
How to Secure Your WordPress Site: A Complete Security Hardening Guide

Muhammad Saad | April 17, 2026 | 7 min read

WordPress powers over 40% of all websites on the internet, making it the most popular CMS by a wide margin. That popularity also makes it the most targeted. If you want to secure your WordPress site properly, you need more than just a security plugin — you need a layered approach that addresses the most common attack vectors.

This guide walks you through every essential security step, from the basics to advanced hardening techniques.

Why WordPress Sites Get Hacked

Before fixing anything, understand why WordPress sites get compromised:

  • Outdated software — Old WordPress core, plugins, or themes with known vulnerabilities
  • Weak passwords — "admin/password123" is still shockingly common
  • Cheap shared hosting — Overcrowded servers with poor isolation between accounts
  • Nulled themes/plugins — Pirated premium plugins that contain backdoors
  • No firewall — Direct exposure to brute force attacks and bots

The good news? Most attacks are automated and unsophisticated. The security steps below stop 99% of them.

Step 1: Keep Everything Updated

This is the single most important thing you can do to secure your WordPress site. Most successful attacks exploit known vulnerabilities in outdated software.

# Using WP-CLI to update everything
wp core update
wp plugin update --all
wp theme update --all

Enable automatic security updates in wp-config.php:

define('WP_AUTO_UPDATE_CORE', 'minor');

For plugins, add auto-updates through the WordPress admin under Plugins → Enable auto-updates for each plugin.

Check your PHP version too. If you're running PHP 7.x, upgrade to PHP 8.2 or 8.3. Older PHP versions no longer receive security patches.

Step 2: Secure Your Login

WordPress login pages are the primary target for brute force attacks. Lock them down:

Change the Admin Username

If your admin account is literally called "admin," change it immediately. Create a new administrator account with a unique username, log in with it, then delete the old "admin" account.

Use Strong Passwords

Every WordPress user should have a password that is:

  • At least 16 characters long
  • A mix of uppercase, lowercase, numbers, and symbols
  • Unique (not reused from other sites)
  • Stored in a password manager like Bitwarden or 1Password

Enable Two-Factor Authentication

Install a 2FA plugin (WP 2FA or Two Factor). Use an authenticator app — never SMS, which can be intercepted.

Limit Login Attempts

Install Limit Login Attempts Reloaded or use your security plugin's built-in feature. Block IPs after 3-5 failed attempts for at least 30 minutes.

Change the Login URL

The default /wp-admin and /wp-login.php URLs are targeted by every bot on the internet. Use a plugin like WPS Hide Login to change them to something unique like /my-secret-login.

Step 3: Harden wp-config.php

Your wp-config.php file contains database credentials and security keys. Protect it:

// Disable file editing from WordPress admin
define('DISALLOW_FILE_EDIT', true);

// Force SSL for admin area
define('FORCE_SSL_ADMIN', true);

// Limit post revisions to save database space
define('WP_POST_REVISIONS', 5);

// Disable debug mode in production
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);

Block direct access to wp-config.php via your web server. For Nginx:

location = /wp-config.php {
    deny all;
}

For Apache (.htaccess):

# Apache 2.2 syntax (still works on 2.4 through mod_access_compat); the native 2.4 form is "Require all denied"
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

Step 4: Set Correct File Permissions

Wrong file permissions are one of the most common security mistakes:

# Correct permissions for WordPress
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;

# Extra protection for sensitive files
chmod 600 wp-config.php
chmod 644 .htaccess

Never use 777 permissions. If a plugin "requires" 777, fix the file ownership instead:

# www-data is the web server user on Debian/Ubuntu; on RHEL-based systems it is apache or nginx
sudo chown -R www-data:www-data /var/www/html

Step 5: Install a Web Application Firewall

A WAF blocks malicious traffic before it reaches your WordPress installation:

Option 1: Cloudflare (Free tier)

Cloudflare sits between visitors and your server, filtering malicious requests. The free plan includes basic DDoS protection and a web application firewall. Cloudflare also acts as a CDN, which helps if you are planning for traffic growth.

Option 2: Wordfence (Free WordPress plugin)

Provides an application-level firewall, malware scanner, and login security. The free version covers most needs.

Option 3: Server-level with Nginx rate limiting

# Rate limit login page
# limit_req_zone belongs in the http {} block: one shared zone keyed by client IP, allowing 5 requests per minute
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

# The location block goes in the site's server {} block
location /wp-login.php {
    limit_req zone=login burst=3 nodelay;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}

Step 6: Disable XML-RPC

XML-RPC is an older WordPress API that most sites don't need. It's commonly exploited for brute force attacks and DDoS amplification:

# Nginx
location = /xmlrpc.php {
    deny all;
    return 403;
}

# Apache .htaccess (2.2 syntax; on 2.4 replace the two Order/Deny lines with "Require all denied")
<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>

Only keep XML-RPC enabled if you specifically use Jetpack or the WordPress mobile app.

Step 7: Security Headers

Add security headers at the server level:

# Inside the site's server {} block. Note that add_header lines in a location {} block
# replace, rather than extend, the ones inherited from server {}.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;   # legacy header; current browsers ignore it
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Browsers cache HSTS for the full max-age, so enable it only once every subdomain serves HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Hide the Nginx version in the Server header and on error pages
server_tokens off;

Test your headers at securityheaders.com.

Step 8: Automated Backups

Security includes recovery. When everything else fails, a recent backup saves you:

#!/bin/bash
# Abort on any error, and make a failing mysqldump fail the pipeline instead of
# silently leaving a truncated .sql.gz behind
set -euo pipefail
DATE=$(date +%Y-%m-%d)
BACKUP_DIR="/home/deploy/backups"
mkdir -p "$BACKUP_DIR"

# Database backup. Read the credentials from a file only this user can read
# instead of passing -p'password' on the command line, where every user on the
# server could see it in the process list. ~/.my.cnf (chmod 600) contains:
#   [client]
#   user=wp_user
#   password=your-db-password
mysqldump --defaults-extra-file="$HOME/.my.cnf" wp_database | gzip > "$BACKUP_DIR/db_$DATE.sql.gz"

# Files backup
tar -czf "$BACKUP_DIR/files_$DATE.tar.gz" /var/www/html/

# Keep only last 7 days
find "$BACKUP_DIR" -type f -mtime +7 -delete

Always test restoration — a backup you've never restored is a backup you can't trust. Before deploying major changes, use a staging environment to test safely.

Step 9: Monitor for Intrusions

Set up monitoring to catch issues early:

# Find recently modified PHP files (potential hack indicator)
find /var/www/html -name "*.php" -mtime -3 -ls

# Check for suspicious files in uploads directory
find /var/www/html/wp-content/uploads -name "*.php" -ls

PHP files in the uploads directory are almost always malicious. WordPress uploads should only contain images, documents, and media files.
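The two find commands above only look at modification times, which tell you nothing about what changed. As an added example that is not from the original article, the script below keeps a SHA-256 baseline of every PHP file and reports what was added, modified or deleted since the baseline was taken, plus any PHP file under uploads. It assumes the WordPress root as the first argument, a baseline file given as an absolute path outside the web root, file names without whitespace, and GNU findutils/coreutils.

```shell
# Added example (not from the original article): SHA-256 integrity baseline for
# the WordPress tree. wp_baseline records every PHP file; wp_check later reports
# files ADDED, MODIFIED or DELETED since then, plus any PHP file under
# wp-content/uploads. Assumptions: $root is the WordPress directory, $baseline
# is an absolute path outside the web root (root-owned, so write access to the
# docroot does not also allow rewriting the baseline), file names contain no
# whitespace, and GNU findutils/coreutils are installed.
set -eu

# Write one "hash  ./relative/path" line per PHP file under $root into $baseline.
wp_baseline() {
    local root="$1" baseline="$2"
    ( cd "$root" && find . -type f -name '*.php' -print0 | sort -z \
        | xargs -0 -r sha256sum ) > "$baseline"
}

# Compare $root against $baseline. Prints one finding per line and returns 1
# when anything was found, so a cron job can mail the output or raise an alert.
wp_check() {
    local root="$1" baseline="$2" tmp findings
    tmp=$(mktemp)
    findings=$(
        cd "$root"
        # sha256sum -c re-hashes every recorded file: a changed file prints
        # "path: FAILED", a missing one "path: FAILED open or read".
        sha256sum --quiet -c "$baseline" 2>/dev/null \
            | sed -E 's#^(.*): FAILED open or read$#DELETED  \1#; s#^(.*): FAILED$#MODIFIED \1#'
        # PHP files present now but absent from the baseline.
        awk '{print $2}' "$baseline" | sort > "$tmp.old"
        find . -type f -name '*.php' | sort > "$tmp.new"
        comm -13 "$tmp.old" "$tmp.new" | sed 's#^#ADDED    #'
        # PHP under uploads is almost always malicious, baseline entry or not.
        find ./wp-content/uploads -type f -name '*.php' 2>/dev/null \
            | sed 's#^#UPLOADS_PHP #'
    )
    rm -f "$tmp" "$tmp.old" "$tmp.new"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run `wp_baseline /var/www/html /root/wp-baseline.sha256` right after a clean install or update, and schedule `wp_check` with the same arguments from cron; re-run wp_baseline after every legitimate update so the next check starts clean.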

WordPress Security Checklist

Run through this after every installation:

  • WordPress core, plugins, and themes updated
  • Admin username is not "admin"
  • Strong passwords on all accounts
  • Two-factor authentication enabled
  • Login attempts limited
  • Login URL changed
  • File editing disabled in wp-config.php
  • File permissions set correctly (644/755)
  • WAF installed (Cloudflare or Wordfence)
  • XML-RPC disabled
  • Security headers configured
  • Automated daily backups running
  • SSL/HTTPS forced everywhere
  • Unused themes and plugins deleted (not just deactivated)

FAQ

How often should I update WordPress?

Update immediately when security patches are released. Enable auto-updates for minor releases and check for major updates weekly. Most hacks exploit vulnerabilities that were patched weeks or months ago.

Is a security plugin enough to protect WordPress?

No. Security plugins add a layer of protection but cannot compensate for weak passwords, outdated software, or poor hosting. A layered approach combining server-level hardening, proper configuration, and a security plugin provides the best protection.

What should I do if my WordPress site gets hacked?

Take the site offline, restore from your most recent clean backup, change all passwords (WordPress, database, FTP, hosting panel), update everything, scan for remaining malware with Wordfence, and check your server access logs to identify how the attacker got in.

Do I need a paid security plugin?

The free versions of Wordfence or Sucuri cover most needs for small to medium sites. Paid versions add features like real-time firewall rules, country blocking, and priority scanning. They are worth considering for e-commerce or high-traffic sites.

Secure WordPress Hosting with DeployBase

To properly secure your WordPress site, you need hosting that supports your security measures — not fights against them. At DeployBase, our VPS plans give you full root access to configure firewalls, security headers, and server-level protections exactly as described in this guide. Starting at $5/month with NVMe SSD storage, free SSL, automated backups, and 24/7 support.

Get secure WordPress hosting at DeployBase — your site's security starts with the right foundation.
