Over 90,000 WordPress websites are hacked every single day. The overwhelming majority of these hacks are entirely preventable with basic security measures that take less than an afternoon to implement. Because WordPress powers 43% of the internet, it is the most targeted platform for automated attacks. Here are the twelve steps every WordPress site owner should implement immediately.
If you are still setting up your site, start with our WordPress beginner’s guide first, then come back here to lock it down. Security and speed go hand in hand — see our speed optimisation guide too.
1. Keep Everything Updated
The most common entry point for WordPress hacks is outdated software. Update WordPress core, themes, and plugins regularly. Enable automatic updates for minor releases and check for updates at least once a week.
2. Use Strong, Unique Passwords
Use a password manager like 1Password or Bitwarden to generate and store unique, strong passwords for every account. Brute force attacks try millions of password combinations — never use simple passwords.
3. Change the Default Admin Username
Every WordPress installation used to default to ‘admin’ as the administrator username. Hackers know this and target it specifically. Create a new administrator account with a unique username and delete the old ‘admin’ account.
4. Install a Security Plugin
Wordfence (free tier is excellent) provides a web application firewall, malware scanner, login attempt monitoring, and real-time threat intelligence. It is one of our top-recommended essential WordPress plugins.
5. Enable Two-Factor Authentication
Two-factor authentication (2FA) means even if an attacker has your password, they cannot log in without access to your phone. Wordfence includes built-in 2FA.
6. Limit Login Attempts
By default, WordPress allows unlimited login attempts. Install Login LockDown or Limit Login Attempts Reloaded to automatically block IP addresses that fail to log in multiple times.
7. Move or Rename the Login Page
The default WordPress login URL (yourdomain.com/wp-admin) is known to every automated attack tool. Plugins like WPS Hide Login let you change it to a custom URL, significantly reducing attack traffic.
8. Install an SSL Certificate
SSL certificates (HTTPS) encrypt data transmitted between your server and visitors. They are mandatory for AdSense, required by Google for ranking, and expected by modern internet users. Most hosting providers offer free SSL through Let’s Encrypt.
9. Use a Trusted Hosting Provider
Server-level security is your first line of defence. Invest in a quality host that provides server-level firewalls, malware scanning, and isolated hosting environments.
10. Set Up Automated Backups
No security system is 100% foolproof. Set up UpdraftPlus to automatically back up your entire site — files and database — daily, storing copies in at least two locations.
11. Scan for Malware Regularly
Run a malware scan at least once a month using Wordfence. Sucuri’s free scanner can also check your site externally for known malware signatures.
12. Monitor File Changes
Wordfence’s file integrity monitoring compares your files against the original WordPress repository versions and alerts you to any unexpected changes. Hackers often insert malicious code quietly — early detection is critical.
Conclusion
WordPress security is about making your site a harder target than the next one. Implement these twelve steps and you will block the vast majority of attacks that compromise unprotected WordPress sites every day. A secure site is also faster — see our speed guide to complete your site’s health checklist.