Most WordPress sites are not hacked by sophisticated attackers. They are hacked by automated bots that scan the entire internet for known weaknesses — outdated plugins, weak logins, and default settings. Close those gaps and your site stops being easy prey.

1. Keep WordPress, themes, and plugins updated

The single biggest cause of compromised WordPress sites is outdated software. Enable automatic updates for minor core releases, and review plugin and theme updates weekly. Remove any plugin or theme you no longer use — inactive code can still be exploited.

2. Protect the login page

  • Use strong, unique passwords for every administrator.
  • Enable two-factor authentication (2FA) for all admin accounts.
  • Limit login attempts to block brute-force bots.
  • Never use the username admin; rename it.

3. Reduce your attack surface

Install only plugins you actually need, from reputable sources with recent updates and good support. Every plugin is extra code that can contain vulnerabilities. Fewer, well-maintained plugins are far safer than dozens of abandoned ones.

4. Use reliable hosting and HTTPS

Choose hosting that isolates accounts and provides regular server patching. Make sure your site runs over HTTPS with a valid TLS certificate — most hosts offer free certificates through Let's Encrypt. Redirect all traffic from HTTP to HTTPS.

5. Add security headers

Security headers tell browsers how to behave and block common attacks. At a minimum, configure Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and a Content-Security-Policy. These can be set in your server config or through a security plugin.
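To confirm the headers are actually reaching the browser, here is an added Python example (not from the original post) that audits a captured response for the four headers named above and flags weak values; the sample responses are constructed and `example.com` is a placeholder host.

```python
"""Audit a captured HTTP response for the headers recommended above.
Added example, not from the original post; replace the samples with the
output of `curl -sI https://example.com/` (placeholder host)."""
REQUIRED = {
    "strict-transport-security": "Strict-Transport-Security",
    "x-content-type-options": "X-Content-Type-Options",
    "x-frame-options": "X-Frame-Options",
    "content-security-policy": "Content-Security-Policy",
}
MIN_HSTS_AGE = 15552000  # six months, the usual floor for a meaningful HSTS policy

def parse_headers(raw: str) -> dict:
    """Turn a raw response (status line plus headers) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, sep, num = directive.strip().lower().partition("=")
        if key == "max-age" and sep and num.isdigit():
            return int(num)
    return 0

def audit(raw: str) -> list:
    """Return findings for the response; an empty list means all checks passed."""
    h = parse_headers(raw)
    findings = [f"missing {name}" for key, name in REQUIRED.items() if key not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_AGE}")
    # A missing header is already reported above, so the defaults here pass.
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    return findings

# Constructed sample: a default WordPress response before any hardening.
SAMPLE_BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8"""

# Constructed sample: the same site after the four headers are configured.
SAMPLE_AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'"""
```

Run `audit(SAMPLE_BEFORE)` to see the four missing headers listed, and `audit(SAMPLE_AFTER)` to get an empty list.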

6. Back up — and test the restore

Schedule automatic backups of both files and the database, and store at least one copy off the server. Then actually test restoring a backup. A site you can rebuild in an hour turns a hack from a disaster into an inconvenience.

7. Lock down file permissions and editing

Disable the built-in theme and plugin file editor (DISALLOW_FILE_EDIT) so a compromised admin account cannot inject code directly. Set correct file permissions so the web server cannot write where it should not.

Quick win checklist: updates on, 2FA enabled, unused plugins removed, HTTPS enforced, automatic backups tested, and login attempts limited. That covers the overwhelming majority of WordPress compromises.

Want a professional review?

Our Web Application Security service reviews your WordPress site against the OWASP Top 10, checks your configuration and headers, and gives your team clear remediation notes.
