
WordPress Security Basics: 10 Steps to Protect Your Site

Protect your WordPress site with these 10 practical security steps: updates, strong passwords, 2FA, security plugins, backups, HTTPS, and more.

QualityWordPress

WordPress is the most widely used content management system on the internet — which also makes it the most widely targeted. Automated bots constantly scan the web for WordPress sites running software with known vulnerabilities, probe login pages, and test common weak passwords. This is not a reason to panic; it is a reason to be methodical.

The majority of WordPress site compromises are not sophisticated attacks. They exploit outdated software, weak credentials, or basic configuration gaps that could have been addressed in an afternoon. The ten steps in this guide address exactly those gaps. You do not need to be a developer to implement any of them.

1. Keep WordPress Core, Themes, and Plugins Updated

Outdated software is the leading cause of WordPress site compromises. When a vulnerability is discovered in WordPress core, a theme, or a plugin, a patch is typically released quickly. But the patch only helps you if you apply it — sites running old versions remain exposed.

What to do:

  • Enable automatic updates for minor WordPress core releases (Dashboard > Updates or via your host’s settings)
  • Update plugins and themes regularly; check Dashboard > Updates at least weekly
  • Remove themes and plugins you are not actively using — deactivated plugins can still be exploited if they contain vulnerabilities

The WordPress security team publishes details on patched vulnerabilities in core releases. Security researchers at Wordfence and Sucuri publish detailed vulnerability disclosures that are worth following if you want to stay informed.

2. Use Strong, Unique Passwords and a Password Manager

“Admin123” or your site’s domain name as your password is not a password — it is an open door. Brute-force and credential-stuffing attacks run through millions of common password combinations automatically.

Every account with access to your WordPress site — your admin user, your hosting panel, your database — should have:

  • A password that is long (16+ characters) and random
  • A password used nowhere else
  • Storage in a password manager (1Password, Bitwarden, or similar) rather than in your head or a sticky note

WordPress generates strong passwords automatically when creating users. Use them.

3. Enable Two-Factor Authentication (2FA)

Even a strong password can be compromised through phishing or a data breach elsewhere. Two-factor authentication adds a second layer — typically a time-based code from an authenticator app — that an attacker who has obtained your password still cannot get past.

For WordPress, 2FA is not built in by default, but several plugins add it cleanly:

  • Wordfence Login Security — adds TOTP-based 2FA and login rate limiting
  • Two Factor (from the WordPress security team) — simple, well-maintained free plugin
  • miniOrange 2 Factor — supports multiple 2FA methods

Enable 2FA for all admin-level users, at minimum. If your host also supports 2FA on the hosting control panel, enable it there too.

4. Limit Login Attempts

The default WordPress login page at /wp-login.php accepts unlimited login attempts. This means brute-force bots can try thousands of password combinations without any automatic lockout.

A login attempt limiter blocks an IP address after a defined number of failed tries. Most security plugins (Wordfence, Sucuri, iThemes Security) include this feature. Standalone plugins like Limit Login Attempts Reloaded also handle it with minimal configuration.

Set a threshold of 3–5 failed attempts before a temporary lockout. This stops automated brute-force attacks while still allowing real users who mistyped their password to recover.


5. Install a Security Plugin

A dedicated security plugin is the closest thing to a security system for your WordPress site. Two are consistently trusted by security professionals:

Wordfence Security (wordfence.com) — includes a web application firewall, malware scanner, real-time threat intelligence, and login security. The free tier is genuinely useful; the paid version adds real-time rule updates.

Sucuri Security (sucuri.net) — includes activity auditing, file integrity monitoring, and a remote malware scanner. Sucuri’s paid plan also routes your traffic through their firewall as a CDN, which provides both performance and security benefits.

You do not need both — pick one and configure it properly. These plugins are not a substitute for the other steps in this guide, but they provide important visibility and active protection.

6. Force HTTPS and Keep Your SSL Certificate Current

An SSL certificate enables HTTPS, encrypting data in transit between your site and its visitors. Beyond the security benefit, Google has used HTTPS as a ranking signal for years, and modern browsers flag HTTP sites as “Not Secure.”

Most hosts now include free SSL certificates via Let’s Encrypt. If your site is not already on HTTPS:

  1. Install the SSL certificate through your host’s control panel
  2. Install the Really Simple SSL plugin or configure your .htaccess to redirect all HTTP traffic to HTTPS
  3. Update your WordPress Address and Site Address URLs to use https:// in Settings > General

Once HTTPS is live, confirm there are no mixed content warnings (HTTP resources loading on an HTTPS page) by checking browser developer tools or running the site through an SSL checker.

7. Back Up Your Site Regularly

Backups are not strictly a “prevention” security measure, but they are your ultimate recovery option if something goes wrong. A compromised site is far less catastrophic when you have a clean backup from yesterday.

Key backup principles:

  • Automate it — manual backups get forgotten
  • Store off-site — backups on the same server as your site can be lost if the server is compromised; use remote storage (Dropbox, Google Drive, S3, or a dedicated backup service)
  • Retain multiple versions — being able to roll back to a point before an attack occurred requires keeping backups from multiple dates
  • Test restores — a backup you have never tested restoring from is an unknown quantity

UpdraftPlus (updraftplus.com) is one of the most widely used free backup plugins, with support for remote storage destinations. For a full walkthrough of backup options and scheduling, our guide on how to back up a WordPress site covers the practical details.

8. Manage User Roles Carefully

WordPress has a defined set of user roles — Administrator, Editor, Author, Contributor, Subscriber — each with different permission levels. Only grant users the minimum access they need to do their job.

Common mistakes:

  • Giving all users Administrator access “to keep things simple”
  • Leaving old user accounts active after someone stops working on the site
  • Using the default admin username, which is the first thing brute-force bots try

Audit your user list periodically. Remove accounts that are no longer needed. If you have an account with the username admin, create a new administrator account with a different username, transfer ownership of any content, and delete the admin account.

9. Change or Protect the Default Login URL

WordPress installs with the admin login at /wp-login.php and /wp-admin/ — the same URL on every WordPress site on the internet. This makes it trivially easy for bots to target your login page without knowing anything specific about your site.

Two approaches:

  • Change the login URL — plugins like WPS Hide Login let you set a custom path (for example, /site-access/). Bots scanning for /wp-login.php will hit a 404 and move on.
  • Add HTTP authentication — password-protect the /wp-admin/ directory at the server level so it requires a username and password before the WordPress login form even loads.

Neither approach is a substitute for strong passwords and 2FA, but they reduce the attack surface and cut down bot traffic noise in your logs.
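The server-level pieces of step 6 (the HTTPS redirect) and step 9 (HTTP authentication in front of the login) as one added example, written for this article rather than taken from the author's site or any plugin. The .htpasswd path, the realm name and the Apache 2.4 directive syntax are assumptions.

```apache
# --- /.htaccess (site root): place ABOVE the "# BEGIN WordPress" block so
# the redirect runs before WordPress's own rewrite rules ---
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Step 6: send every plain-HTTP request to the same URL over HTTPS.
    # %{HTTPS} is "off" for plain HTTP; R=301 lets browsers cache the redirect.
    RewriteCond %{HTTPS} off
    # Caveat: if TLS is terminated by a CDN/proxy in front of the site (for
    # example the Sucuri firewall from step 5), %{HTTPS} stays "off" at the
    # origin and this rule would loop; use this condition instead:
    #   RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Step 9: the login form lives at wp-login.php, outside /wp-admin/, so the
# HTTP-auth prompt has to cover this file as well as the directory.
# Assumed path; keep the .htpasswd file outside the web root.
<Files wp-login.php>
    AuthType Basic
    AuthName "Site administration"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>

# --- /wp-admin/.htaccess ---
AuthType Basic
AuthName "Site administration"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Exception: admin-ajax.php is called from the public front end by many
# themes and plugins (including for logged-out visitors), so it must stay
# reachable without the prompt or those features break. Apache 2.4 syntax.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Create the credentials file with htpasswd -c -B /home/example/.htpasswd USERNAME (drop -c when adding further users), and use a password that is not the WordPress one.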

10. Scan for Malware Regularly

Even with all the above measures in place, periodic malware scanning is good practice. Infections occasionally arrive through supply-chain vulnerabilities in themes or plugins before patches are available.

Both Wordfence and Sucuri include file integrity scanning that compares your WordPress installation against known-good file hashes, flagging unexpected changes. Run a manual scan monthly, and configure automated scanning if your plugin supports it.

If your site is flagged by Google Safe Browsing or shows signs of infection (unexpected redirects, new admin users you did not create, spam pages appearing in search results), check out our guide on common WordPress errors and fixes for diagnostic starting points, and consult Sucuri’s free SiteCheck scanner for a remote assessment.

A Security Checklist

Step                        Free to Implement?       Effort
Keep software updated       Yes                      Low (automate it)
Strong, unique passwords    Yes                      Low
Two-factor authentication   Yes (free plugins)       Low
Limit login attempts        Yes (free plugins)       Low
Security plugin             Yes (free tiers)         Medium
HTTPS / SSL                 Yes (Let’s Encrypt)      Medium
Regular backups             Yes (free plugins)       Low (automate it)
User role audit             Yes                      Low
Change login URL            Yes (free plugins)       Low
Malware scanning            Yes (free plugins)       Low (automate it)

The pattern here is clear: most of these measures cost nothing and require only an initial investment of time to set up. Security is not a one-time event — it requires maintenance — but the maintenance burden once these systems are running is minimal.

Security researchers at Wordfence publish an annual WordPress threat report and regularly document attack patterns. It is useful reading if you want to understand the threat landscape. The Sucuri blog similarly publishes incident investigations and hardening guides.

WordPress is secure software when properly maintained. The sites that get compromised are overwhelmingly those running outdated code or weak credentials — problems you now know how to avoid. Work through this checklist, automate what you can, and revisit it whenever you make significant changes to your site. Your future self will be grateful.

If you are also looking to improve your site’s overall performance and technical foundation, our free WordPress themes are built to be lightweight and up-to-date — a solid starting point for a site that is both fast and secure. Stay up to date with practical tips by joining our newsletter.
