Most WordPress sites don’t get hacked because of sophisticated attacks. They get hacked because someone left the front door open. Outdated plugins, weak passwords, default settings – the boring stuff.
I’ve seen sites go down because the admin password was “password123.” Not joking. So before you spend money on fancy security solutions, let’s cover the basics that stop 90% of attacks.
Keep Everything Updated
This is the single most important thing you can do. And the most ignored.
WordPress core, themes, plugins – all of them release security patches regularly. When you ignore that little red notification badge for three months, you’re basically advertising vulnerabilities to automated bots scanning the internet.
Here’s the thing: most hacks aren’t targeted. Bots crawl millions of sites looking for known vulnerabilities in specific plugin versions. If you’re running Contact Form 7 version 5.3.2 and there’s a known exploit for it, you’re on a list somewhere.
What to do:
- Enable auto-updates for minor WordPress releases (Settings → General in newer versions)
- Check plugins weekly at minimum
- Delete plugins and themes you’re not using – they can still be exploited even when deactivated
- If a plugin hasn’t been updated in over a year, find an alternative
One caveat: major WordPress updates can break things. I’d wait 2-3 days after a major release before updating and let others find the bugs first.
Fix Your Login Security
The default WordPress login page sits at yourdomain.com/wp-admin. Every bot knows this. They’ll hammer it with username/password combinations until something works.
Change the default username
If your admin account is literally called “admin,” change it today. Create a new administrator account with a different username, log in with that, delete the old “admin” account. Takes five minutes.
Use actual strong passwords
Not “YourBusinessName2024!” – that’s not strong, that’s predictable. Use a password manager and generate something random. 20+ characters, mix of everything.
Add two-factor authentication
This alone stops most account compromises. Even if someone gets your password, they can’t get in without the second factor.
Plugins that work well:
- Wordfence Login Security (free, lightweight)
- WP 2FA
- Google Authenticator
I prefer app-based 2FA over SMS. SIM swapping attacks are real, and SMS codes can be intercepted.
Limit login attempts
After 5 failed attempts, lock that IP out for an hour. After 20, lock it out for 24 hours. This kills brute force attacks dead.
Limit Login Attempts Reloaded is free and does exactly this. Wordfence includes this too if you’re already using it.
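If you’d rather see what those plugins do under the hood, here is the same lockout policy (5 failures → one hour, 20 failures → 24 hours) as a small must-use plugin. This is an added example written for this article, not code from Limit Login Attempts Reloaded or Wordfence; the plugin name, the ll_ function names and the transient keys are my own, and it assumes WordPress sees the real visitor address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Login Lockout (added example, not a published plugin)
 * Description: Locks an IP out after repeated failed logins.
 * Install by dropping this file into wp-content/mu-plugins/.
 */

// Thresholds from the article: 5 failures -> 1 hour, 20 failures -> 24 hours.
define('LL_SOFT_LIMIT', 5);
define('LL_HARD_LIMIT', 20);

function ll_client_ip(): string {
    // Assumption: no reverse proxy in front of WordPress. Behind Cloudflare or
    // another CDN, REMOTE_ADDR is the proxy, and locking it would lock out
    // every visitor at once; derive the address from the proxy's header there.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ll_key(string $prefix): string {
    // Transient keys are length-limited, so hash the address.
    return $prefix . md5(ll_client_ip());
}

// Refuse authentication while the IP is locked. Priority 30 runs after the
// core username/password checks (priority 20), so even a correct password
// cannot log in during a lockout.
add_filter('authenticate', function ($user, $username, $password) {
    if (get_transient(ll_key('ll_lock_')) !== false) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// Count failures per IP inside a rolling 24-hour window and escalate the lock.
add_action('wp_login_failed', function ($username, $error = null) {
    // Attempts rejected only because of the lock itself are not new failures.
    if ($error instanceof WP_Error && $error->get_error_code() === 'too_many_attempts') {
        return;
    }
    $fail_key = ll_key('ll_fail_');
    $fails    = (int) get_transient($fail_key) + 1;
    set_transient($fail_key, $fails, DAY_IN_SECONDS);

    if ($fails >= LL_HARD_LIMIT) {
        set_transient(ll_key('ll_lock_'), time(), DAY_IN_SECONDS);
    } elseif ($fails >= LL_SOFT_LIMIT) {
        set_transient(ll_key('ll_lock_'), time(), HOUR_IN_SECONDS);
    }
}, 10, 2);

// A successful login clears the counter so a few typos never accumulate.
add_action('wp_login', function () {
    delete_transient(ll_key('ll_fail_'));
});
```

Because the check sits on the authenticate filter, it covers wp-login.php and XML-RPC alike. The proxy caveat in ll_client_ip() is the one that bites people in practice: a lockout keyed on the wrong address either protects nothing or locks out everyone.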
Get Decent Hosting
Cheap shared hosting is cheap for a reason. You’re sharing server space with hundreds of other sites, and if one of them gets compromised, yours might too.
You don’t need enterprise hosting, but avoid the £2/month deals. Look for:
- Server-level firewalls
- Malware scanning
- Automatic backups
- PHP version updates
- SSL certificates included
SiteGround, Cloudways, and Kinsta all have solid security at the mid-tier level. Even something like managed WordPress hosting from a reputable provider beats generic shared hosting.
Install a Security Plugin (Just One)
You don’t need three security plugins fighting each other. Pick one.
Wordfence – Most popular, does everything. The free version is genuinely useful: firewall, malware scanner, login security. It can slow down cheaper hosting though; it’s resource-heavy.
Solid Security (formerly iThemes Security) – Lighter weight, good for smaller sites. Covers the basics without the bloat.
Sucuri – Better known for their CDN/firewall service, but the free plugin does malware scanning.
Whichever you pick, actually configure it. Don’t just install and forget. Go through the settings, enable the firewall, set up alerts.
Force SSL Everywhere
Your site should load with https://, not http://. This encrypts data between visitors and your server.
Most hosts provide free SSL certificates now through Let’s Encrypt. If yours doesn’t, switch hosts.
Once SSL is installed:
- Update WordPress Address and Site Address in Settings → General to use https://
- Install the Really Simple SSL plugin to catch any mixed content issues
- Set up a redirect from http to https (most hosts have a toggle for this)
Check your site at whynopadlock.com to find any insecure elements still loading over http.
Backups That Actually Work
Security isn’t just about prevention. It’s about recovery when something goes wrong.
I’ve seen people think they have backups because their host “does daily backups.” Then something happens and they discover restoring costs extra, or the backup is corrupted, or it only goes back 7 days and the hack happened 10 days ago.
Set up your own backups:
UpdraftPlus (free version) backs up to Google Drive, Dropbox, or other cloud storage. Schedule it weekly at minimum. For active sites, daily.
Test your backups. Seriously. Download one, spin up a local WordPress install, restore it. Make sure it actually works before you need it.
Keep backups for at least 30 days. Some hacks sit dormant for weeks before activating.
File Permissions Matter
Wrong file permissions let attackers write to files they shouldn’t touch.
Standard WordPress permissions:
- Folders: 755
- Files: 644
- wp-config.php: 600 or 640
Your hosting control panel usually has a file manager where you can check this. If you’re on SSH:
# Directories: owner can read/write/enter, everyone else can read/enter
find /path/to/wordpress/ -type d -exec chmod 755 {} \;
# Files: owner can read/write, everyone else can only read
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
# wp-config.php holds your database credentials, so keep it tighter
# (use 640 instead if PHP runs as a different user in the same group)
chmod 600 /path/to/wordpress/wp-config.php
Disable File Editing
WordPress has a built-in code editor that lets admins modify plugin and theme files directly from the dashboard. Convenient, but if someone gets admin access, they can inject malicious code instantly.
Add this to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Now even admins can’t edit files through WordPress. You’ll need FTP or file manager access for legitimate edits, which is how it should be.
Hide Your WordPress Version
By default, WordPress broadcasts its version number in the page source. This tells attackers exactly which vulnerabilities to try.
Add to your theme’s functions.php:
remove_action('wp_head', 'wp_generator');
It’s not foolproof – there are other ways to detect WordPress versions – but it stops the laziest scanners.
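The remove_action line only covers the meta tag in the page head. The same version string also appears in your RSS/Atom feeds and as ?ver=6.x.y on every core script and stylesheet. Here is an added example, written for this article rather than taken from WordPress or any plugin, that closes those three leaks together; the hv_ function name is mine.

```php
<?php
// Added example: hide the WordPress core version in the places it normally
// appears. Put this in a must-use plugin or your child theme's functions.php.

// 1. The <meta name="generator"> tag in <head> and the generator element in
//    RSS/Atom feeds both pass through the 'the_generator' filter.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Core scripts and styles are enqueued with ?ver=<core version> for cache
//    busting. Strip the parameter only when it equals the core version, so
//    plugins' and themes' own version strings are left alone.
function hv_strip_core_version(string $src): string {
    $core  = get_bloginfo('version');
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if ($core === '' || empty($query)) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === $core) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hv_strip_core_version', 15);
add_filter('style_loader_src', 'hv_strip_core_version', 15);
```

Two things to know before relying on this: stripping ?ver= from core assets also removes their cache busting, so visitors with aggressive browser caches may keep stale files across a core update until the cache expires; and readme.html in the site root still states the version, so delete it or block it at the web server. As the article says, none of this stops a determined fingerprinting tool, it just takes you off the lazy scanners’ lists.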
What About Security Headers?
If you want to go further, add security headers to your .htaccess or through your host’s configuration:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Cloudflare adds these automatically if you’re using their free tier, which is worth setting up anyway for the CDN and basic DDoS protection.
The Realistic Priority List
If you’re overwhelmed, do these in order:
- Update WordPress, all plugins, all themes – today
- Change any weak passwords, add 2FA to admin accounts
- Install Wordfence or Solid Security, configure the firewall
- Set up UpdraftPlus backing up to cloud storage
- Delete unused plugins and themes
- Check file permissions
That covers 90% of what matters. Everything else is incremental improvement.
When You’ve Already Been Hacked
If you’re reading this because your site is already compromised:
- Don’t panic, but act fast
- Change all passwords immediately (WordPress, hosting, FTP, database)
- Restore from a clean backup if you have one
- If no backup, run a Wordfence scan and manually remove infected files
- Check for new admin users you didn’t create
- Look for modified core files (Wordfence shows this)
- After cleaning, update everything and harden security
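A rogue administrator account is one of the most common things left behind after a compromise, and it is much easier to catch when it is created than to find weeks later. Here is an added example, written for this article and not part of Wordfence, Sucuri or WordPress itself, of a must-use plugin that emails the site owner whenever any account gains the administrator role; the plugin name and the aaa_ function names are mine, and it assumes the address under Settings → General reaches a human.

```php
<?php
/**
 * Plugin Name: Admin Account Alert (added example, not a published plugin)
 * Description: Emails the site owner whenever an account gains the administrator role.
 * Install by dropping this file into wp-content/mu-plugins/.
 */

function aaa_notify(string $subject, string $body): void {
    // Assumption: admin_email (Settings -> General) is monitored by a person.
    $to = get_option('admin_email');
    wp_mail($to, '[' . get_bloginfo('name') . '] ' . $subject, $body);
}

function aaa_describe(int $user_id): string {
    $user  = get_userdata($user_id);
    $login = $user ? $user->user_login : "(user id $user_id)";
    // Who performed the change, if it came through a logged-in session.
    $actor = is_user_logged_in() ? wp_get_current_user()->user_login : 'no logged-in user';
    return sprintf(
        "Account: %s\nChanged by: %s\nFrom IP: %s\nWhen: %s\n\n"
        . "If you did not make this change, treat the site as compromised: "
        . "remove the account, change all passwords and restore from a clean backup.\n",
        $login,
        $actor,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        current_time('mysql')
    );
}

// Fires when a user's role list is replaced, which includes creating a new
// user with a role (wp_insert_user calls set_role internally).
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    $was_admin = in_array('administrator', (array) $old_roles, true);
    if ($role === 'administrator' && !$was_admin) {
        aaa_notify('New administrator account', aaa_describe((int) $user_id));
    }
}, 10, 3);

// Fires when a role is added alongside existing ones (a second path to admin).
add_action('add_user_role', function ($user_id, $role) {
    if ($role === 'administrator') {
        aaa_notify('Administrator role added to existing account', aaa_describe((int) $user_id));
    }
}, 10, 2);
```

This catches accounts created through the dashboard, the REST API, XML-RPC and any plugin that uses the normal WordPress user functions. It will not see an administrator inserted straight into the database, which is why the hacked-site checklist still says to look at the users list yourself.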
For serious infections, Sucuri and Wordfence both offer paid cleanup services. Sometimes it’s worth the £150-200 to have professionals handle it.
WordPress security isn’t complicated. It’s just consistent maintenance that most people skip. Update regularly, use strong credentials, keep backups, and you’re ahead of most sites on the internet.