Why WordPress Is a Target
WordPress powers 43% of all websites. That popularity makes it the number one target for hackers. The good news is that WordPress itself is quite secure. The vulnerabilities come from poor maintenance, weak passwords, and low-quality plugins and themes.
I clean approximately 2-3 hacked WordPress sites per month. In almost every case, the breach was preventable with basic security measures. Follow this checklist and your site will be more secure than 90% of WordPress installations.
1. Keep Everything Updated
Outdated software is the number one cause of WordPress hacks. Update:
- WordPress core: Enable automatic minor updates. Test major updates on staging first.
- Plugins: Update within 48 hours of new versions. Remove plugins that are not updated regularly by their developers.
- Themes: Update premium themes promptly. Remove unused themes entirely.
- PHP version: Use PHP 8.0 or higher. Older versions have known security vulnerabilities.
2. Strong Authentication
- Admin username: Never use "admin" as your username. Create a unique admin username.
- Password strength: Use passwords with 16+ characters, mixing letters, numbers, and symbols. Use a password manager.
- Two-factor authentication: Enable 2FA on all admin accounts. This is the single most effective security measure.
- Login attempts: Limit failed login attempts to prevent brute force attacks.
- Change login URL: The default /wp-login.php is known to attackers. Change it with a security plugin.
3. File Permissions
Incorrect file permissions allow unauthorized access to your files. Correct permissions:
- Directories: 755 (owner can read/write/execute, others can read/execute)
- Files: 644 (owner can read/write, others can read)
- wp-config.php: 400 (owner can read only) or 440 (owner and group can read only)
4. Security Plugins
A good security plugin handles many protection layers automatically:
- Wordfence: Firewall, malware scanning, brute force protection
- Sucuri: Website firewall and security monitoring
- iThemes Security: Comprehensive security hardening
Choose one security plugin and configure it properly. Do not run multiple security plugins - they conflict with each other.
5. Regular Backups
Backups are your last line of defense. If everything else fails, a recent backup means you can restore your site within minutes.
- Automate daily backups with UpdraftPlus or BlogVault
- Store backups off-site (Google Drive, Dropbox, Amazon S3)
- Test your backups periodically by restoring them on a staging site
- Keep at least 7 days of backups
6. Database Security
- Change table prefix: The default wp_ prefix makes SQL injection attacks easier. Change it during installation.
- Regular cleanup: Remove post revisions, spam comments, and transient options
- Limit database user privileges: The database user only needs SELECT, INSERT, UPDATE, and DELETE - not DROP or ALTER
7. Hosting Security
Your hosting environment is your first line of defense. Choose a host that provides:
- Server-level firewall
- Malware scanning
- Automatic backups
- PHP version management
- Isolation from other hosted sites (especially on shared hosting)
8. SSL Certificate
HTTPS encrypts data between your server and visitors' browsers. It protects login credentials, form submissions, and payment information. Most hosting providers offer free SSL certificates through Let's Encrypt. Install it and force HTTPS on all pages.
9. Disable Unnecessary Features
- Disable the built-in theme and plugin file editor by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php
- Disable XML-RPC if you do not use it
- Remove WordPress version number from page source
- Disable directory browsing
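The permission scheme from section 3 and the DISALLOW_FILE_EDIT check from section 9 can be audited and applied with a short script. This is an added example, not part of the original checklist or of WordPress itself; it assumes a document root path such as /var/www/html and a GNU or BSD stat binary.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress document
# root against the checklist (755 directories, 644 files, 400/440 for
# wp-config.php, DISALLOW_FILE_EDIT set to true), then apply the
# permission scheme. Assumes GNU stat (-c) or BSD stat (-f) is available.

# Print the octal permission bits of a path.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per finding; no output means the tree is compliant.
# Usage: audit_wp /var/www/html
audit_wp() {
    root=$1
    cfg="$root/wp-config.php"
    # Every directory should be 755.
    find "$root" -type d | while IFS= read -r d; do
        m=$(mode_of "$d")
        [ "$m" = 755 ] || echo "dir  $d is $m, want 755"
    done
    # Every regular file except wp-config.php should be 644.
    find "$root" -type f ! -path "$cfg" | while IFS= read -r f; do
        m=$(mode_of "$f")
        [ "$m" = 644 ] || echo "file $f is $m, want 644"
    done
    # wp-config.php: read-only for the owner (400) or owner and group (440),
    # and it must switch off the dashboard theme/plugin editor. Lines that
    # are commented out with // or # are ignored before matching.
    if [ -f "$cfg" ]; then
        m=$(mode_of "$cfg")
        case $m in 400|440) ;; *) echo "wp-config.php is $m, want 400 or 440" ;; esac
        grep -Ev '^[[:space:]]*(//|#)' "$cfg" \
            | grep -Eq "DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" \
            || echo "wp-config.php does not set DISALLOW_FILE_EDIT to true"
    fi
    return 0
}

# Apply the section 3 scheme. Run as the owner of the files (or via sudo).
harden_wp() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 400 "$root/wp-config.php"; fi
}
```

Run audit_wp first to see what would change; harden_wp touches permissions only and never edits wp-config.php, so the DISALLOW_FILE_EDIT line still has to be added by hand.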
10. Monitor and Respond
Set up monitoring so you know immediately if something goes wrong:
- Uptime monitoring (UptimeRobot, Pingdom)
- Security scan alerts from your security plugin
- Google Search Console for security warnings
- Regular manual checks of site integrity
Security Is Ongoing
Security is not a one-time setup - it is an ongoing process. New vulnerabilities are discovered daily. Stay informed, keep everything updated, and respond quickly to alerts. The 30 minutes you spend on security each month prevents days of downtime and thousands in recovery costs.