Why WordPress Security Matters
WordPress powers over 43% of all websites. This popularity makes it the #1 target for hackers. Most attacks are automated bots scanning for known vulnerabilities — proper hardening stops 99% of them.
Immediate Security Steps
1. Keep Everything Updated
The #1 cause of WordPress hacks is outdated software:
- WordPress core — enable auto-updates
- Themes — update monthly, delete unused themes
- Plugins — update weekly, remove unused plugins
Before updating, always take a full backup. Use your hosting backup feature or a plugin like UpdraftPlus.
2. Secure Login Page
The default login page (wp-login.php, which /wp-admin redirects to) faces constant brute-force attacks:
Limit login attempts:
// In functions.php or via a security plugin
// Limit to 3 failed attempts, 15-minute lockout
Change the login URL:
Use a plugin to move /wp-admin to a custom URL like /my-secret-login. This cuts the noise from bots that only probe the default path; it is obscurity rather than a control, so keep attempt limiting and 2FA in place as well.
Enable Two-Factor Authentication (2FA):
Add TOTP-based 2FA for all admin accounts.
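The "limit login attempts" item above gives only the policy (3 failed attempts, 15-minute lockout). As an added example that is not code from the original article or from any plugin, here is that policy implemented directly with WordPress hooks and transients. It assumes it is loaded from the active theme's functions.php or as an mu-plugin; every name prefixed mysite_ is a placeholder.

```php
<?php
/**
 * Added example (not from the original article): a login rate limiter
 * implementing the thresholds above (3 failed attempts, 15-minute lockout)
 * with WordPress hooks and transients. Assumes it is loaded from the active
 * theme's functions.php or as an mu-plugin; the mysite_ prefix is a placeholder.
 */

define('MYSITE_LOGIN_MAX_ATTEMPTS', 3);
define('MYSITE_LOGIN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Only REMOTE_ADDR is set by the server itself. Headers such as
// X-Forwarded-For are client-controlled and must not be used unless a
// trusted reverse proxy in front of WordPress is known to overwrite them.
function mysite_login_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names are length-limited, so key on a hash of the address.
function mysite_login_transient_key() {
    return 'mysite_login_fail_' . md5(mysite_login_client_ip());
}

// Count each failed login per address. The transient expires after the
// lockout window, so the counter resets on its own with no cleanup job.
function mysite_record_failed_login($username) {
    $key = mysite_login_transient_key();
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, MYSITE_LOGIN_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'mysite_record_failed_login');

// Refuse authentication once the threshold is reached. Priority 30 runs after
// core's username/password check (priority 20), so the WP_Error returned here
// is what wp_signon() finally sees even when the password was correct.
function mysite_check_login_lockout($user, $username, $password) {
    $attempts = (int) get_transient(mysite_login_transient_key());
    if ($attempts >= MYSITE_LOGIN_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed login attempts. Try again in %d minutes.',
                MYSITE_LOGIN_LOCKOUT_SECONDS / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}
add_filter('authenticate', 'mysite_check_login_lockout', 30, 3);

// A successful login clears the counter so a user who mistyped once or twice
// is not locked out later by their own earlier attempts.
function mysite_clear_failed_logins($user_login, $user) {
    delete_transient(mysite_login_transient_key());
}
add_action('wp_login', 'mysite_clear_failed_logins', 10, 2);
```

Because both wp-login.php and XML-RPC logins go through wp_authenticate(), the same counter covers both entry points. A rejected attempt during the lockout also fires wp_login_failed, so each retry extends the window. Per-address limiting does nothing against a botnet that spreads attempts across many addresses, and it can lock out legitimate users behind a shared NAT, which is why the article pairs it with 2FA rather than relying on it alone.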
3. Strong Passwords
- Minimum 16 characters
- Mix of uppercase, lowercase, numbers, symbols
- Unique per account — never reuse passwords
- Use a password manager
4. User Role Management
- Use Admin only for site administrators
- Use Editor for content managers
- Never share admin credentials
- Remove unused accounts immediately
File-Level Security
Protect wp-config.php
Move wp-config.php one directory above the web root (WordPress looks for it there automatically), or add:
# .htaccess
<files wp-config.php>
order allow,deny
deny from all
</files>
On Apache 2.4 and later the equivalent is Require all denied; the order/deny directives above keep working only while mod_access_compat is loaded.
Disable File Editing
Prevent plugin/theme editing from the admin panel by adding this line to wp-config.php above the "That's all, stop editing!" comment:
// wp-config.php
define('DISALLOW_FILE_EDIT', true);
Correct File Permissions
# Directories: 755
find /path/to/wordpress -type d -exec chmod 755 {} \;
# Files: 644
find /path/to/wordpress -type f -exec chmod 644 {} \;
# wp-config.php: 600
chmod 600 /path/to/wordpress/wp-config.php
Mode 600 assumes PHP runs as the user that owns the file (typical with a dedicated PHP-FPM pool). If the web server reads files as a different user in the same group, use 640 instead, or the site will fail to load.
Database Security
Change Table Prefix
The default wp_ prefix is a known target. During installation, use a custom prefix like site7x_.
Regular Database Optimization
Use phpMyAdmin or WP-CLI to optimize tables:
wp db optimize
Server-Level Protection
Security Headers
Add these to your .htaccess (requires mod_headers) or the equivalent add_header lines in your Nginx config:
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Content-Security-Policy "default-src 'self'"
A policy as strict as default-src 'self' blocks the inline scripts and styles, fonts and third-party assets that WordPress core and most themes load, so roll it out as Content-Security-Policy-Report-Only first and tighten it once the reports are clean. X-XSS-Protection is a legacy header that most current browsers ignore; it does no harm, but the CSP is what actually limits script injection.
Disable XML-RPC
If you don't use remote publishing or Jetpack:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Block PHP Execution in Uploads
Prevent malicious PHP files in the uploads directory:
# wp-content/uploads/.htaccess
<Files *.php>
deny from all
</Files>
This only takes effect if AllowOverride lets .htaccess files apply in that directory, and it matches the .php extension only; if your PHP handler also serves other extensions (such as .phtml), block those as well. On Nginx, the equivalent is a location rule for wp-content/uploads that refuses to pass .php requests to PHP-FPM.
Monitoring & Recovery
Security Scanning
- Run weekly malware scans
- Monitor file integrity (detect unauthorized changes)
- Check Google Safe Browsing status
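For the "monitor file integrity" item above, WP-CLI's wp core verify-checksums compares core files against the official hashes, but it does not cover themes, plugins or files an attacker drops elsewhere. As an added example that is not code from the original article or from WordPress itself, here is a stand-alone checker that records a SHA-256 baseline of the whole install and reports anything added, modified or removed since. The install and manifest paths in the usage comment are assumptions.

```php
<?php
/**
 * Added example (not from the original article): a stand-alone file
 * integrity checker. Run it once to record a baseline manifest of SHA-256
 * hashes, then on a schedule to report files that were added, modified or
 * removed since the baseline. Usage (paths are assumptions):
 *   php integrity-check.php /var/www/wordpress /var/backups/wp-manifest.json
 */

// Directories whose contents change legitimately and would only add noise.
// wp-content/uploads is skipped here because PHP execution there is blocked
// by the .htaccess rule above; it should never contain executable code.
const SKIP_DIRS = ['wp-content/uploads', 'wp-content/cache'];

function should_skip(string $relative): bool {
    foreach (SKIP_DIRS as $dir) {
        if ($relative === $dir || strncmp($relative, $dir . '/', strlen($dir) + 1) === 0) {
            return true;
        }
    }
    return false;
}

// Walk the tree and hash every regular file, keyed by path relative to root.
function build_manifest(string $root): array {
    $real = realpath($root);
    if ($real === false) {
        throw new RuntimeException("No such directory: $root");
    }
    $real = rtrim($real, '/');
    $manifest = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $relative = substr($file->getPathname(), strlen($real) + 1);
        if (should_skip($relative)) {
            continue;
        }
        $manifest[$relative] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

// Diff two manifests; returns lists of added, modified and removed paths.
function diff_manifests(array $baseline, array $current): array {
    $added = array_keys(array_diff_key($current, $baseline));
    $removed = array_keys(array_diff_key($baseline, $current));
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $modified[] = $path;
        }
    }
    return ['added' => $added, 'modified' => $modified, 'removed' => $removed];
}

// CLI entry point: first run writes the baseline, later runs report changes.
if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? '.';
    $manifestPath = $argv[2] ?? 'manifest.json';
    $current = build_manifest($root);

    if (!file_exists($manifestPath)) {
        file_put_contents($manifestPath, json_encode($current, JSON_PRETTY_PRINT));
        echo 'Baseline written: ' . count($current) . " files\n";
        exit(0);
    }

    $baseline = json_decode(file_get_contents($manifestPath), true);
    if (!is_array($baseline)) {
        fwrite(STDERR, "Manifest is unreadable: $manifestPath\n");
        exit(2);
    }
    $diff = diff_manifests($baseline, $current);
    foreach ($diff as $kind => $paths) {
        foreach ($paths as $path) {
            echo strtoupper($kind) . "\t$path\n";
        }
    }
    // Non-zero exit lets cron or a monitoring agent alert on any change.
    exit(array_sum(array_map('count', $diff)) ? 1 : 0);
}
```

Keep the manifest outside the web root and writable only by the account that runs the check, since an attacker with write access to the site could otherwise rewrite the baseline to match their changes. Regenerate the baseline right after each legitimate core, theme or plugin update, so that the next run reports only what you did not do yourself.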
Backup Strategy
Follow the 3-2-1 rule:
- 3 copies of your data
- 2 different storage types
- 1 offsite backup
Incident Response
If your site is hacked:
- Take the site offline immediately
- Scan and clean all files
- Change ALL passwords (WordPress, FTP, database, hosting)
- Restore from a clean backup
- Update everything to latest versions
- Submit for Google review if blocklisted
Security Checklist
- WordPress, themes, and plugins updated
- Strong, unique passwords for all accounts
- Two-factor authentication enabled
- Login attempts limited
- File editing disabled
- Correct file permissions set
- Security headers configured
- Regular backups configured
- SSL certificate installed and forced
- Unused themes and plugins removed
Conclusion
WordPress security isn't a one-time task — it's an ongoing practice. Implement these measures and your site will be protected against the vast majority of attacks. Remember: most hacks exploit known vulnerabilities in outdated software. Keep everything updated and you're already ahead of 90% of WordPress sites.