WordPress powers over 40% of the web, making it a primary target for hackers. While the core software is secure, most vulnerabilities come from outdated plugins, weak passwords, and poor server configurations.
Don’t wait for a “Hacked” message to appear. Follow these 16 steps to harden your WordPress security and protect your business data.
The Foundations of Security
1. Install a Robust Security Plugin
We recommend Solid Security (formerly iThemes Security) or Wordfence. These plugins act as a digital firewall, offering features like file integrity monitoring, brute force protection, and real-time vulnerability scanning.
2. Mandatory Two-Factor Authentication (2FA)
2FA is the single most effective way to stop unauthorized logins. By requiring a code from a mobile app (like Google Authenticator) in addition to a password, you render stolen credentials useless.
3. Move Your Login URL
Hackers use automated bots to “hammer” the default yourdomain.com/wp-admin page with thousands of password guesses. Changing this URL to something unique (e.g., /portal-access) hides the “front door” from most automated attacks.
4. Enforce Strong, Unique Passwords
Use a password manager (like LastPass or 1Password) to generate 16+ character passwords. Avoid using the same password for your WordPress admin, hosting panel, and email.
Technical Hardening
5. Disable XML-RPC
Unless you are using the WordPress Mobile App or Jetpack, you should disable XML-RPC. It is an outdated API that is frequently exploited by hackers to perform massive brute-force attacks in a short amount of time.
6. Limit Login Attempts
Configure your security plugin to “lock out” an IP address after three or five failed login attempts. This prevents hackers from trying millions of password combinations.
7. Enforce SSL Everywhere
An SSL certificate (HTTPS) is no longer optional. It encrypts the data sent between a user’s browser and your server, ensuring that login credentials cannot be “sniffed” on public Wi-Fi.
8. Use a Clean Username
Never use “admin” or your domain name as a username. These are the first names a bot will try. Create a custom, non-obvious username for all accounts with “Administrator” privileges.
Maintenance and Best Practices
9. Regular Updates are Mandatory
Most WordPress hacks happen because of vulnerabilities in old versions of plugins, themes, or the WordPress core. If you aren’t on a proactive maintenance plan, set aside time every week to run updates.
10. Audit Your Plugins and Themes
Only download themes and plugins from the official WordPress repository or reputable “Pro” developers. Delete any plugins you are not actively using; even deactivated plugins can contain vulnerabilities.
11. Implement Off-Site Backups
A backup stored on your own server is useless if the server gets wiped. Use a solution like UpdraftPlus or BlogVault to send encrypted backups to a third-party location like Amazon S3 or Google Drive.
12. Use Secure Hosting
Your security is only as good as your server. Avoid “bargain-bin” shared hosting. Quality managed WordPress hosts offer server-side firewalls and malware scanning that stop attacks before they even reach your site.
13. Disable File Editing
By default, WordPress allows admins to edit theme and plugin code directly in the dashboard. If a hacker gains access, they can use this to inject malware. You can disable this by adding define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file.
14. Protect Your wp-config.php File
This file contains your database credentials. You can add specific rules to your .htaccess file to prevent anyone from accessing it from the web.
15. Train Your Team
Security is a human issue. Ensure anyone with login access understands the risks of public Wi-Fi, phishing emails, and password sharing.
16. Monitor for File Changes
Use your security plugin to alert you if a file is modified. If a core WordPress file changes unexpectedly, it’s a major red flag that your site may have been breached.
Final Thoughts: The “Small Site” Myth
It is a dangerous misconception that hackers don’t care about small or “unattractive” websites. In reality, hackers want any server they can get. They use small sites to send millions of spam emails, host “phishing” pages for banks, or infect your visitors’ computers.
Security is an ongoing process, not a one-time setup. Is your site currently protected? If you need help hardening your site or cleaning up a malware infection, consider our WordPress security services for your site.