WordPress Is the Most Attacked Platform on the Internet
WordPress's 43% market share makes it the primary target for hackers globally. 90,000 WordPress sites are attacked every minute. Of successfully hacked sites, 56% were compromised through vulnerable plugins, 11% through themes, and 8% through weak passwords. The good news: following this guide makes your site resistant to 95%+ of automated attacks.
Pre-Security Audit: Know Your Baseline
Before hardening, run a security audit:
- Install the Wordfence Security plugin and run a full site scan
- Check your installed plugins and themes against the WPScan vulnerability database (WPScan.com) for known vulnerable versions
- Review your hosting panel for any unknown files or scheduled tasks
- Check Google Search Console for security issues or manual actions
Layer 1: Hosting and Server Security
Your hosting provider is your first line of defence:
- Use managed WordPress hosting: WP Engine, Kinsta, or SiteGround provide server-level security, automatic updates, and a WAF
- Avoid shared hosting with thousands of sites: a compromise of any one site can spread to the others if the host does not isolate each account's filesystem
- Enable PHP 8.1+: older PHP versions have known security vulnerabilities. Check and change the version in your hosting panel.
- Force HTTPS: TLS encrypts data in transit. Install a Let's Encrypt certificate if you have not already, and redirect all HTTP requests to HTTPS.
- Disable PHP execution in uploads: prevent attackers from uploading and running malicious PHP files:
# Add to /wp-content/uploads/.htaccess (Apache; "deny from all" is the 2.2 syntax, on Apache 2.4 use "Require all denied").
# nginx ignores .htaccess and needs an equivalent location rule in the server config.
<Files *.php>
deny from all
</Files>
Layer 2: WordPress Core and Plugin Management
Keep Everything Updated
56% of WordPress hacks exploit known vulnerabilities in outdated plugins. Enable automatic security updates:
// In wp-config.php
define('WP_AUTO_UPDATE_CORE', 'minor'); // Auto-update minor (security/maintenance) releases; true would also apply major releases
For plugins, go to Dashboard → Plugins and click "Enable auto-updates" for each plugin. Review the update notification emails weekly.
Plugin Security Hygiene
- Delete plugins you don't use: a deactivated plugin's files stay on disk and a vulnerable file can still be reached and exploited
- Only install plugins from wordpress.org or reputable commercial sources
- Check plugin last update date — plugins not updated in 2+ years are high-risk
- Check active installs and reviews before installing
- Remove the default "Hello Dolly" plugin and any sample or demo plugins
Layer 3: Authentication Security
Strong Admin Credentials
- Replace the default "admin" username: create a new administrator account with a unique username, log in as it, then delete "admin" and attribute its content to the new account
- Use a 24+ character randomly generated password (1Password or Bitwarden)
- Never reuse the WordPress admin password on any other service
Two-Factor Authentication (2FA)
2FA is the single most effective security measure you can add. With 2FA, even if your password is stolen, attackers cannot log in without the second factor. Install one of:
- WP 2FA (plugin): supports TOTP apps (Google Authenticator, Authy)
- Wordfence: includes 2FA and login security
Login URL Hardening
# Option 1: the WPS Hide Login plugin moves /wp-login.php to a path you choose
# Option 2: an .htaccess alias (needs mod_rewrite). Note that this only adds /login as an
# alternative path; /wp-login.php stays reachable, so use the plugin if the goal is to hide the login page.
RewriteEngine On
RewriteRule ^login$ /wp-login.php [NC,L]
# Limit login attempts: install the Limit Login Attempts Reloaded plugin (or equivalent code in a plugin/functions.php)
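The mechanism behind a "limit login attempts" plugin, shown as an added example rather than code from the page or from any plugin it names: failed logins are counted per client address in WordPress transients, and once the count reaches a threshold the address is locked out and the `authenticate` filter refuses further attempts. The file name, the class name and the thresholds (5 failures in 15 minutes, 1 hour lockout) are assumptions; the WordPress hooks and transient functions are real. Outside WordPress the file falls back to an in-memory store so it can be run with `php login-throttle.php`.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Description: Locks an address out for an hour after 5 failed logins within 15 minutes.
 * Copy to wp-content/mu-plugins/login-throttle.php to activate (hypothetical file name).
 */
declare(strict_types=1);

final class LoginThrottle
{
    /** @var callable fn(string $key): mixed, returns null or false when the key is absent */
    private $read;
    /** @var callable fn(string $key, mixed $value, int $ttlSeconds): void */
    private $write;
    /** @var callable fn(string $key): void */
    private $clear;

    public function __construct(
        callable $read,
        callable $write,
        callable $clear,
        private int $maxAttempts = 5,
        private int $windowSeconds = 900,
        private int $lockoutSeconds = 3600,
    ) {
        $this->read = $read;
        $this->write = $write;
        $this->clear = $clear;
    }

    /** Store keys carry a hash of the address instead of the raw IP. */
    private static function key(string $ip, string $kind): string
    {
        return 'login_throttle_' . $kind . '_' . hash('sha256', $ip);
    }

    /** Seconds left on an active lockout, or 0 when the address may try again. */
    public function lockoutRemaining(string $ip, int $now): int
    {
        // Values read back from the options table may come back as strings, hence is_numeric.
        $until = ($this->read)(self::key($ip, 'lock'));
        $until = is_numeric($until) ? (int) $until : 0;
        return $until > $now ? $until - $now : 0;
    }

    /** Count a failed attempt; returns true when this failure starts a lockout. */
    public function recordFailure(string $ip, int $now): bool
    {
        if ($this->lockoutRemaining($ip, $now) > 0) {
            return false; // already locked; a refused attempt must not extend the lockout
        }
        $count = ($this->read)(self::key($ip, 'fail'));
        $count = is_numeric($count) ? (int) $count + 1 : 1;
        if ($count < $this->maxAttempts) {
            // The window restarts on every failure, so slow, steady guessing is caught too.
            ($this->write)(self::key($ip, 'fail'), $count, $this->windowSeconds);
            return false;
        }
        ($this->write)(self::key($ip, 'lock'), $now + $this->lockoutSeconds, $this->lockoutSeconds);
        ($this->clear)(self::key($ip, 'fail'));
        return true;
    }

    /** A successful login clears the failure counter for that address. */
    public function recordSuccess(string $ip): void
    {
        ($this->clear)(self::key($ip, 'fail'));
    }
}

if (function_exists('add_filter')) {
    // Inside WordPress: transients persist the counters across requests.
    $throttle = new LoginThrottle('get_transient', 'set_transient', 'delete_transient');
    // Behind Cloudflare or a load balancer REMOTE_ADDR is the proxy; restore the real client
    // address at the web server (e.g. mod_remoteip) rather than trusting request headers here.
    $ip = (string) ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');

    add_action('wp_login_failed', function () use ($throttle, $ip): void {
        $throttle->recordFailure($ip, time());
    });
    add_action('wp_login', function () use ($throttle, $ip): void {
        $throttle->recordSuccess($ip);
    });
    // Priority 99 runs after core's username/password handlers (priority 20), so a later
    // core filter cannot replace the lockout error with a WP_User.
    add_filter('authenticate', function ($user) use ($throttle, $ip) {
        if ($throttle->lockoutRemaining($ip, time()) > 0) {
            return new WP_Error('login_throttled', 'Too many failed login attempts. Try again later.');
        }
        return $user;
    }, 99);
} else {
    // Stand-alone run with an in-memory store: five failures lock the constructed sample address.
    $store = [];
    $t = new LoginThrottle(
        function (string $k) use (&$store) { return $store[$k] ?? null; },
        function (string $k, $v, int $ttl) use (&$store) { $store[$k] = $v; }, // TTL not modelled
        function (string $k) use (&$store) { unset($store[$k]); },
    );
    for ($i = 0; $i < 5; $i++) {
        $t->recordFailure('203.0.113.7', 1000);
    }
    echo $t->lockoutRemaining('203.0.113.7', 1000) > 0 ? "locked out\n" : "allowed\n";
}
```

The lockout error is returned through `authenticate`, which means WordPress also fires `wp_login_failed` for the refused attempt; `recordFailure` checks for an existing lockout first so that refused attempts do not keep extending it. Per-address counters are only as good as the address you see: on a proxied site, fix the client IP at the web server layer before relying on this.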
Layer 4: Web Application Firewall (WAF)
A WAF filters malicious requests before they reach WordPress. Options:
- Cloudflare WAF: route your DNS through Cloudflare and enable the WAF rules. Best option: blocks known attack patterns and provides DDoS protection
- Wordfence: WordPress-level WAF. Excellent free version; premium adds real-time threat intelligence
- Sucuri: Professional WAF + CDN at $199/year — best for eCommerce or high-value sites
Layer 5: wp-config.php Hardening
// wp-config.php
// Security keys and salts: paste a fresh set from https://api.wordpress.org/secret-key/1.1/salt/
// (all eight; changing them logs every user out)
define('AUTH_KEY',         'unique-random-string');
define('SECURE_AUTH_KEY',  'unique-random-string');
define('LOGGED_IN_KEY',    'unique-random-string');
define('NONCE_KEY',        'unique-random-string');
define('AUTH_SALT',        'unique-random-string');
define('SECURE_AUTH_SALT', 'unique-random-string');
define('LOGGED_IN_SALT',   'unique-random-string');
define('NONCE_SALT',       'unique-random-string');
// Disable the theme/plugin file editor in the WordPress admin
define('DISALLOW_FILE_EDIT', true);
// Disable plugin/theme installation from the admin (optional, strict sites). This also blocks
// dashboard and automatic updates, so only use it when you apply updates outside WordPress
define('DISALLOW_FILE_MODS', true);
// functions.php: replace the detailed login error with a generic message, so a failed attempt
// does not reveal whether the username exists
add_filter('login_errors', fn() => 'Login failed. Check your username and password.');
Layer 6: Database Security
- Change the default wp_ table prefix to a random string (set during installation, or afterwards with a plugin)
- Use a unique database user with only SELECT, INSERT, UPDATE, and DELETE privileges, not CREATE or DROP (grant the extra privileges temporarily when a core upgrade or plugin installation needs to create or alter tables)
- Disable direct database access from external IPs in the hosting firewall
- Regular automated database backups to an offsite location (e.g. UpdraftPlus to Google Drive)
Layer 7: File Permissions
# Set correct file permissions via SSH (adjust the path to your install)
find /var/www/html/wordpress -type f -exec chmod 644 {} \;   # files: owner read/write, everyone else read-only
find /var/www/html/wordpress -type d -exec chmod 755 {} \;   # directories: owner read/write, everyone else read and traverse
# Restrict wp-config.php to its owner; the owner must be the user PHP runs as, or WordPress cannot read its own config
chmod 600 /var/www/html/wordpress/wp-config.php
Layer 8: Backup Strategy
Security without backups is incomplete. A hacked site can be restored in minutes if you have clean backups:
- UpdraftPlus plugin: automated daily backups to Google Drive, Dropbox, or S3
- Keep 30 days of backups: malware sometimes goes undetected for weeks, so you need a copy from before the compromise
- Test restoration quarterly: a backup you can't restore is worthless
Layer 9: Security Monitoring
- Wordfence email alerts for failed logins, file changes, plugin vulnerabilities
- Google Search Console monitoring for security issues and malware warnings
- Uptime monitoring (e.g. UptimeRobot): know immediately if your site goes down
- Monthly security scan with Sucuri SiteCheck (online tool)
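A stand-alone version of the file-change alert in this layer, which also checks the Layer 7 permissions and the "unknown files" item from the pre-audit: an added example, not the page's own tooling and not Wordfence's scanner. It records a SHA-256 baseline of the WordPress tree and later reports added, removed and changed files plus group/world-writable paths, an over-permissive wp-config.php, and PHP files under uploads. The file name wp-audit.php and the skipped directories are assumptions; it needs PHP 8.0+ and runs from the command line.

```php
<?php
/**
 * wp-audit.php (hypothetical file name, added example): record a hash baseline of a
 * WordPress tree, then report file changes and Layer 7 permission problems.
 *   php wp-audit.php baseline /var/www/html/wordpress > baseline.json
 *   php wp-audit.php verify   /var/www/html/wordpress baseline.json
 */
declare(strict_types=1);

/** Yield relative path => SplFileInfo for everything below $root (files and directories). */
function walkTree(string $root): Generator
{
    $root = rtrim($root, '/');
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $info) {
        yield substr($info->getPathname(), strlen($root) + 1) => $info;
    }
}

/** SHA-256 of every regular file, keyed by relative path. Uploads and cache are skipped: they
 *  change with normal use and would drown the report (PHP inside uploads is caught separately). */
function hashTree(string $root, array $skipPrefixes = ['wp-content/uploads/', 'wp-content/cache/']): array
{
    $hashes = [];
    foreach (walkTree($root) as $rel => $info) {
        if (!$info->isFile()) {
            continue;
        }
        foreach ($skipPrefixes as $prefix) {
            if (str_starts_with($rel, $prefix)) {
                continue 2;
            }
        }
        $hashes[$rel] = hash_file('sha256', $info->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

/** Files present now but not in the baseline, missing now, or carrying a different hash. */
function diffBaseline(array $baseline, array $current): array
{
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        'changed' => array_keys(array_filter(
            $current,
            fn(string $hash, string $rel) => isset($baseline[$rel]) && $baseline[$rel] !== $hash,
            ARRAY_FILTER_USE_BOTH
        )),
    ];
}

/** Layer 7 checks: group/world-writable paths, a wp-config.php readable by others, and PHP
 *  files under uploads (the Layer 1 .htaccess rule should make those unreachable, but they
 *  should not exist at all). */
function permissionFindings(string $root): array
{
    $findings = [];
    foreach (walkTree($root) as $rel => $info) {
        $mode = $info->getPerms() & 0777;
        if ($mode & 0022) {
            $findings[] = sprintf('%s is group/world-writable (%o); expected 644 for files, 755 for directories', $rel, $mode);
        }
        if ($rel === 'wp-config.php' && ($mode & 0077)) {
            $findings[] = sprintf('wp-config.php mode is %o; expected 600', $mode);
        }
        if ($info->isFile() && str_starts_with($rel, 'wp-content/uploads/')
            && preg_match('/\.ph(?:p\d?|tml|ar)$/i', $rel)) {
            $findings[] = "$rel: PHP file inside the uploads directory";
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    $cmd = $argv[1] ?? '';
    $root = $argv[2] ?? '';
    $baselineFile = $argv[3] ?? '';
    if ($cmd === 'baseline' && is_dir($root)) {
        echo json_encode(hashTree($root), JSON_PRETTY_PRINT), "\n";
    } elseif ($cmd === 'verify' && is_dir($root) && is_file($baselineFile)) {
        $baseline = json_decode((string) file_get_contents($baselineFile), true) ?: [];
        echo json_encode([
            'files'       => diffBaseline($baseline, hashTree($root)),
            'permissions' => permissionFindings($root),
        ], JSON_PRETTY_PRINT), "\n";
    } else {
        fwrite(STDERR, "usage: php wp-audit.php baseline <root> | verify <root> <baseline.json>\n");
        exit(1);
    }
}
```

Take the baseline right after a clean install or update, store baseline.json off the server (anyone who can change site files can also rewrite a baseline kept beside them), and re-run `verify` from cron so that a changed core file or a new PHP file surfaces before a visitor does. Expect `changed` entries after every legitimate update; regenerate the baseline as part of the update routine.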
Security Hardening Checklist Summary
- Managed WordPress hosting with server-level firewall
- Force HTTPS / SSL
- WordPress + plugins + themes all updated
- Delete unused plugins and themes
- Change admin username from "admin"
- Strong 24+ character admin password
- Enable 2FA on all admin accounts
- Cloudflare or WAF plugin enabled
- wp-config.php hardened (DISALLOW_FILE_EDIT)
- PHP execution disabled in uploads directory
- Automated daily backups to offsite storage
- Security monitoring alerts configured
Frequently Asked Questions
How do I know if my WordPress site has been hacked?
Signs of a hacked WordPress site: Google search results showing spammy content for your domain, visitors redirected to malicious sites, Google Chrome showing security warnings, your hosting provider suspending your account, unknown admin users appearing, or a Wordfence scan detecting malware.
What is the most common way WordPress sites get hacked?
56% of WordPress hacks exploit vulnerable plugins. Outdated plugins with known security vulnerabilities are the primary entry point. Weak passwords and brute force attacks are second. Keeping plugins updated and using strong passwords prevents the majority of attacks.
Is Wordfence enough to secure WordPress?
Wordfence provides excellent security: malware scanner, login protection, brute force prevention, and a WAF. For most sites, the free version is sufficient. Wordfence Premium adds real-time firewall rule updates and faster malware signature updates.
How do I clean a hacked WordPress site?
Restore from a clean backup (before the hack) if available — this is fastest. If no backup: scan with Wordfence or Sucuri, remove identified malware files, change all passwords (WordPress admin, FTP, database), check for unknown admin users, update all plugins/themes, and contact your host.
Should I use a security plugin like Wordfence or Sucuri?
Yes — install Wordfence as a minimum. It provides a WAF, malware scanner, login protection, and file integrity monitoring. For eCommerce or high-value sites, Sucuri's professional plan ($199/year) offers a more robust WAF + CDN + incident response.
Secure Your WordPress Site
Get a complete WordPress security audit and hardening implementation. We'll review your site, fix vulnerabilities, and set up monitoring to keep your site secure. Starts at ₹8,000.