WordPress Security: 15 Tips to Protect Your Site from Hackers

WordPress powers over 40% of the web, which makes it a prime target for hackers. Every day, thousands of WordPress sites get compromised through outdated plugins, weak passwords, and unpatched vulnerabilities. But here is the good news: 90% of WordPress hacks are preventable with basic security hygiene. This guide covers 15 actionable tips organized into three tiers — start with the basics, then work your way up to advanced hardening.

Tier 1: Basic Security (Do These First)

These five steps form your minimum viable security baseline. Implement them today — each takes under 10 minutes and dramatically reduces your attack surface.

1. Install Wordfence WAF: Wordfence is the most popular WordPress security plugin for a reason. Its Web Application Firewall blocks malicious traffic before it reaches your site, and the malware scanner detects compromised files instantly. The free version covers essentials; the Premium tier ($119/year) adds real-time firewall rule updates so you get protected against new vulnerabilities the moment they are discovered.
2. Keep Everything Updated: Outdated plugins and themes are the number one entry point for attackers. Over half of all WordPress intrusions exploit vulnerabilities that already have patches available. Enable auto-updates for minor WordPress core releases and check for plugin updates at least weekly. A plugin sitting dormant with a known vulnerability is an open door — do not leave it unlocked.
3. Use Strong Passwords + Two-Factor Authentication: "admin" and "password123" are not credentials — they are invitations. Use a password manager to generate unique 20-plus-character passwords for every account. Then enable two-factor authentication (2FA) for all user accounts. Wordfence includes 2FA in its free tier, and it instantly blocks 99% of credential-stuffing attacks.
4. Change the Default Login URL: Every WordPress site ships with the same login page at /wp-admin or /wp-login.php. Bots relentlessly hammer these URLs with brute-force attacks. Use a lightweight plugin like WPS Hide Login to change your login URL to something unique — for example, /portal-9x2k. This alone stops most automated attacks dead in their tracks.
5. Delete Unused Themes and Plugins: Inactive does not mean harmless. Old themes and deactivated plugins still sit on your server, and if they contain unpatched vulnerabilities, attackers can exploit them regardless of activation status. Keep only what you actively use and trust.

Tier 2: Intermediate Hardening

Once the basics are in place, layer on these five additional protections for defense-in-depth:

6. Enforce SSL Everywhere: SSL (TLS) encrypts all data between your visitors and your server, preventing man-in-the-middle snooping. Most hosts now offer free Let's Encrypt certificates. Install the Really Simple SSL plugin to automatically enforce HTTPS across your entire site and fix any mixed-content warnings. Bonus: Google uses HTTPS as a ranking signal, so this helps SEO too.
7. Limit Login Attempts: Without rate limiting, a bot can try thousands of password combinations per minute against any account. Configure Wordfence or the Limit Login Attempts Reloaded plugin to cap failed attempts at five per IP, with a 15-minute lockout after that. For high-value admin accounts, consider even stricter thresholds.
8. Disable the Built-in File Editor: WordPress includes a theme and plugin editor accessible from the admin panel. If an attacker gains admin access, this editor lets them inject malicious PHP code directly into your files. Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php file to disable it permanently. Use SFTP or your host's file manager instead for legitimate edits.
9. Set Up Regular Automatic Backups: Security is not just about prevention — it is also about recovery. If the worst happens, a recent backup means you can restore your site in minutes, not days. Use UpdraftPlus to schedule daily automatic backups to Google Drive, Dropbox, Amazon S3, or OneDrive. Store backups off-server so a compromised server cannot delete them.
10. Change the Database Table Prefix: By default, WordPress uses wp_ as the database table prefix, which makes SQL injection attacks far easier to craft. During installation, or afterward with a tool like Brozzme DB Prefix, change it to something random like s7bq_. This is a small change that significantly complicates automated SQL injection attempts.

Tier 3: Advanced Protection

For business sites handling customer data, payments, or login-protected areas, these five measures provide enterprise-grade security:

11. Set Correct File Permissions: Incorrect file permissions let attackers write malicious files to your server. Set all directories to 755 and all files to 644. The wp-config.php file should be locked down to 440 or 400. Most hosts can apply correct permissions for you; if you have SSH access, commands like find . -type d -exec chmod 755 {} \; handle it in seconds.
12. Disable XML-RPC: XML-RPC is a legacy API that enabled remote publishing but is now heavily abused for brute-force amplification and DDoS attacks. Unless you use the WordPress mobile app or Jetpack, you almost certainly do not need it. Wordfence can block XML-RPC traffic, or you can use the Disable XML-RPC plugin to shut it off entirely.
13. Hide Your WordPress Version: Displaying your WordPress version number in the page source helps attackers target version-specific vulnerabilities. Strip the generator meta tag by adding remove_action('wp_head', 'wp_generator'); to your theme's functions.php, or let Perfmatters handle it automatically along with other performance tweaks.
14. Deploy a CDN Security Layer: Cloudflare's free plan provides DDoS protection, a web application firewall, bot management, and IP masking that hides your origin server's real address. During active threats, enable "Under Attack Mode" to challenge every visitor with a JavaScript check before they reach your server.
15. Choose Secure Hosting: Your hosting provider is your first and most important line of defense. Look for hosts that offer server-level firewalls, proactive malware scanning, automatic daily backups stored off-server, account isolation (so a compromised neighbor cannot infect you), and 24/7 security monitoring. SiteGround, Kinsta, Cloudways, and WP Engine all have strong security reputations with dedicated WordPress security teams.

What to Do If Your Site Gets Hacked

Even with all precautions, no site is 100% immune. If you discover a compromise: (1) take the site offline immediately via your host's control panel, (2) restore from a known-clean backup, (3) change every password and SSH key, (4) run a deep Wordfence scan on every file, and (5) review access logs to understand how they got in so you can close that door.

WordPress security is a habit, not a one-time checklist. Check your security dashboard weekly, keep everything updated, and always maintain a recent, tested backup. If managing security feels overwhelming alongside running your business, our maintenance plans include 24/7 security monitoring, daily backups, and instant incident response — so you can focus on growth while we handle the locks.