
WordPress Security Guide – How to Protect Your Site Before It Gets Hacked

WordPress Security Guide


A pediatric dental practice in Charlotte hired me through Upwork to build their WordPress site in 2023. Beautiful site, fast loading, converting well. Then in March 2025, they called in a panic. Their homepage was redirecting visitors to a pharmaceutical spam site. Google had flagged the domain with a “This site may be hacked” warning. Organic traffic dropped to zero overnight. Patient appointment requests stopped completely. I cleaned the malware in under four hours using the process in my malware recovery guide. But the real question was: how did they get hacked in the first place? The answer was simple and preventable. Their hosting account used a password from 2019. They hadn’t updated WordPress core in 7 months. A vulnerable plugin (an abandoned slider they’d stopped using but never deleted) had a known exploit published publicly for weeks. Three failures. All avoidable. This guide covers every security measure that would have prevented that breach.

Why WordPress Gets Hacked

WordPress itself is secure. The core software undergoes rigorous security review and patches vulnerabilities quickly. The problems come from the ecosystem around it: weak passwords, outdated plugins, cheap hosting with poor isolation, and human error. Understanding attack vectors helps you prioritize defenses.

Outdated plugins and themes (52% of breaches). Every plugin is code written by a third-party developer. When a vulnerability is discovered and patched, the changelog announces it publicly. Hackers scan for sites still running the old version. The window between patch release and exploitation is often under 48 hours for popular plugins. This is why the weekly maintenance checklist prioritizes updates above everything else.

Weak credentials (brute force attacks account for ~16% of breaches). Automated bots attempt thousands of username/password combinations per hour on WordPress login pages. Default usernames like “admin” with common passwords fall within minutes. Sites without login protection face thousands of attempts daily.

Vulnerable hosting environments (~12%). Shared hosting with poor account isolation means one compromised site on the server can infect neighbors. Outdated PHP versions, exposed server configuration files, and weak file permissions create entry points that no plugin can fully protect.

Nulled themes and plugins (~8%). Pirated premium plugins almost always contain backdoors. The “$59 theme for free” download includes obfuscated code that gives the attacker persistent access to your site. There is no safe source for nulled WordPress software. Zero exceptions.

Hosting Security: Your First Line of Defense

Your hosting environment determines the security floor for your entire site. No amount of plugin-level security compensates for a weak hosting setup.

Choose hosting with account isolation. Cloudways, Kinsta, SiteGround, and WP Engine all provide proper account isolation. Your site runs in its own container or virtual environment. A breach on another customer’s site cannot cross into yours. Avoid bottom-tier shared hosting where hundreds of sites share the same file system with minimal separation.

Enable server-level firewalls. Quality hosting providers include Web Application Firewalls (WAF) that filter malicious traffic before it reaches WordPress. Cloudflare (free plan includes basic WAF) adds another layer in front of your hosting. A WAF blocks common attack patterns: SQL injection, cross-site scripting, file inclusion attacks, and known exploit signatures.

Keep PHP updated. Run PHP 8.2 or 8.3 as of early 2026. Older PHP versions no longer receive security patches. Check your PHP version in your hosting control panel. Test on staging before upgrading in production, as some legacy plugins have compatibility issues with newer PHP.

Force HTTPS everywhere. SSL certificates are free through Let’s Encrypt (most hosting providers install automatically). Force all traffic to HTTPS through your hosting or .htaccess. HTTPS encrypts data in transit between visitor and server, prevents session hijacking on public WiFi, and is a confirmed Google ranking signal for SEO.

WordPress Core Hardening

These are configuration changes that strengthen WordPress itself before any security plugin gets involved.

Change the default database prefix. WordPress installs with wp_ as the default table prefix. This makes SQL injection attacks trivial because attackers know exactly what to target. Change the prefix to something random (like xk7m_) during installation or through careful database migration on existing sites. This single change defeats a significant category of automated attacks.

Disable file editing in wp-admin. WordPress includes a built-in Theme Editor and Plugin Editor that let administrators modify PHP files directly from the dashboard. If an attacker gains admin access, these editors let them inject malware without FTP access. Add this line to wp-config.php: define('DISALLOW_FILE_EDIT', true); It disables the editor completely. You can still edit files through FTP or your hosting file manager when needed.

Protect wp-config.php. This file contains your database credentials and security keys. Set file permissions to 400 (read-only by owner). Move it one directory above your WordPress root if your hosting supports it (WordPress automatically checks the parent directory). Add rules to .htaccess to deny direct access to this file from the web.

Disable XML-RPC. XML-RPC (xmlrpc.php) enables remote connections to WordPress. It was essential for mobile apps and remote publishing, but the WordPress REST API has replaced most of its functionality. XML-RPC is a common vector for brute force amplification attacks, where a single request can test hundreds of passwords simultaneously. Disable it through your security plugin or .htaccess unless you specifically need it for Jetpack or the WordPress mobile app.

Limit login attempts. By default, WordPress allows unlimited login attempts. This enables brute force attacks to run indefinitely. Use a plugin like Limit Login Attempts Reloaded or your security plugin’s built-in feature to lock out IP addresses after 3-5 failed attempts. Set lockout duration to at least 30 minutes with escalating lockout periods for repeat offenders.

Regenerate security keys annually. WordPress uses security keys and salts in wp-config.php to encrypt cookies and session data. Generate fresh keys annually at the WordPress salt generator (api.wordpress.org/secret-key/1.1/salt/) and replace the existing keys in wp-config.php. This invalidates all existing sessions, forcing every logged-in user (including any attacker with stolen session cookies) to re-authenticate.
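The wp-config.php and .htaccess changes from this section, plus the directory-listing line from the Advanced Security Measures section below, as one script that applies them to a site directory and can be re-run as an audit. This is an added example, not code from the article. It assumes Apache 2.4 that honours .htaccess (AllowOverride), a POSIX shell with awk and find, and that you run it as the owner of the files. The make_sample_site function builds a constructed stand-in for a real install so the script can be tried offline; the table prefix is only reported, never changed, because renaming tables on a live site needs a proper database migration.

```shell
#!/bin/sh
# Added example (not from the original article): applies the hardening steps
# from this guide to a WordPress directory, then audits them.
# Assumptions: Apache 2.4 honouring .htaccess, POSIX sh with awk/find,
# run as the file owner. The sample site built below is constructed.

MARKER="# BEGIN hardening (added by harden-wp.sh)"

# Define DISALLOW_FILE_EDIT before the "stop editing" line so it is set before
# wp-settings.php loads. Idempotent: a second run changes nothing.
disable_file_edit() {
  cfg="$1/wp-config.php"
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  awk -v line="define('DISALLOW_FILE_EDIT', true);" '
    /stop editing/ && !done { print line; done = 1 }
    { print }
    END { if (!done) print line }   # no marker found: append at the end
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Block web access to wp-config.php and xmlrpc.php and turn off directory
# listings. Appended outside WordPress's own "# BEGIN WordPress" block, which
# WordPress rewrites whenever permalinks change. Remove the xmlrpc.php stanza
# if the site relies on Jetpack or the WordPress mobile app.
write_htaccess_rules() {
  ht="$1/.htaccess"
  [ -f "$ht" ] && grep -qF "$MARKER" "$ht" && return 0
  cat >> "$ht" <<'EOF'
# BEGIN hardening (added by harden-wp.sh)
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
<Files xmlrpc.php>
    Require all denied
</Files>
# END hardening
EOF
}

harden_wp_dir() {
  disable_file_edit "$1"
  write_htaccess_rules "$1"
  chmod 400 "$1/wp-config.php"   # readable by the owner only, as the guide recommends
}

# Print every hardening item still missing; exit 0 only when all checks pass.
audit_wp_dir() {
  dir="$1"; cfg="$dir/wp-config.php"; ht="$dir/.htaccess"; bad=0
  [ -n "$(find "$cfg" -perm 400)" ] || { echo "FAIL: $cfg is not mode 400"; bad=1; }
  grep -q 'DISALLOW_FILE_EDIT' "$cfg"  || { echo "FAIL: DISALLOW_FILE_EDIT not set"; bad=1; }
  grep -q "^[$]table_prefix *= *'wp_'" "$cfg" && { echo "WARN: default wp_ table prefix"; bad=1; }
  grep -qs 'Options -Indexes' "$ht"    || { echo "FAIL: directory listing not disabled"; bad=1; }
  grep -qs '<Files wp-config.php>' "$ht" || { echo "FAIL: wp-config.php not blocked in .htaccess"; bad=1; }
  grep -qs '<Files xmlrpc.php>' "$ht"  || { echo "FAIL: xmlrpc.php still reachable"; bad=1; }
  return $bad
}

# Constructed stand-in for a fresh install (not a real wp-config.php).
make_sample_site() {
  mkdir -p "$1"
  cat > "$1/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
$table_prefix = 'xk7m_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
  chmod 644 "$1/wp-config.php"
}

# Usage: sh harden-wp.sh /var/www/example.com   (no argument: define functions only)
if [ "$#" -gt 0 ]; then
  harden_wp_dir "$1" && audit_wp_dir "$1"
fi
```

Run it once to harden and again at any time to audit; the audit's exit status makes it easy to drop into the weekly maintenance checklist. Nothing here touches the database, so the wp_ prefix warning stays until you migrate the tables deliberately.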

User Access Security

User management mistakes create some of the easiest attack vectors to exploit and the easiest to prevent.

Eliminate the “admin” username. Create a new administrator account with a non-obvious username. Transfer all content ownership to the new account. Delete the original “admin” account. Bots target “admin” and “administrator” as the first usernames in brute force attacks. Removing them eliminates half the equation.

Enforce strong passwords. Every WordPress user account should use a password that is at least 16 characters, randomly generated, and unique to this site. Use a password manager (Bitwarden, 1Password) to generate and store passwords. WordPress includes a built-in password strength meter, but it still allows weak passwords. Consider a plugin that forces minimum password complexity for all user roles.

Enable two-factor authentication (2FA). This is the single highest-impact security measure you can implement. Even if an attacker obtains the correct password, they can’t log in without the second factor. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA, which is vulnerable to SIM swapping. Wordfence and iThemes Security both include 2FA functionality. Enable it for every administrator and editor account, no exceptions.

Apply the principle of least privilege. Give each user the minimum role they need. Content writers need Author or Contributor, not Editor or Administrator. Clients reviewing their site need Subscriber or a custom limited role. The fewer Administrator accounts on your site, the smaller the attack surface. Review user roles monthly as part of your maintenance routine.

Plugin and Theme Security

Only install plugins from trusted sources. The WordPress.org plugin repository reviews submissions, but can’t catch everything. For premium plugins, buy directly from the developer’s official website. Never download plugins from third-party “discount” sites. Every nulled plugin I’ve examined in malware cleanups contained backdoor code. Every single one.

Audit your plugin stack quarterly. Deactivate and delete plugins you’re not using. Check the “Last Updated” date for every active plugin. If a plugin hasn’t been updated in over 12 months, the developer may have abandoned it. Abandoned plugins with known vulnerabilities don’t get patches. Find an actively maintained alternative. Keep your total plugin count as low as possible. Fewer plugins means fewer potential vulnerabilities. The speed guide covers plugin audit strategy in detail because security and performance share the same best practice: run only what you need.

Use a security plugin. Wordfence (free) provides a firewall, malware scanner, login security, and real-time threat defense. It’s the security plugin I install on every client site. The free version handles 90% of security needs. The premium version adds real-time firewall rules, country blocking, and premium support. Sucuri Security is the main alternative, with a stronger emphasis on external monitoring and a cloud-based WAF in its premium tier. One security plugin is essential. Two is redundant and causes conflicts.

Keep themes minimal. Delete every theme except your active theme and one default WordPress theme (as a fallback). Each installed theme is potential attack surface. If you’re using a child theme, keep only the parent theme, child theme, and one default. The theme customization approach I use with Astra keeps the theme layer lean and secure.

Backup Strategy: Your Safety Net

Backups don’t prevent attacks, but they make recovery straightforward instead of catastrophic. A proper backup strategy follows the 3-2-1 rule: 3 copies of your data, on 2 different storage types, with 1 copy offsite.

Automated daily backups. Use UpdraftPlus, BlogVault, or your hosting provider’s backup system to create automatic daily backups. Store backups on external cloud storage (Google Drive, Amazon S3, Dropbox) rather than on the same server as your site. If the server is compromised, on-server backups may be compromised too.

Retain at least 30 days of backups. Malware sometimes sits dormant for weeks before activating. If you only keep 7 days of backups and the infection started 10 days ago, all your backups are infected. Thirty days of retention gives you a clean restore point for most scenarios.

Test restores quarterly. Verify that your backups actually work by restoring to staging once per quarter. A backup that fails during restoration is not a backup. This is part of the quarterly maintenance checklist.

Monitoring and Detection

Uptime monitoring. UptimeRobot (free for up to 50 monitors) checks your site every 5 minutes and alerts you via email or Slack if it goes down. A hacked site that starts redirecting or throws errors will trigger a downtime alert. This is often the first sign of a breach.

File integrity monitoring. Wordfence scans core WordPress files, plugin files, and theme files against known clean versions. Any unauthorized modification triggers an alert. Enable email notifications for critical file changes. This catches injected malware within hours rather than weeks.

Google Search Console monitoring. Google will notify you through Search Console if it detects malware, phishing, or hacked content on your site. Check the Security & Manual Actions section weekly. Google’s detection is often faster than plugin-based scanning for certain types of SEO spam injections. Technical SEO monitoring and security monitoring overlap significantly.

Login activity logging. Track who logs in, when, and from where. Wordfence logs all login activity including failed attempts. Review the log monthly for anomalies: successful logins at unusual hours, from unfamiliar locations, or for accounts that should be inactive.
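The monthly log review described above, as a script that runs the three checks (off-hours logins, unfamiliar locations, logins by accounts that should be inactive) plus a count of repeated failures per address over an exported login log. This is an added example, not code from the article or from Wordfence. The CSV layout (time,user,ip,country,result) is an assumption made for this example; map your plugin's export to it before use. The expected countries, the inactive accounts and the normal login window are parameters, and the sample log at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): flags anomalies in an
# exported login log. Assumed CSV columns: time,user,ip,country,result
# with ISO-8601 UTC timestamps and result = success|failed.

# flag_login_anomalies LOG "PK US" "oldintern" 7 22
#   $2 = countries logins normally come from, $3 = accounts expected inactive,
#   $4/$5 = start/end hour (UTC) of the normal login window (defaults 7 and 22).
flag_login_anomalies() {
  awk -F, -v ok_countries="$2" -v inactive="$3" -v h_from="${4:-7}" -v h_to="${5:-22}" '
    BEGIN {
      n = split(ok_countries, a, " "); for (i = 1; i <= n; i++) okc[a[i]] = 1
      n = split(inactive, b, " ");     for (i = 1; i <= n; i++) dead[b[i]] = 1
    }
    NR == 1 && $1 == "time" { next }                  # header row
    {
      ts = $1; user = $2; ip = $3; cc = $4; result = $5
      hour = substr(ts, 12, 2) + 0                     # YYYY-MM-DDTHH: hour at offset 12
      if (result == "failed") { fails[ip]++; next }  # failures are counted per address
      if (user in dead)  print ts, "inactive account logged in:", user, "from", ip
      if (!(cc in okc))  print ts, "unfamiliar location:", user, "from", ip, "(" cc ")"
      if (hour < h_from || hour >= h_to) print ts, "off-hours login:", user, "from", ip
    }
    END {
      for (ip in fails) if (fails[ip] >= 5)
        print "repeated failures:", fails[ip], "from", ip, "(lockout/blocklist candidate)"
    }
  ' "$1"
}

# Constructed sample log (not real data): normal logins, a night-time login
# from an unexpected country, a login by a departed intern, and a burst of
# failed attempts against "admin" from one address.
write_sample_log() {
  cat > "$1" <<'EOF'
time,user,ip,country,result
2025-03-01T09:12:44Z,younus,203.0.113.5,PK,success
2025-03-01T10:02:19Z,editor1,198.51.100.20,US,success
2025-03-02T03:41:02Z,younus,198.51.100.77,NL,success
2025-03-03T14:05:10Z,oldintern,203.0.113.5,PK,success
2025-03-03T14:06:00Z,admin,192.0.2.10,CN,failed
2025-03-03T14:06:03Z,admin,192.0.2.10,CN,failed
2025-03-03T14:06:05Z,admin,192.0.2.10,CN,failed
2025-03-03T14:06:08Z,admin,192.0.2.10,CN,failed
2025-03-03T14:06:11Z,admin,192.0.2.10,CN,failed
2025-03-03T14:06:14Z,admin,192.0.2.10,CN,failed
2025-03-04T11:30:00Z,editor1,198.51.100.20,US,success
EOF
}

# Usage: sh review-logins.sh logins.csv "PK US" "oldintern"
if [ "$#" -gt 0 ]; then
  flag_login_anomalies "$1" "${2:-PK US}" "${3:-oldintern}"
fi
```

On the sample log this prints four lines: the NL login at 03:41 is flagged twice (location and hour), the intern's login once, and the six failures from 192.0.2.10 once. Each flag is a prompt to check with the user, not proof of compromise; a successful login from an unfamiliar place for an administrator account is the one to chase first.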

Advanced Security Measures

Content Security Policy headers. CSP headers tell browsers which resources are allowed to load on your pages. They prevent cross-site scripting (XSS) attacks by blocking unauthorized JavaScript execution. Implement through your .htaccess file or a headers plugin. Start with report-only mode to identify legitimate resources before enforcing.

HTTP security headers. Beyond CSP, implement X-Content-Type-Options (prevents MIME sniffing), X-Frame-Options (prevents clickjacking), Referrer-Policy (controls referrer information), and Permissions-Policy (restricts browser features). Test your headers at securityheaders.com. These headers are free, require no plugins, and significantly harden your site against common web attacks.
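The header set from the two paragraphs above in two pieces: an .htaccess fragment that sends them (CSP in report-only mode first, as recommended) and a local check that reads a saved response-header dump, such as the output of curl -sI https://example.com/, and lists which of the recommended headers the site is not yet sending. This is an added example, not code from the article; it assumes Apache 2.4 with mod_headers, and the CSP policy is a starting point you tune from the browser's violation reports. The sample response below is constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Apache 2.4 with
# mod_headers loaded and .htaccess honoured. The sample header dump is constructed.

# Append the recommended headers to .htaccess. "always" makes Apache add them to
# error responses as well. The CSP starts in report-only mode: the browser
# reports every resource the policy would block (WordPress's own inline scripts
# will show up) without breaking the page; allow the legitimate ones, ideally by
# host, nonce or hash rather than 'unsafe-inline', then rename the header to
# Content-Security-Policy to enforce it.
write_header_rules() {
  cat >> "$1/.htaccess" <<'EOF'
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # Report-only first; switch to Content-Security-Policy once reports are clean.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
</IfModule>
EOF
}

# Headers this guide recommends; CSP counts in either enforcing or report-only form.
REQUIRED_HEADERS="X-Content-Type-Options X-Frame-Options Referrer-Policy Permissions-Policy Content-Security-Policy"

# Print each recommended header absent from a response-header dump, one per
# line; exit 0 when none are missing. Matching is case-insensitive and works
# with the CRLF line endings curl writes.
missing_security_headers() {
  dump="$1"; missing=0
  for h in $REQUIRED_HEADERS; do
    if ! grep -qi -e "^$h:" -e "^$h-Report-Only:" "$dump"; then
      echo "$h"; missing=1
    fi
  done
  return $missing
}

# Constructed dump of what `curl -sI` might return from a site that has only
# started hardening (CRLF endings as curl writes them).
write_sample_dump() {
  printf 'HTTP/2 200\r\ncontent-type: text/html; charset=UTF-8\r\nx-content-type-options: nosniff\r\nx-frame-options: SAMEORIGIN\r\nserver: Apache\r\n\r\n' > "$1"
}

# Usage: curl -sI https://example.com/ > headers.txt && sh check-headers.sh headers.txt
if [ "$#" -gt 0 ]; then
  missing_security_headers "$1" || echo "-> add the rules from write_header_rules and re-test at securityheaders.com"
fi
```

The local check is a quick pre-flight before you paste the domain into securityheaders.com; it cannot judge whether the header values are sensible, only whether each header is present. Keep the report-only phase running for at least a full content cycle (posts, forms, embedded media) so the reports cover every page type before you enforce the policy.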

Disable directory browsing. Add “Options -Indexes” to your .htaccess file. Without this, anyone can view the contents of directories without an index file, potentially discovering vulnerable plugins, backup files, or configuration information. This is a one-line fix that should be on every WordPress site.

Custom login URL. Moving the login page from /wp-admin/ and /wp-login.php to a custom URL reduces automated bot attacks by 95% or more. WPS Hide Login (free, lightweight) handles this with zero configuration complexity. Bots that target /wp-login.php will get a 404 instead of a login form. This doesn’t replace other login security measures but dramatically reduces brute force noise in your logs.

Frequently Asked Questions

Is WordPress secure enough for business websites? WordPress core is secure and maintained by a dedicated security team. Vulnerabilities arise from plugins, themes, and configuration, not from WordPress itself. A properly hardened WordPress site with quality hosting is secure enough for enterprise use. Major organizations including universities, government agencies, and media companies run on WordPress.

Do I need a paid security plugin? For most small business sites, Wordfence free provides excellent protection: firewall, malware scanning, login security, and file integrity monitoring. The premium version adds real-time firewall rules (30-day delay on free), country blocking, and real-time IP blocklist. If your site handles sensitive data or generates significant revenue, premium is worth the $119/year.

How often should I change my WordPress password? With 2FA enabled, annual password changes are sufficient unless you suspect a breach. Without 2FA, change passwords every 90 days. Always use unique, randomly generated passwords stored in a password manager. The combination of a strong unique password and 2FA makes brute force attacks practically impossible.

Can Cloudflare replace a security plugin? Cloudflare’s WAF and DDoS protection complement WordPress security plugins but don’t replace them. Cloudflare protects at the network and application layer before traffic reaches your server. Security plugins protect at the WordPress application layer after traffic reaches your server. Use both for defense in depth. The free Cloudflare plan provides significant security value.

What should I do immediately if I think my site is hacked? Don’t delete anything. Take the site offline if possible by enabling maintenance mode. Run a malware scan through Wordfence. Check for unauthorized admin accounts. Review recently modified files. Follow the step-by-step WordPress malware recovery guide or contact a professional for same-day cleanup.

Secure Your WordPress Site Before It’s Too Late

Every security measure in this guide takes minutes to implement but can prevent weeks of downtime, thousands in lost revenue, and the trust damage that comes with a hacked site. If you’d rather have an expert lock everything down properly, my maintenance service includes comprehensive security hardening and ongoing monitoring. Get in touch for a security review of your current setup.



About the Author

Muhammad Younus
BS Computer Science, Karachi University. Top Rated on Upwork. 400+ projects. 99% job success. $100K+ earned.

This blog exists because clients ask the same questions repeatedly. Instead of explaining WordPress speed optimization from scratch in every Upwork conversation, I wrote a guide. Instead of re-explaining why RankMath beats Yoast to each new client, I wrote a comparison. Every post saves time for both of us.
