WordPress is the most targeted CMS in the world, not because it's inherently insecure, but because it's the most popular. Attackers run automated tools that scan the entire internet for outdated WordPress installations, vulnerable plugins, and weak passwords. If your site matches their criteria, it will be found and exploited — usually automatically, with no human ever manually targeting you.
The good news: the vast majority of successful attacks on WordPress sites exploit preventable problems. Here are the eight things that actually matter.
1. KEEP WORDPRESS CORE UPDATED
WordPress releases security updates regularly, and the vulnerabilities they patch are published publicly. That means every unpatched site on an old version is essentially broadcasting a known security hole to every automated scanner on the internet. Enable auto-updates for minor security releases, and update major versions promptly — after testing in a staging environment if you have one.
2. KEEP EVERY PLUGIN AND THEME UPDATED
Plugins are the most common attack vector on WordPress sites. A vulnerability in a popular plugin can affect millions of sites simultaneously. Many of the worst WordPress breaches in recent years came through outdated plugins — not the core WordPress software itself.
Enable auto-updates for plugins where available. Deactivate and delete any plugins you're not actively using — inactive plugins are still attack surfaces.
3. USE STRONG PASSWORDS AND TWO-FACTOR AUTHENTICATION
Brute force attacks — bots trying thousands of common password combinations — are among the most common ways WordPress sites get compromised. A strong password combined with two-factor authentication makes this attack vector effectively useless.
Use a password manager. Enable 2FA for every admin account using a plugin like WP 2FA. Don't use "admin" as a username — it's the first one every brute force bot tries.
4. INSTALL A QUALITY SECURITY PLUGIN
A good security plugin adds multiple layers of protection: a web application firewall that blocks malicious requests before they reach your site, brute force protection, malware scanning, login attempt monitoring, and email alerts when something suspicious happens.
Wordfence is the most widely used and provides strong free-tier protection. Sucuri is the preferred choice for sites that need enterprise-grade security. Either one is dramatically better than running with no security plugin at all.
5. RUN DAILY AUTOMATED BACKUPS AND TEST THEM
Backups aren't a security measure — they're a recovery measure. When (not if) something goes wrong, your ability to restore your site to a clean version is the difference between a bad afternoon and a catastrophic business interruption.
Your backups must be: automated (running daily without you thinking about it), stored off-site (not just on the same server as your site), and tested regularly. A backup you've never restored is a backup you don't actually have.
6. CHANGE THE DEFAULT LOGIN URL
By default, the WordPress admin login page lives at yourdomain.com/wp-admin. Every automated scanner on the internet knows this. Moving the login page to a custom URL eliminates the vast majority of automated login attempts and reduces your site's attack surface significantly.
Plugins like WPS Hide Login make this a two-minute configuration change. Combined with 2FA and strong passwords, it makes brute force attacks on your admin area effectively impossible.
7. ENFORCE HTTPS EVERYWHERE
HTTPS encrypts the connection between your site and its visitors. Without it, login credentials and form submissions can be intercepted. SSL certificates are free. Your web host should be able to install one in minutes. After installation, make sure all traffic is redirected from HTTP to HTTPS — not just some pages.
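Several of the points above (core and plugin auto-updates, no "admin" username, HTTPS everywhere) can be pinned in one must-use plugin so they survive theme changes and admin-screen toggles. The file below is an added example, not code from this article or from WordPress itself; it assumes it is saved as wp-content/mu-plugins/hardening-baseline.php and that TLS terminates on the web server rather than at a proxy or CDN.

```php
<?php
/**
 * Plugin Name: Hardening Baseline (added example)
 * Description: Example mu-plugin, not the article's code. Save as
 *              wp-content/mu-plugins/hardening-baseline.php; mu-plugins load
 *              on every request and cannot be deactivated from the dashboard.
 */

// Section 1: opt in to core minor (security) releases. The same setting can be
// pinned in wp-config.php with define( 'WP_AUTO_UPDATE_CORE', 'minor' ).
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Section 2: auto-update every installed plugin and theme, not only the ones
// someone remembered to toggle in the admin UI.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Section 3: refuse to create accounts named "admin" (or close variants).
// This only blocks new accounts; an existing "admin" user must be renamed
// or replaced separately.
add_filter( 'illegal_user_logins', function ( array $logins ) {
	return array_merge( $logins, array( 'admin', 'administrator' ) );
} );

// Section 7: redirect every plain-HTTP request to HTTPS, front end included.
// Assumes TLS terminates on this server: behind a proxy or CDN, map
// X-Forwarded-Proto to $_SERVER['HTTPS'] in wp-config.php first, or this
// redirect loops. FORCE_SSL_ADMIN (wp-admin and wp-login.php) must also live
// in wp-config.php, because WordPress reads it before mu-plugins load.
add_action( 'init', function () {
	if ( is_ssl() || wp_doing_cron() || PHP_SAPI === 'cli' ) {
		return;
	}
	$host = $_SERVER['HTTP_HOST'] ?? '';
	$uri  = $_SERVER['REQUEST_URI'] ?? '/';
	// wp_safe_redirect() only follows hosts WordPress trusts (the site's own
	// host by default), so a forged Host header cannot turn this into an
	// open redirect.
	wp_safe_redirect( 'https://' . $host . $uri, 301 );
	exit;
}, 1 );
```

After dropping the file in place, confirm it is active under Plugins > Must-Use and request an http:// page to check that exactly one 301 to https:// is returned.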
8. LIMIT USER ACCESS AND PERMISSIONS
Every user account on your WordPress site is a potential attack vector. Audit your users regularly and remove any accounts that are no longer needed. Assign the minimum necessary permissions to each account — an editor doesn't need administrator access. If a contributor account is compromised, limiting its permissions limits the damage an attacker can do.
WARNING SIGNS YOUR SITE MAY ALREADY BE COMPROMISED
- Google is showing a warning when visitors try to access your site
- Your hosting provider has suspended your account for malware
- You see pages on your site you didn't create
- Your site is redirecting visitors to unrelated websites
- Your Google Search Console shows unusual spikes in indexed pages
- Your site is significantly slower than usual without explanation
If you're seeing any of these signs, don't wait. The longer malware remains on a compromised site, the more damage it can do to your search rankings, your reputation, and your hosting account.
NOT SURE IF YOUR WORDPRESS SITE IS SECURE?
Our WordPress care plans include security monitoring, automated backups, and regular updates — so you never have to think about this again.