WordPress security advice tends to either ignore the issue entirely or treat your blog like it’s about to be hit by nation-state actors. The reality is in between. Most attacks on WordPress sites are automated, targeting known weaknesses. Defending against them takes a few hours of setup and modest ongoing maintenance.

Short answer: Strong passwords + 2FA + keep WordPress core and plugins updated + a basic security plugin + automated backups. This covers 95% of real threats. Skip the fortress-level setups unless you’re actually being targeted.
[Image: WordPress security checklist showing the essential steps from passwords to backups]

What attackers actually do

Real WordPress attacks fall into a few categories:

1. Brute-force login attempts

Bots try common username/password combinations against /wp-login.php, and against /xmlrpc.php, where the system.multicall method lets one request test hundreds of passwords. Constant background noise on every WordPress site.

2. Exploiting outdated plugins/themes

A vulnerability is published in a plugin. Bots scan for sites running the vulnerable version. If yours hasn’t updated, they exploit it.

3. SQL injection and XSS

Almost always through a plugin or theme with a published flaw rather than through core itself. An unauthenticated SQL injection or stored XSS in a popular plugin is being scanned for within hours of disclosure.

4. Spam injection

Comment spam, hidden links inserted into posts, redirect malware.

5. Malware uploads via compromised plugins

“Nulled” or pirated plugins from sketchy sources contain malware that establishes persistent access.

Defending against these is well-known and tractable. None of it requires advanced security expertise.
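What the first four categories look like in a web server log, as an added example written for this post (it is not code from the post, and it is not a published tool). The log excerpt inside it is constructed for the demo, not real traffic, and the IP addresses are documentation ranges. It counts failed POSTs to wp-login.php per address, flags a 302 after failures (wp-login.php re-renders the form with 200 on a bad password and redirects on success, so that pattern means a guess landed), and picks out XML-RPC hammering, plugin readme probes, and ?author=N username enumeration.

```php
<?php
// Added example: triage a web server access log for the automated noise
// described above. SAMPLE_LOG is a constructed Apache "combined" excerpt,
// not real traffic. Usage: php triage.php /var/log/apache2/access.log
// (with no argument it runs on the sample).

define('SAMPLE_LOG', <<<'LOG'
203.0.113.7 - - [12/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4831 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4831 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4831 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:03:20:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:03:20:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.55 - - [12/Mar/2024:04:01:40 +0000] "GET /wp-content/plugins/some-slider/readme.txt HTTP/1.1" 404 196 "-" "curl/8.4"
192.0.2.55 - - [12/Mar/2024:04:01:41 +0000] "GET /wp-content/plugins/some-forms/readme.txt HTTP/1.1" 404 196 "-" "curl/8.4"
192.0.2.55 - - [12/Mar/2024:04:01:42 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.4"
203.0.113.99 - - [12/Mar/2024:04:10:00 +0000] "GET /2024/03/hello-world/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
LOG
);

// Pull the fields we need out of one combined-log line, or null if it does not parse.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => parse_url($m[3], PHP_URL_PATH) ?: $m[3],
        'query'  => parse_url($m[3], PHP_URL_QUERY) ?: '',
        'status' => (int) $m[4],
        'ua'     => $m[5],
    ];
}

// Per-IP counters for the attack categories listed above.
function triage(string $log): array
{
    $perIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        $ip = $r['ip'];
        $perIp[$ip] ??= ['login_fail' => 0, 'login_ok_after_fail' => 0, 'xmlrpc' => 0, 'probe' => 0, 'enum' => 0];
        $s = &$perIp[$ip];
        if ($r['method'] === 'POST' && $r['path'] === '/wp-login.php') {
            // 200 = form re-rendered (wrong password); 302 = redirect to the dashboard (success).
            if ($r['status'] === 302 && $s['login_fail'] > 0) {
                $s['login_ok_after_fail']++;
            } elseif ($r['status'] === 200) {
                $s['login_fail']++;
            }
        } elseif ($r['method'] === 'POST' && $r['path'] === '/xmlrpc.php') {
            $s['xmlrpc']++;
        } elseif ($r['status'] === 404 && preg_match('#^/wp-content/(plugins|themes)/[^/]+/#', $r['path'])) {
            $s['probe']++;                       // looking for a plugin/theme you may not have
        } elseif ($r['status'] === 301 && preg_match('/(^|&)author=\d+/', $r['query'])) {
            $s['enum']++;                        // /?author=1 redirects to /author/<username>/
        }
        unset($s);
    }
    return $perIp;
}

// Turn the counters into the handful of lines worth reading.
function report(array $perIp, int $loginThreshold = 3): array
{
    $alerts = [];
    foreach ($perIp as $ip => $s) {
        if ($s['login_ok_after_fail'] > 0) {
            $alerts[] = "$ip: successful login after {$s['login_fail']} failures (a guess landed; reset that account)";
        } elseif ($s['login_fail'] >= $loginThreshold) {
            $alerts[] = "$ip: {$s['login_fail']} failed wp-login.php posts";
        }
        if ($s['xmlrpc'] > 0) {
            $alerts[] = "$ip: {$s['xmlrpc']} POSTs to xmlrpc.php (multicall password guessing or pingback abuse)";
        }
        if ($s['probe'] > 0) {
            $alerts[] = "$ip: {$s['probe']} 404s under wp-content/plugins|themes (scanning for vulnerable installs)";
        }
        if ($s['enum'] > 0) {
            $alerts[] = "$ip: ?author=N redirects (username enumeration)";
        }
    }
    return $alerts;
}

$log = isset($argv[1]) ? (string) file_get_contents($argv[1]) : SAMPLE_LOG;
foreach (report(triage($log)) as $alert) {
    echo $alert, "\n";
}
```

On the sample, 203.0.113.7 is reported as a successful login after three failures, which is the one line in a day of noise that actually needs a human. A site behind a CDN or reverse proxy will show the proxy's address in the first column; use the forwarded client address the proxy logs instead, or every visitor collapses into one counter.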

The essential security checklist

1. Strong passwords

Use a unique, randomly generated password for every WordPress login. Stored in a password manager (1Password, Bitwarden, etc.).

Don’t use:

  • The same password you use elsewhere.
  • Anything dictionary-based.
  • The default admin username “admin”. WordPress cannot rename a user, so create a new administrator, log in as it, and delete the old one (reassigning its posts). Usernames are not secret anyway (/?author=1 and the REST users endpoint reveal them), so the password and 2FA carry the real weight.

2. Two-factor authentication

2FA on the admin account. Plugins:

  • Two Factor (free, official WP plugin team).
  • Wordfence Login Security (free).
  • WP 2FA (free).

Adds a one-time code from an authenticator app (or, better, a security key) after the password. A leaked or guessed password alone no longer gets anyone in. Check that the plugin you pick also refuses password-only logins over XML-RPC; otherwise that route bypasses the second factor.

3. Keep WordPress core, themes, and plugins updated

The single most important security practice. Most successful WordPress attacks exploit vulnerabilities that were public, and already patched upstream, when the site was hit.

Leave core's automatic minor (security) releases on; that is the default. Turn on auto-updates for plugins and themes as well (WordPress has had a per-plugin toggle since 5.5). Plugin auto-updates are per plugin, not per version size: a plugin either auto-updates or it doesn't. So exclude the few plugins whose releases have broken things for you, and test those on staging before updating by hand.
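One way to express that policy in code, as an added example written for this post (not a published plugin and not the post's own code): a must-use plugin that keeps core on minor releases only, auto-updates every plugin except an exclusion list, and auto-updates themes. The plugin slugs in the list are placeholders assumed for the example.

```php
<?php
/**
 * Plugin Name: Update Policy (added example)
 * Save as wp-content/mu-plugins/update-policy.php. Example code written for
 * this post, not a published plugin; the plugin slugs below are assumptions.
 */

// Core: security/minor releases apply on their own (the default), majors wait
// until you have tried them on staging.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_false');

// Plugins whose updates you test on staging first. Everything else auto-updates.
function update_policy_manual_plugins(): array
{
    return ['woocommerce', 'some-page-builder'];   // assumed slugs for the example
}

// WordPress asks this filter once per plugin with an update available;
// $item->slug is the wordpress.org slug. The return value overrides the
// per-plugin toggle on the Plugins screen.
add_filter('auto_update_plugin', function ($update, $item) {
    $slug = $item->slug ?? '';
    return !in_array($slug, update_policy_manual_plugins(), true);
}, 10, 2);

// Themes: keep them current too.
add_filter('auto_update_theme', '__return_true');
```

Putting it in mu-plugins rather than the theme means it survives a theme switch and cannot be switched off from the Plugins screen. WordPress emails the admin address after each automatic update; make sure someone reads that mailbox, because a failed auto-update is silent otherwise.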

4. A security plugin

One. Not five.

Options:

  • Wordfence (free + paid). Most popular. Firewall, malware scanning, login security.
  • Solid Security (formerly iThemes Security). Solid features, simpler interface.
  • Sucuri Security (free; paid CDN service separately). Malware scanning, security hardening.
  • Your host’s built-in security. Managed WordPress hosts often include this. May replace the need for a plugin.

Pick one. Run it. Read the dashboard occasionally.

5. Automated backups

Daily backups stored off-site. Already covered in our backup post. The “fix” for almost any attack is “restore from backup.”

6. SSL / HTTPS

Free via Let’s Encrypt on virtually every host. Encrypts data in transit. Essential for any site with logins (which is every WordPress site). Once the certificate is in place, set both the WordPress Address and Site Address to https:// and force the redirect; otherwise the login form can still be submitted over plain HTTP.

If your host doesn’t offer free SSL, switch hosts.

7. Hide the WordPress version

WordPress prints its version in a <meta name="generator"> tag by default. This is low-value obscurity: bots don't check the version before firing a known exploit, they just fire it. Removing the tag costs nothing, though, and tidies up scanner output.

Most security plugins remove it. Or add to your theme’s functions.php (this strips the tag from pages only; the same string also appears in RSS feeds and in ?ver= on script URLs, which plugins cover by filtering the_generator and the script loader):

remove_action('wp_head', 'wp_generator');

8. Limit login attempts

After 5 failed attempts from one IP, refuse logins from it for an hour. This kills the single-source guessing that makes up most of the noise. It does not stop a botnet that spreads attempts across thousands of addresses at one or two per IP; for that, 2FA and a non-guessable password are the backstop. One caveat: behind Cloudflare or a similar proxy, make sure the plugin reads the real client address from the proxy's header, or one lockout blocks everybody.

Built into most security plugins. Wordfence’s “Login Security” handles this well.
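What the plugins are doing under the hood, as an added example written for this post (not the post's code and not any plugin's): a must-use plugin that counts failures per IP in a transient and refuses authentication once the count reaches the limit. It assumes PHP sees the real client address in REMOTE_ADDR, which is not true behind a proxy; the constant names and the lrl_ prefix are the example's own.

```php
<?php
/**
 * Plugin Name: Login Rate Limit (added example)
 * Save as wp-content/mu-plugins/login-rate-limit.php. Example code written
 * for this post; a maintained security plugin does the same job with more care.
 */

define('LRL_MAX_FAILS', 5);              // failures allowed ...
define('LRL_WINDOW', HOUR_IN_SECONDS);   // ... within this window, which is also the lockout length

function lrl_client_ip(): string
{
    // Assumption: no reverse proxy. Behind Cloudflare or a load balancer,
    // REMOTE_ADDR is the proxy and every visitor would share one counter;
    // read the proxy's trusted forwarded-address header instead.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lrl_key(string $ip): string
{
    return 'lrl_fail_' . md5($ip);
}

function lrl_is_locked(string $ip): bool
{
    return (int) get_transient(lrl_key($ip)) >= LRL_MAX_FAILS;
}

// Count every failed password, whether it came through wp-login.php or
// XML-RPC: both go through wp_authenticate(), which fires this action.
// (REST requests using application passwords take a separate path and are
// not counted here.)
add_action('wp_login_failed', function (string $username): void {
    $ip    = lrl_client_ip();
    $fails = (int) get_transient(lrl_key($ip)) + 1;
    set_transient(lrl_key($ip), $fails, LRL_WINDOW);   // each failure restarts the window
    if ($fails === LRL_MAX_FAILS) {
        error_log(sprintf('login-rate-limit: locked out %s after %d failures (last username tried: %s)',
            $ip, $fails, $username));
    }
});

// Priority 30 runs after core's password check (priority 20), so a locked
// address is refused even on the attempt that finally guesses right.
add_filter('authenticate', function ($user) {
    if (lrl_is_locked(lrl_client_ip())) {
        return new WP_Error('lrl_locked_out',
            __('Too many failed login attempts from your address. Try again in an hour.'));
    }
    return $user;
}, 30);

// A successful login clears the counter for that address.
add_action('wp_login', function (): void {
    delete_transient(lrl_key(lrl_client_ip()));
});
```

Two things worth knowing about this shape. A refusal from the authenticate filter is itself a failed login, so wp_login_failed fires again and the lockout slides forward while the bot keeps hammering, which is what you want. And transients live in the options table (or the object cache if you have one), so a botnet spraying from many addresses will create many short-lived rows; that is tolerable, but it is one reason the real answer to distributed guessing is 2FA rather than a bigger blocklist.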

9. Disable file editing in the admin

WordPress lets you edit theme and plugin code from the admin (the Theme File Editor and Plugin File Editor screens). An attacker with an admin session, whether from a stolen password or a privilege-escalation bug in a plugin, uses it to drop a web shell in seconds.

Add to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

You can still edit files via SFTP, just not through the admin. The stricter DISALLOW_FILE_MODS also blocks installing and updating plugins from the admin; use it only if updates arrive some other way (WP-CLI or a deploy pipeline), or you will quietly stop patching.

[Image: A security plugin dashboard showing firewall, scan status, and recent blocked attacks]

The “advanced” hardening to consider

For higher-risk sites or extra paranoia:

Change the admin URL

Instead of /wp-admin/, move the login form to an obscure path. Bots posting to /wp-login.php get a 404, which cuts log noise considerably. It is obscurity, not a control: authentication is still reachable through XML-RPC and the REST API, and the new path leaks the first time it appears in a screenshot or support ticket, so keep the other measures in place.

Plugins: WPS Hide Login (free).

Disable XML-RPC

Remote-procedure API that predates the REST API. Still used by Jetpack, the WordPress mobile apps and some publishing clients. Attackers like it for two reasons: system.multicall bundles many login attempts into one request, which defeats per-request rate limits, and pingback.ping makes your server fetch arbitrary URLs, which is abused for reflected DDoS. If you don’t use Jetpack, the apps, or pingbacks, disable it.

Most security plugins offer this as a toggle.
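The toggle in code, as an added example written for this post (not the post's own snippet and not any plugin's). It shows the catch that the one-line version misses: the xmlrpc_enabled filter only refuses methods that need a login, so pingback.ping keeps answering unless you remove it from the method table as well.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Save as wp-content/mu-plugins/disable-xmlrpc.php. Example code for this post.
 */

// Refuse every XML-RPC method that requires authentication, which includes
// the system.multicall batches used to test many passwords in one request.
add_filter('xmlrpc_enabled', '__return_false');

// xmlrpc_enabled gates authenticated methods only. pingback.ping needs no
// login and makes this server fetch whatever URL the caller names, so drop
// the pingback methods explicitly.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: no X-Pingback header, no RSD <link> in <head>.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

After deploying, a POST of a demo.sayHello call to /xmlrpc.php should still answer (the endpoint exists), while wp.getUsersBlogs with any credentials returns the "XML-RPC services are disabled on this site" fault and pingback.ping returns a method-not-found fault. If nothing on the site needs the endpoint at all, denying /xmlrpc.php at the web server is cheaper still, since the request never reaches PHP.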

Restrict admin by IP

If you only ever log in from a few IPs (home, office), restrict /wp-admin/ and wp-login.php to those. Via .htaccess or your security plugin. If the site sits behind a CDN or proxy, the web server sees the proxy's address, so the rule must match the real client IP the proxy forwards, or it will lock you out and admit everyone else.

Only practical if your IPs are stable. Not for travelers.

Database table prefix

WordPress defaults database tables to wp_. Changing it to something random (e.g., x7r_) defeats only the laziest SQL injection payloads that hard-code wp_users; a real injection reads the prefix from information_schema, and plugin code uses $wpdb->prefix anyway. Marginal value, but free if you are installing fresh.

Set during initial install. Hard to change later.

What NOT to install

  • Multiple security plugins. They conflict. Pick one.
  • “Premium security” plugins that promise to make you bulletproof. Marketing, mostly.
  • Plugins that scan and clean malware continuously on a shared host. Heavy resource usage, and an automatic “clean” can remove the payload while leaving the backdoor that installed it. A scheduled scan is fine; backup-based recovery is the reliable fix.

What to do if your site is hacked

If you discover an attack:

  1. Don’t panic. Document what you see (screenshots, log entries, the dates files changed). You will need this to work out how they got in.
  2. Take the site offline temporarily. Maintenance mode or hosting pause.
  3. Restore from a clean backup (one from before the attack). Check the dates: a backup taken after the initial compromise restores the backdoor along with everything else.
  4. Update everything. WordPress core, all plugins, all themes. Skip this and the same hole gets reused within days.
  5. Change all passwords. WordPress users, hosting, SFTP, email, database. Rotate the salts in wp-config.php as well so that stolen session cookies stop working, and delete any administrator account you did not create.
  6. Run a malware scan. Wordfence has free scanning; if you have WP-CLI, wp core verify-checksums and wp plugin verify-checksums compare the files on disk against the official releases.
  7. Check Google Search Console for security warnings. If listed, request a review after cleanup.

If you can’t clean it yourself, services like Sucuri or Astra Security offer paid malware removal. $200–$500 typical.
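A first-pass version of step 6 that needs nothing beyond PHP on the server, as an added example written for this post (not the post's own procedure and not a product). It walks a WordPress tree and reports PHP files under uploads, PHP files changed in the last week, and files that hand decoded data to eval(). With no argument it builds a throw-away directory of constructed files so it can be run anywhere; the “shell” inside it only mimics the pattern and executes nothing.

```php
<?php
// Added example for this post: first-pass triage of a WordPress tree for the
// things a fresh backdoor usually looks like. Usage: php find-suspicious.php /var/www/html
// With no argument it builds a throw-away tree of constructed files.

function scan_wordpress(string $root, int $days = 7): array
{
    $root   = rtrim($root, '/');
    $cutoff = time() - $days * 86400;
    $phpExt = '/\.(php|phtml|php[0-9]|phar)$/i';
    // Decoded data passed straight to the interpreter: the signature of the
    // crudest dropped shells. Real ones also use string splitting and
    // concatenation, so a miss here proves nothing; a hit is worth a look.
    $obfusc   = '/\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/i';
    $findings = [];

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path  = $file->getPathname();
        $rel   = substr($path, strlen($root) + 1);
        $isPhp = preg_match($phpExt, $path) === 1;

        // 1. Uploads should hold media only; PHP there means an upload filter was bypassed.
        if ($isPhp && strpos($rel, 'wp-content/uploads/') === 0) {
            $findings[] = ['php_in_uploads', $rel];
        }
        // 2. Code changed recently outside a known update. Attackers can forge
        //    mtime, so absence from this list is not a clean bill of health.
        if ($isPhp && $file->getMTime() >= $cutoff) {
            $findings[] = ['recently_modified', $rel];
        }
        // 3. Obfuscated execution, checked in every small file: a .ico or .txt can
        //    be mapped to PHP by a planted .htaccess, so the extension is no filter.
        if ($file->getSize() < 2 * 1024 * 1024 && preg_match($obfusc, (string) file_get_contents($path))) {
            $findings[] = ['obfuscated_exec', $rel];
        }
    }
    sort($findings);
    return $findings;
}

// Constructed demo tree so the script runs without a real install.
function build_demo_tree(): string
{
    $tmp = sys_get_temp_dir() . '/wp-triage-' . bin2hex(random_bytes(4));
    mkdir("$tmp/wp-content/uploads/2024/03", 0700, true);
    mkdir("$tmp/wp-includes", 0700, true);
    file_put_contents("$tmp/wp-content/uploads/2024/03/photo.jpg", 'JFIF...');
    // Not real malware: these strings only mimic the pattern and are never executed.
    file_put_contents("$tmp/wp-content/uploads/2024/03/cache.php", "<?php eval(base64_decode(\$_POST['c']));");
    file_put_contents("$tmp/wp-content/uploads/2024/03/favicon.ico", "<?php @eval(gzinflate(base64_decode('...')));");
    file_put_contents("$tmp/wp-includes/version.php", "<?php \$wp_version = '6.5';");
    touch("$tmp/wp-includes/version.php", time() - 40 * 86400);   // old core file: should not be flagged
    return $tmp;
}

$root = $argv[1] ?? build_demo_tree();
foreach (scan_wordpress($root) as [$kind, $rel]) {
    printf("%-18s %s\n", $kind, $rel);
}
```

On the demo tree it reports cache.php three times (in uploads, recent, obfuscated), favicon.ico once for the eval pattern, and nothing for the old version.php. On a real site, run it on the restored copy as well as the compromised one: if the same finding appears in both, the backup is not as clean as its date suggests. It complements rather than replaces the checksum comparison, which catches modified core and plugin files that contain nothing so obvious.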

The host’s role

Good WordPress hosting includes:

  • Daily backups.
  • Malware scanning.
  • Web application firewall (WAF) at the server level.
  • Free SSL.
  • Two-factor authentication on the hosting account itself.

If your host doesn’t offer these, the burden shifts to plugins. Higher-tier managed hosts (Kinsta, WP Engine, SiteGround) cover most of this at the server level.

The “I don’t have anything worth attacking” objection

Most WordPress attacks aren’t targeted. They’re automated bots looking for any vulnerable site to:

  • Send spam.
  • Host phishing pages.
  • Mine cryptocurrency.
  • Add backlinks to other sketchy sites.
  • Pivot to attack other targets.

Your blog doesn’t have to be important. It just has to be vulnerable. The defenses above stop automated bots, which is 99% of the threat.

The honest summary

Most WordPress security is automation defense: strong passwords + 2FA + updates + a security plugin + backups + SSL. Skip the fortress-level hardening unless you’re actually being targeted. Don’t run multiple security plugins. Update everything regularly. Trust your backups as the recovery plan. Most real “hacks” are preventable with an afternoon of setup once.