentials from other data breaches
  • Outdated WordPress core — known vulnerabilities in old versions that are publicly documented
  • File inclusion attacks — exploiting poorly coded plugins to inject and execute malicious code

Step 1 — Keep WordPress, themes, and plugins updated

Most WordPress hacks exploit known vulnerabilities that have already been patched — the victim simply hadn’t applied the update. Staying current is the single highest-leverage security action you can take.

1. Enable automatic minor updates

WordPress automatically applies minor security updates (e.g., 6.5.1 → 6.5.2) by default. Ensure this is not disabled in your wp-config.php.

2. Update plugins and themes weekly

Check your dashboard for plugin/theme updates at least weekly. Consider managed hosting that does this automatically.

3. Delete unused plugins and themes

Inactive plugins are still discoverable by scanners. Remove any theme or plugin you’re not actively using — including default WordPress themes you’ve never activated.
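
The three steps above can be run as one routine. The script below is an added example (mine, not from the article and not part of WordPress or WP-CLI). It assumes WP-CLI is installed as `wp`, that the WordPress root is passed as the first argument, and that you have taken a backup first. The wp-config.php check looks for the two constants that switch automatic updates off, AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE; the update and delete steps are the WP-CLI equivalents of the dashboard actions.

```shell
#!/bin/sh
# Added example, not part of the article: weekly update routine for a site
# managed with WP-CLI. Assumes the `wp` command is installed and that the
# WordPress root is passed as the first argument.
set -eu

# Return 0 if wp-config.php switches off the automatic updater entirely
# (AUTOMATIC_UPDATER_DISABLED true) or turns off core auto-updates
# (WP_AUTO_UPDATE_CORE false). Either setting stops the minor security
# releases that WordPress would otherwise install on its own.
auto_updates_disabled() {
  local config="${1:?path to wp-config.php}"
  grep -Eq "define\([[:space:]]*['\"]AUTOMATIC_UPDATER_DISABLED['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$config" && return 0
  grep -Eq "define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)" "$config" && return 0
  return 1
}

# Apply every pending core, plugin and theme update, then delete whatever is
# installed but inactive: scanners still fingerprint inactive code.
weekly_maintenance() {
  local root="${1:?wordpress root}" name
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 1; }
  wp --path="$root" core update
  wp --path="$root" plugin update --all
  wp --path="$root" theme update --all
  for name in $(wp --path="$root" plugin list --status=inactive --field=name); do
    wp --path="$root" plugin delete "$name"
  done
  # The parent of an active child theme is listed with status "parent", not
  # "inactive", so it survives this loop.
  for name in $(wp --path="$root" theme list --status=inactive --field=name); do
    wp --path="$root" theme delete "$name"
  done
}

if [ "$#" -gt 0 ]; then
  if auto_updates_disabled "$1/wp-config.php"; then
    echo "WARNING: automatic updates are disabled in $1/wp-config.php" >&2
  fi
  weekly_maintenance "$1"
fi
```

Run it as `sh weekly-maintenance.sh /var/www/html` from cron once a week, after the backup job. A warning on stderr means someone has defined one of the two constants and the site is no longer receiving minor security releases on its own.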

Step 2 — Strengthen login security

  • Use a strong, unique password (20+ characters, generated by a password manager)
  • Change the default admin username — never use “admin” as your WordPress login
  • Enable Two-Factor Authentication (2FA) — WP 2FA or Google Authenticator plugins are free
  • Limit login attempts using Wordfence or Login LockDown
  • Consider moving the login URL — plugins like WPS Hide Login move /wp-admin to a custom URL, so automated scanners that probe the default path never reach the login form

⚡ Critical step

Enable two-factor authentication immediately. Even if an attacker obtains your password, 2FA prevents them from accessing your dashboard. This single step blocks the vast majority of credential-based attacks.
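
Limiting login attempts is only useful if you can also see the attempts. The script below is an added example (mine, not from the article or from any of the plugins it names) that finds password-guessing bursts in an ordinary Apache or nginx combined-format access log: it counts POST requests to the login form per client address and reports any client at or above a threshold. The log lines it runs on are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example, not part of the article: spot password-guessing bursts against
# the login form in a web server access log (Apache/nginx combined format).
set -eu

# Print "ip count" for every client that POSTed to wp-login.php (the login
# form) or xmlrpc.php (which also accepts credentials) at least $2 times
# (default 20), busiest client first.
login_bursts() {
  local log="${1:?access log}" threshold="${2:-20}"
  awk -v limit="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= limit) print ip, hits[ip] }
  ' "$log" | sort -k2,2nr
}

# Constructed sample log (not real traffic): 203.0.113.7 fires 25 login POSTs
# in under a minute, 198.51.100.22 browses the site and logs in once.
write_sample_log() {
  local out="${1:?output path}" i=0
  : > "$out"
  while [ "$i" -lt 25 ]; do
    printf '203.0.113.7 - - [10/Mar/2026:02:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 2411\n' "$i" >> "$out"
    i=$((i + 1))
  done
  printf '198.51.100.22 - - [10/Mar/2026:02:15:03 +0000] "GET /about/ HTTP/1.1" 200 9187\n' >> "$out"
  printf '198.51.100.22 - - [10/Mar/2026:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0\n' >> "$out"
}

if [ "$#" -gt 0 ]; then
  login_bursts "$1" "${2:-20}"
else
  sample=$(mktemp)
  write_sample_log "$sample"
  login_bursts "$sample" 20   # prints: 203.0.113.7 25
  rm -f "$sample"
fi
```

Pointed at the real log (`sh login-bursts.sh /var/log/apache2/access.log 20`), the output is the list of addresses your login limiter or firewall should already be blocking; if a client shows up here but not in the plugin's lockout log, the limiter is not seeing the traffic (for example because it only counts wp-login.php and not xmlrpc.php).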

Step 3 — Add a Web Application Firewall (WAF)

A WAF sits between your site and incoming traffic, filtering out malicious requests before they reach your WordPress installation. Install Wordfence Security (free tier is excellent) or use Cloudflare’s WAF at the DNS level for even stronger protection.

Step 4 — Automate your backups

A reliable backup strategy is your last line of defence. Even with perfect security, mistakes happen — and a clean backup means recovery in minutes rather than days.

  • Use UpdraftPlus to schedule daily backups to off-site storage (Google Drive, Dropbox, or S3)
  • Keep at least 30 days of backup history — some attacks are only discovered weeks after they occur
  • Test your restore process — a backup you’ve never tested is a backup you can’t trust
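
If you would rather not depend on a plugin for the job, the backup itself is two commands and a retention rule. The script below is an added example (mine, not from the article or from UpdraftPlus). It assumes a single-host install whose wp-config.php uses single-quoted define() values and a plain hostname in DB_HOST, and that mysqldump is on the PATH; shipping the backup directory off-site is left to whatever sync tool you already use.

```shell
#!/bin/sh
# Added example, not part of the article: files-plus-database backup for a
# WordPress site with 30-day retention. Assumes mysqldump is installed and
# that wp-config.php uses single-quoted define() values.
set -eu

# Read one define('KEY', 'value') entry from wp-config.php.
wp_config_value() {
  local config="${1:?wp-config.php}" key="${2:?constant name}"
  sed -n "s/^[[:space:]]*define([[:space:]]*'$key'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$config"
}

# Archive everything under the WordPress root (wp-config.php included).
backup_files() {
  local root="${1:?wordpress root}" dest="${2:?backup dir}" stamp="${3:?timestamp}"
  mkdir -p "$dest"
  tar -czf "$dest/files-$stamp.tar.gz" -C "$root" .
}

# Dump the database using the credentials WordPress itself uses. The password
# travels in the environment, not on the command line, so it is not visible
# in the process list. mysqldump writes to a file first (not a pipe) so that
# a failed dump stops the script under set -e instead of leaving an empty file.
backup_db() {
  local root="${1:?wordpress root}" dest="${2:?backup dir}" stamp="${3:?timestamp}" config
  config="$root/wp-config.php"
  mkdir -p "$dest"
  MYSQL_PWD="$(wp_config_value "$config" DB_PASSWORD)" \
    mysqldump --single-transaction \
      -h "$(wp_config_value "$config" DB_HOST)" \
      -u "$(wp_config_value "$config" DB_USER)" \
      "$(wp_config_value "$config" DB_NAME)" > "$dest/db-$stamp.sql"
  gzip -f "$dest/db-$stamp.sql"
}

# Delete archives older than $2 days (default 30, the article's minimum).
prune_backups() {
  local dest="${1:?backup dir}" days="${2:-30}"
  find "$dest" -type f \( -name 'files-*.tar.gz' -o -name 'db-*.sql.gz' \) -mtime +"$days" -exec rm -f {} +
}

# One complete run; prints the timestamp used for this backup's file names.
backup_site() {
  local root="${1:?wordpress root}" dest="${2:?backup dir}" stamp
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  backup_files "$root" "$dest" "$stamp"
  backup_db "$root" "$dest" "$stamp"
  prune_backups "$dest" 30
  echo "$stamp"
}

if [ "$#" -eq 2 ]; then backup_site "$1" "$2"; fi
```

Schedule `sh wp-backup.sh /var/www/html /var/backups/wp` daily from cron and sync /var/backups/wp off-site. Test the restore the way the article says: extract a files archive into an empty directory and load the matching `.sql.gz` into a scratch database, then confirm the site comes up.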

Step 5 — Enforce HTTPS across your entire site

HTTPS encrypts all data transferred between your server and your visitors’ browsers. It’s also a Google ranking signal. Every WordPress site should run exclusively on HTTPS in 2026.

  • Install a free SSL certificate via Let’s Encrypt (available through most hosting control panels)
  • Redirect all HTTP traffic to HTTPS using your .htaccess file or a plugin like Really Simple SSL
  • Ensure your WordPress Address and Site Address in Settings → General both begin with https://

Step 6 — Harden file permissions

  • Set WordPress directories to permission 755
  • Set WordPress files to permission 644
  • Set wp-config.php to permission 440 or 400 — this file contains your database credentials (the account PHP runs as must own the file, or be in its group, to still read it)
  • Disable file editing from the WordPress dashboard by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php
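
Permissions drift every time a plugin is installed or a file is uploaded over FTP, so the policy above is worth checking on a schedule rather than setting once. The script below is an added example (mine, not from the article) that audits a WordPress tree against the 755 / 644 / 440 policy, enforces it on request, and checks that DISALLOW_FILE_EDIT is set. It assumes the files are owned by the account PHP runs as (or that account is in their group); otherwise 440 on wp-config.php locks the site out of its own configuration.

```shell
#!/bin/sh
# Added example, not part of the article: audit a WordPress tree against the
# 755 (directories) / 644 (files) / 440 (wp-config.php) policy and optionally
# enforce it. Touches permission bits only, never ownership.
set -eu

# Print every path that deviates from the policy; prints nothing when clean.
audit_permissions() {
  local root="${1:?wordpress root}"
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -name wp-config.php ! -perm 644
  find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 440 ! -perm 400
}

# Enforce the policy.
harden_permissions() {
  local root="${1:?wordpress root}"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 440 "$root/wp-config.php"; fi
}

# Return 0 if wp-config.php already disables the dashboard file editor.
file_edit_disabled() {
  local config="${1:?wp-config.php}"
  grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$config"
}

if [ "$#" -gt 0 ]; then
  root="$1"
  if [ "${2:-}" = "--fix" ]; then harden_permissions "$root"; fi
  audit_permissions "$root"
  file_edit_disabled "$root/wp-config.php" || echo "DISALLOW_FILE_EDIT is not set in $root/wp-config.php" >&2
fi
```

`sh wp-perms.sh /var/www/html` lists the offenders; `sh wp-perms.sh /var/www/html --fix` corrects them first and then lists whatever is left (which should be nothing). If WordPress can no longer write to wp-content/uploads afterwards, the problem is ownership, not these modes: the web server account must own the tree.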

Step 7 — Monitor for intrusions

  • Enable Wordfence’s email alerts for new admin users, failed logins, and file changes
  • Run a malware scan monthly — Wordfence and Sucuri both offer free scanning
  • Monitor your Google Search Console for security warnings and manual actions
  • Set up uptime monitoring (UptimeRobot is free) — you’ll know immediately if your site goes down
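
Two of those alerts, file changes and new administrator accounts, are simple enough to check without a plugin, which is useful as a second opinion when the plugin is itself the thing that may have been tampered with. The script below is an added example (mine, not from the article, Wordfence or Sucuri). It records a SHA-256 baseline of every PHP file and .htaccess under the site, reports anything that later differs, and lists administrator accounts missing from an allow-list you maintain. It assumes sha256sum (or shasum) is available and, for the administrator check, that WP-CLI is installed as `wp`; the allow-list file is a hypothetical input of one login per line.

```shell
#!/bin/sh
# Added example, not part of the article: a file-integrity baseline and an
# administrator allow-list check. Assumes sha256sum or shasum, and WP-CLI as
# `wp` for the administrator check.
set -eu

hash_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Record a SHA-256 for every PHP file and .htaccess under $1 into $2. Taken
# right after a clean install or update, this is the "known good" state.
fim_baseline() {
  local root="${1:?wordpress root}" out="${2:?baseline file}"
  (cd "$root" && find . -type f \( -name '*.php' -o -name '.htaccess' \) -exec $(hash_cmd) {} + | LC_ALL=C sort -k2) > "$out"
}

# Compare the tree against a baseline. Prints each changed, added or removed
# file and returns 1 if anything differs, 0 if the tree is unchanged.
fim_check() {
  local root="${1:?wordpress root}" baseline="${2:?baseline file}" current changes
  current=$(mktemp)
  fim_baseline "$root" "$current"
  changes=$(diff "$baseline" "$current" | sed -n 's/^< [0-9a-f][0-9a-f]* */missing or changed: /p; s/^> [0-9a-f][0-9a-f]* */new or changed: /p' || true)
  rm -f "$current"
  if [ -n "$changes" ]; then printf '%s\n' "$changes"; return 1; fi
  return 0
}

# List administrator accounts that are not in the allow-list file (one login
# per line). Any output is an administrator you did not create.
unexpected_admins() {
  local allow="${1:?allow-list file}" root="${2:-.}"
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 1; }
  wp --path="$root" user list --role=administrator --field=user_login | grep -vxF -f "$allow" || true
}

case "${1:-}" in
  baseline) fim_baseline "${2:?wordpress root}" "${3:?baseline file}" ;;
  check)    fim_check "${2:?wordpress root}" "${3:?baseline file}" ;;
  admins)   unexpected_admins "${2:?allow-list file}" "${3:-.}" ;;
esac
```

Take the baseline right after an update (`sh wp-watch.sh baseline /var/www/html /root/wp-baseline.txt`) and store it outside the web root; run `check` and `admins` from cron and mail any output. A PHP file appearing under wp-content/uploads, or a modified core file when you have not updated, is exactly the kind of change the article's warning signs describe.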

How do I know if my WordPress site has been hacked?

Warning signs include: unusual admin accounts appearing, content you didn’t create, Google flagging your site as dangerous, your hosting account suspended for abuse, or a sudden unexplained drop in traffic. Run a Wordfence malware scan if you suspect an issue.

How often should I back up my WordPress site?

For an active business website, daily backups are the standard. For a site you update rarely, weekly backups may suffice. Always back up immediately before any major update — WordPress core, theme, or plugin.

Is WordPress more vulnerable to hacking than other CMS platforms?

WordPress is more frequently targeted simply because of its market share — 43% of all websites. A properly secured WordPress site is no more vulnerable than any other CMS. Most hacked WordPress sites were running outdated software or using weak credentials.


Simple Automation Solutions
Copyright © 2026