The Ultimate WordPress Security Guide (2026)
The single most effective way to secure a WordPress site is to keep all plugins, themes, and WordPress core updated to their latest versions, use strong unique passwords with two-factor authentication on every admin account, and install a web application firewall. These three measures alone block the vast majority of WordPress attacks.
WordPress powers over 40% of all websites on the internet, making it the most targeted content management system by a significant margin. Automated bots scan millions of WordPress installations daily, probing for known plugin vulnerabilities, weak passwords, and misconfigured settings. The majority of successful WordPress hacks exploit vulnerabilities in outdated plugins that have available security patches — patches that were simply never applied.
This guide covers every layer of WordPress security, from fundamental practices that every site owner should implement to advanced hardening techniques for high-value sites. The measures are presented in order of priority — start at the top and work your way down. Each step you complete significantly reduces your attack surface.
Step 1: Keep Everything Updated
Outdated software is the number one cause of WordPress security breaches. When a plugin developer discovers a vulnerability, they release a patch. When you do not apply that patch, your site remains vulnerable to an exploit that is now publicly known — and often already being actively exploited by automated attack tools.
WordPress core should always be running the latest stable version. Minor releases (6.8.1 and the like) carry the security fixes and are installed automatically by default; leave that automatic update enabled. Major releases (6.8 to 6.9, or 6.x to 7.x) change features and APIs and may need compatibility testing on a staging copy, but apply them promptly rather than deferring them indefinitely.
Plugins are the most common attack vector. Update all active plugins as soon as updates are available. If a plugin has not been updated by its developer in over a year, or has been closed in the WordPress.org plugin directory, consider replacing it: abandoned plugins do not receive security patches. Remove any plugins you have deactivated but not deleted. A deactivated plugin's files are still on disk, and a vulnerable file that does its work without WordPress loading can still be requested directly by URL.
Themes should be updated similarly. Delete any themes you are not actively using (keep only your active theme and a default WordPress theme as a fallback).
If managing updates yourself feels risky or time-consuming, our WordPress update service handles this daily — with pre-update backups and visual validation to catch issues before they affect your visitors. Read our detailed guide on safely updating WordPress.
Step 2: Use Strong Passwords and Two-Factor Authentication
Brute force and credential-stuffing attacks, in which automated bots try thousands of username/password combinations against your login page, generate more traffic than any other kind of WordPress attack. If any administrator account on your site uses a weak password, a common password, or a password that has been exposed in a data breach on another service, it is only a matter of time before an attacker gains access.
Password Requirements
Every WordPress administrator and editor account should use a password that is at least 16 characters long, randomly generated (not based on dictionary words, names, or dates), unique to this WordPress site (never reused from another service), and stored in a password manager (1Password, Bitwarden, LastPass) rather than memorised or written down.
The default “admin” username should never be used. If your site has an administrator account with the username “admin,” create a new administrator account with a different username, attribute the old account's content to the new one when WordPress prompts you during deletion, and delete the old “admin” account. Do not treat the new username as a secret: WordPress exposes usernames through author archives (/?author=1) and the REST API users endpoint unless you restrict them, so the password and the second factor must carry the weight.
Two-Factor Authentication (2FA)
Two-factor authentication adds a second verification step after the password. Even if an attacker obtains a valid password — through a data breach, a phishing attack, or brute force — they cannot access your WordPress admin without the second factor (typically a time-based one-time code from an authenticator app).
Enable 2FA on every account with editor-level access or above. The best WordPress 2FA plugins include WP 2FA (free, supports TOTP authenticator apps), Two Factor Authentication by Shield Security, and Wordfence Login Security (free standalone 2FA without requiring the full Wordfence plugin). Read our step-by-step guide to setting up WordPress 2FA.
Step 3: Install a Web Application Firewall
A web application firewall (WAF) filters malicious traffic before it reaches your WordPress installation. It blocks common attack patterns including SQL injection, cross-site scripting (XSS), remote file inclusion, directory traversal, and known exploit payloads targeting specific plugins.
There are two types of WordPress firewalls. Application-level firewalls run as WordPress plugins and inspect each request in PHP on your own server; in their basic mode they run after WordPress has loaded, although some (Wordfence's extended protection, for example) hook in through PHP's auto_prepend_file setting so they run before any WordPress code does. Wordfence and Sucuri Security are the most popular options. Proxy-based firewalls, usually marketed as DNS-level because you point your DNS at them (Cloudflare and Sucuri's cloud WAF, for example), filter traffic before it reaches your server, which costs you no PHP time and adds DDoS absorption.
For most sites, we recommend a DNS-level firewall (Cloudflare's free plan provides solid basic protection) combined with an application-level security plugin for WordPress-specific monitoring. A proxy-based firewall only sees traffic that passes through it, so configure your origin server to accept web connections only from the proxy's published IP ranges; otherwise an attacker who finds the origin address (through DNS history, an outbound e-mail header, or a subdomain that was never proxied) simply goes around the firewall. See our comparison of WordPress firewall plugins for detailed recommendations.
Step 4: Harden Your Login Page
Your WordPress login page (wp-login.php) is the primary target for brute force attacks. Several measures can dramatically reduce your exposure.
Limit login attempts. By default, WordPress allows unlimited login attempts, so a bot can try thousands of passwords without being blocked. Install a plugin that limits failed login attempts per IP address; most security plugins include this feature. After 3–5 failed attempts, the IP should be temporarily blocked for at least 30 minutes. Two caveats: if your site sits behind Cloudflare or another proxy, the plugin must be told to read the real client address from the proxy's header (CF-Connecting-IP or X-Forwarded-For), or every visitor will appear to come from the proxy and a single lockout will block everyone; and per-IP limits do little against a distributed attack that spreads attempts across thousands of addresses, which is why 2FA remains the control that actually stops password guessing.
Change your login URL. Moving your login page from the default /wp-login.php to a custom URL (like /my-secret-login) removes most of the automated brute force noise, because bots target the standard URL. Plugins like WPS Hide Login make this a one-click change. Treat it as noise reduction rather than a security control: the new URL is not a secret in any strong sense, and moving wp-login.php does nothing about login attempts sent through XML-RPC, so it supplements rate limiting and 2FA rather than replacing them. Read our guide on changing your WordPress login URL.
Add CAPTCHA to login. A CAPTCHA challenge on the login page blocks automated bots while allowing legitimate users through. Google reCAPTCHA v3 is unobtrusive: it never shows a puzzle, but instead scores each request on how bot-like the behaviour looks, and the login plugin rejects or steps up (for example to a reCAPTCHA v2 challenge) any submission below the score threshold you configure.
Block known malicious IPs. Security plugins maintain databases of IP addresses known to be associated with attacks. Automatically blocking these IPs at the login page prevents a significant volume of brute force traffic. For more detail, read our guide on protecting WordPress from brute force attacks.
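The per-IP lockout described above can also be applied from the server side, which is useful before a plugin is in place or when you want to feed a host firewall. The following shell script is an added example, not code from the guide or from any of the plugins named: it counts login attempts per source address in a combined-format access log. The log lines are constructed for the example (RFC 5737 documentation addresses), and the script assumes the log records the real client address, i.e. that your web server has already applied the proxy's real-IP header.

```sh
#!/bin/sh
# Added example (not from the guide): find source addresses hammering the login
# endpoints in a combined-format access log. WordPress answers a failed
# wp-login.php POST with 200 (the form is re-rendered) and a successful one with
# a 302 redirect, so counting 200s separates failures from real logins.
# xmlrpc.php returns 200 either way, so every POST to it counts as an attempt.

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [10/Jan/2026:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2026:08:00:05 +0000] "GET /about/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2026:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2026:08:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:08:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2026:08:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
EOF
}

# login_abusers THRESHOLD  reads log lines on stdin and prints "count ip" for
# every address with more than THRESHOLD login attempts, busiest first.
# Combined-format fields: $1 ip, $6 "METHOD, $7 path, $9 status.
login_abusers() {
  awk -v t="$1" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { n[$1]++ }
    $6 == "\"POST" && $7 == "/xmlrpc.php"                { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print n[ip], ip }' | sort -rn
}

# Stand-alone run: report addresses with more than 3 attempts in the sample.
sample_access_log | login_abusers 3
```

Pipe a real log in place of the sample (`login_abusers 5 < /var/log/apache2/access.log`) and feed the addresses to fail2ban or your firewall; the 192.0.2.9 lines show why the status code matters, since that user failed once and then logged in, and should not be blocked.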
Step 5: Secure Your SSL and HTTPS Configuration
SSL certificates encrypt the connection between your visitors’ browsers and your server. Since 2018, Google Chrome marks all HTTP sites as “Not Secure,” and HTTPS is a confirmed Google ranking factor. There is no reason to run a WordPress site without SSL in 2026.
Install an SSL certificate if you do not already have one. Most hosting providers offer free Let’s Encrypt certificates with automatic renewal. Verify your certificate covers your primary domain and all subdomains you use (www and non-www).
Force HTTPS site-wide. Set both the WordPress Address (URL) and Site Address (URL) in Settings → General to use https://. Add an HTTP-to-HTTPS redirect in your .htaccess file (or server configuration) so any visitor accessing http:// is automatically redirected to https://.
Fix mixed content. Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP. Modern browsers block mixed scripts and stylesheets outright, so the page breaks rather than merely warning, and they flag or block mixed images, which removes the padlock. Use a plugin like Really Simple SSL or manually update internal links and resource URLs to use HTTPS; for a site that was moved from HTTP, also search-and-replace the old http:// site URL in the database, since it is stored in post content and in serialized options. Read our guide on fixing WordPress mixed content warnings.
If your visitors are seeing a “Your Connection Is Not Private” error, your SSL certificate has likely expired or is misconfigured — this needs immediate attention.
Step 6: Configure File Permissions Correctly
WordPress file permissions control who can read, write, and execute files on your server. Incorrect permissions can allow attackers to modify core WordPress files, inject malicious code into your theme, or create new files in your uploads directory.
The correct permissions for most WordPress installations are directories set to 755 (owner can read, write and enter; group and others can read and enter), files set to 644 (owner can read and write; group and others can read only), and wp-config.php set to 600 (only the owner can read it) or 640 if the web server runs under the owning group and needs read access. That file holds the database credentials and the authentication salts, so nothing else on the server should be able to read it.
Never set any file or directory to 777 (full read/write/execute for everyone). On a shared server this lets any other account, and any compromised process, modify your files. Be clear about what file modes can and cannot do: they only restrict users other than the file owner. If PHP runs as the same user that owns the WordPress files (common with a per-site PHP-FPM pool), a compromised plugin can still write anywhere 644/755 allows, which is why the scanning in Step 9 matters even when permissions are correct. Read our complete guide to WordPress file permissions.
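An added example (not from the guide) of checking and applying these modes from the shell. It takes the site root as an argument and assumes a standard layout with wp-config.php in that root; run the fixing function as the user that owns the files, not as root, or you will also need to fix ownership afterwards.

```sh
#!/bin/sh
# Added example (not from the guide): audit and normalise permissions on a
# WordPress tree. The site root is passed as $1; wp-config.php is assumed to
# live directly in it.

# Print every world-writable file or directory (the 777/666 cases the guide warns about).
wp_find_world_writable() {
  find "${1%/}" -perm -002 -print
}

# Print anything that deviates from 755 (dirs), 644 (files), 600/640 (wp-config.php).
# Returns 1 if there is anything to report, 0 when the tree is clean.
wp_check_perms() {
  dir=${1%/}
  bad=$(
    find "$dir" -type d ! -perm 755 -print
    find "$dir" -type f ! -path "$dir/wp-config.php" ! -perm 644 -print
    find "$dir" -type f -path "$dir/wp-config.php" ! -perm 600 ! -perm 640 -print
  )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Apply the recommended modes. wp-config.php gets 600; change to 640 if your
# web server reads it through the group.
wp_fix_perms() {
  dir=${1%/}
  find "$dir" -type d -exec chmod 755 {} +
  find "$dir" -type f -exec chmod 644 {} +
  [ -f "$dir/wp-config.php" ] && chmod 600 "$dir/wp-config.php"
  return 0
}
```

Run `wp_check_perms /var/www/example` from cron and alert on a non-zero exit; a file that drifts back to 777 after you fixed it usually means a plugin or a deployment script is doing it, which is worth knowing.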
Step 7: Implement Security Headers
HTTP security headers are server-level directives that tell browsers how to handle your site’s content. Properly configured, they provide protection against cross-site scripting, clickjacking, MIME-type sniffing, and other browser-based attacks.
The most important security headers for WordPress sites are Content-Security-Policy (CSP), which restricts which scripts and resources can execute on your pages; X-Frame-Options or the CSP frame-ancestors directive, which prevents your site from being embedded in malicious iframes (clickjacking); Strict-Transport-Security (HSTS), which tells browsers to use HTTPS only and prevents SSL-stripping attacks; X-Content-Type-Options: nosniff, which prevents MIME-type sniffing; and Referrer-Policy, which controls what information is shared when visitors navigate away. HSTS, nosniff and frame-ancestors are safe to turn on immediately. A restrictive CSP is the hard one on WordPress, because core, themes and plugins emit inline scripts and styles that a strict policy blocks; deploy it first as Content-Security-Policy-Report-Only, review the violation reports, and only then switch to the enforcing header. Set HSTS with a max-age of at least a year once you are sure every subdomain serves HTTPS, since a browser that has seen the header will refuse plain HTTP to your site for that long.
Read our implementation guide on setting up WordPress security headers.
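An added example, not part of the guide, of verifying the headers above against a captured response rather than trusting that the configuration took effect. The two sample responses are constructed for the example; the check function works on whatever you pipe into it, such as the header dump from `curl -s -D - -o /dev/null https://example.com/` (a GET with the headers written to stdout, which is more reliable than a HEAD request because some servers answer HEAD differently).

```sh
#!/bin/sh
# Added example (not from the guide): check an HTTP response for the security
# headers discussed above. Both sample responses below are constructed.

sample_weak() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/8.2.0
Content-Type: text/html; charset=UTF-8
EOF
}

sample_hardened() {
cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
EOF
}

# check_security_headers  reads response headers on stdin, prints one line per
# finding, and returns the number of missing or weak headers (0 = all good).
check_security_headers() {
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')   # header names are case-insensitive
  findings=0
  has() { printf '%s\n' "$hdrs" | grep -q "$1"; }

  for h in strict-transport-security content-security-policy x-content-type-options referrer-policy; do
    has "^$h:" || { echo "missing: $h"; findings=$((findings + 1)); }
  done
  # Clickjacking: either header will do; frame-ancestors is the modern form.
  has '^x-frame-options:' || has '^content-security-policy:.*frame-ancestors' \
    || { echo "missing: x-frame-options or csp frame-ancestors"; findings=$((findings + 1)); }
  # Present with the wrong value is as bad as absent.
  if has '^x-content-type-options:' && ! has '^x-content-type-options: *nosniff'; then
    echo "weak: x-content-type-options is not nosniff"; findings=$((findings + 1))
  fi
  # max-age below 10000000 s (~116 days) is too short to be worth much.
  if has '^strict-transport-security:' && ! has '^strict-transport-security:.*max-age=[0-9]\{8,\}'; then
    echo "weak: hsts max-age under 10000000 seconds"; findings=$((findings + 1))
  fi
  # Not counted, but worth fixing: version banners help scanners (see Step 8).
  has '^x-powered-by:' && echo "info: x-powered-by banner present"
  return $findings
}

# Stand-alone run against both samples.
echo "weak response:";     sample_weak     | check_security_headers
echo "hardened response:"; sample_hardened | check_security_headers
```

Because the exit status is the number of findings, the function drops straight into a monitoring job: a non-zero exit after a theme or plugin change tells you something stripped a header.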
Step 8: Disable Unnecessary Features
Disable file editing. WordPress includes a built-in file editor (Appearance → Theme File Editor and Plugins → Plugin File Editor) that allows administrators to modify PHP files from the dashboard. If an attacker gains admin access, this editor lets them inject malicious code without needing FTP access. Disable it by adding define('DISALLOW_FILE_EDIT', true); to your wp-config.php file, above the “That's all, stop editing!” line. An attacker with an admin account can still upload a plugin zip; the stricter constant DISALLOW_FILE_MODS blocks that too, but it also blocks dashboard updates and installs, so it only suits sites whose code is deployed from outside the dashboard.
Disable XML-RPC unless you specifically need it. XML-RPC is a legacy WordPress API that enables remote posting, pingbacks, and third-party app connectivity. Two of its methods make it attractive to attackers: system.multicall lets one HTTP request try hundreds of username/password pairs, which defeats rate limits that count requests rather than attempts, and pingback.ping can be used to make your server send requests to a third party. If you use the WordPress mobile app, Jetpack, or other tools that rely on XML-RPC, leave it enabled but protect it with firewall rules (Jetpack publishes the address ranges its servers connect from). Otherwise, disable it entirely, and make sure your login rate limiter counts xmlrpc.php authentication attempts as well as wp-login.php ones.
Hide your WordPress version number. WordPress outputs its version number in a generator meta tag in the page source and in RSS feeds by default, and the same version string appears in the ?ver= query string on core scripts and stylesheets and in the readme.html file in the site root. While obscurity is not security, there is no reason to advertise your exact WordPress version to attackers scanning for version-specific vulnerabilities: remove the generator tag, strip the version query strings, and delete readme.html and license.txt (core updates restore them, so repeat this after each update).
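An added example (not from the guide or from WordPress itself) of adding the DISALLOW_FILE_EDIT define from above without hand-editing wp-config.php, so the change can be scripted across several sites. WP-CLI users can run `wp config set DISALLOW_FILE_EDIT true --raw` instead; this is the plain-shell equivalent. The sample config it runs against is constructed.

```sh
#!/bin/sh
# Added example (not from the guide): add or update a define() in wp-config.php,
# keeping it above WordPress's "stop editing" marker so wp-settings.php still
# loads last. Constructed sample config follows.

sample_wp_config() {
cat <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# wp_config_has_define FILE NAME  -> 0 if FILE already defines NAME
wp_config_has_define() {
  grep -Eq "define\([[:space:]]*'$2'[[:space:]]*," "$1"
}

# wp_config_set_define FILE NAME VALUE   VALUE is a simple PHP literal (true, false, 'str').
wp_config_set_define() {
  file=$1 name=$2 value=$3
  tmp=$(mktemp) || return 1          # scratch copy lives in /tmp with mode 600, not in the web root
  if wp_config_has_define "$file" "$name"; then
    # Rewrite the existing define in place, whatever its current spacing or value.
    sed -E "s/define\([[:space:]]*'$name'[[:space:]]*,[^)]*\)/define('$name', $value)/" "$file" > "$tmp"
  else
    # Insert above the marker; append if an old config has no marker at all.
    awk -v line="define('$name', $value);" '
      /stop editing/ && !done { print line; print ""; done = 1 }
      { print }
      END { if (!done) print line }' "$file" > "$tmp"
  fi
  # Write back through the existing inode so ownership and the 600 mode survive.
  # Never leave a wp-config.php.bak beside the real file: the web server hands
  # .bak files out as plain text, database password included.
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Stand-alone demo against a scratch copy of the sample config.
demo=$(mktemp)
sample_wp_config > "$demo"
wp_config_set_define "$demo" DISALLOW_FILE_EDIT true
grep -n DISALLOW_FILE_EDIT "$demo"
rm -f "$demo"
```

The same function sets any other constant the guide mentions, for example `wp_config_set_define /var/www/example/wp-config.php FORCE_SSL_ADMIN true`.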
Step 9: Set Up Malware Scanning
Even with all preventive measures in place, no system is 100% secure. Malware scanning provides a safety net — detecting infections early, before they cause significant damage.
Install a security plugin that provides regular malware scanning. The best options as of 2026 are Wordfence (comprehensive scanning, firewall, login security), Sucuri Security (server-side scanning, cloud-based WAF), and MalCare (automatic cleanup, cloud-based scanning that does not slow your site). Configure scanning to run at least daily for critical sites.
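Two of the checks a scanner performs can be run from cron with nothing but coreutils, which is also a useful second opinion when a plugin reports a clean site. The following is an added example, not code from the guide or from any of the plugins named. It assumes a standard layout (wp-content/uploads under the site root) and file paths without spaces, since the manifest is split on whitespace.

```sh
#!/bin/sh
# Added example (not from the guide): a PHP-in-uploads check and a hash
# manifest diff, the two integrity checks most scanners start with.
# Paths in the manifest are relative to the site root so a manifest taken on
# one host compares cleanly against a restore on another.

# PHP anywhere under wp-content/uploads is a red flag: WordPress never writes
# executable code there, but dropped web shells usually land there.
wp_php_in_uploads() {
  find "${1%/}/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) -print
}

# Hash every PHP file. Save the output as a baseline right after a clean
# install or update, and again before you trust a "clean" scan result.
wp_manifest() {
  (cd "${1%/}" && find . -type f -name '*.php' -exec sha256sum {} + | sort -k 2)
}

# wp_manifest_changes BASELINE CURRENT  prints "new|changed|removed PATH"
# lines and returns 1 if anything differs, 0 if the trees match.
wp_manifest_changes() {
  out=$(awk '
    NR == FNR { base[$2] = $1; next }          # first file: remember baseline hashes
    {
      if (!($2 in base))       print "new", $2
      else if (base[$2] != $1) print "changed", $2
      delete base[$2]
    }
    END { for (p in base) print "removed", p }' "$1" "$2" | sort)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}
```

A "changed" entry under wp-includes or wp-admin outside an update window, or any "new" entry under uploads, is worth treating as an incident until proven otherwise; plugins such as Wordfence do the same comparison against WordPress.org's copy of each file, which this cron job cannot, so use it alongside a scanner rather than instead of one.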
If your site is already infected, read our guide on removing malware from a hacked WordPress site, or contact our malware removal team for immediate professional cleanup.
Step 10: Maintain Regular Backups
Backups are your last line of defence. If your site is hacked and the damage is extensive, if a plugin update corrupts your database, or if your hosting provider has a catastrophic failure — a recent, reliable backup is the difference between a quick recovery and a devastating loss.
Your backup strategy should include daily automated backups of both files and database, off-site storage (backups stored on the same server as your site are not real backups), retention of at least 30 days (longer is better — some infections go undetected for weeks), and regular testing to verify backups can actually be restored.
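The file half of that strategy, with the restore test built in, as an added example that is not from the guide or from the backup service it mentions. The database dump is left to WP-CLI's `wp db export` and is not repeated here. The script assumes GNU coreutils (sha256sum, date -u); on macOS substitute `shasum -a 256`. Off-site copying is one `rsync` or object-storage upload of the archive and its checksum file, which you add after the verify step.

```sh
#!/bin/sh
# Added example (not from the guide): tar-based file backup with checksum,
# restore test and retention pruning. Database export is a separate step.

# wp_backup_files SITE_DIR DEST_DIR  -> prints the archive path it created
wp_backup_files() {
  site=${1%/} dest=${2%/}
  archive="$dest/files-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" || return 1
  # Checksum recorded by basename so the pair can be moved off-site together.
  (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256") || return 1
  printf '%s\n' "$archive"
}

# wp_verify_backup ARCHIVE  -> 0 only if the checksum matches, the archive
# unpacks, and wp-config.php came out of it. An untested backup is a guess.
wp_verify_backup() {
  archive=$1
  (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1) || return 1
  scratch=$(mktemp -d) || return 1
  tar -xzf "$archive" -C "$scratch" >/dev/null 2>&1 && [ -n "$(find "$scratch" -name wp-config.php)" ]
  rc=$?
  rm -rf "$scratch"
  return $rc
}

# wp_prune_backups DEST_DIR DAYS  removes archives and checksums older than DAYS
# (30 is the floor the guide recommends; longer if you can afford the space).
wp_prune_backups() {
  find "${1%/}" -name 'files-*.tar.gz*' -mtime +"$2" -exec rm -f {} +
}
```

A nightly job is then `a=$(wp_backup_files /var/www/example /backups) && wp_verify_backup "$a" && wp_prune_backups /backups 30`, followed by the off-site copy; if the verify fails, keep yesterday's archive and page someone rather than pruning.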
Our backup service handles all of this as part of every care plan — daily backups with 30 to 120-day retention depending on your plan level, stored off-site on secure redundant infrastructure. Read our guide on scheduling automatic WordPress backups.
Step 11: Monitor and Audit Regularly
Security is not a set-and-forget configuration. New vulnerabilities are discovered weekly. Attack techniques evolve. Plugins you install tomorrow might introduce vulnerabilities that do not exist today.
Monitor your security plugin’s alerts. Review flagged events, blocked attacks, and file change notifications at least weekly. If you see patterns — repeated attacks from specific IP ranges, probes targeting a specific plugin — investigate and respond.
Audit user accounts regularly. Remove accounts for people who no longer need access. Verify that no unexpected administrator accounts have appeared. Ensure all admin accounts have 2FA enabled.
Check Google Search Console. Google will notify you through Search Console if they detect malware, phishing pages, or other security issues on your site. Monitor this regularly. If you see a security warning, act immediately — read our guide on how to check if your site has been hacked.
Run periodic security audits. At least quarterly, do a full review — check all plugin versions, verify file permissions, test your backup restoration process, review firewall rules, and scan for vulnerabilities. Our security audit guide provides a complete checklist.
Frequently Asked Questions
Is WordPress inherently insecure?
No. WordPress core is actively maintained by a dedicated security team and is generally well-secured. The overwhelming majority of WordPress security breaches result from outdated plugins with known vulnerabilities, weak passwords, and misconfigured hosting environments — not from WordPress core itself. A properly maintained WordPress site with updated plugins, strong authentication, and a firewall is as secure as any other CMS.
Do I need a paid security plugin?
Free security plugins (like Wordfence Free and Sucuri Security) provide substantial protection. Paid versions typically add real-time firewall rules (free versions may delay rule updates by 30 days), priority support, and additional scanning features. For business-critical sites and ecommerce stores, the paid tier is usually worth the investment. For personal blogs and low-risk sites, free tiers provide adequate protection when combined with the hardening steps in this guide.
How do I know if my site has been hacked?
Common signs include unexpected redirects to spam sites, Google showing security warnings in search results, unknown admin users in your dashboard, hosting suspension for malware or spam activity, dramatically slower performance without explanation, and unfamiliar files appearing in your WordPress directory. Read our detailed guide to detecting WordPress compromises.
What should I do if my site is hacked?
Do not panic. Do not attempt to clean it yourself unless you have experience with malware removal — you risk making the situation worse or missing hidden backdoors. Contact a professional malware removal service immediately. If you are on a WP Ministry care plan, malware removal is included at no additional cost — call (901) 249-0909 and we will begin cleanup immediately.
How often should I audit my site’s security?
At minimum, quarterly. After any major change — a new plugin installation, a theme switch, a hosting migration, or a staffing change that involves access credentials — do an immediate audit. If your site handles sensitive data (customer information, payment details, medical records), monthly audits are recommended.
Need Expert Help? Let WP Ministry Handle It
WordPress security requires constant vigilance — updating plugins before vulnerabilities are exploited, monitoring for malware, maintaining firewall rules, and responding to threats in real time. Most site owners do not have the time or expertise to manage all of this themselves.
WP Ministry’s security service is included in every care plan. Our 24/7 team handles firewall management, malware scanning, brute force protection, vulnerability monitoring, and incident response — around the clock, every day. Plans start at $35/month, and malware removal is included at no extra cost for all subscribers.
View our care plans → or request a free security audit to see where your site currently stands.
Related Articles
How to Remove Malware From a Hacked WordPress Site