How to Secure a WordPress Site [WordPress Security Guide 2026]

WordPress sites get attacked every 39 seconds. With 42.5% of the web running on WordPress, the platform is the most-targeted CMS on the internet, and bots will find your site whether you have 10 visitors a month or 10 million.

The good news is that most WordPress security risks can be prevented with a handful of straightforward practices, and the highest-impact ones don’t require a single line of code.

In this guide, we walk you through 19 WordPress security practices we use across our 500+ client sites to keep WordPress secure and prevent breaches.

How Secure Is WordPress?

WordPress is secure at its core. The WordPress core team releases security patches for the CMS every few weeks, and we rarely see hacks that exploit core code itself. The real risk sits in the plugins and themes you add on top, which is where almost every attack we clean up at WPC originates. Wordfence tracked a 68% jump in plugin and theme vulnerability disclosures in 2024, and the trend has continued into 2026 (Wordfence 2024 Annual WordPress Security Report).

Common WordPress Attacks

Before we get into how to defend your site, it helps to understand what you’re up against. Five attack types make up the vast majority of what we see across our client base.

  • Brute force attacks and credential stuffing. Automated bots hit /wp-login.php, testing thousands of password combinations per minute. Credential stuffing reuses passwords leaked from other breaches, which is a major risk if you reuse passwords.
  • Cross-site scripting (XSS). Attackers inject malicious JavaScript through a vulnerable plugin or form. Visitors load the script unknowingly, exposing cookies, sessions, or personal data.
  • SQL injection (SQLi). Malicious SQL submitted through a vulnerable form can read, modify, or delete entire database tables. WooCommerce sites and contact forms are the common entry points.
  • Cross-site request forgery (CSRF). An authenticated user is tricked into submitting a request they didn’t intend, changing their password, adding an admin user, or transferring funds.
  • Distributed denial of service (DDoS). Mass traffic floods designed to take your site offline. Often a smokescreen for a secondary attack while your team is distracted.

How to Secure a WordPress Site [19 WordPress Security Best Practices]

WordPress security works best when you treat it as a layered defence, not a single fix. No single practice will protect your site, but layered defences stacked together will stop almost every attack we see at WPC. The five categories below cover those defences in order of impact, so start at the top and work your way down.

A. Choose Secure Foundations

The decisions you make when you first set up your WordPress site will shape how easy or hard it is to secure later. Get these right at the start, and you’ll save yourself the cost and stress of fixing them after a breach.

1. Choose secure WordPress hosting:

Your hosting provider is your first line of defence. Look for server-level malware scanning, automatic daily backups, isolated container hosting, and a built-in web application firewall. We recommend WP Engine, Kinsta, or Pressable for managed WordPress hosting, or VentraIP, Crucial, and Digital Pacific if you want an Australian provider.

2. Install an SSL/TLS certificate:

SSL encrypts the data flowing between your site and your visitors, protects against man-in-the-middle attacks, and is a confirmed Google ranking factor. Free certificates from Let’s Encrypt come included with every reputable host, so running an unsecured site in 2026 has no real justification.

3. Change the default login URL:

WordPress ships with /wp-login.php as the default login URL, and every brute force bot on the internet starts there. Renaming it through WPS Hide Login or your security plugin removes your site from the standard target list overnight. Read our guide on how to change your WordPress login URL for a full walkthrough.

4. Move wp-config.php above the web root:

Your wp-config.php file holds your database credentials and security keys in plain text. Moving it one directory above your web root keeps it out of reach of anyone browsing your site, without breaking any WordPress functionality. Most managed hosts will do this for you on request.

B. Lock Down Login and Access Control

Most WordPress hacks we clean up start with a stolen, guessed, or recycled login. Locking down the front door is the highest-leverage thing you can do after getting your hosting and SSL sorted.

5. Use strong passwords and enable two-factor authentication (2FA)

A strong password is long (16+ characters) and uses a mix of uppercase, lowercase, numbers, and symbols. Stop trying to memorise passwords yourself, because a password manager like 1Password or Bitwarden will generate and store unique ones for every account. Pair this with two-factor authentication through Wordfence Login Security, WP 2FA, or miniOrange, which blocks roughly 99% of automated account takeover attempts.

6. Limit failed login attempts and add CAPTCHA

WordPress allows unlimited login attempts by default, which means a brute force bot can keep guessing forever. A limiter like Limit Login Attempts Reloaded, or the built-in feature in Wordfence, locks out attackers after a handful of failed tries. Adding CAPTCHA on top stops automated bots before they even reach the login screen.
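As an added example that is not part of the original guide, the Python script below shows the detection a login limiter performs, run over a few constructed access-log lines: it counts failed POSTs to /wp-login.php and /xmlrpc.php per IP inside a sliding window and flags the IP once the threshold is crossed. The IP addresses, timestamps and the threshold of five attempts per minute are all made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log format, which most WordPress hosts produce.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that brute-force and credential-stuffing bots target.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]
    return ev

def find_brute_force(lines, max_attempts=5, window_seconds=60):
    """Return {ip: peak_count} for IPs whose failed login POSTs exceed
    max_attempts inside any window_seconds sliding window. A successful
    wp-login.php POST redirects (302); a 200 re-renders the form, i.e. failed."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if (not ev or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS
                or ev["status"] == 302):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) > max_attempts:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

def xmlrpc_posters(lines):
    """IPs that POST to xmlrpc.php at all: one system.multicall request can
    carry many password guesses, so a per-request threshold does not apply."""
    return {ev["ip"] for ev in map(parse_line, lines)
            if ev and ev["method"] == "POST" and ev["path"] == "/xmlrpc.php"}

# Constructed sample log: a bot guessing passwords, a legitimate user who
# fails once and then logs in, and a single xmlrpc.php POST.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2026:10:00:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.7 - - [26/May/2026:10:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.7 - - [26/May/2026:10:00:05 +1000] "POST /wp-login.php HTTP/1.1" 200 3541
198.51.100.4 - - [26/May/2026:10:00:06 +1000] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.7 - - [26/May/2026:10:00:07 +1000] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.7 - - [26/May/2026:10:00:09 +1000] "POST /wp-login.php HTTP/1.1" 200 3541
203.0.113.7 - - [26/May/2026:10:00:11 +1000] "POST /wp-login.php HTTP/1.1" 200 3541
198.51.100.4 - - [26/May/2026:10:00:12 +1000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [26/May/2026:10:00:20 +1000] "POST /xmlrpc.php HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    print(find_brute_force(SAMPLE_LOG.splitlines()), xmlrpc_posters(SAMPLE_LOG.splitlines()))
```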

7. Remove the default “admin” username:

If your admin account is named “admin”, attackers already have half your credentials and only need to guess the password. Create a new admin user with a unique username, reassign all content to it, then delete the original. We find sites still running the default admin account every week, so check yours now.

8. Assign minimum-necessary user roles:

WordPress has five built-in roles, from Subscriber up to Administrator, and most of your team doesn’t need admin access. Your content writer doesn’t need to install plugins. Your accountant doesn’t need to edit themes. Default every new user to Subscriber or Editor, and only elevate when there’s a clear reason.

9. Disable file editing inside the dashboard:

WordPress lets administrators edit theme and plugin PHP files directly from the dashboard, which is a backdoor that an attacker can walk through the moment they get in. One line in your wp-config.php file shuts it down:

define('DISALLOW_FILE_EDIT', true);

C. Keep WordPress Clean and Updated

Outdated software is the single largest cause of WordPress hacks we deal with at WPC. This category is the most boring practice in the guide and also the most important, so don’t skip it.

10. Update core, plugins, themes, and PHP regularly

Turn on auto-updates for minor WordPress core software releases, and review major releases on a staging site before pushing them live. Check your plugins every week and update anything that’s pending. While you’re at it, make sure your hosting is running PHP 8.2 or later, because anything older no longer receives security patches.

Read our guide on how to update your PHP version for the full process.

11. Delete unused plugins and themes

Every inactive WordPress theme and plugin on your server is still code that an attacker can exploit, especially if nobody is maintaining it. We routinely find sites with 8 to 12 dormant plugins still installed, and at least one of them is usually the entry point that got the site hacked. If you’re not actively using it, delete it. Don’t just deactivate.

12. Install from trusted sources only

Stick to plugins from WordPress.org or reputable commercial vendors with active support and frequent updates. Nulled or pirated “premium” themes downloaded from sketchy sites are routinely bundled with malware, and installing one is the fastest way to hand an attacker full access to your site. The savings are never worth the cleanup bill.

D. Add Proactive Defences

The first three categories make you a harder target. This one stops the attacks that still get past your basics by blocking them at the edge of your site before they reach WordPress.

13. Install a web application firewall (WAF)

A website firewall inspects every incoming request to your site and blocks malicious traffic like SQL injection, XSS, and known attack patterns before it touches WordPress. Cloudflare’s free tier handles this for most small sites, and Sucuri Firewall or Wordfence Premium are stronger paid options if you need deeper protection. We deploy Cloudflare on the majority of our client sites because the price-to-protection ratio is hard to beat.

14. Install a WordPress security plugin

A good security plugin combines malware scanning, file integrity monitoring, and login hardening in one package, and most include automated checks for malicious code injected into your theme or plugin files. We typically recommend Wordfence as a strong all-rounder, Solid Security for sites that need hardening focus, or Sucuri Security if you’re already using their cloud WAF. Pick one, configure it properly, and don’t run multiple security plugins at the same time because they’ll conflict.

15. Disable XML-RPC if you don’t use it

XML-RPC is a legacy WordPress feature that attackers love because it lets them test thousands of passwords in a single request through the system.multicall method. Unless you’re using the WordPress mobile app, Jetpack, or remote publishing tools, you should disable it. Add this to your .htaccess file:

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
# On Apache 2.4 without mod_access_compat, replace the Order/Deny lines above with: Require all denied

16. Hide your WordPress version

Version numbers in your page source code tell attackers exactly which CVEs to test against your site. Remove the generator meta tag and version query strings through a small filter in your theme’s functions.php file, and delete the readme.html file from your WordPress root directory. None of this stops a determined attacker, but it does remove your site from the easy-target lists that bots scan automatically.
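To confirm that the version-hiding filter and the readme.html removal actually took effect, here is an added Python checker that is not part of the original guide: it scans a page's HTML for the generator meta tag and for ver= query strings on core and plugin assets, and optionally probes /readme.html over the network. The sample HTML and the example.com URLs are constructed for the demonstration.

```python
import re
import sys
import urllib.error
import urllib.request

# The two in-page disclosures: the generator meta tag and ?ver= on enqueued assets.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]+)?', re.I)
VER_QUERY_RE = re.compile(r'(?:src|href)=["\']([^"\']*?[?&]ver=([\d.]+))', re.I)

def find_version_leaks(html):
    """Return a sorted list of (where, version) pairs disclosed in the HTML.
    Assets under /wp-includes/ reveal the WordPress version; assets under
    /wp-content/plugins/ reveal the plugin version, which is just as useful."""
    leaks = set()
    m = GENERATOR_RE.search(html)
    if m:
        leaks.add(("generator", m.group(1) or "unknown"))
    for url, version in VER_QUERY_RE.findall(html):
        if "/wp-includes/" in url:
            leaks.add(("core-asset", version))
        elif "/wp-content/plugins/" in url:
            leaks.add(("plugin-asset", version))
        else:
            leaks.add(("asset", version))
    return sorted(leaks)

def check_site(base_url):
    """Network check (not exercised offline): fetch the homepage, then probe
    /readme.html, which ships with WordPress and states the version."""
    findings = []
    with urllib.request.urlopen(base_url, timeout=10) as resp:
        findings.extend(find_version_leaks(resp.read().decode("utf-8", "replace")))
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + "/readme.html", timeout=10) as resp:
            if resp.status == 200 and b"WordPress" in resp.read(4096):
                findings.append(("readme.html", "reachable"))
    except urllib.error.HTTPError:
        pass  # a 403 or 404 here is what a hardened site should return
    return findings

# Constructed sample: what an unhardened page typically contains.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 6.5.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.5.2" />
<script src="https://example.com/wp-content/plugins/example-plugin/js/app.js?ver=5.9.3"></script>
<script src="https://example.com/wp-content/themes/example-theme/theme.js"></script>
</head></html>"""

# Constructed sample: the same page after the generator tag and ver strings are stripped.
HARDENED_HTML = """<html><head>
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css" />
<script src="https://example.com/wp-content/plugins/example-plugin/js/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    # Pass a site URL to check it live; with no argument, scan the constructed sample.
    findings = check_site(sys.argv[1]) if len(sys.argv) > 1 else find_version_leaks(LEAKY_HTML)
    for where, version in findings:
        print(f"{where}: {version}")
```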

E. Monitor and Recover

No defence is perfect, and the best security strategies assume something will eventually get through. This last category is about catching problems early and being ready to recover when they happen.

17. Run automated security and malware scans

Daily scans through Wordfence, Sucuri, or MalCare catch malware and suspicious file changes early, often before they cause real damage. File integrity monitoring is the single most useful feature in this category because it alerts you the moment a core WordPress file changes unexpectedly. Both Wordfence and the free Sucuri plugin include it.

18. Log all user activity on your site

An activity log records who logged in, what they changed, and when they did it. We use WP Activity Log on our managed client sites because it gives us a forensic trail when something looks off, and it’s often the first signal that an account has been compromised. Simple History is a solid free alternative if you want something lighter.

19. Run automated off-site backups

Follow the 3-2-1 rule: three copies of your data, on two different storage types, with one copy stored off-site. We recommend UpdraftPlus paired with cloud storage, BlogVault, or Solid Backups. Never store your backups on the same server as your live site, because if the server gets compromised, both copies are gone. Test a restore every quarter so you know it actually works when you need it.

Best WordPress Security Plugins for 2026

We’ve spent over a decade testing security plugins across our 500+ client sites, and these five are the ones we keep coming back to. Each solves a different problem, so the right pick depends on what your site actually needs.

Plugin | Best for | Free version | Key features
--- | --- | --- | ---
Wordfence | All-round security | Yes | WAF, malware scan, login security, 2FA
Solid Security (formerly iThemes) | Site hardening | Yes | Login lockdown, file change detection, 2FA
Sucuri Security | Malware monitoring + cloud WAF | Yes (paid for WAF) | Server-side scan, post-hack support
All-In-One WP Security & Firewall | Free comprehensive option | Yes (free only) | Firewall, user account security, blacklist
MalCare | Set-and-forget malware cleanup | Limited | One-click malware removal, server scan
Cloudflare | Network-layer security + CDN | Yes | DDoS protection, WAF rules, bot management

What to do if my WordPress website is hacked or attacked?

If your WordPress site has been hacked, don’t panic. We’ve recovered hundreds of compromised sites at WPC, and the process is more methodical than it feels in the moment. The key is to stop the damage first, then investigate, then rebuild.

Follow these steps to recover your website:

  1. Put your site into maintenance mode: Take your site offline to stop the malware from spreading to your visitors and to prevent further damage. Most security plugins have a one-click maintenance mode, or you can do it through .htaccess.
  2. Change every password connected to your site: WordPress admin, hosting account, FTP/SFTP, database, and any email accounts on the domain. If the attacker has one set of credentials, assume they have all of them.
  3. Run a full malware scan: Use Sucuri SiteCheck, Wordfence, or MalCare to identify the scope of the infection and find any backdoors the attacker may have planted.
  4. Restore from a clean backup if you have one: A backup from before the compromise is the fastest path to recovery. If you don’t have one, your host might. Read our WordPress recovery guide for the manual cleanup process.
  5. Update everything after restore: WordPress core, every plugin, every theme, and your PHP version. Outdated software is likely how the attacker got in, so don’t bring the same vulnerabilities back online.
  6. Audit your user accounts: Delete any admin users you don’t recognise and recover WordPress passwords for legitimate accounts. Check your activity logs to trace what the attacker did while they had access.
  7. Remove unused WordPress plugins and themes: Delete anything inactive, especially anything you haven’t updated recently. Inactive code is still code that an attacker can use.
  8. Submit a reconsideration request to Google: If your site was blacklisted, you’ll need to request a review through Google Search Console once the site is clean. Without this, the “Deceptive site” warning stays even after you’ve fixed the problem.

Conclusion

WordPress security comes down to one thing: doing the boring work consistently, before something goes wrong. Every site we’ve ever cleaned up could have been protected by the practices in this guide. The owners weren’t careless. They just didn’t have someone watching.

If you’re handling this yourself, don’t try to do everything at once. Spend an hour this week on the four things that matter most: turn on 2FA for every admin account, put a firewall in front of your site, update everything in your WordPress dashboard, and confirm your backups are actually working. Those four practices alone will keep your WordPress site secure against 90% of the security threats targeting WordPress sites today.

Come back next month and tackle the next layer. Then the next. Security isn’t a project you finish; it’s a habit you build.

And if building that habit isn’t realistic alongside running your business, you have another option.

Let WP Creative Handle Your WordPress Security

For the past 12 years, we’ve built, maintained, and secured WordPress sites for Australian businesses across every industry. Our website security plans are designed to take this entire guide off your plate, from hardening your site against attacks to monitoring it around the clock and cleaning it up if something goes wrong.

FAQs on How to Secure a WordPress Site

How often should I update my WordPress website?

Check for plugin and theme updates at least once a week, and apply WordPress core updates as soon as they’re available. We recommend turning on auto-updates for minor core releases and small plugin updates, and reviewing major releases on a staging site before pushing them live. Sites that go more than a month without updates are the ones we see compromised most often.

Can I secure my WordPress website without technical expertise?

Yes, most of the practices in this guide can be done without coding knowledge. Setting up 2FA, choosing strong passwords, installing a security plugin, configuring backups, and keeping your software updated are all manageable on your own. The more technical items, like editing .htaccess files or adjusting wp-config.php, are best handed to your developer or your hosting provider’s support team.

Are free themes and plugins safe to use?

Free isn’t the problem. Untrusted sources are. Free plugins and themes from the official WordPress repository are generally safe because they go through a code review process and receive regular updates, which keep your WordPress site safe from known vulnerabilities. Avoid downloading “premium” themes from torrent sites or sketchy marketplaces, because these are routinely bundled with malware. When in doubt, check the developer’s reputation, the last updated date, and the active install count before installing anything.

What is the best free WordPress security plugin?

The best free WordPress security plugins are Wordfence, Solid Security (formerly iThemes Security), and the free Sucuri plugin. Wordfence is our top pick because it combines a firewall, malware scanner, login security, and 2FA in a single plugin. Solid Security is a strong alternative if your priority is site hardening rather than monitoring. The Sucuri plugin is the lightest of the three and pairs well with their cloud firewall if you decide to upgrade later.

All three have free tiers that cover most small business sites comfortably.

How do I know if my WordPress site is vulnerable?

A WordPress site is most vulnerable when it has outdated software, weak passwords, no 2FA, no firewall, or no recent backups. Run a free scan through Sucuri SiteCheck or your security plugin to find specific security issues, and check your WordPress dashboard for pending updates, inactive plugins, and unrecognised user accounts. The more security vulnerabilities you leave open, the more likely your site is to be compromised.

How do I secure my WordPress site without plugins?

You don’t need a single WordPress plugin to improve your website security. Most of the practices in our WordPress security checklist below can be handled through your hosting provider, your WordPress settings, or a few small changes to your site’s files.

  • Update your website plugins, themes, and core files regularly
  • Prevent access to your public folder and files
  • Disable file editing for the .htaccess file
  • Use strong passwords and 2-factor authentication
  • Regularly back up or export all of your site’s content
  • Change the default WordPress login URL
  • Remove unused WordPress plugins and themes
  • Disallow access to your WordPress files and directory
  • Only use trusted plugins, tools, and themes

What are the most common WordPress vulnerabilities?

With the increasing use of WordPress platforms comes the risk of attacks. These are the most common ones to watch out for in 2026.

  • Weak passwords and not using 2-factor authentication
  • Cross-Site Scripting (XSS)
  • Outdated plugins, extensions, core WordPress and PHP files
  • Unsecured hosting partner
  • Malware and Phishing
  • Not setting up proper user permissions
  • Not backing up the site regularly

How do I know if my WordPress site has been hacked?

You won’t always get an obvious warning, but a hacked WordPress site usually shows a handful of telltale signs. If you spot any of these, run a scan with Sucuri SiteCheck or Wordfence straight away to confirm what you’re dealing with.

  • Google Search Console flags your site with a “Site may be hacked” or “Deceptive site ahead” warning
  • Your browser shows a security warning when you visit your own URL
  • Unfamiliar admin accounts appear in your WordPress dashboard
  • Strange links or content show up in your footer, header, or blog posts
  • Your organic traffic drops suddenly, or you start ranking for spam keywords
  • Your hosting provider notifies you of malware on the server
  • You’re locked out of your own WordPress dashboard
  • Unusual outbound emails or spam start bouncing back to your domain

Is it good to use multiple security tools on your WordPress website?

Yes, as long as they don’t overlap or conflict with each other. A comprehensive security strategy typically pairs a cloud-based WAF like Cloudflare with a plugin-based security tool like Wordfence because each handles a different layer. Running two firewall plugins at the same time, on the other hand, is asking for trouble because they’ll fight each other and break your site. Stick to tools from reputable vendors and test any new addition on a staging site first.

Updated on: 26 May 2026


Nirmal Gyanwali, Director of WP Creative

With over 16 years of experience in the web industry, Nirmal has built websites for a wide variety of businesses, from mom n’ pop shops to some of Australia’s leading brands. Nirmal brings his wealth of experience in managing teams to WP Creative along with his wife, Saba.