WordPress powers everything from small business sites to busy ecommerce stores, membership portals, course platforms, publisher websites, and lead-generation systems. That flexibility is why WordPress is popular. It is also why WordPress security needs to be treated seriously.
A secure WordPress website is not created by installing one plugin and hoping for the best. Security is a set of layers: good hosting, clean software, strong access control, safe configuration, backups, monitoring, and a clear recovery process.
The goal is not to make a website impossible to attack. No real system can promise that. The goal is to reduce easy entry points, detect problems early, limit damage, and recover quickly if something goes wrong.
This guide walks through the practical security work every WordPress owner should understand.
Start with the right mindset: WordPress security is operations
Many WordPress incidents happen because a site was launched and then forgotten.
The homepage still loads, so nobody checks deeper. Plugins fall behind. Admin accounts accumulate. Backups stop running. A contact form plugin becomes vulnerable. A theme bundled with old code remains active. A former contractor still has access. A weak password survives for years. Eventually, an automated bot finds the opening.
Most WordPress attacks are not cinematic. They are repetitive, automated, and opportunistic.
Attackers usually look for:
- Outdated plugins and themes
- Weak or reused passwords
- Unprotected login pages
- Abandoned admin accounts
- Writable files and unsafe permissions
- Nulled themes or pirated plugins
- Exposed backups and config files
- Vulnerable upload handlers
- Poor hosting isolation
- Missing monitoring
Good WordPress security is the opposite of neglect. It is a maintenance habit.
1. Keep WordPress core, plugins, and themes updated
Updates are one of the most important security controls for WordPress.
WordPress core receives security releases, and minor security updates can run automatically on many installations. But core is only one part of the system. Plugins and themes are often the bigger risk because they add code, routes, upload handlers, admin screens, shortcodes, blocks, API endpoints, and frontend scripts.
A practical update process should include:
- Update WordPress core promptly, especially security releases
- Keep plugins and themes current
- Remove plugins and themes you do not use
- Avoid abandoned plugins that have not been maintained
- Test major updates on staging before production
- Take a backup before significant updates
- Check key pages and forms after updates
- Watch logs after deployment
Do not confuse “installed but inactive” with harmless. Inactive themes and plugins can still leave files on disk. If you do not need them, remove them.
Automatic updates: useful, but not a complete plan
Automatic updates are helpful for many small sites, especially for security releases. But automatic updates are not a substitute for monitoring.
An update can fail. A plugin update can break checkout. A theme update can change layout. A compatibility issue can trigger PHP errors. If updates run automatically, you still need alerts, uptime checks, backups, and a way to roll back.
For business websites, a good pattern is:
- Enable automatic security updates where appropriate
- Use staging for high-risk sites
- Maintain a tested backup and rollback process
- Review update logs
- Monitor forms, checkout, and key conversion paths after updates
The risk is not only “will we update?” It is also “will we notice if the update breaks something?”
2. Use reputable hosting with current server software
WordPress security starts below WordPress.
Your host controls important parts of the security environment: PHP version, web server configuration, database isolation, backups, malware scanning, firewall rules, file permissions, SSH/SFTP access, logging, and account separation.
Choose hosting that provides:
- Supported PHP versions
- Regular server patching
- Isolated accounts
- HTTPS support
- SFTP or SSH instead of plain FTP
- Web application firewall options
- Reliable backups
- Malware scanning or incident support
- Good logging access
- Resource limits that prevent one site from affecting another
Avoid bargain hosting that puts many unrelated sites under weak isolation. If one site in the account is compromised, attackers may be able to move laterally to other sites.
For serious business websites, managed WordPress hosting can be worth it because the host handles more of the platform layer: caching, updates, security rules, backups, staging, and recovery support.
3. Use HTTPS everywhere
Every WordPress site should use HTTPS across the whole website, not only checkout or login pages.
HTTPS protects credentials, session cookies, form submissions, admin activity, and visitor trust. It also prevents browsers from showing “Not secure” warnings.
Make sure:
- SSL/TLS certificate is valid
- HTTP redirects to HTTPS
- WordPress Address and Site Address use https://
- Mixed content warnings are fixed
- Cookies are sent securely where possible
- Certificate expiry is monitored
An expired certificate can take a website down in the eyes of visitors even if the server is technically online. Monitor it.
4. Protect the WordPress admin area
The WordPress admin area is one of the most attacked parts of a site. Bots constantly try login attempts against wp-login.php and /wp-admin/.
You do not need to hide the admin area for security to exist, but you should reduce easy abuse.
Use strong, unique passwords
Every administrator should use a long, unique password stored in a password manager. Reused passwords are dangerous because credential leaks from unrelated services can be used against WordPress.
Avoid:
- Shared admin passwords
- Passwords sent by email or chat
- Reusing passwords across sites
- Generic usernames like admin
- Keeping old accounts active
Enable two-factor authentication
Two-factor authentication is one of the strongest improvements you can make to WordPress admin security.
Even if a password is stolen, 2FA makes it much harder for an attacker to log in. Require it for administrators, editors, shop managers, and any user with sensitive access.
Limit login abuse
Use rate limiting or login protection to reduce brute-force attempts and credential stuffing.
Good controls include:
- Login attempt limiting
- Bot filtering
- CAPTCHA only when needed
- WAF rules for abusive traffic
- Alerts for repeated failed logins
- IP allowlisting for admin access on high-security sites
Be careful with plugins that simply rename the login URL and call it security. Changing the login URL can reduce noise, but it is not a replacement for strong passwords, 2FA, and monitoring.
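A concrete version of the “alerts for repeated failed logins” item, added here as an example rather than taken from the article or any plugin: a shell function that scans a combined-format web server access log for POST requests to wp-login.php that came back with status 200 and counts them per client IP. The heuristic, which you should confirm on your own stack, is that WordPress answers a failed login by re-rendering the form with HTTP 200 and answers a successful one with a 302 redirect, so a client with many 200s is cycling through credentials. Password-reset posts (wp-login.php?action=lostpassword) are deliberately not counted. The log lines are constructed, and the threshold is a parameter.

```shell
#!/bin/sh
# Added example: find clients hammering wp-login.php from a combined-format
# access log. Heuristic (assumption, verify on your stack): a failed login
# re-renders the form with HTTP 200, a successful one redirects with 302.
# Usage: failed_login_bursts /var/log/nginx/access.log 20   (path is an assumption)

failed_login_bursts() {
  log="$1" threshold="${2:-20}"
  awk -v threshold="$threshold" '
    # Combined log fields: $1 ip ... $6 "METHOD  $7 path  $8 proto"  $9 status
    # Only the plain login POST counts; ?action=lostpassword and GETs do not.
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { attempts[$1]++ }
    END {
      for (ip in attempts)
        if (attempts[ip] >= threshold) print ip, attempts[ip]
    }
  ' "$log" | sort -k2 -n -r
}

# Constructed sample log (not real traffic): one client failing repeatedly,
# one client with two failures then a successful 302, one just viewing the page
# and using the password-reset form.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2025:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:09:30:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:09:30:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:09:30:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:11:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:11:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
EOF

# Report clients with 5 or more failed attempts in the sample.
failed_login_bursts "$SAMPLE_LOG" 5
```

Run it from cron against the real log and feed the output to whatever alerting you already have; a client that trips the threshold is a candidate for a temporary block at the WAF or web server, and a legitimate user locked out by a forgotten password shows up with a handful of 200s followed by a 302, not dozens of 200s.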
Review user accounts regularly
Old user accounts are a common weakness.
At least monthly, review:
- Administrators
- Editors
- Shop managers
- Agency or developer accounts
- Former staff accounts
- API or integration accounts
- Users with application passwords
Remove accounts that are no longer needed. Downgrade permissions where possible.
5. Apply least privilege
Not every user needs admin access.
WordPress roles exist for a reason. Use the lowest role that allows a person to do their job.
Typical role discipline:
- Administrators: only trusted technical owners
- Editors: content managers who need publishing control
- Authors: writers managing their own posts
- Contributors: draft writers
- Subscribers/customers: normal user access
- Shop managers: ecommerce operations without full site administration
If a marketing contractor only needs to edit blog posts, do not make them an administrator. If a developer needs temporary admin access, remove it when the work is done.
Least privilege limits the blast radius when an account is compromised.
6. Choose plugins carefully
Plugins are one of WordPress’s greatest strengths and one of its biggest risks.
Before installing a plugin, ask:
- Do we really need this?
- Is it actively maintained?
- Does it have a good security history?
- Is it compatible with our WordPress and PHP versions?
- Does it come from a reputable source?
- Does it handle uploads, payments, forms, users, or admin access?
- Can the feature be done with existing tools instead?
Avoid nulled plugins and pirated themes completely. They often contain backdoors, hidden ads, malware, or code that gives attackers access later.
Keep plugin count under control
There is no magic number of “safe” plugins. A site with 30 well-maintained plugins may be safer than a site with 8 abandoned plugins.
Still, every plugin adds code and maintenance work. Remove what you do not use.
Pay special attention to plugins that handle:
- File uploads
- Forms
- Memberships
- Ecommerce
- Payments
- Page builders
- SEO redirects
- Sliders and galleries
- Backups
- Security
- REST API endpoints
These plugins often touch sensitive data or expose additional attack surface.
7. Use a reputable theme and avoid editing core files
Themes can contain PHP, JavaScript, templates, upload logic, AJAX handlers, bundled libraries, and custom admin settings. Treat themes as code, not just design.
Use themes from reputable developers. Keep them updated. Remove old themes except for a current default fallback theme if needed.
Never modify WordPress core files directly. Core changes will be overwritten during updates and can make security maintenance harder. Use child themes, custom plugins, hooks, or proper development workflows instead.
8. Set safe file permissions
File permissions control who can read, write, and execute files on the server. Bad permissions can turn a small vulnerability into a full compromise.
General principles:
- Files should not be globally writable
- Directories should not be more writable than needed
- wp-config.php should be protected
- Upload directories should not execute PHP
- Use SFTP or SSH instead of FTP
- Avoid editing files directly through the browser
Exact permission values depend on hosting setup, user ownership, and deployment process. The important idea is to give WordPress only the access it needs.
Block PHP execution in uploads
The wp-content/uploads directory is meant for media files, not executable PHP.
If an attacker finds a vulnerable upload path, blocking PHP execution in uploads can prevent a malicious file from becoming a web shell.
This control belongs at the web server level when possible. Security plugins may help, but server configuration is stronger.
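As an added example (not from the original article), a small POSIX shell audit that checks a WordPress install directory for the problems the permissions list and this section describe: world-writable files, a wp-config.php readable by other accounts on the server, and PHP files sitting under wp-content/uploads. It also flags an uploads directory with no .htaccess, which is only meaningful on Apache hosts; on nginx the PHP block lives in the server configuration, so treat that line as informational there. The install path and the remediation modes in the usage note are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the permission and upload problems
# described above. Prints one finding per line; prints nothing when clean.
# Usage: audit_wp_tree /var/www/example   (path is an assumption; use your own)

audit_wp_tree() {
  root="$1"

  # 1. Anything writable by "others" (last mode digit 2, 3, 6 or 7) can be
  #    modified by any local account on the server. Symlinks are skipped.
  find "$root" ! -type l -perm -002 2>/dev/null | while read -r path; do
    echo "world-writable: $path"
  done

  # 2. wp-config.php holds DB credentials and salts; it should not be readable
  #    by accounts outside the site's own user/group. Exact modes vary by host.
  if [ -f "$root/wp-config.php" ] && [ -n "$(find "$root/wp-config.php" -perm -004)" ]; then
    echo "wp-config.php readable by others: $root/wp-config.php"
  fi

  # 3. Uploads should only ever contain media. Any PHP-like file here is either
  #    a misplaced script or a planted web shell and needs investigating.
  uploads="$root/wp-content/uploads"
  if [ -d "$uploads" ]; then
    find "$uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) \
      | while read -r path; do echo "php-in-uploads: $path"; done

    # 4. Apache-only heuristic: a per-directory .htaccess is the usual place to
    #    turn the PHP engine off under uploads. On nginx this is a server-block
    #    rule instead, so this finding is informational there.
    [ -f "$uploads/.htaccess" ] || echo "no-upload-htaccess: $uploads"
  fi
}

# Run against the directory given on the command line, if any.
if [ -n "$1" ]; then
  audit_wp_tree "$1"
fi
```

A clean run prints nothing, which makes the script easy to wire into a cron job that mails only when there is output. Typical remediation on a single-user host is 644 for files, 755 for directories and 640 (or 600) for wp-config.php with the web server in the file's group, but confirm the ownership model your host uses before applying modes wholesale.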
9. Protect wp-config.php
wp-config.php contains database credentials, security keys, salts, and configuration details. It should be treated as a sensitive file.
Good practices include:
- Restrict file permissions
- Prevent public access
- Keep database credentials unique per site
- Use strong authentication keys and salts
- Avoid committing secrets to public repositories
- Limit who can access production files
If you suspect wp-config.php was exposed, rotate database credentials and salts.
10. Disable file editing in the WordPress dashboard
WordPress can allow administrators to edit theme and plugin files from the dashboard. That may sound convenient, but it increases risk.
If an admin account is compromised, the attacker can use the file editor to insert malicious code.
Add this to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
For managed or high-security environments, consider disabling file modifications entirely and deploying code through a controlled workflow.
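One way to apply this from a deployment script, as an added example that is not part of the article: a POSIX shell function that adds a define() to wp-config.php only if the constant is not already there, placing it above the wp-settings.php require so it is set before core loads. It is used here for DISALLOW_FILE_EDIT and, commented out, for DISALLOW_FILE_MODS, the WordPress constant that blocks all plugin, theme and core changes from the dashboard (updates included), which is what disabling file modifications entirely means and which only suits sites that deploy through a controlled workflow. The wp-config.php in the test is constructed.

```shell
#!/bin/sh
# Added example: idempotently add hardening constants to wp-config.php.
# Usage: ensure_wp_constant /path/to/wp-config.php DISALLOW_FILE_EDIT true

ensure_wp_constant() {
  file="$1" name="$2" value="$3"

  # Already defined, with any spacing or quote style? Do not add a duplicate;
  # PHP warns on redefinition and the first definition wins anyway.
  if grep -Eq "define\( *['\"]$name['\"]" "$file"; then
    echo "present: $name"
    return 0
  fi

  # The constant has to be set before wp-settings.php runs; refuse to touch a
  # file that does not have that line where we can see it.
  if ! grep -q 'wp-settings\.php' "$file"; then
    echo "no wp-settings.php require found in $file" >&2
    return 1
  fi

  # Insert just above the wp-settings.php line. Writing back with cat > keeps
  # the file's owner and mode intact, unlike mv of a fresh temp file.
  tmp=$(mktemp)
  awk -v line="define( '$name', $value );" '
    /wp-settings\.php/ && !done { print line; done = 1 }
    { print }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rm -f "$tmp"
  echo "added: $name"
}

# Returns 0 when NAME is defined with VALUE in FILE; handy as a post-deploy check.
wp_constant_is() {
  grep -Eq "define\( *['\"]$2['\"] *, *$3 *\)" "$1"
}

# Apply to the file named on the command line, if one was given.
if [ -n "$1" ]; then
  ensure_wp_constant "$1" DISALLOW_FILE_EDIT true
  # DISALLOW_FILE_MODS also blocks dashboard updates; only for pipeline-deployed sites.
  # ensure_wp_constant "$1" DISALLOW_FILE_MODS true
fi
```

Because the function is idempotent it can run on every deploy, and wp_constant_is gives a monitoring check a one-line way to confirm the setting has not been reverted by a host migration or a manual edit.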
11. Secure the database
The WordPress database contains posts, pages, users, settings, form entries, orders, sessions, plugin data, and sometimes sensitive customer information.
Database security basics:
- Use a strong, unique database password
- Do not reuse database users across unrelated sites
- Give the database user only needed privileges
- Keep database access private
- Back up the database regularly
- Protect database backups
- Monitor unusual database errors
Changing the database table prefix is sometimes recommended, but do not overvalue it. A custom prefix may reduce some automated noise, but it does not replace updates, permissions, passwords, and monitoring.
12. Add a Web Application Firewall
A Web Application Firewall, or WAF, can block common exploit attempts before they reach WordPress.
A WAF can help with:
- Known plugin exploit patterns
- SQL injection attempts
- Cross-site scripting payloads
- Bad bots
- Brute-force login traffic
- XML-RPC abuse
- Malicious file upload attempts
- Suspicious request patterns
WAFs are not magic. They cannot fix vulnerable code by themselves, but they are a valuable layer. A good WAF buys time, reduces noise, and can protect against known attacks while you patch.
For high-value sites, use WAF alerts as part of monitoring. A blocked attack may still tell you what attackers are trying to exploit.
13. Decide what to do with XML-RPC
WordPress XML-RPC can be useful for some integrations, mobile apps, and remote publishing workflows. It can also be abused for brute-force amplification and unwanted traffic.
If your site does not need XML-RPC, disable or restrict it. If you do need it, monitor it and apply rate limiting.
Do not disable features blindly without checking dependencies. Some plugins or apps may still rely on XML-RPC.
14. Secure forms and uploads
Forms and uploads are common attack surfaces because they accept input from visitors.
For forms:
- Use maintained form plugins
- Enable spam protection
- Sanitize and validate input
- Avoid storing unnecessary sensitive data
- Protect notification emails from leaking private details
- Monitor failed submissions and abuse patterns
For uploads:
- Restrict allowed file types
- Limit file size
- Store uploads safely
- Block executable files
- Scan uploads where appropriate
- Do not trust file extensions alone
If your website accepts resumes, documents, images, support attachments, or user-generated content, upload security matters.
15. Use security headers
Security headers help browsers enforce safer behavior.
Useful headers may include:
- Strict-Transport-Security
- Content-Security-Policy
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
- X-Frame-Options or CSP frame rules
Be careful with Content Security Policy. It is powerful but can break scripts, analytics, embeds, payment widgets, and page builders if configured too aggressively.
Start in report-only mode when possible, test carefully, and tighten over time.
16. Back up the site properly
Backups are a security control because they give you a recovery path.
A proper WordPress backup plan includes:
- Database backups
- File backups
- Media uploads
- Theme and plugin files
- Configuration files
- Offsite storage
- Encryption where appropriate
- Retention history
- Restore testing
Backups stored only on the same server are fragile. If the server is compromised, backups may be deleted, encrypted, or modified.
Use offsite backup storage. Keep enough history to recover from issues discovered late. A malware infection may sit unnoticed for days or weeks, so yesterday’s backup may not be clean.
Test restores
A backup you have never restored is not a guarantee. It is a hope.
Test restores periodically on staging. Confirm that:
- Database imports cleanly
- Media files are present
- Login works
- Important pages render
- Forms work
- Ecommerce orders and products are intact
- URLs and serialized data are handled correctly
The middle of an incident is the worst time to discover that your backup process never worked.
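As an added example, not from the article or any backup plugin, here is a shell backup routine covering the items in the backup list above together with the restore sanity check this section asks for. It dumps the database with mysqldump using a temporary credentials file (so the password never appears on the process list), archives wp-content plus wp-config.php, verifies the archive actually contains the paths a restore needs, and prunes old archives down to a retention count. The offsite copy is left as a commented hook because it depends on where you keep backups. The paths are assumptions; the credential names are the standard wp-config.php constants.

```shell
#!/bin/sh
# Added example: database + file backup for a WordPress site with a restore
# sanity check and retention pruning.
# Usage: wp_backup /var/www/example /backups/example 14
#        (site root, backup dir, archives to keep; all three are assumptions)

# Read a define('NAME', 'value') string out of wp-config.php.
wp_config_value() {
  sed -n "s/.*define( *['\"]$2['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database. Credentials go in a mode-600 defaults file rather than on
# the command line, so they are not visible in `ps` output.
wp_backup_db() {
  root="$1" out="$2"
  cnf=$(mktemp); chmod 600 "$cnf"
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
    "$(wp_config_value "$root/wp-config.php" DB_USER)" \
    "$(wp_config_value "$root/wp-config.php" DB_PASSWORD)" \
    "$(wp_config_value "$root/wp-config.php" DB_HOST)" > "$cnf"
  mysqldump --defaults-extra-file="$cnf" --single-transaction \
    "$(wp_config_value "$root/wp-config.php" DB_NAME)" | gzip > "$out"
  rm -f "$cnf"
}

# Archive the parts WordPress cannot regenerate: uploads, themes, plugins, config.
wp_backup_files() {
  tar -czf "$2" -C "$1" wp-config.php wp-content
}

# A backup is only useful if it restores; confirm the archive lists the paths a
# restore needs before trusting it.
wp_backup_verify() {
  listing=$(tar -tzf "$1") || return 1
  for needed in wp-config.php wp-content/uploads wp-content/themes; do
    printf '%s\n' "$listing" | grep -q "^$needed" || { echo "missing: $needed" >&2; return 1; }
  done
}

# Keep the newest N archives with a given prefix; names embed a sortable UTC stamp.
wp_backup_prune() {
  dir="$1" prefix="$2" keep="$3"
  ls -1 "$dir/$prefix"* 2>/dev/null | LC_ALL=C sort -r | tail -n +"$((keep + 1))" \
    | while read -r old; do rm -f "$old"; echo "pruned: $old"; done
}

wp_backup() {
  root="$1" dest="$2" keep="${3:-14}"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  mkdir -p "$dest"
  wp_backup_db     "$root" "$dest/db-$stamp.sql.gz"
  wp_backup_files  "$root" "$dest/files-$stamp.tar.gz"
  wp_backup_verify "$dest/files-$stamp.tar.gz"
  wp_backup_prune  "$dest" files- "$keep"
  wp_backup_prune  "$dest" db-    "$keep"
  # Offsite copy hook (assumption: adapt to your storage), for example:
  # rclone copy "$dest" remote:wp-backups/example
}
```

The verify step is not a restore test; it only catches the common failure of an archive that silently excluded a directory. A periodic restore onto staging, with the checks listed above, is still needed, and the retention count should be long enough to reach back past the point an infection might have started.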
17. Monitor the website
Monitoring turns security from guesswork into operations.
Monitor:
- Uptime
- SSL certificate expiry
- Admin login failures
- New admin users
- File changes
- Malware signatures
- Plugin and theme vulnerabilities
- Backup completion
- Form delivery
- Checkout flow
- Server errors
- PHP fatal errors
- WAF events
- Search engine security warnings
The faster you detect a problem, the smaller the damage usually is.
18. Use file integrity monitoring
File integrity monitoring watches for unexpected changes in WordPress files.
This helps detect:
- Modified core files
- Backdoors
- Web shells
- Injected scripts
- Suspicious PHP files in uploads
- Unknown admin tools
- Malware reinfection
Not every file change is malicious. Updates change files too. But file integrity monitoring gives you a timeline and makes hidden changes harder to miss.
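As an added example (not from the article or any plugin), a minimal file integrity baseline and comparison in POSIX shell built on sha256sum. It tracks the file types attackers typically modify or drop (PHP, JavaScript, HTML and .htaccess) rather than media, and reports added, removed and changed paths, which gives you the timeline this section describes. After a legitimate update you review the report and take a fresh baseline. The sample tree in the test is constructed; paths with spaces are not handled, which is fine for a stock WordPress tree but worth knowing.

```shell
#!/bin/sh
# Added example: file integrity baseline and diff for a WordPress tree.
# Usage: fim_baseline /var/www/example /secure/baseline.sha256
#        fim_compare  /var/www/example /secure/baseline.sha256
# Keep the baseline outside the web root (ideally off the server); an attacker
# who can write site files could otherwise rewrite the baseline too.

# Hash the file types worth tracking: executable or injectable content, not media.
# Output is "hash  ./path", sorted by path so baselines are stable.
fim_list() {
  (cd "$1" && find . -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.js' \
       -o -name '*.html' -o -name '.htaccess' \) -exec sha256sum {} +) | LC_ALL=C sort -k2
}

fim_baseline() {
  fim_list "$1" > "$2"
}

# Prints "added   PATH", "removed PATH" or "changed PATH", one per line, and
# prints nothing when the tree matches the baseline. Exit status is 1 when
# there is any difference so it can drive an alert.
fim_compare() {
  current=$(mktemp)
  fim_list "$1" > "$current"
  report=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }
                        { cur[$2]  = $1 }
    END {
      for (p in cur)  if (!(p in base))                      printf "%-7s %s\n", "added",   p
      for (p in base) if (!(p in cur))                       printf "%-7s %s\n", "removed", p
      for (p in cur)  if ((p in base) && base[p] != cur[p])  printf "%-7s %s\n", "changed", p
    }' "$2" "$current" | LC_ALL=C sort)
  rm -f "$current"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}
```

Run fim_compare from cron and alert on non-empty output. A report that shows only the files an update touched, right after you ran that update, is expected; a new PHP file under uploads or a changed theme file when nobody deployed anything is the signal this control exists to catch.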
19. Watch for signs of compromise
WordPress compromises do not always show up as a defaced homepage.
Common signs include:
- Unknown admin users
- Redirects to strange websites
- Browser security warnings
- Google Search Console warnings
- Suspicious files in wp-content/uploads
- New PHP files with random names
- Spam pages indexed in Google
- Outbound emails you did not send
- Unusual CPU or bandwidth usage
- Payment page changes
- JavaScript injected into theme files
- Login attempts from unusual countries
- Unknown scheduled tasks
If you see one sign, assume there may be more. Attackers often leave multiple backdoors.
20. Have an incident response plan
When a WordPress site is hacked, panic makes things worse.
Before anything happens, know:
- Who is responsible for response
- Where backups are stored
- How to put the site in maintenance mode
- How to preserve logs
- How to rotate passwords
- How to restore to staging
- How to contact hosting support
- How to request Google or browser warning review
- How to communicate with customers if needed
During an incident:
- Do not blindly restore the newest backup
- Preserve evidence where possible
- Change credentials
- Identify the entry point
- Remove malware and backdoors
- Patch the weakness
- Scan the full site
- Review admin users and integrations
- Restore clean files if needed
- Monitor closely after recovery
The real finish line is not “the homepage loads again.” The finish line is clean files, patched weaknesses, verified backups, and monitoring that can catch reinfection.
21. Secure ecommerce and membership sites more aggressively
WooCommerce, LearnDash, membership plugins, booking plugins, and payment integrations increase the stakes.
These sites may handle:
- Customer accounts
- Orders
- Addresses
- Payment metadata
- Subscriptions
- Course access
- Private downloads
- Membership records
- Form submissions
For these sites, add stronger controls:
- Enforce 2FA for staff
- Monitor checkout
- Review payment plugin updates quickly
- Protect admin and shop manager roles
- Limit access to order exports
- Use secure payment gateways
- Monitor suspicious order behavior
- Back up more frequently
- Test restore procedures
- Review privacy and data retention policies
The more sensitive the data and revenue flow, the more disciplined the security process needs to be.
22. Do not rely on security through obscurity
Some advice focuses on hiding WordPress version numbers, changing the login URL, renaming database prefixes, or hiding that the site uses WordPress.
These steps may reduce noise, but they are not primary defenses.
Attackers can often fingerprint WordPress in many ways. More importantly, hidden vulnerable code is still vulnerable.
Prioritize:
- Updates
- Strong authentication
- Least privilege
- Safe permissions
- WAF rules
- Backups
- Monitoring
- Incident response
Obscurity can be a small extra layer. It should never be the foundation.
23. Build a monthly WordPress security checklist
Security becomes easier when it is scheduled.
Every month, review:
- WordPress core version
- Plugin and theme updates
- Inactive plugins and themes
- Admin users
- Failed login patterns
- Backup reports
- Restore test status
- SSL certificate status
- Malware scan results
- File integrity alerts
- WAF events
- Form delivery
- Website performance
- Search Console security issues
For high-value websites, do some checks weekly or daily.
24. What a secure WordPress setup looks like
A well-secured WordPress website usually has:
- Reputable hosting
- Current PHP and server software
- WordPress core updated
- Plugins and themes maintained
- Unused plugins removed
- Strong passwords
- Two-factor authentication
- Limited admin accounts
- Least-privilege roles
- Dashboard file editing disabled
- Safe file permissions
- PHP execution blocked in uploads
- HTTPS enforced
- WAF protection
- Backups stored offsite
- Restore tests
- Malware scanning
- File integrity monitoring
- Uptime and SSL monitoring
- A clear recovery plan
No single item is enough. Together, they create resilience.
Final thought: secure WordPress by making it boring
The best WordPress security program is not dramatic. It is boring in the best way.
Updates happen on schedule. Backups run and are tested. Admin access is reviewed. Alerts go to the right people. Forms are checked. Files are monitored. Vulnerabilities are triaged. Recovery steps are known before they are needed.
That kind of discipline prevents most avoidable incidents and makes unavoidable incidents easier to handle.
If your WordPress website supports real business activity, treat it like a business system. Keep it updated. Limit access. Back it up. Monitor it. Test recovery. Do the boring work before the emergency.