Your WordPress website gets attacked. Not “might get” or “could get”—it already is.

Automated bots scan millions of websites daily, looking for vulnerabilities. A study by Sucuri found that WordPress sites experience an average of 90+ attack attempts per day. Most fail. Some succeed.

When hackers succeed, the damage ranges from annoying to catastrophic:

  • Malware infections that get your site blacklisted by Google
  • Stolen customer data leading to GDPR fines up to €20 million
  • Ransomware demanding payment to restore access
  • Complete data loss if no backups exist
  • Brand reputation damage that takes years to rebuild

This isn’t theoretical. In 2024, over 13,000 WordPress sites were compromised daily according to security researchers. Many were small business websites with “nothing worth stealing”—wrong assumption.

Hackers want server resources for cryptocurrency mining, email spam distribution, or building botnets. Your customer data is bonus payload.

This guide shows you exactly how to secure your WordPress website against the attacks happening right now.

Why WordPress Sites Get Hacked

WordPress itself is secure. The core software undergoes rigorous security audits and receives regular updates.

The vulnerabilities come from:

Outdated software (39% of hacks): WordPress, themes, or plugins running old versions with known security holes. Hackers maintain databases of these vulnerabilities and scan for sites running outdated software.

Weak passwords (16% of hacks): “password123” or “admin” as login credentials. Brute force attacks try thousands of common passwords until one works.

Nulled themes/plugins (11% of hacks): “Free” premium themes downloaded from shady websites often contain backdoors and malware.

Insecure hosting (29% of hacks): Shared hosting where one compromised site infects hundreds of others on the same server.

Other vulnerabilities (5%): SQL injection, cross-site scripting, and other technical exploits.

The good news: all of these are preventable with proper security measures.

Update Everything Immediately

Every WordPress update fixes security vulnerabilities. Delaying updates is like leaving your front door unlocked because you’re “too busy” to close it.

Enable Automatic Updates

WordPress supports automatic updates for core, themes, and plugins.

Core WordPress: Already enabled by default for minor updates (5.9.1 → 5.9.2).

For major updates (5.9 → 6.0), add to wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

Plugins and themes: Go to Dashboard → Updates → Enable automatic updates for each plugin and theme.

Or use the “Easy Updates Manager” plugin for granular control over what updates automatically.

Check Updates Weekly

Even with automatic updates enabled, manually verify weekly:

  1. Go to Dashboard → Updates
  2. Check for any pending updates
  3. Review changelog to understand what’s being fixed
  4. Update immediately

Set a recurring calendar reminder every Monday morning for update checks.

The Update Hesitation Problem

“But updates might break my site!”

Yes, occasionally updates cause compatibility issues. The solution isn’t avoiding updates—it’s proper testing:

  1. Backup before updating (automated with UpdraftPlus)
  2. Test on staging site first if you have critical customizations
  3. Update during low-traffic hours (3 AM local time)
  4. Have rollback plan ready

The risk of hacking from outdated software far exceeds the risk of temporary compatibility issues.

Use Strong Passwords and Two-Factor Authentication

Password “admin” with username “admin” is hacker Christmas. Yet 23% of WordPress sites still use variations of this.

Password Requirements

Minimum standards:

  • 16+ characters
  • Mix of uppercase, lowercase, numbers, symbols
  • No dictionary words
  • No personal information (names, birthdays)
  • Unique for each account (never reuse)

Example of weak password: JohnSmith2024!

Example of strong password: mK9$nP2@vL4%xR8&qW3#tY6

Use a password manager (1Password, Bitwarden, LastPass) to generate and store complex passwords.

Two-Factor Authentication (2FA)

Passwords alone aren’t enough. 2FA requires two forms of verification:

  1. Something you know (password)
  2. Something you have (phone, authentication app)

Even if hackers steal your password, they can’t log in without your phone.

Implementing 2FA with Wordfence

  1. Install Wordfence Security plugin
  2. Go to Wordfence → Login Security
  3. Enable two-factor authentication
  4. Scan QR code with authentication app (Google Authenticator, Authy)
  5. Require 2FA for all administrator accounts

Alternative: “Two-Factor” plugin (free, simpler interface)

Critical: Save backup codes in case you lose phone access.

Password Policy for Team Members

If multiple people access your WordPress site:

  1. Enforce strong passwords: Use “Force Strong Passwords” plugin
  2. Limit login attempts: Prevent brute force attacks (covered next section)
  3. Regular password changes: Every 90 days minimum
  4. Immediately revoke access when team members leave

Limit Login Attempts

Default WordPress allows unlimited login attempts. Hackers exploit this with brute force attacks—trying thousands of username/password combinations until one works.

Install Limit Login Attempts Reloaded

  1. Install “Limit Login Attempts Reloaded” plugin
  2. Configure settings:
    • 4 allowed retries
    • 20 minutes lockout after failed attempts
    • 24 hours lockout after 4 lockouts
  3. Enable IP whitelist for known safe locations

After 4 failed login attempts, that IP address is blocked for 20 minutes. Persistent attackers get blocked for 24 hours.

Wordfence Alternative

Wordfence includes brute force protection:

  1. Go to Wordfence → Firewall
  2. Enable “Brute Force Protection”
  3. Set lockout threshold to 4 attempts
  4. Enable instant IP blocking for known attackers

Monitor Failed Login Attempts

Check failed login logs weekly:

  1. Wordfence → Tools → Live Traffic
  2. Filter by “Failed logins”
  3. Block IPs with multiple attempts

Seeing dozens of failed attempts from various IPs? That’s normal bot activity. Your security is working.
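An added example (not part of the original guide) that performs the same weekly failed-login review from the raw web-server access log instead of the Wordfence Live Traffic view, using the 4-attempt lockout threshold configured above. The log lines are constructed and use documentation IP ranges; the function names are my own.

```shell
#!/bin/sh
# Constructed Apache combined-format access log (documentation IPs, not real traffic).
# WordPress answers a failed wp-login.php POST with 200 (the form is shown
# again) and a successful one with a 302 redirect to wp-admin, so a 200 on a
# POST to a login endpoint is a failed attempt. xmlrpc.php is included because
# its system.multicall method is a common brute-force channel (see "Disable XML-RPC").
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2025:03:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:03:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:03:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:03:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:03:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:03:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:03:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2025:03:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:03:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:03:05:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Print "count ip", highest first, for failed POSTs to the login endpoints.
# Fields: $1 client IP, $6 "METHOD, $7 path, $9 HTTP status.
count_failed_logins() {
  awk '$6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") && $9 == "200" { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print only the IPs at or above the lockout threshold (default 4, as configured above).
flag_bruteforce() {
  count_failed_logins "$1" | awk -v t="${2:-4}" '$1 >= t { print $2 }'
}

# Demo against the constructed sample: one IP is over the threshold, the
# legitimate user (one POST answered with 302) never shows up.
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
echo "Failed login attempts per IP:"
count_failed_logins "$LOG"
echo "IPs at or over the lockout threshold:"
flag_bruteforce "$LOG" 4
rm -f "$LOG"
```

Point the functions at your real access log (for example /var/log/apache2/access.log) to get the same report for your own site.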

Change Default Login URL

WordPress login is always at yoursite.com/wp-admin or yoursite.com/wp-login.php.

Hackers know this. They target these URLs with automated attacks.

Changing your login URL doesn’t improve security dramatically, but it eliminates 99% of automated bot attacks, reducing server load and log noise.

Use WPS Hide Login Plugin

  1. Install “WPS Hide Login” plugin
  2. Go to Settings → WPS Hide Login
  3. Change login URL to something unique: yoursite.com/secure-access-2024
  4. Save changes
  5. Bookmark new URL (don’t forget it!)

Now accessing yoursite.com/wp-admin redirects to your homepage. Only yoursite.com/secure-access-2024 shows the login page.

Important: Save your new login URL somewhere safe. If you forget it, you’ll need FTP access to disable the plugin.

Install a WordPress Security Plugin

Security plugins provide comprehensive protection in one package.

Wordfence Security (Free)

What it does:

  • Firewall blocks malicious traffic
  • Malware scanner checks all files
  • Login security with 2FA
  • Real-time threat defense
  • Security notifications

Setup:

  1. Install Wordfence Security
  2. Complete setup wizard
  3. Run initial scan
  4. Review and fix flagged issues
  5. Enable automatic scans (daily)

The Wordfence free version provides excellent protection. Premium ($119/year) adds real-time threat intelligence and country blocking.

Sucuri Security (Free)

Alternative to Wordfence with similar features:

  • Security activity monitoring
  • File integrity monitoring
  • Blacklist monitoring
  • Security hardening

Sucuri’s strength is post-hack cleanup. Their premium service ($199/year) includes malware removal guarantee.

All In One WP Security & Firewall (Free)

Most user-friendly option:

  • Security strength meter
  • Visual interface for settings
  • No premium upsells

Good for beginners who find Wordfence overwhelming.

Choose one security plugin. Don’t install multiple—they conflict and create vulnerabilities.

Keep Regular Backups

Security isn’t just prevention—it’s also recovery planning. If your site gets hacked despite precautions, backups let you restore everything quickly.

Backup Requirements

What to backup:

  • WordPress files (themes, plugins, uploads)
  • Database (posts, pages, settings, users)
  • Configuration files (wp-config.php, .htaccess)

Backup frequency:

  • Daily for e-commerce sites
  • Weekly for regularly updated blogs
  • Monthly for static business sites

Backup storage:

  • Off-site location (not same server as website)
  • Multiple locations for critical sites
  • Cloud storage (Google Drive, Dropbox, AWS S3)

UpdraftPlus Backup Setup

UpdraftPlus is the most popular backup plugin with 3+ million active installations.

  1. Install UpdraftPlus Backup/Restore
  2. Go to Settings → UpdraftPlus Backups
  3. Click “Settings” tab
  4. Configure schedule:
    • Files backup: Weekly
    • Database backup: Daily
  5. Choose remote storage: Google Drive (free 15GB)
  6. Save changes
  7. Click “Backup Now” to test

Critical: Test your backups monthly by actually restoring to a test environment.

Many people discover their backups are corrupted only when they desperately need them.

Alternative: BlogVault or VaultPress

Paid services ($99-299/year) offering:

  • Real-time backups
  • One-click restore
  • Staging environments
  • Malware scanning
  • Migration assistance

Worth it for business-critical websites.

Secure wp-config.php File

The wp-config.php file contains your database credentials and security keys. If hackers access this file, they control your entire site.

Move wp-config.php Up One Directory

WordPress allows wp-config.php to sit one directory above your WordPress installation:

  1. Connect via FTP or hosting file manager
  2. Move wp-config.php from /public_html/ to /home/username/
  3. WordPress will automatically find it there

Hackers scanning standard locations won’t find it.

Change Security Keys

WordPress uses security keys to encrypt login cookies. Default keys are public knowledge.

  1. Visit https://api.wordpress.org/secret-key/1.1/salt/
  2. Copy generated keys
  3. Edit wp-config.php
  4. Replace existing key definitions with new ones
  5. Save file

This logs out all users (including you) but secures sessions.
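An added example, not from the original guide, that performs the key rotation offline: it generates the eight keys locally from /dev/urandom instead of fetching them from api.wordpress.org and rewrites the define() lines in a constructed wp-config.php. The function names are my own.

```shell
#!/bin/sh
# Rotate the eight WordPress authentication keys and salts in a wp-config.php.
# These values feed the keyed hashes that sign login cookies and nonces, so
# replacing them invalidates every existing session, exactly as the guide says.
KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 64 random characters from a set that is safe inside a single-quoted PHP
# string and inside a sed replacement (no quote, backslash, slash or ampersand).
gen_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%+=_' < /dev/urandom | head -c 64
  echo
}

# Rewrite each define( 'NAME', '...' ); line via a temp file (works with both
# GNU and BSD sed). Returns 1 before touching anything if a key line is missing.
rotate_keys() {
  cfg=$1
  for name in $KEY_NAMES; do
    grep -q "define( *'$name'" "$cfg" || { echo "missing $name in $cfg" >&2; return 1; }
  done
  for name in $KEY_NAMES; do
    key=$(gen_key)
    sed "s/define( *'$name', *'[^']*' *);/define('$name', '$key');/" "$cfg" > "$cfg.tmp" \
      && mv "$cfg.tmp" "$cfg"
  done
}

# Constructed wp-config.php fragment carrying the stock placeholder phrase.
make_sample_config() {
  f=$(mktemp)
  for name in $KEY_NAMES; do
    echo "define('$name', 'put your unique phrase here');" >> "$f"
  done
  echo "$f"
}

# Demo: rotate the constructed file and show the result.
CFG=$(make_sample_config)
rotate_keys "$CFG"
cat "$CFG"
rm -f "$CFG"
```

Run rotate_keys against a copy of your real wp-config.php first, diff the two, and only then move the rotated copy into place.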

Disable File Editing

WordPress admin panel allows editing theme and plugin files. Convenient for quick fixes, dangerous if hackers gain admin access.

Add to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

This disables the theme/plugin editor in admin panel.

Use Secure Hosting

Your hosting provider is your first line of defense. Cheap hosting cutting corners on security puts your site at risk.

Security Features to Require

Server-level security:

  • Malware scanning
  • DDoS protection
  • Automatic WordPress updates
  • Isolated accounts (your site separate from others)
  • Firewall protection

Backup and monitoring:

  • Automatic daily backups
  • 24/7 monitoring
  • Instant hack recovery

SSL certificate:

  • Free SSL (Let’s Encrypt)
  • Automatic renewal
  • HTTPS enforcement

Recommended Secure Hosts

SiteGround (from €14.99/month)

  • Proactive security monitoring
  • Free SSL certificate
  • Daily backups
  • Hack fix guarantee

Kinsta (from €30/month)

  • Premium managed WordPress hosting
  • Enterprise security features
  • DDoS detection
  • Automatic malware removal

Cloudways (from €11/month)

  • Cloud hosting with security add-ons
  • Automated backups
  • Two-factor authentication
  • Free SSL

Avoid budget hosting advertising “unlimited” everything for €3/month. Security infrastructure costs money.

Install SSL Certificate (HTTPS)

SSL certificates encrypt data between your website and visitors. Without SSL:

  • Login credentials sent in plain text
  • Google marks site as “Not Secure”
  • SEO rankings penalized
  • Payment processors reject site

Obtaining SSL Certificate

Most quality hosting providers include free SSL certificates (Let’s Encrypt).

Through hosting control panel:

  1. Login to cPanel or hosting dashboard
  2. Find “SSL/TLS” or “SSL Manager”
  3. Click “Install Free SSL”
  4. Select your domain
  5. Certificate activates within minutes

Through Cloudflare:

  1. Add site to Cloudflare (free account)
  2. Change nameservers at domain registrar
  3. SSL certificate automatically provisions
  4. Benefit: Cloudflare CDN + security included

Force HTTPS Across Entire Site

After installing SSL, force all traffic to HTTPS:

Method 1: Using a plugin. Install the “Really Simple SSL” plugin—it automatically handles redirects and mixed content issues.

Method 2: Via .htaccess. Add to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Verify by visiting http://yoursite.com—it should redirect to https://yoursite.com.

Disable XML-RPC

XML-RPC is a WordPress feature enabling remote connections (mobile apps, third-party tools). It’s also a common attack vector.

Unless you specifically use XML-RPC (most don’t), disable it.

Disable via Plugin

Install “Disable XML-RPC” plugin. That’s it—one click, problem solved.

Disable via .htaccess

Add to .htaccess (this is Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat, use “Require all denied” inside the same <Files> block instead):

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

Check if XML-RPC is Disabled

Visit yoursite.com/xmlrpc.php

  • If disabled: You see error message
  • If enabled: You see “XML-RPC server accepts POST requests only”

Hide WordPress Version

WordPress version information helps hackers identify which exploits might work on your site.

Remove Version from Source Code

Add to functions.php:

remove_action('wp_head', 'wp_generator');

This removes the meta tag showing WordPress version.

Remove Version from RSS Feeds

Add to functions.php:

add_filter('the_generator', '__return_empty_string');

Remove Version from Scripts/Styles

WordPress appends version numbers to CSS and JavaScript files. Remove with plugin “Remove Query Strings From Static Resources” or use the code from the speed optimization guide.

Disable Directory Browsing

If directory indexing is enabled, anyone can see files in your uploads, themes, and plugins directories by visiting the folder URL.

Disable via .htaccess

Add to .htaccess:

Options -Indexes

Verify It Works

Visit yoursite.com/wp-content/uploads/

  • If disabled: Error 403 or redirects to homepage
  • If enabled: You see list of all uploaded files

Protect Against SQL Injection

SQL injection attacks insert malicious code into database queries.

Protection via Security Plugin

Wordfence and Sucuri automatically protect against SQL injection.

Protection via .htaccess

Add these query-string filtering rules:

RewriteEngine On
# Block query-string values that point at a remote URL (remote file inclusion attempts)
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
# Block query-string values containing ../ or absolute-path sequences (traversal attempts)
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule ^(.*)$ - [F,L]

This blocks common SQL injection patterns. Note that these rules only inspect the query string (remote URLs and ../ sequences), not POST bodies or cookies, so treat them as a supplement to your security plugin’s firewall rather than a replacement; the real defense against SQL injection is in code, where plugins and themes must build queries with $wpdb->prepare() instead of string concatenation.

Scan for Malware Regularly

Even with preventive measures, regularly verify your site isn’t compromised.

Using Wordfence Scanner

  1. Go to Wordfence → Scan
  2. Click “Start New Scan”
  3. Wait for completion (5-30 minutes depending on site size)
  4. Review issues found
  5. Fix critical issues immediately

Run scans weekly, or daily for high-value sites.

Using Sucuri SiteCheck (External Scanner)

  1. Visit sitecheck.sucuri.net
  2. Enter your website URL
  3. Review security report
  4. Check blacklist status
  5. Scan for malware

External scanners catch issues internal scanners might miss.

What to Look For

Warning signs of compromise:

  • Unknown admin users
  • Unfamiliar files in wp-content
  • Modified core WordPress files
  • Outbound spam emails
  • Sudden traffic spikes
  • Google blacklist warnings
  • Unexplained redirects

Set Proper File Permissions

Incorrect file permissions allow hackers to modify files they shouldn’t access.

Correct WordPress Permissions

Directories: 755 or 750
Files: 644 or 640
wp-config.php: 440 or 400 (most restrictive)

Setting Permissions via FTP

  1. Connect via FTP (FileZilla)
  2. Right-click folder/file → File Permissions
  3. Set numeric value (755, 644, etc.)
  4. For folders, check “Recurse into subdirectories”
  5. Apply changes

Setting Permissions via SSH

find /path/to/wordpress/ -type d -exec chmod 755 {} \;
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
chmod 440 /path/to/wordpress/wp-config.php

Never set permissions to 777. This gives everyone full access—essentially handing your site to hackers.
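An added example (not from the original guide) that audits a WordPress tree against the baseline above and fixes it with the same find/chmod commands; it builds a constructed sample site in a temp directory, so the function names, paths and the deliberately wrong modes are mine.

```shell
#!/bin/sh
# Report every path whose mode deviates from the baseline: directories
# 755/750, files 644/640, wp-config.php 440/400. World-writable entries are
# reported first, because that is the 777 mistake the guide warns about.
# Paths are printed without modes so this works with both GNU and BSD find.
audit_wp_perms() {
  root=$1
  find "$root" -perm -002 -print | sed 's|^|WORLD-WRITABLE |'
  find "$root" -type d ! -perm -002 ! -perm 755 ! -perm 750 -print | sed 's|^|DIR |'
  find "$root" -type f ! -perm -002 ! -name wp-config.php ! -perm 644 ! -perm 640 -print \
    | sed 's|^|FILE |'
  # If you moved wp-config.php one directory up, audit that location too.
  if [ -f "$root/wp-config.php" ]; then
    find "$root/wp-config.php" ! -perm 440 ! -perm 400 -print | sed 's|^|CONFIG |'
  fi
}

# Apply the guide's SSH commands to the whole tree.
fix_wp_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 440 "$root/wp-config.php"; fi
}

# Constructed sample tree with the classic mistakes: a 777 uploads directory,
# a 666 upload, an executable plugin file and a world-readable wp-config.php.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads" "$site/wp-content/plugins/demo"
  for f in index.php wp-config.php wp-content/plugins/demo/demo.php wp-content/uploads/photo.jpg; do
    : > "$site/$f"
  done
  find "$site" -type d -exec chmod 755 {} +
  find "$site" -type f -exec chmod 644 {} +
  chmod 777 "$site/wp-content/uploads"
  chmod 666 "$site/wp-content/uploads/photo.jpg"
  chmod 755 "$site/wp-content/plugins/demo/demo.php"
  echo "$site"
}

# Demo: audit, fix, audit again (an empty second report means clean).
SITE=$(make_sample_site)
echo "Before:"; audit_wp_perms "$SITE"
fix_wp_perms "$SITE"
echo "After:"; audit_wp_perms "$SITE"
rm -rf "$SITE"
```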

Limit User Access and Roles

Not everyone needs administrator access. WordPress provides multiple user roles with different permission levels.

WordPress User Roles

Administrator: Full access—use sparingly
Editor: Create/edit/publish content
Author: Create/edit/publish own posts
Contributor: Create/edit own posts (cannot publish)
Subscriber: Profile management only

User Access Best Practices

  1. Give minimum necessary permissions: content writers need the Author role, not Administrator
  2. Limit administrator accounts: only 1-2 people should have admin access
  3. Audit users quarterly: remove inactive accounts and downgrade permissions that are no longer needed
  4. Use temporary admin access: if developers need admin access for a project, create temporary admin accounts and delete them when the project completes
  5. Monitor user activity: use the “Simple History” plugin to log all user actions

Remove Unused Accounts

Go to Users → All Users → Delete accounts for:

  • Former employees
  • Completed contractor projects
  • Test accounts
  • Inactive users (no login in 6+ months)

Monitor Your Website Security

Proactive monitoring catches issues before they become disasters.

What to Monitor

Security events:

  • Failed login attempts
  • File modifications
  • New user registrations
  • Plugin activations/deactivations
  • Theme changes

Performance indicators:

  • Sudden traffic spikes (possible DDoS)
  • Increased server load
  • Unusual outbound traffic

Blacklist status:

  • Google Safe Browsing
  • Norton Safe Web
  • PhishTank

Monitoring Tools

Wordfence Security Alerts: sends email notifications for:

  • Failed admin logins
  • New administrator accounts
  • File changes
  • Malware detected

Configure: Wordfence → All Options → Email Alert Preferences

UptimeRobot: monitors site uptime and speed

  • Checks every 5 minutes
  • Alerts via email/SMS when site goes down
  • Free for 50 monitors

Google Search Console: alerts you to:

  • Security issues
  • Manual actions (penalties)
  • Crawl errors

Set up at search.google.com/search-console

WordPress Security Checklist

Use this checklist monthly to verify your security posture:

Core Security

  • [ ] WordPress core updated to latest version
  • [ ] All plugins updated
  • [ ] All themes updated
  • [ ] Automatic updates enabled
  • [ ] Strong passwords on all accounts
  • [ ] Two-factor authentication active
  • [ ] Security plugin installed and configured

Login Protection

  • [ ] Limited login attempts enabled
  • [ ] Login URL changed (optional)
  • [ ] Failed login monitoring active
  • [ ] Admin username is not “admin”
  • [ ] No password reuse across accounts

File Security

  • [ ] wp-config.php secured and moved
  • [ ] Security keys changed
  • [ ] File editing disabled in admin
  • [ ] Proper file permissions set
  • [ ] Directory browsing disabled

Server & Hosting

  • [ ] SSL certificate active and auto-renewing
  • [ ] HTTPS enforced site-wide
  • [ ] Secure hosting provider
  • [ ] XML-RPC disabled (if not needed)
  • [ ] WordPress version hidden

Monitoring & Backups

  • [ ] Daily automated backups
  • [ ] Backups stored off-site
  • [ ] Backup restoration tested
  • [ ] Weekly malware scans
  • [ ] Security monitoring alerts configured

User Management

  • [ ] User access audit completed
  • [ ] Minimum necessary permissions assigned
  • [ ] Inactive accounts removed
  • [ ] User activity monitored

Advanced

  • [ ] SQL injection protection active
  • [ ] Firewall configured
  • [ ] DDoS protection enabled
  • [ ] Regular security scans scheduled

What to Do If You Get Hacked

Despite best precautions, hacks happen. Quick response minimizes damage.

Immediate Steps

1. Don’t panic (panic causes mistakes)

2. Take site offline temporarily

  • Add maintenance mode plugin, OR
  • Change database password to prevent site loading

3. Change all passwords immediately

  • WordPress admin accounts
  • Hosting account
  • FTP/SSH access
  • Database
  • Email accounts

4. Assess the damage

  • What files were modified?
  • Was data stolen?
  • Are there backdoors installed?
  • Is malware present?

5. Scan thoroughly

  • Run Wordfence or Sucuri scan
  • Use external scanner (Sucuri SiteCheck)
  • Check for unknown admin users
  • Review recently modified files

6. Clean the infection

  • Delete malicious files
  • Restore clean files from backup
  • Remove backdoors
  • Clean database of malicious code

7. Restore from backup (if cleaning fails)

  • Use most recent clean backup
  • Restore files and database
  • Verify restoration worked

8. Harden security

  • Implement all security measures in this guide
  • Change security keys
  • Update everything
  • Add IP whitelisting if possible

9. Monitor closely

  • Check daily for one week
  • Review logs for suspicious activity
  • Run scans every 2-3 days

10. Submit for blacklist removal

  • Google Safe Browsing: google.com/safebrowsing/report_badware/
  • Norton SafeWeb: safeweb.norton.com/help/site_owners
  • After site is confirmed clean

When to Hire Professional Help

Consider professional malware removal services if:

  • You can’t identify the infection source
  • Cleaning attempts fail repeatedly
  • Site contains sensitive customer data
  • You lack technical expertise
  • Business revenue depends on site uptime

Services like Sucuri ($199+), MalCare ($99+), or Wordfence Response Team ($490+) guarantee complete malware removal.

Security Is an Ongoing Process

WordPress security isn’t a one-time setup. Threats evolve, new vulnerabilities emerge, and attackers develop new techniques.

Commit to monthly security maintenance:

  • Update everything
  • Run security scans
  • Review user accounts
  • Check backups
  • Monitor logs
  • Test restoration

These 30 minutes monthly prevent the devastating hours (or days) recovering from a successful hack.

Your website represents your business online. Protect it accordingly.


Need comprehensive WordPress security implementation? CS Technologies provides professional WordPress security audits and hardening services. We’ll secure your site against current threats and implement monitoring to catch new ones. Contact us for a free security assessment.

© 2025 CS Technologies. Designed & Developed by CS Technologies. All Rights Reserved.