WordPress Development
WordPress Security Hardening: A Complete Guide to Protecting Your Site
43% of the web runs on WordPress, making it the largest target. Here is every practical hardening measure, in order of impact.
Simple Automation Solutions
WordPress powers 43% of the web, making it the largest attack surface of any CMS. Most successful attacks exploit outdated software, weak credentials, or misconfigured permissions – not sophisticated zero-day exploits. This guide covers every practical hardening measure, in order of impact.
The WordPress security threat landscape
| Attack vector | Percentage of compromises | Primary prevention |
|---|---|---|
| Outdated plugins/themes | 50-60% | Automatic updates and plugin audits |
| Weak passwords / credential stuffing | 20-30% | Strong passwords plus 2FA plus login limits |
| Insecure hosting | 10-15% | Choose reputable managed WordPress hosting |
| Nulled plugins/themes | 5-10% | Never use pirated premium plugins or themes |
| Brute force attacks | Constant | Login attempt limits plus CAPTCHA plus 2FA |
The single most impactful security action is keeping WordPress core, plugins, and themes updated. Most vulnerabilities are patched within 24-48 hours of disclosure – but only if you apply the update.
Layer 1 – Updates and software hygiene
WordPress 5.5+ automatically applies minor security releases. Verify this is enabled: check wp-config.php for define('AUTOMATIC_UPDATER_DISABLED', true) – if present, remove it.
Go to Dashboard › Updates every week and apply all available updates. Apply major plugin version updates to staging first.
Deactivated plugins are still present in the file system and can be exploited. Delete, not just deactivate, everything you are not actively using.
Nulled plugins are the most common distribution vector for backdoors and malware. The "free" premium plugin always has a cost, and it is paid in your site's security.
Layer 2 – Authentication hardening
The default ‘admin’ username is targeted by every automated brute force tool. Create a new administrator account with a non-obvious username, log in with it, then delete the ‘admin’ account.
Install Force Strong Passwords plugin. Use a password manager (Bitwarden, 1Password) to generate and store credentials.
Install WP 2FA or Google Authenticator plugin. Require 2FA for all Administrator and Editor accounts. 2FA makes brute force attacks effectively impossible.
Install Limit Login Attempts Reloaded. Set maximum attempts to 5 per IP before a lockout.
Use WPS Hide Login to change the login URL from /wp-login.php to a custom path known only to your team. This eliminates the majority of automated login attacks.
Layer 3 – Server and file security
- Protect wp-config.php: add rules to .htaccess to prevent direct HTTP access to your configuration file
- Disable file editing in the dashboard: add define('DISALLOW_FILE_EDIT', true); to wp-config.php to remove the Theme and Plugin Editors
- Set correct file permissions: files should be 644, directories 755, wp-config.php 600
- Disable XML-RPC if unused: if you do not use the WordPress mobile app or any XML-RPC-dependent service, disable it via Wordfence or .htaccess
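As an added audit script (not the article's own code, nor a WordPress or Wordfence tool), the following POSIX shell checks a WordPress root against the wp-config.php, permission and .htaccess items of Layers 1 and 3. It assumes a Linux host with GNU stat and Apache-style <Files> blocks in .htaccess; the misconfigured site it builds for its demo is a constructed fixture.

```shell
#!/bin/sh
# wp_audit.sh: read-only audit of a WordPress root against the Layer 1 and Layer 3
# items above. Constructed example; assumes a Linux host with GNU stat.
# chk <message> <command...>: run the command, print PASS/FAIL, count failures.
chk() {
  msg="$1"; shift
  if "$@"; then echo "PASS $msg"; else echo "FAIL $msg"; fails=$((fails + 1)); fi
}
has_define() { grep -Eq "$1'[[:space:]]*,[[:space:]]*true" "$2"; }  # define('X', true) present? (commented-out lines also match)
lacks_define() { ! has_define "$1" "$2"; }
blocks_file() { grep -Eq "<Files[[:space:]]+\"?$1\"?>" "$2" 2>/dev/null; }  # <Files name> block in .htaccess?
wp_audit() {
  root="$1"; cfg="$root/wp-config.php"; fails=0
  # Layer 1: the automatic updater must not be disabled
  chk "automatic updates not disabled" lacks_define AUTOMATIC_UPDATER_DISABLED "$cfg"
  # Layer 3: dashboard Theme and Plugin editors must be off
  chk "DISALLOW_FILE_EDIT set" has_define DISALLOW_FILE_EDIT "$cfg"
  # Layer 3: wp-config.php 600, other files 644, directories 755
  chk "wp-config.php mode is 600" [ "$(stat -c %a "$cfg")" = 600 ]
  loose=$(find "$root" -type f ! -path "$cfg" ! -perm 644 | wc -l)
  chk "other files are 644 ($loose offenders)" [ "$loose" -eq 0 ]
  dirs=$(find "$root" -mindepth 1 -type d ! -perm 755 | wc -l)
  chk "directories are 755 ($dirs offenders)" [ "$dirs" -eq 0 ]
  # Layer 3: .htaccess denies direct HTTP access to wp-config.php and xmlrpc.php
  chk ".htaccess blocks wp-config.php" blocks_file 'wp-config\.php' "$root/.htaccess"
  chk ".htaccess blocks xmlrpc.php" blocks_file 'xmlrpc\.php' "$root/.htaccess"
  echo "FAILURES $fails"
}
# wp_audit_demo: build a deliberately misconfigured site in a temp dir (constructed fixture),
# audit it, print the report to stderr and the failure count to stdout.
wp_audit_demo() {
  d=$(mktemp -d); mkdir -p "$d/wp-content/uploads"
  printf "<?php\ndefine('AUTOMATIC_UPDATER_DISABLED', true);\n" > "$d/wp-config.php"
  printf '<Files wp-config.php>\n  Require all denied\n</Files>\n' > "$d/.htaccess"
  echo '<?php' > "$d/index.php"; echo '<?php' > "$d/wp-content/uploads/widget.php"
  chmod 755 "$d" "$d/wp-content" "$d/wp-content/uploads"
  chmod 644 "$d/wp-config.php" "$d/.htaccess" "$d/index.php"
  chmod 666 "$d/wp-content/uploads/widget.php"   # world-writable file in uploads
  report=$(wp_audit "$d"); rm -rf "$d"
  printf '%s\n' "$report" >&2
  printf '%s\n' "$report" | sed -n 's/^FAILURES //p'
}
# Run as: WP_ROOT=/var/www/html sh wp_audit.sh ; without WP_ROOT the demo fixture is audited.
if [ -n "${WP_ROOT:-}" ]; then wp_audit "$WP_ROOT"; else wp_audit_demo; fi
```

The demo fixture fails five of the seven checks; on a real site, every FAIL line maps to one bullet in the list above.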
Layer 4 – Security plugin and monitoring
What to do if your WordPress site is hacked
If malware is actively serving spam or redirecting visitors, enable maintenance mode or contact your host to suspend the site.
If you have a backup from before the infection, restore it. This is by far the fastest remediation path.
Use Sucuri SiteCheck for a free external scan. Install Wordfence for a server-side file scan. Identify all infected files.
Change every password: WordPress admin accounts, FTP/SFTP, database, and hosting control panel.
Check server access logs to identify how the attacker got in. Update the vulnerable plugin or theme and apply all hardening measures above to prevent reinfection.
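An added example, not from the original article: a shell/awk triage of a combined-format access log for the two patterns the guide points to, login brute force above the 5-attempt threshold from Layer 2 and PHP requested out of wp-content/uploads. The log lines and IP addresses are constructed.

```shell
#!/bin/sh
# wp_logscan.sh: triage a combined-format access log for two patterns from the text:
# login brute force (more than LIMIT POSTs to wp-login.php/xmlrpc.php from one IP) and
# PHP requested from wp-content/uploads. Constructed example; the log lines are made up.
wp_logscan() {  # usage: wp_logscan [LIMIT] < access.log ; prints one finding per line
  awk -v limit="${1:-5}" '
    { ip = $1; method = $6; gsub(/"/, "", method); path = $7; sub(/\?.*/, "", path) }
    method == "POST" && (path == "/wp-login.php" || path == "/xmlrpc.php") { logins[ip]++ }
    path ~ /^\/wp-content\/uploads\/.*\.php$/ { print "SUSPECT uploads-php " ip " " path }
    END { for (ip in logins) if (logins[ip] > limit) print "BRUTEFORCE " ip " " logins[ip] " login posts" }'
}
# Constructed sample: six login POSTs from one client, one from an administrator,
# one image fetch and one request for a PHP file inside uploads.
LOG_SAMPLE='203.0.113.7 - - [01/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [01/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [01/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [01/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [01/May/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [01/May/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.2 - - [01/May/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [01/May/2024:10:05:10 +0000] "GET /wp-content/uploads/2024/05/logo.png HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2024:10:06:00 +0000] "GET /wp-content/uploads/2024/05/widget.php?x=1 HTTP/1.1" 200 55 "-" "python-requests/2.31"'
wp_logscan_demo() { printf '%s\n' "$LOG_SAMPLE" | wp_logscan 5; }
wp_logscan_demo
```

On a real server run it as `wp_logscan 5 < /var/log/apache2/access.log` (path is an assumption); a SUSPECT line names a file to hand to the Wordfence scan in the previous step.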
Need your WordPress site security hardened or post-hack cleaned?
Simple Automation Solutions performs WordPress security audits, hardening, and post-compromise recovery for businesses worldwide.
Frequently asked questions
Is WordPress inherently insecure?
No. WordPress core is actively maintained by a security team that patches vulnerabilities quickly, typically within 24-48 hours of disclosure. The security issues that affect most sites are caused by outdated third-party plugins and themes, weak passwords, and misconfigured servers – not WordPress core itself.
Should I use a security plugin if my host already provides security?
Yes. Managed WordPress hosts provide server-level security but cannot monitor WordPress application-level threats: a compromised admin account, a malicious plugin, or a PHP file uploaded through a vulnerability. A security plugin like Wordfence provides application-level monitoring that complements hosting-level security.
How often should I run a WordPress malware scan?
Weekly automated scans are the minimum. Configure Wordfence or Sucuri to email you weekly scan results. Run an additional manual scan after installing a new plugin from an unfamiliar source, after a security incident on your hosting account, or whenever your site behaves unexpectedly.
Simple Automation Solutions is a global digital product studio specialising in WordPress and Bubble.io development. We serve founders, startups, and businesses worldwide — delivering production-ready websites built to rank, convert, and scale.
