WordPress is the most targeted CMS on the internet — not because it’s insecure, but because its 43% market share makes it the most valuable target. A hacked website can cost you customers, rankings, and data. Here are 12 steps to harden your WordPress site today.
1. Keep WordPress, Themes & Plugins Updated
Most WordPress compromises come through vulnerable plugins and themes rather than through core, so this is the step with the biggest payoff. WordPress installs minor and security releases for core automatically; leave that enabled. Since WordPress 5.5 you can also turn on auto-updates per plugin and theme from the Plugins and Appearance > Themes screens, which is a sensible default for anything you are not actively customising. Review the rest at least weekly, test major updates on a staging site first, and delete plugins and themes you no longer use: a deactivated plugin's files are still on the server, and some vulnerabilities in them are reachable without the plugin being active.
2. Use Strong, Unique Passwords
Use a password manager (1Password, Bitwarden) to generate and store a unique password for every account. Your WordPress admin, hosting control panel, SFTP and database accounts should all have different strong passwords, so that one leaked credential does not hand over everything. Prefer SFTP or FTPS over plain FTP, which sends your password across the network in cleartext.
3. Enable Two-Factor Authentication
Install the WP 2FA plugin and require a second factor (an authenticator app rather than email) for all administrator and editor accounts, and ideally for any account that can publish content or upload files. With a second factor in place, a leaked or guessed password alone is no longer enough for the password-spraying and credential-stuffing bots that account for most login attacks. Keep the backup codes somewhere safe so a lost phone does not lock you out of your own site.
4. Change the Default Admin Username
Don't use “admin” as a username: bots try it first. Create a new administrator account with a distinct username, log in as it, and delete the old “admin” account, attributing its posts to the new user when WordPress asks. Treat this as a small win rather than a large one: WordPress reveals usernames anyway through author archives (/?author=1 redirects to /author/<username>/) and through the REST API at /wp-json/wp/v2/users, so an attacker who wants the name can usually get it. The real protection against guessing comes from strong passwords, 2FA and rate limiting.
5. Limit Login Attempts
Install Limit Login Attempts Reloaded (free) to temporarily block an IP address after a set number of failed logins. This shuts down single-source brute forcing but not a distributed attack that spreads its guesses across many addresses, which is why it complements rather than replaces 2FA. If your site sits behind Cloudflare or another reverse proxy, configure the plugin to read the real client address from the proxy's header (for Cloudflare, CF-Connecting-IP); otherwise every visitor appears to come from the proxy's IP and a single lockout blocks all of them.
6. Change the WordPress Login URL
The default login page at /wp-login.php (and the /wp-admin redirect to it) is hammered by bots daily. The WPS Hide Login plugin moves it to a custom path such as /my-secure-login and returns a 404 for the old one. This is obscurity: it cuts most of the automated noise in your logs but does not stop anyone who finds the new URL, and it does nothing for logins through xmlrpc.php or the REST API, so keep 2FA and rate limiting in place. Bookmark the new URL; locking yourself out is the most common side effect.
7. Install a Web Application Firewall (WAF)
Cloudflare (free tier) or Wordfence provides a web application firewall that filters known attack patterns out of incoming requests. The two work at different layers: Cloudflare's managed rules run on its edge network, so blocked requests never reach your server, while Wordfence's firewall is PHP that runs on your server ahead of WordPress (in its “extended protection” mode, before WordPress itself loads). Wordfence also provides malware scanning, file integrity checking of core files against the official WordPress.org copies, and a threat intelligence feed; on the free tier new firewall rules and malware signatures arrive with a 30-day delay, and real-time updates are a paid feature. Using both is reasonable: Cloudflare absorbs volume, Wordfence sees WordPress-specific context.
8. Disable XML-RPC
XML-RPC is WordPress's legacy remote API (xmlrpc.php). It is abused in two ways: its system.multicall method lets an attacker test hundreds of passwords in a single HTTP request, sidestepping per-request login limits, and its pingback method can be used to make your server send requests to a third party, turning your site into a DDoS reflector. Unless you use the WordPress mobile app, Jetpack or another remote publishing tool that still depends on it, block the file in .htaccess (Apache 2.4 syntax; on Apache 2.2 use Order Deny,Allow followed by Deny from all instead):
# Disable XML-RPC
<Files xmlrpc.php>
    Require all denied
</Files>
Verify by requesting /xmlrpc.php in a browser: it should return 403 rather than the “XML-RPC server accepts POST requests only” message. On nginx, do the equivalent with a location block that returns 403 for /xmlrpc.php.
9. Set Correct File Permissions
World-writable files and directories let any other process on the host modify your site, and over-permissive rights on wp-config.php expose your database credentials and secret keys. Correct permissions:
- Directories: 755 (owner can write, everyone can traverse)
- Files: 644 (owner can write, everyone can read)
- wp-config.php: 440 or 400
Use 400 only when the web server's PHP process runs as the file's owner (the usual setup on hosts using suPHP or per-user PHP-FPM pools); if PHP runs as a separate user in the owner's group, use 440 or the site will fail with a database connection error. Never use 777, and note that some hosts need wp-content/uploads writable by the web server user for media uploads to work.
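As an added example (not part of the original article), the following POSIX shell script applies the permissions listed above to a WordPress tree and then checks that nothing is left group- or world-writable. It assumes the files are owned by the account PHP runs as; when PHP runs as a separate user in the owner's group, pass 440 as the second argument. The path is whatever you give it, and it relies on either GNU or BSD stat being present.

```sh
#!/bin/sh
# Added example, not from the original article: apply the permissions listed
# above to a WordPress tree and verify nothing is left writable by others.
# Assumes the files are owned by the account PHP runs as; pass 440 as the
# second argument when PHP runs as a separate user in the owner's group.

# Print a path's permission bits in octal (GNU stat first, then BSD/macOS stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# harden_wp_perms <wordpress-root> [wp-config-mode]
# Directories 755, files 644, wp-config.php 400 (or the mode given).
# Returns 1 without touching anything if the root has no wp-config.php,
# so a typo in the path cannot re-permission an unrelated directory.
harden_wp_perms() {
    root=$1
    config_mode=${2:-400}
    if [ ! -f "$root/wp-config.php" ]; then
        echo "no wp-config.php in $root, refusing to run" >&2
        return 1
    fi
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod "$config_mode" "$root/wp-config.php"
}

# check_wp_perms <wordpress-root>
# Returns 0 when no file or directory under the root is group- or
# world-writable, 1 otherwise (the offending paths are printed).
check_wp_perms() {
    ! find "$1" \( -perm -020 -o -perm -002 \) -print | grep .
}

# Usage: harden_wp_perms /var/www/html && check_wp_perms /var/www/html
```

Run it as the file owner (or via sudo) from outside the web root, and run check_wp_perms again after any plugin install, since some installers loosen permissions on what they create.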
10. Regular Backups to Off-Site Storage
Backups don't prevent hacks but they are your safety net, and they only count if they live somewhere the attacker can't reach: a backup stored on the same server disappears with it. Use UpdraftPlus to schedule daily backups of both the files and the database to Amazon S3, Google Drive, or Dropbox, keep several generations so you can reach back past the point of compromise, and test the restoration process quarterly on a staging site so you know it works before you need it.
11. Secure wp-config.php
wp-config.php holds your database credentials and authentication keys, so keep it out of reach. Moving it one level above the WordPress root works because WordPress looks for it in the parent directory when it is missing from the root (provided that parent directory doesn't contain its own wp-settings.php), but it only helps if the parent directory is outside the web root; if WordPress lives in a subdirectory of your document root, moving the file up simply puts it in another web-served directory. Set its permissions to 400 (or 440, see step 9). Also replace the placeholder AUTH_KEY, SECURE_AUTH_KEY and related salt values with fresh ones from the WordPress secret key generator at https://api.wordpress.org/secret-key/1.1/salt/; changing them logs every user out of every session, which is exactly what you want after a compromise.
12. Use HTTPS / SSL
If you're still serving the site over plain HTTP in 2025, that is both a security issue (logins and session cookies travel in cleartext) and an SEO penalty. Most hosts offer free Let's Encrypt certificates, usually labelled “SSL” even though what you get is TLS. After installing the certificate, update WordPress Address and Site Address under Settings > General to https://, then force HTTPS with a redirect in .htaccess so no request is ever answered over HTTP. Finally check for mixed content (images or scripts still loaded over http://), which browsers block or flag.
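The .htaccess redirect described above, written out as an added example that is not from the original article. It assumes Apache with mod_rewrite enabled and AllowOverride permitting rewrite rules; place it above the “# BEGIN WordPress” block, because WordPress regenerates that block on its own.

```apache
# Added example (not the article's own config): force HTTPS for every request.
# Assumes mod_rewrite; put this above the "# BEGIN WordPress" block.
RewriteEngine On
# TLS terminated on this Apache: redirect anything that did not arrive over HTTPS
RewriteCond %{HTTPS} !=on
# Behind a proxy that talks plain HTTP to the origin (for example Cloudflare in
# "Flexible" mode), the condition above loops forever; use this one instead:
# RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Test with R=302 first and switch to R=301 once the site behaves, because browsers cache permanent redirects and a wrong one is hard to undo.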
Need Professional WordPress Security?
Our WordPress maintenance plans include security hardening, 24/7 monitoring, daily backups, and malware removal. Get protected today.