WordPress powers over 43% of all websites on the internet, which makes it the most popular content management system on the planet — and the most attacked. Hackers do not discriminate by site size. A small business blog is just as valuable a target as a major e-commerce store, whether for hosting malware, sending spam, or stealing customer data. The good news is that the vast majority of WordPress breaches are entirely preventable. These 12 security measures cover the most exploited attack vectors and give you a hardened site without requiring a computer science degree.
1. Keep WordPress Core, Themes, and Plugins Updated
Outdated software is the single leading cause of WordPress compromises. When a vulnerability is discovered, it is often publicly disclosed at the same time a patch is released — meaning attackers immediately know what to look for on unpatched sites.
- Enable automatic updates for minor WordPress core releases
- Review and update plugins and themes at least once a week
- Remove any plugins or themes you are not actively using
2. Use Strong, Unique Passwords and a Password Manager
Brute-force attacks cycle through common passwords at scale. If your admin password is “password123” or your business name, it will be cracked. Use a password manager like Bitwarden or 1Password to generate and store credentials that are at least 20 characters long with mixed character types.
3. Enable Two-Factor Authentication (2FA)
A compromised password alone should not be enough to access your admin panel. Two-factor authentication adds a second verification step — typically a time-based code from an authenticator app — that makes stolen credentials useless on their own. Plugins like WP 2FA or Google Authenticator make this straightforward to configure for every admin and editor account.
4. Change the Default Admin Username
WordPress historically defaulted to “admin” as the administrator username. Attackers know this and target it specifically in brute-force campaigns. During installation, choose a unique username. If you are already running a site with the username “admin,” create a new administrator account with a different username, transfer all content to it, and delete the original account.
5. Limit Login Attempts
By default, WordPress allows unlimited login attempts, which makes brute-force attacks easy to run. Install a plugin like Limit Login Attempts Reloaded or use a security suite like Wordfence to cap the number of failed login attempts from any single IP address and lock out repeat offenders automatically.
6. Install a WordPress Security Plugin
A dedicated security plugin acts as an always-on monitoring layer. Look for one that provides:
- Firewall protection to block malicious traffic before it reaches WordPress
- Malware scanning to detect infected files
- Login security features including 2FA and IP blocking
- Real-time alerts for suspicious activity
Wordfence, Sucuri Security, and iThemes Security are three well-regarded options with free tiers that cover the fundamentals.
7. Move Your Site to HTTPS
If your site still runs on HTTP, this is non-negotiable. HTTPS encrypts data in transit between your server and visitors, prevents man-in-the-middle attacks, and is a confirmed Google ranking signal. Most hosts offer free SSL certificates through Let’s Encrypt. Once installed, enforce HTTPS by redirecting all HTTP traffic and updating your WordPress URL settings.
8. Keep Regular, Off-Site Backups
No security stack is perfect. If your site is ever compromised, a clean, recent backup is the difference between a 30-minute recovery and starting from scratch. Read our guide on how to backup WordPress for a step-by-step walkthrough of automated backup strategies, including off-site storage to services like Amazon S3 or Google Drive so your backup is never on the same server that gets hacked.
9. Harden Your wp-config.php and .htaccess Files
Your wp-config.php file contains your database credentials and secret keys — it should never be publicly accessible.
- Move
wp-config.phpone directory above the WordPress root if your hosting allows it - Add rules to your
.htaccessfile to deny direct HTTP access towp-config.php - Disable file editing from the WordPress dashboard by adding
define('DISALLOW_FILE_EDIT', true);towp-config.php
The official WordPress security documentation provides a comprehensive reference for server-level hardening steps.
10. Use a Web Application Firewall (WAF)
A web application firewall sits between your site and incoming traffic, filtering out malicious requests before they reach your server. DNS-level WAFs like those offered by Cloudflare or Sucuri are especially effective because they block threats at the network edge rather than at the WordPress application layer, reducing server load alongside improving security.
11. Restrict Access to the Admin Dashboard by IP
If you and your team always log in from predictable office or home IP addresses, you can whitelist those addresses in your .htaccess file or through your host’s firewall rules. This means that even if someone has valid credentials, they cannot access /wp-admin from an unrecognized IP. It is a highly effective control for sites managed by a small, known team.
12. Audit User Roles and Permissions Regularly
Every user account with unnecessary privileges is a potential attack surface. Review your WordPress user list regularly and apply the principle of least privilege:
- Contributors and authors do not need editor or administrator access
- Remove inactive accounts entirely
- Use the free plugin User Role Editor if you need granular control over what each role can do
This is one of several ongoing tasks covered in our WordPress maintenance guide, which walks through a monthly routine to keep your site healthy and secure over the long term.
Putting It All Together
WordPress security is not a one-time setup — it is an ongoing practice. The tips above are not in order of difficulty for a reason: the most impactful steps (keeping software updated, using strong passwords, enabling 2FA) also happen to be the easiest to implement. Start there, then work through the rest of the list. A site that follows all 12 of these recommendations is dramatically harder to compromise than the average WordPress install, and most attacks will move on to softer targets.
If you want expert eyes on your WordPress setup or need help implementing any of these measures, get in touch with the team at blogthememachine.com. And for a steady stream of practical WordPress, SEO, and web design guidance delivered straight to your inbox, subscribe to our newsletter below — no spam, just actionable advice every week.
