WordPress powers 43% of the web — and gets attacked accordingly. Sucuri's 2025 hacked-website report: 96.4% of all hacked CMS sites were WordPress. That's not because WordPress is uniquely insecure — it's because it's everywhere AND most owners never harden it. Here are the 15 hardening steps we apply to every site we ship, in priority order.
- Strong, unique admin password + 2FA
- Change the default admin username
- Limit login attempts
- Hide /wp-admin/ with custom URL
- Enable HTTPS everywhere
- Disable XML-RPC
- Disable file editing in admin
- Lock down file permissions
- Keep PHP version current (8.x)
- Install a security plugin
- Daily automated backups
- Audit + delete unused plugins/themes
- Schedule update windows
- Install Cloudflare WAF
- Monitor with Wordfence or similar
- FAQ
1. Strong, unique admin password + 2FA
This is non-negotiable. Automated brute-force and credential-stuffing attacks against /wp-login.php run around the clock, and a weak or reused password is one of the most common ways an admin account is taken over.
- Use a password manager (1Password, Bitwarden) and let it generate the password; never reuse a password across sites
- Random and at least 16 characters; length matters more than forcing a symbol into a short, memorable word
- Enable 2FA with a TOTP app (Google Authenticator, Authy) via the Two-Factor plugin, Wordfence, or miniOrange, and enforce it for every administrator and editor account, not just your own; prefer app codes over SMS where you have the choice
2. Change the default "admin" username
A brute-force attack needs two things: a valid username and its password. An admin account literally named "admin" hands over the first half for free, and every bot tries it first. Renaming does not make the username secret, though: WordPress reveals author usernames through /?author=1 redirects and the REST API's /wp-json/wp/v2/users endpoint unless those are blocked, so treat this as a cheap win rather than a hiding place.
Method: Create a new user with the administrator role and a unique username. Log in as the new user. Delete the "admin" account, attributing all of its posts to the new user. Then set the new user's nickname and display name to something other than the login name so it is not printed on every post.
3. Limit login attempts
By default WordPress accepts unlimited login attempts, which is exactly what brute-force tooling relies on.
Plugin: Limit Login Attempts Reloaded (free) or Wordfence's built-in feature. Configure it to lock an IP after 3–5 failed attempts for 60 minutes. Two caveats: if the site sits behind a proxy or CDN (Cloudflare, step 14), configure the plugin to read the real client address from the proxy's header (Cloudflare sends CF-Connecting-IP), otherwise you lock out the proxy instead of the attacker; and the limit only covers wp-login.php, so pair it with step 6, because the XML-RPC system.multicall method lets one request test hundreds of passwords.
4. Hide /wp-admin/ with a custom URL
Bots hammer /wp-admin/ and /wp-login.php by path. Renaming the login URL takes your site out of that automated sweep.
Plugin: WPS Hide Login. Change /wp-login.php to something like /my-secret-portal/. Keep the new URL in your password manager.
This is security through obscurity: anyone who learns the new path is exactly where they were before, and the rename does nothing for xmlrpc.php or the REST API, which still accept credentials. What it does do is cut the noise from dumb scanners to almost nothing, so the lockout alerts from step 3 become worth reading. Combined with limited login attempts and 2FA, the login form stops being a practical brute-force target.
5. Enable HTTPS everywhere
Every modern host issues free TLS certificates via Let's Encrypt. There's no excuse to serve HTTP in 2026.
After the certificate is installed: Settings → General → set both WordPress Address (URL) and Site Address (URL) to https://. Redirect any remaining HTTP requests with a 301 at the web server (Apache or nginx config) if you can, or with the Really Simple SSL plugin if you can't touch the server. Setting FORCE_SSL_ADMIN in wp-config.php keeps logins and the dashboard on HTTPS even if a plugin emits an http:// link, and once everything works, send a Strict-Transport-Security header so browsers never try plain HTTP again.
6. Disable XML-RPC
XML-RPC is WordPress's legacy remote-API endpoint (xmlrpc.php). Bots abuse it in two ways: the pingback.ping method turns your server into a reflector for DDoS traffic aimed at other sites, and the system.multicall method lets one HTTP request test hundreds of username/password pairs, sidestepping the lockouts from step 3. Jetpack and some older remote-publishing clients still need it; most sites don't.
Easy method: install the "Disable XML-RPC-API" plugin. Or block the file in your .htaccess (this is Apache 2.2 syntax; on Apache 2.4 replace the two order/deny lines with Require all denied, and on nginx use a deny-all location block for /xmlrpc.php):
<Files xmlrpc.php>
    order deny,allow
    deny from all
</Files>
7. Disable file editing in admin
WordPress lets administrators edit theme and plugin PHP files from the dashboard. If an admin account is compromised, that editor is the fastest way to drop a backdoor without touching the server.
Add to wp-config.php, above the "That's all, stop editing!" line. (If you deploy code and run updates from the command line or a pipeline, DISALLOW_FILE_MODS goes further and also blocks installing and updating plugins and themes from the dashboard.)
define('DISALLOW_FILE_EDIT', true);
8. Lock down file permissions
Correct WordPress file permissions:
- Folders: 755
- Files: 644
- wp-config.php: 600 (or 640 if your host requires)
These assume PHP runs as the user that owns the files, which is the usual setup on cPanel and per-site PHP-FPM pools. If PHP runs as a separate web-server user, it needs group access: use 640 for wp-config.php and make wp-content/uploads (and only that) group-writable. Never use 777 anywhere, not even "temporarily".
Most hosts have a "Reset Permissions" button in cPanel. Use it after any migration or manual file transfer, and re-check afterwards rather than assuming it worked.
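To verify the policy above instead of trusting a control-panel button, here is an added shell script (not from the original article) that audits a WordPress root against it and can apply the fix. It assumes the 755/644/600 policy from the list, a GNU or BSD find, and that PHP runs as the file owner; the function names and paths are my own.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Audits a WordPress document root against the article's policy
# (directories 755, files 644, wp-config.php 600) and optionally fixes it.
# Assumes PHP runs as the file owner; where PHP runs as a separate group
# member, change 600 to 640 below (the article's "if your host requires").

# Print one line per deviating path, prefixed with dir/file/conf.
# Exit status 0 when everything matches the policy, 1 otherwise.
wp_perm_audit() {
    root=$1
    findings=$(
        find "$root" -type d ! -perm 755 | sed 's/^/dir  /'
        find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file /'
        find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 | sed 's/^/conf /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Apply the policy. Idempotent, so it is safe after every migration or upload.
wp_perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Stand-alone usage:  sh wp-perms.sh audit /var/www/example.com
#                     sh wp-perms.sh fix   /var/www/example.com
case "${1:-}" in
    audit) wp_perm_audit "$2" ;;
    fix)   wp_perm_fix "$2" && wp_perm_audit "$2" ;;
esac
```

Run the audit from cron and alert on a non-zero exit; a fresh 777 directory or an executable file in wp-content/uploads after the fix has run is itself a sign that something else is writing to the tree.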
9. Keep PHP version current (8.x)
PHP 7.4 reached end-of-life in November 2022, and 8.0 and 8.1 have since followed it. Run PHP 8.2 or newer.
An EOL PHP release gets no security fixes, so every new interpreter bug stays open on your server. Upgrade from your host's control panel; it's usually one click. Switch a staging copy first, or at least run WordPress's Site Health check, because an abandoned plugin that still relies on PHP 7 behaviour will fatal-error on 8.x.
10. Install a security plugin
Either Wordfence (most popular, free + paid) or Sucuri, but only one of them: two security plugins fight over the same hooks and double the overhead. Keep in mind that a plugin-level firewall runs inside PHP after the request has already reached your server, so it is a second layer behind the edge WAF in step 14, not a replacement for it. Between them they cover:
- Malware scanning
- Login security (2FA, limit attempts, captchas)
- Firewall rules
- Audit logs of admin actions
- File change detection
11. Daily automated backups
If you get hacked or an update breaks the site, you need a recent, known-good restore point, and it must live off the server: a backup sitting next to the site gets deleted or encrypted along with it.
UpdraftPlus (free) pushing to Google Drive, S3 or Dropbox covers most sites. Schedule daily database backups and weekly file backups, keep 30+ days of history, give the upload credential write-only (no delete) permission where the storage supports it so a compromised site cannot wipe its own history, and test a restore on staging once a quarter: an untested backup is a hope, not a plan.
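For sites without a plugin-driven backup, here is an added shell job (not from the original article) for the schedule above: it pulls the database credentials out of wp-config.php, dumps the database, archives wp-content, and prunes anything older than the 30-day window. It assumes mysqldump is installed, DB_HOST is a plain hostname, and that a separate sync process (rclone, the host's snapshots) ships the destination directory off the server; the function names and paths are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: a minimal backup job for
# the daily DB / weekly files schedule described above. The database dump
# needs mysqldump and a reachable DB, so that step only works on a real host;
# the wp-config.php parsing and retention pruning run anywhere.
# Assumptions: DB_HOST is a plain hostname (add port handling if yours is
# "host:port"), and $DEST is synced off-server by a separate process.

# Extract the value of define('KEY', 'value') from wp-config.php.
wp_config_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$file" | head -n 1
}

# Delete archives in $1 older than $2 days, keeping the history bounded.
wp_backup_prune() {
    dir=$1; days=$2
    find "$dir" -type f \( -name '*.sql.gz' -o -name '*.tar.gz' \) -mtime +"$days" -exec rm -f {} +
}

# Dump the database and archive wp-config.php plus wp-content into $2.
wp_backup() {
    root=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    cfg=$root/wp-config.php
    db=$(wp_config_get "$cfg" DB_NAME)
    user=$(wp_config_get "$cfg" DB_USER)
    pass=$(wp_config_get "$cfg" DB_PASSWORD)
    host=$(wp_config_get "$cfg" DB_HOST)
    mkdir -p "$dest"
    # MYSQL_PWD keeps the password out of `ps` output; --single-transaction
    # takes a consistent InnoDB snapshot without locking the live tables.
    MYSQL_PWD=$pass mysqldump --single-transaction --quick \
        -h "${host:-localhost}" -u "$user" "$db" | gzip > "$dest/db-$stamp.sql.gz"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$root" wp-config.php wp-content
    wp_backup_prune "$dest" 30
}

# Stand-alone usage from cron:  sh wp-backup.sh /var/www/example.com /backups/example.com
if [ $# -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

The archive deliberately includes wp-config.php, so the backup destination holds database credentials and salts: protect it at least as carefully as the live server, and rotate those credentials if the backup store is ever exposed.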
12. Audit + delete unused plugins/themes
Every plugin/theme is a potential vulnerability. Outdated plugins cause 60%+ of WordPress hacks per Wordfence's 2025 attack data.
- Quarterly: review all installed plugins
- Delete (not just deactivate) anything you're not actively using
- Replace abandoned plugins (no updates in 12+ months) with maintained alternatives
- Keep only the active theme (plus its parent, if it is a child theme) and one current default Twenty-* theme as a fallback; delete the rest
13. Schedule update windows
Updates fix vulnerabilities, and exploitation of a disclosed plugin flaw typically starts within days of the advisory, so every day you delay is an open attack window.
Best practice: update plugins and themes weekly on a low-traffic day (Sunday morning works for most). Always back up first and test on staging if you have it. Leave WordPress's automatic minor core updates on, and consider enabling auto-updates for plugins you haven't customised; a security release should not wait for Sunday.
14. Install Cloudflare WAF
Cloudflare's free tier puts a reverse proxy in front of your server with DDoS protection and a limited managed WAF ruleset that blocks common attack patterns (SQL injection, XSS); the full Cloudflare and OWASP managed rulesets are on the paid plans.
Setup: free Cloudflare account → point your nameservers → enable proxying. Done in 30 minutes. Then close the gaps: set the SSL mode to Full (strict), restrict your origin server to accept traffic only from Cloudflare's published IP ranges (otherwise anyone who learns the origin IP simply walks around the WAF), and point the login-limiting plugin from step 3 at the CF-Connecting-IP header. Bonus: faster site, better TTFB, and free DDoS protection.
15. Monitor with Wordfence or similar
Set up email alerts for: bursts of failed login attempts (not every single one, or you will stop reading them), file changes outside wp-content/uploads, new administrator accounts, plugin/theme deactivations, and scans that found something.
You won't catch everything proactively, but you'll learn about a breach within hours instead of weeks.
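Plugin alerts only see what reaches PHP. As an added example (not from the original article) of the same detection done from the web-server side, the script below reads a combined-format access log and reports client IPs whose failed logins plus XML-RPC posts hit a threshold; it serves the lockout logic in step 3 and the XML-RPC abuse in step 6 as well as the alerting here. The log lines are constructed with RFC 5737 documentation addresses, the script assumes the default /wp-login.php path (adjust it if you renamed the login in step 4) and that the first log field is the real client IP, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: a log-side check for
# login floods, usable alongside (or before) a security plugin.
# Reads a combined-format access log and reports client IPs whose failed
# logins plus XML-RPC POSTs reach a threshold. Assumes the default
# /wp-login.php path and that field 1 is the real client IP (behind
# Cloudflare, log CF-Connecting-IP, or every attacker looks like Cloudflare).

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
# WordPress answers a failed login with 200 (form re-rendered) and a
# successful one with 302, which is what the awk filter keys on.
SAMPLE_LOG='203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2026:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2026:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2026:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2026:10:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [01/Mar/2026:10:02:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [01/Mar/2026:10:03:00 +0000] "GET / HTTP/1.1" 200 15320 "-" "Mozilla/5.0"'

# Usage: wp_login_flood LOGFILE [THRESHOLD]
# Prints "ip total failed_logins xmlrpc_posts", busiest first.
wp_login_flood() {
    log=$1; threshold=${2:-5}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fail[$1]++; seen[$1] = 1 }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                { rpc[$1]++;  seen[$1] = 1 }
        END {
            for (ip in seen) {
                total = fail[ip] + rpc[ip]
                if (total >= t) printf "%s %d %d %d\n", ip, total, fail[ip], rpc[ip]
            }
        }' "$log" | sort -k2,2nr
}

# Run the detector over the constructed sample.
wp_login_flood_demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    wp_login_flood "$f" 5
    rm -f "$f"
}

# Stand-alone usage:  sh wp-login-flood.sh /var/log/apache2/access.log 10
if [ $# -ge 1 ]; then
    wp_login_flood "$1" "${2:-5}"
fi
```

Note that 198.51.100.7 is not reported: one failed attempt followed by a 302 is a person mistyping a password, which is the noise the threshold exists to drop. Each XML-RPC POST is counted once even though a single system.multicall body can carry hundreds of guesses, so treat any xmlrpc.php traffic from an unfamiliar address as already over the line.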
From our incident-response work: 80% of hacked sites had skipped (1) plugin updates and (2) two-factor authentication. If you only do TWO things from this list, do those.
"Security isn't paranoia — it's basic hygiene. The 30 minutes to harden your site is cheaper than the $4,000 average cost of recovering from a hack."
Frequently asked questions
Do I really need all 15 steps?
For a serious business site: yes, eventually. The first 6 (steps 1–6) handle 80% of the risk. Steps 7–15 close the remaining 20%. We deploy all 15 on every client site we ship.
My site has already been hacked. What do I do?
Don't panic, and don't just put the compromised site back online as it is. Steps: (1) take the site offline, (2) restore from a clean backup taken BEFORE the compromise, and check it for the same backdoor, since a restore from after the initial intrusion brings it straight back, (3) update core, plugins, themes and PHP, (4) rotate every credential: all user passwords, the database password, the wp-config.php salts, SFTP and hosting-panel logins, and any API keys, (5) remove administrator accounts you don't recognise and scan with Wordfence/Sucuri, paying particular attention to PHP files in wp-content/uploads and mu-plugins, where none should normally live, (6) submit a reconsideration request in Google Search Console if you were blacklisted. Or hire someone; a recovery service runs ~$300–500.
Is managed WordPress hosting worth it?
Yes. WP Engine, Kinsta and Pressable handle server-level security, automated backups and firewall rules for you, which reduces your exposure substantially. Expect $30+/mo versus $5/mo for shared hosting.
What is the most common WordPress vulnerability?
Outdated plugin vulnerabilities, specifically abandoned plugins that are still installed on millions of sites. Update or remove anything that hasn't been updated in 12+ months.
Should I pay for a security service?
For sites doing $50K+/month in revenue: yes. Sucuri or WP Buffs handle monitoring, hardening and malware removal for $30–100/month. Below that, the 15 steps above plus Wordfence's free tier is enough.