WordPress Security Guide 2026: 20+ Steps To Protect Your Site

By Bartosz Nowak

Learn how to secure your WordPress site in 2026 with our comprehensive checklist. Expert tips on plugins, hardening, backups, and when to hire professionals.

TL;DR: Quick WordPress Security Checklist

If you’re short on time, here’s what matters most:

☐ Keep WordPress core, themes, and plugins updated (manually, after testing)
☐ Use strong passwords and enable two-factor authentication
☐ Choose quality hosting with server-level security
☐ Limit login attempts and change the default login URL
☐ Remove unused plugins and themes
☐ Set up automated backups (stored off-site)
☐ Install a reputable security plugin (Wordfence, Sucuri, or Solid Security)

That covers 80% of WordPress security. The rest of this guide explains the details.


 

Why WordPress Security Matters in 2026

If you’re looking for how to secure a WordPress site, you’re asking the right question. WordPress powers 43% of all websites on the internet (W3Techs). That market dominance makes it an attractive target.

Here’s what the numbers tell us:

  • 7,966 new vulnerabilities were discovered in the WordPress ecosystem in 2024
  • 96% of vulnerabilities come from plugins (Wordfence 2024 Security Report)
  • 55 billion password attacks were blocked by Wordfence alone in a single year

But here’s the thing that often gets lost in these scary statistics: WordPress core itself is remarkably secure. The vast majority of breaches happen because of outdated plugins, weak passwords, or poor hosting choices—all things you can control.

In our experience auditing WordPress sites, security issues rarely come from sophisticated attacks. They come from neglect. Sites that haven’t been updated in months. Admin passwords that are "company123". Plugins installed three years ago and forgotten.

The good news? Basic security hygiene stops most attacks. Let’s walk through it.

 

Priority 1: Foundation Security (Do These First)

These four steps prevent the majority of WordPress security issues. If you do nothing else, do these.

 

Keep WordPress Core Updated

WordPress releases security patches regularly. When a vulnerability is discovered, the core team typically patches it within days. But that patch only helps if you install it.

How to update safely:

  1. Back up your site first (always)
  2. Update in a staging environment if you have one
  3. Update plugins and themes before core
  4. Update WordPress core
  5. Test critical functionality after updating

A note on auto-updates: WordPress supports automatic updates, but we typically disable them for client sites. Why? Auto-updates can break things—plugin conflicts, theme incompatibilities, or functionality changes you weren’t expecting. For business-critical sites, we prefer controlled updates: test in staging first, then push to production. If you do enable auto-updates, limit them to minor security releases only and monitor closely.

 

Use Strong Passwords and Two-Factor Authentication

This sounds obvious, but weak passwords remain the #1 way sites get compromised.

Password requirements:

  • Minimum 16 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Never reuse passwords across sites
  • Use a password manager (1Password, Bitwarden)

Two-factor authentication (2FA) adds a second verification step—usually a code from your phone. Even if someone steals your password, they can’t log in without that second factor.

Plugins for 2FA:

  • WP 2FA – Simple and free
  • Google Authenticator – Works with authenticator apps
  • Wordfence – Includes 2FA in the free version

In our WordPress maintenance work, we’ve seen sites compromised within hours of password leaks. 2FA would have stopped every single one.

 

Use HTTPS (SSL Certificate)

This is table stakes in 2026. Every site needs HTTPS—browsers mark non-HTTPS sites as "Not Secure" and users won’t trust them.

Most quality hosts provide free SSL via Let’s Encrypt. Just make sure it’s active and your WordPress URLs are set to https://. If your site still shows as "Not Secure", something’s misconfigured.

 

Choose Secure Hosting

Your hosting provider is your first line of defense. Cheap shared hosting often means shared security problems—if another site on your server gets compromised, you might too.

What to look for in secure hosting:

Feature                 Why It Matters
Server-level firewall   Blocks attacks before they reach WordPress
Malware scanning        Catches infections early
Automatic backups       Recovery option if something goes wrong
PHP version updates     Older PHP versions have security holes
SSL support             Easy HTTPS setup
Isolation               Your site is isolated from others on the server

Hosting we use for client sites:

  • Kinsta – Our go-to for premium managed WordPress hosting
  • Pressable – Solid managed hosting with good security features
  • Rocket.net – Fast and secure, good value

Don’t cheap out on hosting. A $5/month shared hosting plan will cost you far more when your site gets hacked.


Not sure if your site’s foundation is secure? Our WordPress security audit identifies vulnerabilities in your current setup—before attackers do.


 

Priority 2: Login & Access Hardening

Once the foundation is solid, focus on protecting your login system—it’s where most attacks target.

 

Change the Default Login URL

Every WordPress site has the same login URL: yourdomain.com/wp-admin or yourdomain.com/wp-login.php. Attackers know this and run automated attacks against these URLs constantly.

Changing your login URL doesn’t make your site secure on its own, but it does eliminate a huge amount of automated attack traffic.

Plugins for this:

  • WPS Hide Login – Simple and lightweight
  • Solid Security (formerly iThemes Security) – Includes this plus more

A word of caution: If you change your login URL, bookmark it. We’ve seen site owners lock themselves out by forgetting their custom URL.

 

Limit Login Attempts

By default, WordPress allows unlimited login attempts. This makes brute force attacks trivial—attackers can try thousands of password combinations.

Limiting login attempts blocks IP addresses after a certain number of failed attempts.

Recommended settings:

  • Lock out after 5 failed attempts
  • Lockout duration: 20-30 minutes
  • Increase lockout duration for repeat offenders

Most security plugins include this feature:

  • Wordfence
  • Limit Login Attempts Reloaded (standalone plugin)
  • Solid Security
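To make the recommended settings concrete, here is the lockout logic written out as a small stand-alone program. It is an added illustration, not code from Wordfence, Limit Login Attempts Reloaded or Solid Security. The 5-failure threshold and 20-minute lockout come from the list above; the 30-minute counting window, the doubling of the lockout for repeat offenders and the 24-hour cap are my assumptions, and the auth-log lines it replays are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Settings from the recommendations above; the counting window, the doubling
# rule and the cap are assumptions for this example, not a plugin's defaults.
MAX_FAILURES = 5
BASE_LOCKOUT = timedelta(minutes=20)
MAX_LOCKOUT = timedelta(hours=24)
FAILURE_WINDOW = timedelta(minutes=30)   # failures older than this no longer count


def lockout_minutes(prior_lockouts: int) -> float:
    """Escalating lockout: 20, 40, 80 ... minutes, capped at 24 hours."""
    return min(BASE_LOCKOUT * (2 ** prior_lockouts), MAX_LOCKOUT).total_seconds() / 60


@dataclass
class IpState:
    failures: List[datetime] = field(default_factory=list)  # recent failure timestamps
    locked_until: Optional[datetime] = None
    lockouts: int = 0                                        # lockouts issued so far


class LoginGuard:
    """Per-IP failed-login counter with escalating lockouts."""

    def __init__(self) -> None:
        self._state: Dict[str, IpState] = {}

    def is_locked(self, ip: str, now: datetime) -> bool:
        st = self._state.get(ip)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def lockouts(self, ip: str) -> int:
        st = self._state.get(ip)
        return st.lockouts if st else 0

    def record_failure(self, ip: str, now: datetime) -> Optional[timedelta]:
        """Count a failed login. Returns the lockout duration if this failure triggers one."""
        st = self._state.setdefault(ip, IpState())
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW]
        st.failures.append(now)
        if len(st.failures) < MAX_FAILURES:
            return None
        duration = timedelta(minutes=lockout_minutes(st.lockouts))
        st.lockouts += 1
        st.locked_until = now + duration
        st.failures.clear()          # a new burst of failures is counted from scratch
        return duration

    def record_success(self, ip: str) -> None:
        """A successful login clears the counters for that IP."""
        self._state.pop(ip, None)


def replay(log_lines: List[str]) -> List[str]:
    """Feed constructed auth-log lines ('<ISO time> <FAIL|OK> <ip>') through a LoginGuard.

    Returns one decision per line: 'rejected' (IP is locked, attempt not evaluated),
    'locked' (this failure triggered a lockout), 'failed' or 'ok'.
    """
    guard = LoginGuard()
    decisions = []
    for line in log_lines:
        ts, result, ip = line.split()
        now = datetime.fromisoformat(ts)
        if guard.is_locked(ip, now):
            decisions.append("rejected")
        elif result == "FAIL":
            decisions.append("locked" if guard.record_failure(ip, now) else "failed")
        else:
            guard.record_success(ip)
            decisions.append("ok")
    return decisions


# Constructed sample log: one IP hammering the login form, one legitimate user.
SAMPLE_LOG = [
    "2026-01-10T10:00:00 FAIL 203.0.113.5",
    "2026-01-10T10:00:01 FAIL 203.0.113.5",
    "2026-01-10T10:00:02 FAIL 203.0.113.5",
    "2026-01-10T10:00:03 FAIL 203.0.113.5",
    "2026-01-10T10:00:04 FAIL 203.0.113.5",   # fifth failure -> 20 minute lockout
    "2026-01-10T10:00:05 OK 198.51.100.7",     # other IPs are unaffected
    "2026-01-10T10:10:00 FAIL 203.0.113.5",   # still locked -> rejected outright
    "2026-01-10T10:21:00 FAIL 203.0.113.5",   # lockout expired, counting starts again
    "2026-01-10T10:21:01 FAIL 203.0.113.5",
    "2026-01-10T10:21:02 FAIL 203.0.113.5",
    "2026-01-10T10:21:03 FAIL 203.0.113.5",
    "2026-01-10T10:21:04 FAIL 203.0.113.5",   # second lockout, now 40 minutes
    "2026-01-10T10:59:00 FAIL 203.0.113.5",   # rejected
    "2026-01-10T11:02:00 OK 203.0.113.5",     # lockout over, correct password accepted
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{decision:9} {line}")
```

The point worth noticing in the replay is the difference between "rejected" and "failed": while an IP is locked, the password is never checked at all, which is what removes the brute-force advantage. Keying on the client IP also means that behind a proxy or CDN you must use the real client address (the forwarded-for header your proxy sets), or every visitor shares one counter.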

 

Disable File Editing from Dashboard

WordPress includes a built-in theme and plugin editor (Appearance → Theme File Editor). This is convenient, but it also means anyone who gains admin access can inject malicious code directly.

Disable it by adding this to wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

You can still edit files via FTP or your hosting file manager—just not through WordPress itself.

 

Priority 3: Plugin & Theme Security

Plugins and themes are the source of most WordPress vulnerabilities. Managing them properly is critical.

 

Only Install Vetted Plugins

Before installing any plugin, check:

  1. When was it last updated? Avoid plugins not updated in over a year
  2. How many active installations? More users = more eyes on the code
  3. What do reviews say? Look for mentions of security issues
  4. Who is the developer? Established developers or companies are safer bets
  5. Is it actually necessary? Every plugin is a potential vulnerability

Red flags to avoid:

  • Nulled (pirated) premium plugins – often contain malware
  • Plugins from random websites instead of WordPress.org
  • Plugins that request excessive permissions
  • Plugins that haven’t been updated for WordPress compatibility

 

Remove Unused Plugins

Unused plugins are a security liability. Even deactivated plugins can be exploited if they have vulnerabilities.

Our recommendation: Delete anything you’re not actively using.

This includes:

  • Plugins you installed to "try out"
  • Default plugins that came with hosting (Hello Dolly, we’re looking at you)
  • Old plugins replaced by better alternatives

The same applies to themes. Keep your active theme and one default theme (like Twenty Twenty-Four) as a fallback. Delete the rest.

 

Keep All Plugins Updated

Plugin updates often include security patches. Delaying updates leaves known vulnerabilities unpatched.

Update strategy:

  1. Check for updates weekly at minimum
  2. Read changelogs—they often mention security fixes
  3. Test updates on staging for mission-critical sites
  4. Update promptly, but deliberately—don’t let updates pile up

We manage WordPress maintenance for dozens of sites, and plugin updates are the single most important regular task. We do them manually after testing, not automatically.

 

Best Security Plugins to Consider

A good security plugin adds multiple layers of protection. Here are the ones we recommend:

Wordfence Security (Free + Premium)

  • Firewall with real-time threat defense
  • Malware scanner
  • Login security with 2FA
  • Live traffic monitoring
  • Best for: Sites that want comprehensive protection

Sucuri Security (Free + Premium)

  • Security activity auditing
  • File integrity monitoring
  • Remote malware scanning
  • Security hardening features
  • Best for: Sites that want cloud-based WAF (premium)

Solid Security (formerly iThemes Security)

  • 30+ security hardening features
  • Brute force protection
  • File change detection
  • Database backups
  • Best for: Sites that want many options in one plugin

Which one? Wordfence is our default recommendation. It’s comprehensive, regularly updated, and the free version is genuinely useful. Don’t install multiple security plugins—they’ll conflict with each other.

 

Priority 4: Advanced Hardening

These steps go beyond basics. They’re not strictly necessary for every site, but they add additional layers of protection.

 

Change Database Table Prefix

WordPress uses wp_ as the default database table prefix. Attackers know this and can craft SQL injection attacks targeting those table names.

Changing the prefix doesn’t prevent SQL injection, but it makes automated attacks less effective.

For new installations: Change the prefix during setup in wp-config.php:

$table_prefix = 'xk7m_'; // Use random characters

For existing sites: This is trickier and involves database modifications. Unless you’re comfortable with database work, leave this alone or get professional help.

 

Hide WordPress Version

WordPress adds version information to your site’s source code. This tells attackers exactly which vulnerabilities might work against you.

A note on security by obscurity: Hiding your WordPress version isn’t true security—determined attackers have other ways to fingerprint your site. Think of it as reducing noise from automated scanners, not as a primary defense. Keeping everything updated matters far more than hiding version numbers.

Remove version info by adding the following to your theme’s functions.php (put it in a child theme or a must-use plugin so a theme update doesn’t overwrite it):

// Remove WordPress version from head
remove_action( 'wp_head', 'wp_generator' );

// Remove version from scripts and styles
function remove_version_strings( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'remove_version_strings' );
add_filter( 'style_loader_src', 'remove_version_strings' );

 

Restrict REST API

The WordPress REST API is powerful for developers but exposes information like usernames to anyone who knows where to look.

To restrict REST API access to logged-in users only:

// Restrict REST API to authenticated users
add_filter( 'rest_authentication_errors', function( $result ) {
    // Already authenticated or already an error? Return as-is
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to access the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
});

Note: This breaks some functionality that relies on the REST API (certain contact forms, some plugins). Test thoroughly before implementing.

 

Block PHP Execution in Uploads

The uploads folder (wp-content/uploads/) should only contain media files. If an attacker manages to upload a PHP file, you don’t want it to execute.

Create an .htaccess file in your uploads directory (Apache 2.4 syntax; it only takes effect if your host allows .htaccess overrides for that directory):

<Files "*.php">
    Require all denied
</Files>

This rule matches names ending in .php only. If your host’s PHP handler is also mapped to other extensions (.phtml, .php7 and similar), use a <FilesMatch> pattern that lists those extensions too, and confirm the block works by requesting a harmless test file you placed there yourself.

For Nginx servers, add this to your server block. Nginx uses the first regular-expression location that matches, so this block must come before the general location ~ \.php$ block that passes requests to PHP-FPM, otherwise it never fires:

location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}

 

Set Correct File Permissions

Incorrect file permissions can allow attackers to modify files they shouldn’t have access to.

Item            Permission
Folders         755
Files           644
wp-config.php   600 or 640

You can set these via FTP or SSH:

# Set folder permissions
find /path/to/wordpress/ -type d -exec chmod 755 {} \;

# Set file permissions
find /path/to/wordpress/ -type f -exec chmod 644 {} \;

# Secure wp-config.php
chmod 600 /path/to/wordpress/wp-config.php

Run these as the user that owns the files. 600 on wp-config.php only works when PHP runs as that same owner; if PHP runs under a different account that shares the owner’s group, use 640 instead, or the site will fail with a database connection error because PHP can no longer read the file.
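The chmod commands above set everything in one pass but give you no report of what was wrong. The script below is an added example (not from the page or any plugin) that audits a WordPress tree against the table, reports each deviation, and can optionally apply the first accepted mode. It assumes a POSIX filesystem and that the audited files are owned by the account that also runs PHP, which is what makes 600 on wp-config.php workable; the sample tree it builds for the demo is constructed.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Target modes from the table above.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODES = (0o600, 0o640)   # either is accepted for wp-config.php


def expected_modes(rel_path: str, is_dir: bool) -> Tuple[int, ...]:
    """Accepted modes for one entry, based on whether it is a directory or wp-config.php."""
    if is_dir:
        return (DIR_MODE,)
    if os.path.basename(rel_path) == "wp-config.php":
        return CONFIG_MODES
    return (FILE_MODE,)


def audit(root: str) -> List[Tuple[str, str, str]]:
    """Return (relative path, actual mode, accepted modes) for every entry that deviates.
    The root directory itself is not checked; symlinks are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            accepted = expected_modes(rel, is_dir)
            if mode not in accepted:
                findings.append((rel, f"{mode:o}", "/".join(f"{m:o}" for m in accepted)))
    return sorted(findings)


def apply_fixes(root: str) -> int:
    """chmod every deviating entry to its first accepted mode; returns how many were changed."""
    changed = 0
    for rel, _actual, _accepted in audit(root):
        path = os.path.join(root, rel)
        os.chmod(path, expected_modes(rel, os.path.isdir(path))[0])
        changed += 1
    return changed


def make_sample_tree(base: str) -> None:
    """Constructed miniature WordPress layout with three deliberate mistakes."""
    layout = {
        "index.php": 0o644,
        "wp-config.php": 0o644,                      # too open: should be 600 or 640
        "wp-content/plugins/demo/demo.php": 0o666,   # world-writable
        "wp-content/uploads/2026/01/photo.jpg": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for dirpath, dirnames, _ in os.walk(base):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
    os.chmod(os.path.join(base, "wp-content", "uploads"), 0o777)   # too open


def demo() -> Tuple[List[Tuple[str, str, str]], int, List[Tuple[str, str, str]]]:
    """Build the sample tree, audit it, fix it, audit again. Returns (before, changed, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        before = audit(tmp)
        changed = apply_fixes(tmp)
        return before, changed, audit(tmp)


if __name__ == "__main__":
    before, changed, after = demo()
    for rel, actual, accepted in before:
        print(f"{rel:40} is {actual}, expected {accepted}")
    print(f"fixed {changed} entries; remaining findings: {after}")
```

Run audit() first and read the report before calling apply_fixes(): a plugin cache directory that legitimately needs to be writable by the web server will show up as a finding, and blindly resetting it to 755 can break that plugin.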

 

Implement Security Headers

HTTP security headers tell browsers how to handle your site’s content, preventing many common attacks. This is an often-overlooked layer of protection.

Essential security headers:

Header                     Purpose
Content-Security-Policy    Prevents XSS by controlling which scripts can run
X-Frame-Options            Prevents clickjacking attacks
X-Content-Type-Options     Prevents MIME type sniffing
Strict-Transport-Security  Forces HTTPS connections
Referrer-Policy            Controls what info is sent to other sites
Permissions-Policy         Limits browser features the site can use

Adding headers via .htaccess (Apache):

<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>

Adding headers via Nginx:

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Two caveats on these snippets. X-XSS-Protection is a legacy header: current browsers have dropped the XSS filter it controlled, so it adds nothing (it does no harm either). And neither snippet sets Strict-Transport-Security, although the table lists it. Add HSTS only once the whole site is served correctly over HTTPS, because browsers will refuse plain-HTTP connections to the domain for the entire max-age period.

Testing your headers: Use Mozilla Observatory to scan your site and get a security grade. It identifies missing headers and provides specific recommendations.

Content-Security-Policy requires more careful configuration—a misconfigured CSP can break your site. Start with report-only mode to identify issues before enforcing.
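Mozilla Observatory needs a publicly reachable site. For a staging server, or for checking a header set before you deploy it, the following added example (my code, not the page’s or Observatory’s) grades a response header set against the table above: it flags missing essentials, the legacy X-XSS-Protection header, a short HSTS max-age, a CSP that is still in report-only mode, and a script-src that allows 'unsafe-inline'. The one-year HSTS threshold is my assumption; the two header sets it checks are constructed, the first being exactly what the Apache snippet above sends.

```python
import re
from typing import Dict, List
from urllib.request import Request, urlopen

# The six headers from the table above, in the same order.
ESSENTIAL = [
    ("content-security-policy", "controls which scripts can run (XSS)"),
    ("x-frame-options", "prevents clickjacking"),
    ("x-content-type-options", "prevents MIME type sniffing"),
    ("strict-transport-security", "forces HTTPS connections"),
    ("referrer-policy", "controls what info is sent to other sites"),
    ("permissions-policy", "limits browser features the site can use"),
]
ONE_YEAR = 31536000   # seconds; assumed minimum HSTS max-age for a "good" grade


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Grade a response header set. Returns findings; an empty list means every
    essential header is present and sensibly configured."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, purpose in ESSENTIAL:
        if name in h:
            continue
        if name == "content-security-policy" and "content-security-policy-report-only" in h:
            findings.append("INFO content-security-policy is report-only; enforce it once the reports are clean")
        else:
            findings.append(f"MISSING {name}: {purpose}")
    if "x-xss-protection" in h:
        findings.append("LEGACY x-xss-protection: current browsers ignore it; rely on CSP instead")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("WEAK x-content-type-options: the only meaningful value is nosniff")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("WEAK x-frame-options: use DENY or SAMEORIGIN")
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"WEAK strict-transport-security: max-age={max_age} is under one year")
    csp = h.get("content-security-policy", "")
    if re.search(r"script-src[^;]*'unsafe-inline'", csp):
        findings.append("WEAK content-security-policy: script-src allows 'unsafe-inline', which defeats most XSS protection")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Live use: fetch a page and return its response headers (needs network access)."""
    req = Request(url, headers={"User-Agent": "header-check/1.0"})
    with urlopen(req, timeout=15) as resp:
        return dict(resp.headers.items())


# Constructed: exactly the headers the Apache snippet above sends.
APACHE_SNIPPET = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}

# Constructed: a first hardening pass with CSP in report-only mode and a short HSTS trial.
HARDENING_PASS = {
    **{k: v for k, v in APACHE_SNIPPET.items() if k != "X-XSS-Protection"},
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
}

if __name__ == "__main__":
    for label, hdrs in (("Apache snippet", APACHE_SNIPPET), ("hardening pass", HARDENING_PASS)):
        print(label)
        for finding in check_headers(hdrs) or ["OK: nothing to report"]:
            print("  " + finding)
```

Running it on the Apache snippet shows what Observatory would: the two headers that carry the most weight, CSP and HSTS, are the ones the snippet does not set. The report-only CSP in the second set is reported as INFO rather than MISSING because that is the correct intermediate state the paragraph above recommends.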

 

Priority 5: Backup & Recovery

Security isn’t just about prevention—it’s about recovery when things go wrong.

 

Regular Backup Strategy

A good backup is your last line of defense. If everything else fails, you can restore from backup.

Backup requirements:

  • Frequency: Daily for active sites, weekly for static sites
  • What to backup: Files AND database
  • Storage: Off-site (not just on your server)
  • Retention: Keep multiple backups (at least 30 days)
  • Testing: Regularly verify backups actually work

Backup plugins we recommend:

  • UpdraftPlus – Free version works great, stores to cloud services
  • BlogVault – Premium but includes staging and migration
  • Jetpack Backup – Real-time backups for active sites

Where to store backups:

  • Google Drive
  • Dropbox
  • Amazon S3
  • Separate hosting account

Never rely solely on your host’s backups. Have your own backup system.
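"Regularly verify backups actually work" is the requirement most often skipped, so here is an added example (my code, not from UpdraftPlus, BlogVault or Jetpack) of the two cheap checks that can run every day: open each archive and confirm the database dump and wp-config.php are present and non-empty, and list the days in the retention window with no backup at all. It assumes archives are named site-YYYY-MM-DD.tar.gz with database.sql and wp-config.php at the top level, which you would adjust to your plugin’s layout; the sample backup directory it builds is constructed. Neither check replaces an actual test restore to staging.

```python
import io
import os
import re
import tarfile
import tempfile
from datetime import date, timedelta
from typing import Dict, List

# Assumed naming and contents; adjust to whatever your backup plugin produces.
NAME_RE = re.compile(r"^site-(\d{4}-\d{2}-\d{2})\.tar\.gz$")
REQUIRED_MEMBERS = ("database.sql", "wp-config.php")
RETENTION_DAYS = 30   # "at least 30 days" from the requirements above


def verify_archive(path: str) -> List[str]:
    """Open one backup and report what is wrong with it (empty list = looks usable)."""
    try:
        with tarfile.open(path, "r:gz") as tf:
            members = {m.name: m for m in tf.getmembers()}
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"unreadable: {exc}"]
    problems = []
    for name in REQUIRED_MEMBERS:
        member = members.get(name)
        if member is None:
            problems.append(f"missing {name}")
        elif member.size == 0:
            problems.append(f"empty {name}")   # a dump that failed half-way is a common failure mode
    return problems


def retention_gaps(backup_dir: str, today: date, days: int = RETENTION_DAYS) -> List[date]:
    """Dates within the last `days` days for which no backup file exists."""
    have = set()
    for fn in os.listdir(backup_dir):
        m = NAME_RE.match(fn)
        if m:
            have.add(date.fromisoformat(m.group(1)))
    return [d for d in (today - timedelta(days=i) for i in range(days)) if d not in have]


def report(backup_dir: str, today: date) -> Dict[str, List[str]]:
    """Per-file problems keyed by file name, plus a 'gaps' entry listing missing dates."""
    out: Dict[str, List[str]] = {}
    for fn in sorted(os.listdir(backup_dir)):
        if NAME_RE.match(fn):
            problems = verify_archive(os.path.join(backup_dir, fn))
            if problems:
                out[fn] = problems
    gaps = retention_gaps(backup_dir, today)
    if gaps:
        out["gaps"] = [d.isoformat() for d in gaps]
    return out


def _write_archive(path: str, members: Dict[str, bytes]) -> None:
    with tarfile.open(path, "w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


def make_sample_backups(backup_dir: str, today: date) -> None:
    """Constructed set: 30 days of backups with one day missing, one corrupt file
    and one archive whose database dump is empty."""
    good = {"database.sql": b"-- dump\n", "wp-config.php": b"<?php\n", "wp-content/index.php": b"<?php\n"}
    for i in range(RETENTION_DAYS):
        day = today - timedelta(days=i)
        path = os.path.join(backup_dir, f"site-{day.isoformat()}.tar.gz")
        if i == 3:
            continue                            # the missing day
        if i == 2:
            with open(path, "wb") as fh:        # corrupt: not a gzip stream at all
                fh.write(b"not really an archive")
        elif i == 1:
            _write_archive(path, {**good, "database.sql": b""})
        else:
            _write_archive(path, good)


def demo() -> Dict[str, List[str]]:
    today = date(2026, 1, 31)
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_backups(tmp, today)
        return report(tmp, today)


if __name__ == "__main__":
    for key, problems in demo().items():
        print(key, "->", ", ".join(problems))
```

Point report() at the off-site copy, not the copy on the web server, since the off-site one is what you will actually restore from after a compromise.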

 

What to Do If Your Site Gets Hacked

If you discover your site has been compromised:

Immediate steps:

  1. Don’t panic – Rushed decisions make things worse
  2. Take the site offline – Prevents further damage and protects visitors
  3. Change all passwords – WordPress admin, FTP, database, hosting account
  4. Contact your host – They may have additional information or help

Recovery process:

  1. Identify the infection – Check file modification dates, look for unfamiliar files
  2. Restore from clean backup – If you have one from before the infection
  3. If no clean backup: Manually clean infected files or hire professionals
  4. Update everything – The vulnerability that let attackers in may be in outdated software
  5. Scan and verify – Use multiple scanning tools to confirm the site is clean
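For the "identify the infection" step, here is an added example (my code, not the page’s and not how Wordfence or Sucuri scan) of a first-pass triage over a WordPress tree: it lists PHP files under wp-content/uploads, files modified within the last few days, and PHP files matching two constructed signatures for common obfuscation wrappers. The signature list is deliberately tiny and the sample tree it builds is constructed; treat the output as a list of files to inspect, not a verdict.

```python
import os
import re
import tempfile
import time
from typing import List, Tuple

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")
UPLOADS = os.path.join("wp-content", "uploads")

# Constructed signatures for two common obfuscation wrappers found in injected PHP.
# A maintained scanner uses a far larger set; these two only illustrate the mechanism.
SUSPECT_PATTERNS = [
    (re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval() of a decoded payload"),
    (re.compile(rb"preg_replace\s*\(\s*['\"].*?/e['\"]"),
     "preg_replace with the /e modifier"),
]


def triage(root: str, now: float, recent_days: int = 7) -> List[Tuple[str, str]]:
    """Walk a WordPress tree and return (relative path, reason) pairs worth a closer look.
    Sorted so the output is stable between runs."""
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            is_php = fn.lower().endswith(PHP_EXTENSIONS)
            if is_php and rel.startswith(UPLOADS + os.sep):
                findings.append((rel, "PHP file inside uploads"))
            if os.lstat(path).st_mtime >= cutoff:
                findings.append((rel, f"modified in the last {recent_days} days"))
            if is_php:
                with open(path, "rb") as fh:
                    head = fh.read(256 * 1024)   # bound the read; enough for the signatures
                for pattern, reason in SUSPECT_PATTERNS:
                    if pattern.search(head):
                        findings.append((rel, reason))
    return sorted(findings)


def make_sample_tree(base: str, now: float) -> None:
    """Constructed: an old core file, an old media file, and a recently dropped PHP file
    in uploads whose payload is harmless (it decodes to the word 'hello')."""
    files = {
        "index.php": (b"<?php require __DIR__ . '/wp-blog-header.php';\n", now - 90 * 86400),
        "wp-content/uploads/2025/11/photo.jpg": (b"\xff\xd8\xff", now - 60 * 86400),
        "wp-content/uploads/2026/01/cache.php":
            (b"<?php /* constructed sample */ eval(base64_decode('aGVsbG8='));\n", now - 3600),
    }
    for rel, (data, mtime) in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))


def demo() -> List[Tuple[str, str]]:
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp, now)
        return triage(tmp, now)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:32} {rel}")
```

Modification times are only a hint: an attacker can reset them, and a legitimate plugin update touches many files at once. That is why the recovery steps above say to compare against a known-clean backup and to run more than one scanner before declaring the site clean.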

Tools for malware scanning:

  • Wordfence scan
  • Sucuri SiteCheck (free online scanner)
  • Your hosting provider’s scanner

When to get professional help:

  • You can’t identify all infected files
  • Malware keeps returning after cleaning
  • Your site is blacklisted by Google
  • You’re losing business every hour the site is down

If you need help recovering from a hack, contact us for emergency support.


 

WordPress Security Checklist

Use this checklist to audit your site’s security:

 

Foundation

☐ WordPress core is up to date
☐ Strong admin password (16+ characters)
☐ Two-factor authentication enabled
☐ Quality hosting with security features
☐ HTTPS working (no "Not Secure" warning)

 

Login Security

☐ Default login URL changed
☐ Login attempts limited
☐ File editing disabled in dashboard

 

Plugins & Themes

☐ All plugins updated
☐ All themes updated
☐ Unused plugins deleted
☐ Unused themes deleted
☐ Security plugin installed

 

Advanced

☐ Database prefix changed from wp_
☐ WordPress version hidden
☐ REST API access restricted
☐ PHP execution blocked in uploads
☐ File permissions set correctly
☐ Security headers configured (test with Mozilla Observatory)

 

Backup & Monitoring

☐ Automated backups configured
☐ Backups stored off-site
☐ Backup restoration tested
☐ Security monitoring active


 

When to Hire a Professional

DIY security works for many sites. But sometimes you need expert help.

Consider professional security help if:

  • Your site handles sensitive data (payments, personal information)—especially WooCommerce stores
  • You’ve been hacked before
  • Security isn’t your expertise and you’d rather focus on your business
  • You’re responsible for multiple WordPress sites
  • Compliance requirements demand documented security measures
  • Your current agency isn’t keeping things updated (we frequently take over WordPress projects in exactly this situation)

What a WordPress security audit covers:

  • Vulnerability assessment
  • Malware scanning
  • Configuration review
  • Plugin and theme analysis
  • Server security check
  • Recommendations prioritized by risk
  • Implementation support

Ongoing security maintenance:
Regular WordPress maintenance includes security updates, monitoring, and rapid response when issues arise. For business-critical sites, this often makes more sense than handling security in-house.

 

Frequently Asked Questions

 

Is WordPress secure?

Yes, WordPress core is secure when properly maintained. The majority of WordPress security issues come from outdated plugins, weak passwords, or poor hosting—not from WordPress itself. With basic security hygiene, WordPress is as secure as any other platform.

 

How often should I update WordPress?

Update as soon as updates are available, especially security updates. For minor releases (6.7.1 to 6.7.2), automatic updates are safe for most sites. For major releases (6.6 to 6.7), test on staging first if your site is business-critical.

 

What are the most common WordPress vulnerabilities?

In order of frequency: vulnerable plugins (96% of all WordPress vulnerabilities), vulnerable themes, and weak passwords. WordPress core vulnerabilities are rare and quickly patched. Focus your security efforts on plugin management and access control.

 

How do I know if my WordPress site was hacked?

Common signs include: unexpected admin users, strange redirects, spam content appearing on your site, Google warnings when visiting your site, significantly slower performance, and unusual files in your directories. Security plugins can help detect these automatically.

 

How much does WordPress security cost?

Basic security (security plugin, good hosting, proper configuration) can be free or low-cost. Professional security audits vary based on site complexity—contact us for a quote. For ongoing WordPress maintenance including security monitoring, updates, and rapid response, see our current pricing.

 

Conclusion

WordPress security isn’t complicated, but it does require attention. The good news: following the basics—updates, strong passwords, quality hosting, and regular backups—prevents the vast majority of attacks.

Start with the foundation security steps in this guide. They take an hour to implement and protect against 90% of threats. Then work through the additional hardening measures as time allows.

If you’d rather focus on your business and leave security to experts, we offer WordPress maintenance plans that include security monitoring, updates, and rapid response when issues arise. We also provide thorough security audits for sites that need a comprehensive review.

Either way, don’t ignore security until something goes wrong. A little prevention is worth a lot of recovery.

 

Free Resource

Want a printable checklist for your security review?

📥 Download: 20-Point WordPress Security Audit Checklist (PDF)

A comprehensive checklist you can print, share with your team, or use during your next site review.

 

Last updated: January 2026
