DEV Community: Calin V.

43 WordPress Security Data Points That Should Change How You Build Sites in 2026

Calin V. — Fri, 17 Apr 2026 05:24:49 +0000

Every year, Patchstack publishes a whitepaper on the state of WordPress security. Every year, the numbers get worse. The 2026 edition dropped on February 25, and the headline numbers are hard to ignore.

This post pulls together 43 verified data points from 18 original research sources into the picture you need if you build, manage, or host WordPress sites. No speculation, no fear marketing, just numbers and what they mean for your workflow.

The full sourced version with inline citations lives on the WP Ghost research page. This is the developer-focused summary.

The Four Numbers That Define WordPress Security Right Now

Before getting into the breakdown, these four stats frame everything that follows:

11,334 new WordPress vulnerabilities recorded in 2025, a 42% increase year-on-year
~13,000 WordPress sites hacked per day, roughly 4.7 million annually
5 hours, the weighted median from vulnerability disclosure to mass exploitation
87.8% of WordPress-specific exploits bypass standard hosting firewalls

If you only remember four numbers from this post, those are the ones.

How Large Is the Attack Surface?

WordPress powers 43.5% of all websites on the internet (Hostinger, 2026). That's not a niche CMS. That's nearly half the web running on the same stack, with the same default paths, the same directory structure, and the same plugin ecosystem.

From an attacker's perspective, the economics are straightforward. Write one scanner, point it at the internet, and nearly every other site you hit is WordPress. The attacks don't need to be clever. They just need to be automated and fast.

Wordfence, the most widely deployed WordPress security plugin, blocks 55 million exploit attempts and over 6.4 billion brute force attacks every single month across its network (TDW Digital, 2025). That's the permanent baseline, not a spike.

Most of those attacks are not targeted. Bots scan millions of sites daily looking for the same fingerprints: a /wp-login.php path, an exposed version number in a meta tag, a plugin signature in the page source. They are not interested in your site specifically. They are interested in any site that looks like a standard WordPress installation.

11,334 Vulnerabilities: Where Are They Coming From?

Patchstack confirmed a record year. Not close to a record. Definitively the worst year on record, by a wide margin.

The growth over three years tells the story:

Year	Vulnerabilities	Change
2023	~5,900	baseline
2024	~7,966	+35%
2025	11,334	+42%

And Q1 2026 is not slowing down. In the first week of January 2026 alone, 333 new vulnerabilities were disclosed, with 120 of them having no patch when they went public (WebHostMost, Mar 2026). The weekly average heading into 2026 is 250+ plugin vulnerabilities per week, roughly 36 per day.

It's Not Core

The WordPress core team found exactly two vulnerabilities in all of 2025 (Patchstack 2026). Two.

The problem is the plugin ecosystem:

91% of vulnerabilities come from plugins
6% from themes
2% from core (those two)

Every plugin you install is a potential entry point. The average WordPress installation runs 20 to 30 plugins. The math is not complicated.

The Severity Jump

Highly exploitable vulnerabilities, the ones attackers weaponize at scale, increased by 113% year-on-year in 2025 (The Repository / Patchstack, Mar 2026). More high-severity CVEs were found in 2025 than in the previous two years combined.

AI-Generated Plugins Are Making It Worse

Patchstack's 2026 report specifically calls out "vibe coding," where developers use LLMs to generate plugin code and ship it without being able to audit what the model wrote. When the person shipping the code can't review it for security problems, vulnerabilities go live silently. This trend is accelerating, not stabilizing.

The 5-Hour Problem

Here is the number from Patchstack's 2026 report that fundamentally changes how you should think about WordPress security:

"The weighted median time to first mass exploitation was five hours."

Patchstack, State of WordPress Security in 2026

Five hours from public disclosure to active mass exploitation.

The traditional advice, "keep your plugins updated," assumes you have time to react. For heavily targeted vulnerabilities, you often don't.

The exploitation timeline breaks down like this:

Window	What happens
0-5 hours	Median first mass exploitation attempt. Automated scanners watch disclosure feeds and deploy exploit code within hours.
Within 6 hours	20% of top-targeted vulnerabilities are actively exploited.
Within 24 hours	45%. By the time most site owners read about it in a newsletter, attacks have been running for a full day.
Within 7 days	70%. Roughly when most people get around to clicking that update notification they've been ignoring.

And what makes the 5-hour window even more dangerous:

46% of vulnerabilities had no patch available at the time of public disclosure (WP Edition / Patchstack, Feb 2026). There is no update to apply. The vulnerability is public, documented, actively scanned for, and the plugin is still broken.

Why? Because 52% of plugin developers do not patch before disclosure (Patchstack via Xictron, 2026). The researcher found the bug, reported it responsibly, waited the standard disclosure window, published, and the developer still hadn't shipped a fix.

Patchstack says it plainly: "Regular plugin updates are the second line of defence, but as attackers weaponize new vulnerabilities within mere hours, this is not a viable defence."

Where Do Hackers Actually Get In?

The vulnerability type distribution for 2025-2026:

Attack Type	Share	Auth Required?
Cross-Site Scripting (XSS)	Dominant (~35-39%)	Often none
Cross-Site Request Forgery (CSRF)	~19%	Existing session
Local File Inclusion (LFI)	~12.6%	Often none
Broken Access Control	~10.9%	Low-privilege
SQL Injection	~7.2%	Often none

XSS dominates because it's easy to introduce in plugin code and notoriously difficult to patch completely.

The critical detail: 57% of vulnerabilities in H1 2025 required no authentication whatsoever (Patchstack Mid-Year 2025). No login needed. No password to steal. Just a vulnerable plugin, installed and active.

What Attackers Leave Behind

Sucuri's data on what's found on compromised WordPress sites (Sucuri via Hostinger, 2026):

72.7% contain active malware
69.6% have unauthorized backdoors, persistent access the attacker can use later
46.7% have SEO spam injected, hidden keyword-stuffed content that triggers Google penalties
8.1% have phishing pages embedded within the site

The 2026 Patchstack and Monarx report adds an important shift: attackers are now injecting code directly into legitimate WordPress core, plugin, and theme files rather than dropping standalone malicious files. The traditional "scan and delete" approach to malware removal misses this entirely (The Repository, Mar 2026).

The Login Page Problem

In 2023, Wordfence blocked over 100 billion credential stuffing attacks from 74 million unique IP addresses. The vast majority targeted the standard /wp-login.php and /wp-admin paths. 81% of hacked WordPress sites involved weak or stolen passwords as a contributing factor (Sucuri and Wordfence via HowToWP).

If your login page is at the default URL, you are absorbing every automated attack that knows where to look.

Why Hosting Firewalls Are Not Enough

Managed WordPress hosting is expensive and comes with security messaging all over the pricing page. Those server-level firewalls are doing something, just not nearly enough.

87.8% of WordPress-specific exploits bypass standard hosting defenses (Patchstack via Xictron, 2026). Standard hosting defenses block only about 26% of WordPress-targeted attacks.

The reason is structural. Network and server firewalls were designed to block broad categories of malicious traffic: DDoS floods, port scans, known malicious IPs. They were not designed to understand the application-specific semantics of a stored XSS vulnerability in version 3.4.1 of a specific WordPress plugin. That requires application-layer intelligence.

Patchstack's 2026 conclusion: "In 2026, everybody needs deep visibility into what their websites are made of and put automated security measures in place to mitigate new security vulnerabilities in less than five hours."

The EU Cyber Resilience Act

By September 2026, all plugin and theme developers distributing software to EU users must have vulnerability disclosure programs in place by law. Whether this will meaningfully reduce the 52% non-patch-before-disclosure rate remains to be seen (Patchstack 2025 Whitepaper).

What Does a WordPress Hack Actually Cost?

The headline figure: $14,500 average total recovery cost for a small business (Colorlib, Xictron 2026).

That includes malware removal, emergency developer time, downtime, lost revenue, and the months of SEO work required to undo injected spam links and Google manual penalties. Against approximately $8/month for active protection, the math is not close.

The Melapress 2025 Security Survey found that 59.2% of WordPress professionals say the biggest impact of getting hacked is the loss of time, not money. The late nights, the emergency calls, the stress of rebuilding something that was working fine yesterday.

A real scenario: A WooCommerce store gets flagged by Google on a Friday afternoon. Malware was redirecting the checkout page to a phishing site. By Monday morning, it's been three days. Google Search Console has a manual penalty notice. PayPal suspended the account. Finding the backdoor, cleaning injected files, restoring backups, requesting Google review: 11 days total. $4,200 in lost orders. $1,200 for emergency cleanup. $5,400 total. The security plugin subscription they had skipped: $96 per year.

Are WordPress Site Owners Actually Prepared?

The Melapress WordPress Security Survey 2025 maps preparation against concern, and the gap is uncomfortable. Site owners rate their concern at 7.8 out of 10 on average. Two-thirds scored it 8 or higher.

And yet:

Only 27% have a breach recovery plan. More than 73% have no documented response to "what do we do when this happens?"
Only 27% implement team security training
Among those who had experienced account compromises, 30% still hadn't implemented any user account security controls
Only 59% use a WordPress activity log to detect suspicious behavior
Web designers and developers, the professionals who build WordPress sites, are the least likely to use automatic updates, at 32% and 33% respectively

There's also an outsourcing gap: 31% of in-house managers have a recovery plan, but only 13% of those relying on third parties do (Melapress, Oct 2025).

If you've outsourced security, ask your provider directly: what is the plan if we get hacked?

What Does the Data Say Actually Works?

The genuinely good news: the overwhelming majority of WordPress hacks are preventable. OsomStudio's 2026 security analysis estimates that basic security hygiene stops more than 90% of attacks (OsomStudio, 2026).

Most attackers are opportunistic. When a site looks harder to target than average, they move on.

Based on the attack data above, effective WordPress hack prevention works in three layers:

Layer 1: Disappear from Scanners

Automated scanners identify WordPress installations by their fingerprints: version numbers in meta tags, the /wp-login.php path, the readme.html file in root, plugin signatures in source code.

Remove those signals and mass-scanning tools can't confirm you are running WordPress. They move on. This is attack surface reduction as a first defense, and it works against every automated scanner that hasn't already fingerprinted your site.

The data supports why this matters: 57% of vulnerabilities require zero authentication, meaning fingerprint detection is the first step in every automated attack chain.

Tools that do this: WP Ghost (full path security, 115+ features in the free version), WPS Hide Login (login path only), or manual rewrite rules if you prefer to roll your own.

Layer 2: Filter at the Application Layer

What hosting firewalls miss (87.8% of it), an application-layer firewall catches:

8G Firewall rules for SQL injection, XSS, file inclusion, directory traversal
Brute force protection + 2FA to address the 81% of hacks involving credential attacks
XML-RPC and REST API restrictions to close attack surfaces most sites don't need open
Geo-blocking to reduce automated attack volume from high-risk regions
Moving the login page off /wp-login.php, since most automated credential attacks target that path specifically

Tools: WP Ghost (built-in 7G/8G firewall, 2FA with passkeys), Wordfence (endpoint firewall + scanner), Sucuri (cloud WAF), or a combination.

Layer 3: Monitor and Detect

Activity logging, file integrity monitoring, and anomaly alerts are the difference between catching a compromise in hour one and discovering it three months later when Google sends a penalty notice. Given that 69.6% of hacked sites contain unauthorized backdoors, detection speed directly affects total recovery cost.

Tools: WP Ghost Security Threats Log (Premium), Wordfence live traffic, Sucuri audit log, or WP Activity Log.

Three Things You Can Do This Week

If this wall of stats is overwhelming, start here:

1. Audit your plugins

List every plugin on your site. For each one: is it actively maintained? When was the last update? Does your site actually need it? Remove anything unused. Every inactive plugin is an attack surface with zero upside.

2. Check your login URL

If your login page is still at /wp-login.php or /wp-admin, every automated brute-force campaign knows exactly where to hit. Changing the login path takes about two minutes and removes your site from most credential-stuffing campaigns immediately.

3. Write a one-page recovery plan

Answer: who do I call, what do I check first, where are my backups, how do I put the site in maintenance mode? The 73% without a plan make recovery take 3-4x longer, not because they are less capable, but because they are making decisions under stress without a framework.

Summary

According to data compiled from 18 original research sources:

11,334 new WordPress vulnerabilities in 2025, the highest ever, a 42% increase year-on-year (Patchstack, Feb 2026)
~13,000 WordPress sites hacked per day, totaling 4.7 million annually (WPMayor via Sophos)
5 hours median from disclosure to mass exploitation, with 46% of vulnerabilities having no patch at the time of disclosure (Patchstack 2026)
87.8% of WordPress-specific exploits bypass hosting firewalls (Patchstack via Xictron 2026)
$14,500 average recovery cost for a small business, versus approximately $8/month for proactive protection (Colorlib, Xictron 2026)
~90% of attacks are preventable through basic security hygiene (OsomStudio 2026)

The full version with all 43 data points and inline source citations: WordPress Security Statistics 2025-2026

Data sourced from Patchstack 2026 Whitepaper, Patchstack Mid-Year 2025, Wordfence, Sucuri, Melapress 2025 Security Survey, OsomStudio 2026, Hostinger, WPMayor/Sophos, Colorlib, Xictron 2026, TDW Digital 2025, WebHostMost 2026, WP Edition, The Repository/Patchstack, and HowToWP. All numbers verified as of April 2026.

The Real Cost of 1 Hour of WordPress Downtime (It's More Than You Think)

Calin V. — Thu, 09 Apr 2026 13:00:00 +0000

Most WordPress site owners think about downtime the wrong way.

They imagine the damage ending the moment the site comes back online. It doesn't.

The real cost keeps running, in lost sales, developer invoices, search rankings, and customer trust, long after the page loads again.

Here's what one hour of WordPress downtime actually costs, broken down into the four categories that matter.

💸 1. Lost Sales - The Clock Starts Immediately

The moment your site goes down, revenue stops. Every minute a visitor can't reach your store or service page is a potential customer who just went somewhere else.

Atlassian's incident management benchmarks put the cost-per-minute at $427 for small businesses, which adds up to roughly $25,000 over a single hour.

For mid-size businesses, it gets worse. According to a 2024 ITIC survey reported by Shopify, the average cost of one hour of downtime for 90% of midsize and large businesses exceeds $300,000.

Even if your site generates $10,000/month, that's roughly $14 in lost revenue every single minute your site is down, during business hours.

And here's the detail most people miss: if the downtime happens during a product launch, a sale event, or while a paid ad campaign is running, that number multiplies fast.

👨‍💻 2. Developer Fees - The Bill That Arrives After

When a WordPress site goes down due to a hack or security breach, you can't just refresh the page and move on. Someone has to diagnose the problem, clean it up, and close the vulnerability that caused it.

That someone charges by the hour.

According to WPNearMe's 2026 WordPress developer rate analysis, hack recovery and security hardening work sits at the higher end of the $15–$200+/hr range for US-based developers.

And cleanup costs? According to devverx.us, remediation after a security compromise typically runs $1,000–$5,000+ in developer time, plus whatever SEO damage occurred if Google flagged the site as malicious.

That's assuming you catch it quickly and hire someone who does it right the first time.

The reality is messier. As WhatArmy documents, developers often remove visible malicious code without addressing the root vulnerability, and the site gets hacked again a week later, restarting the entire cycle.

📉 3. SEO Hit - The Damage That Outlasts the Downtime

This is the cost most site owners don't see coming. And it's the one that stings longest.

When a site is hacked and starts serving malware, displaying spam pages, or silently redirecting visitors, Google notices. Fast.

What Google actually does

If your site is flagged, users may see a "Deceptive site ahead" warning directly in Chrome before they even reach your site. That's not a minor inconvenience; it's a hard stop for every visitor.

According to Google's own documentation on hacked sites, recovering from a manual penalty can take weeks to months, even after a full cleanup.

The traffic math

A study cited by Moz found that websites with roughly 8.76 hours of annual downtime, the equivalent of 99.9% uptime, can lose up to 20% of organic search traffic.

More severe hacks can result in 50–80% organic traffic loss during the recovery window, as documented by Snazzy Solutions.

The recovery timeline

Per Search Engine Land's penalty guide and multiple SEO sources: recovery from a Google penalty after a hack typically takes 3–6 months, if it recovers at all.

While your rankings are depressed, competitors are capturing the traffic that would have been yours. Some of that audience never comes back.

🤝 4. Loss of Trust - The Cost You Can't Put on an Invoice

Trust is the hardest thing to rebuild after a site goes down, especially when the cause was a hack.

77% of consumers abandon retailers after encountering site errors, according to data cited by Site Qwality's 2025 downtime analysis. Not 77% who complain. 77% who quietly leave and don't come back.

After a downtime or security incident:

Customer acquisition costs rise 15–25%, customers become more skeptical and require more convincing to convert
Conversion rates drop 10–20% in the weeks following the incident
Paid advertising spend often needs to increase 30–50% to compensate for reduced organic traffic and lower conversion rates

(Source: Lagnis downtime cost analysis, 2025)

For agencies managing client sites, the damage goes further: a hacked client site can cost you the relationship entirely, and every referral that client would have sent you. That doesn't show up in any report, but it's very real.

The Full Picture: 1 Hour of WordPress Downtime

Cost Category	Estimated Impact
Lost revenue (1 hour, SMB)	$1,500 – $25,000+
Developer cleanup fees	$1,000 – $5,000+
SEO traffic loss	20–80% organic drop (3–6 months recovery)
Customer trust & conversion loss	15–25% higher acquisition costs
Combined real-world impact	$5,000 – $50,000+

And that's assuming the breach is caught within the hour. Most aren't.

According to ITIC's 2024 Hourly Cost of Downtime Report (cited by EnComputers), 84% of firms cite security as their number one cause of unplanned downtime, and many infections sit undetected for days or weeks.

The Prevention Math Is Simple

Ongoing WordPress security and maintenance typically costs $30–$200/month depending on the level of service.

Compare that to the $5,000–$50,000+ total impact of a single security breach.

This is the core argument behind proactive hack prevention: don't wait for the break-in and then clean up, make the site hard enough to target that bots move on before the attack begins.

A plugin like WP Ghost (Hide My WP Ghost) is built specifically around this logic. Instead of scanning for damage after a breach, it prevents attacks from reaching your site in the first place by:

Hiding the default WordPress paths bots use to fingerprint your CMS (/wp-admin, /wp-login.php, plugin paths)
Blocking malicious traffic with an 8G firewall before it reaches PHP
Enforcing 2FA and brute force protection before an attacker gets near your login
Blocking AI crawlers and scrapers with firewall-level user-agent rules

The plugin's own track record, documented in their knowledge base: in more than 10 years, not a single reported breach on sites that had WP Ghost correctly configured with its core protections active.

The Quick Self-Assessment

Want to know your specific number? Run this calculation:

Monthly revenue ÷ 720 hours = hourly revenue at risk
Hourly revenue × realistic downtime hours = immediate revenue loss
Add: $1,000–$5,000 developer fees
Add: 3–6 months of depressed organic traffic
Add: 15–25% increase in customer acquisition costs

For most businesses, even small ones, the number is uncomfortable.

The question isn't whether you can afford to invest in security. It's whether you can afford not to.

Sources:

How to Stop AI Bots from Stealing Your WordPress Content

Calin V. — Tue, 07 Apr 2026 10:09:58 +0000

You published a 2,000-word guide last month. Took you a full day to research and write. It ranks on Google, drives leads to your business, and brings in real readers.

Now imagine an AI model reading that entire guide, absorbing every word, and serving up a polished summary the next time someone asks a related question. The user gets the answer. You get nothing — no click, no visit, no credit.

That's not a hypothetical. It's happening at scale, right now, on WordPress sites exactly like yours.

The good news? There are technically enforced ways to stop it. Here's what actually works — and what doesn't.

First, Understand Who's at the Door

AI companies deploy automated bots to crawl the public web and collect text for training their large language models. The mechanics work exactly like a search engine crawler — except the destination is different. Instead of building an index that sends people to your site, AI training bots harvest your content to build models that answer questions without sending anyone anywhere.

Many of these bots are transparent about what they are. OpenAI uses GPTBot for model training, OAI-SearchBot for search, and ChatGPT-User for direct user requests. Anthropic has ClaudeBot. Google has Google-Extended. Perplexity has PerplexityBot. ByteDance has Bytespider. The list keeps growing.

The reaction from website owners has been swift:

🚫 ~5.6 million websites now block GPTBot — up from 3.3 million in July 2025 (nearly +70%)
🚫 ClaudeBot is blocked on ~5.8 million websites, up from 3.2 million in the same period

(Source: The Register, December 2025)

The reason is straightforward: search crawlers send traffic back to your site in exchange for content. AI training crawlers use that same content to answer questions directly inside their own apps, with far less traffic returned to you.

Why Most Site Owners Start with the Wrong Tool

The first instinct is robots.txt — add a few Disallow lines and call it done. Every SEO plugin makes this easy, and yes, you should do it.

But here's the reality: robots.txt has never been a technical barrier. It's a convention.

The Robots Exclusion Protocol is purely advisory and relies on the web robot's own compliance — it cannot enforce anything. This was confirmed legally in Ziff Davis v. OpenAI (S.D.N.Y. 2025), where the court ruled that robots.txt doesn't qualify as a "technological measure that effectively controls access" to copyrighted works — it's more like a sign than a lock.

The compliance gap is measurable. According to a Tollbit industry report:

Q4 2024: 3.3% of AI bot requests ignored robots.txt
Q2 2025: 13.26% of AI bot requests ignored robots.txt

Even Cloudflare's own documentation is direct about it:

"Respecting robots.txt is voluntary... Some crawler operators may disregard your robots.txt preferences and crawl your content regardless."

robots.txt is worth doing. But it should be the floor, not the ceiling.

What Actually Enforces the Block

The only reliable protection is blocking AI bots at the technical level — before they reach your content. That means firewall-level enforcement based on the bot's user-agent string.

Here's the logic: most legitimate AI crawlers identify themselves openly in their user-agent header. GPTBot says it's GPTBot. ClaudeBot says it's ClaudeBot. A properly configured firewall can intercept those requests and deny them before WordPress even loads — no content served, no server resources wasted, no data harvested.

How WP Ghost Handles This

WP Ghost is primarily known as a WordPress hack-prevention plugin — it hides your /wp-admin path, runs an 8G firewall, and makes your site harder for automated scanners to fingerprint. But the same firewall infrastructure that blocks malicious bots also handles AI crawlers through its Block by User Agent feature.

Here's the path:

WP Ghost > Firewall > Blacklist > Block User Agents

When you add a bot's user-agent string there, two things happen simultaneously:

The request is blocked at the firewall level
A Disallow rule is automatically added to your robots.txt

Hard block + policy signal. One action.

What's in the Free vs. Premium Version?

Free version — includes Block by User Agent. You can paste in AI bot strings manually and get real enforcement immediately. No upgrade required.

The full 2026 AI bot list from WP Ghost's official documentation includes:

AI2Bot, Amazonbot, AnthropicBot, anthropic-ai, Applebot-Extended,
Bytespider, CCBot, ChatGPT-Operator, ChatGPT-User, Claude-Code,
ClaudeBot, cohere-ai, DeepSeekBot, DuckAssistBot, Google-Extended,
GPTBot, GrokBot, img2dataset, Meta-externalagent, MistralAI-User,
OAI-SearchBot, PerplexityBot, Perplexity-User, YouBot...

Free users can paste this list in manually and get the full block.

Premium version — adds a dedicated AI Copyright Protection feature that loads and applies the complete, maintained list automatically. New crawlers are added with each plugin release. If you don't want to track a moving target yourself, this is where the value is.

⚠️ Important: When WP Ghost's firewall is active, legitimate search engine bots (Googlebot, Bingbot, Yandex) are automatically whitelisted. Your SEO stays completely intact.

Other Options Worth Knowing

Your SEO Plugin (Yoast, Rank Math, etc.)

Every major SEO plugin lets you edit your robots.txt. Do this first — it's free and takes five minutes. OpenAI's own documentation tells publishers to disallow GPTBot from sites they want excluded from AI training. At minimum, add rules for:

User-agent: GPTBot
Disallow: /
User-agent: ClaudeBot
Disallow: /
User-agent: CCBot
Disallow: /
User-agent: Google-Extended
Disallow: /
User-agent: PerplexityBot
Disallow: /
User-agent: Bytespider
Disallow: /

Understand what this is and isn't: a policy signal for compliant bots, not a technical barrier for non-compliant ones.

Cloudflare Bot Management

Cloudflare sits in front of your server at the infrastructure level and can block bots before traffic ever hits your hosting. In 2025, they launched a managed robots.txt service and a Pay per Crawl feature for publishers. Powerful — but requires technical familiarity and sits behind paid tiers. Overkill for most individual WordPress site owners starting from scratch.

Content Gating (MemberPress, Paid Memberships Pro)

The most technically airtight method: content behind a login wall can't be scraped by bots that can't authenticate. The obvious trade-off — it removes that content from public search indexing entirely. Not the right fit for blogs or content marketing sites that depend on organic traffic.

The Realistic Comparison

Approach	Technically Enforced	Bot List Maintained	SEO Impact	Effort
WP Ghost Free (manual)	✅ Yes	❌ Manual	None	Low
WP Ghost Premium (auto)	✅ Yes	✅ Auto-updated	None	Minimal
robots.txt only	❌ Advisory	❌ Manual	None	Very low
Cloudflare Bot Management	✅ Yes	✅ Managed	None	High
Content gating	✅ Yes	N/A	Removes from search	Medium

What to Do Right Now — In Order

Step 1 (5 minutes, free)
Open your SEO plugin and add Disallow rules for the major AI bots in your robots.txt. Handles the compliant ones immediately.

Step 2 (10 minutes, free)
If you have WP Ghost installed (free version is enough), go to:

WP Ghost > Firewall > Blacklist > Block User Agents

Paste in the AI bot user-agent list from WP Ghost's documentation. You now have firewall-level enforcement + automatic robots.txt coverage. No upgrade needed.

Step 3 — Check your logs
Search your server access logs for strings like GPTBot or ClaudeBot. Most site owners are surprised by how frequently these appear — and how long they've been visiting.

Step 4 (optional)
If maintaining the AI bot list yourself feels like a recurring task — and it will grow as new AI companies launch crawlers — WP Ghost Premium's AI Copyright Protection feature keeps the list current automatically with every plugin release.

One Thing No Tool Can Fully Solve

Newer AI browsers and developer tools are increasingly indistinguishable from regular human traffic in server logs. That's an evolving challenge no plugin has a complete answer for today.

Legal frameworks around AI scraping and copyright are still developing, with multiple lawsuits active in 2025–2026 involving OpenAI, Anthropic, Perplexity, and others.

What you can control today is making your site a harder target than the next one. robots.txt is the "no trespassing" sign. A firewall-level block is the locked door. Both matter — but only one of them actually keeps anyone out.

For WordPress site owners, that locked door is available right now, in the free version of a plugin that also handles the rest of your site's security at the same time.

Have you checked your server logs for AI crawler activity? Most site owners are surprised by what's already in there.

Resources mentioned:

How to Stop WordPress Brute Force Attacks: 5 Proven Methods

Calin V. — Thu, 19 Mar 2026 21:05:20 +0000

Quick Answer: To stop WordPress brute force attacks, implement login attempt limits, enable two-factor authentication, secure your login path, use strong passwords, and deploy firewall protection. These five methods work together to prevent 99% of automated login attacks.

After years of securing WordPress sites, I have seen brute force attacks evolve from simple password guessing to sophisticated bot networks. The good news? The defense strategies have evolved too.

WordPress powers ~43% of the web, making it a prime target for attackers. According to recent security reports, 90%+ of CMS-targeted attacks hit WordPress sites. But here is what most site owners miss: brute force attacks are completely preventable when you implement the right combination of security measures.

In this guide, I will show you exactly how to stop WordPress brute force attacks using five proven methods that I have tested on hundreds of client sites.

What Are WordPress Brute Force Attacks?

A brute force attack is an automated attempt to gain access to your WordPress admin area by systematically trying different username and password combinations.

These attacks typically target the default WordPress login page at /wp-admin or /wp-login.php. Attackers use specialized software to send thousands of login attempts per hour, hoping to crack weak credentials.

The most common brute force attack patterns I see include:

Dictionary attacks using common passwords like "password123" or "admin"
Credential stuffing with leaked username/password combinations
Targeted attacks against known admin usernames
Distributed attacks from multiple IP addresses

What makes these attacks particularly dangerous is their persistence. Bots will continue hammering your login page 24/7 until they either succeed or are blocked.

Why WordPress Sites Are Targeted for Brute Force Attacks

WordPress sites face unique vulnerabilities that make them attractive targets for brute force attacks.

The standardized login structure means attackers know exactly where to find your login page. Every WordPress site uses the same default paths: /wp-admin for the dashboard and /wp-login.php for authentication.

Common WordPress weaknesses include:

Predictable admin usernames (admin, administrator, site name)
Default login URLs that never change
No built-in login attempt limits
Weak password requirements
Exposed user enumeration through author pages and REST API

I have analyzed attack logs from hundreds of WordPress sites. The pattern is always the same: bots scan for WordPress installations, then immediately target the standard login endpoints.

Method 1: Implement Login Attempt Limits

Login attempt limiting is your first line of defense against brute force attacks. By restricting failed login attempts, you stop automated bots from continuously guessing passwords.

WordPress does not include built-in login limits, so you need to add this protection through a security plugin or custom code.

Here is how to set up effective login limits:

Configure Login Attempt Rules and set these baseline limits on every WordPress site:

Maximum 3-5 failed attempts per IP address
15-30 minute lockout duration for first offense
Progressive lockout times (1 hour, 24 hours) for repeat offenders
Permanent IP blocking after multiple lockout periods

Most security plugins offer login attempt limiting. Wordfence, for example, includes brute force protection that automatically blocks IP addresses after repeated failed login attempts.

Monitor and Adjust Settings

I recommend starting with conservative settings and adjusting based on your site's legitimate traffic patterns. E-commerce sites may need slightly higher limits to account for customers who forget passwords.

Track these metrics to optimize your login limits:

Number of blocked IP addresses per day
False positive rate (legitimate users getting blocked)
Geographic patterns in blocked attempts
Peak attack times and frequencies

Method 2: Enable Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step that makes brute force attacks nearly impossible to succeed, even with correct passwords.

Modern 2FA methods provide multiple options for user convenience while maintaining security. The most effective approaches include authenticator apps, email codes, and biometric authentication.

Choose the Right 2FA Method

Different 2FA methods offer varying levels of security and user experience:

Authenticator apps: Generate time-based codes (Google Authenticator, Authy)
Email codes: Send verification codes to registered email addresses
SMS codes: Text message verification (less secure, avoid if possible)
Biometric authentication: Face ID, Touch ID, Windows Hello
Hardware security keys: Physical FIDO2/WebAuthn devices

WP Ghost includes comprehensive 2FA support with all major methods, including cutting-edge passkey authentication using Face ID, Touch ID, and hardware security keys.

Implement 2FA Correctly

Follow these best practices when deploying 2FA:

Require 2FA for all administrator accounts
Allow users to choose their preferred 2FA method
Provide backup authentication options
Test the recovery process before going live
Generate backup codes for emergency access

The key is making 2FA mandatory for privileged accounts while keeping it user-friendly for regular users.

Method 3: Secure Your Login Path

Securing your WordPress login path is one of the most effective ways to stop brute force attacks before they start. This approach reduces your attack surface by making it harder for bots to find your login page.

This is not security through obscurity. It is attack surface reduction — the same principle behind disabling unused ports, removing default admin accounts, and network segmentation.

Change Default Login URLs

The default WordPress login URLs (/wp-admin and /wp-login.php) are known to every attacker. By securing these paths, you eliminate the majority of automated attacks.

WP Ghost excels at path security, allowing you to change and secure multiple WordPress endpoints:

Admin dashboard path
Login page URL
Lost password page
Registration page
Author pages
Admin-ajax endpoint

The plugin uses WordPress rewrite rules and filters to implement these changes without modifying core files, ensuring compatibility and security.

Implement Additional Path Protections

Beyond changing login URLs, you can secure other WordPress paths that reveal information to attackers:

Hide wp-content, wp-includes, and plugin directories
Secure theme and upload folders
Protect WordPress REST API endpoints
Block access to sensitive files like wp-config.php

These protections work together to create a comprehensive defense against reconnaissance and direct attacks.

Method 4: Use Strong Password Policies

Strong passwords remain a critical defense against brute force attacks. Even with other security measures in place, weak passwords can be cracked through dictionary attacks or credential stuffing.

WordPress includes a basic password strength meter, but it does not enforce minimum requirements. You need to implement proper password policies to ensure all users maintain secure credentials.

Establish Password Requirements

Set these minimum password standards:

At least 12-16 characters in length
Mix of uppercase and lowercase letters
Include numbers and special characters
Avoid dictionary words and personal information
No reuse of previous passwords
Regular password rotation for admin accounts

Consider using passphrases instead of complex passwords. A phrase like "Coffee$Morning&Sunshine2024" is both secure and memorable.

Encourage Password Managers

Password managers solve the usability problem of strong passwords. They generate unique, complex passwords for each account and store them securely.

Recommend these password managers to your users:

1Password
Bitwarden
LastPass
Dashlane

Many modern browsers also include built-in password generation and storage features.

Method 5: Deploy Firewall Protection

A web application firewall (WAF) provides real-time protection against brute force attacks and other malicious traffic. It analyzes incoming requests and blocks suspicious activity before it reaches your WordPress site.

Effective firewall protection operates at multiple levels: network, application, and WordPress-specific rules.

Choose the Right Firewall Solution

WordPress security plugins offer different firewall approaches:

Cloud-based WAF: Filters traffic before it hits your server (Cloudflare, Sucuri)
Server-level firewall: Protects at the hosting level
Plugin-based firewall: WordPress-specific protection

WP Ghost includes the 8G firewall rules, originally created by Jeff Starr. These rules block SQL injection, XSS, script injection, file inclusion, directory traversal, and automated vulnerability scans.

Configure Firewall Rules

Optimize your firewall settings for brute force protection:

Block requests from known malicious IP ranges
Rate limit login attempts per IP address
Filter requests with suspicious user agents
Block common attack patterns and payloads
Whitelist trusted IP addresses

The most effective approach combines multiple firewall layers. Use a cloud WAF for DDoS protection, server-level rules for basic filtering, and WordPress-specific protection for application-layer attacks.

Comprehensive Security: Combining All Methods

The most secure WordPress sites use all five methods together. Each layer provides protection against different attack vectors and failure modes.

Implementation Priority

If you can only implement some methods immediately, prioritize them in this order:

Enable login attempt limits (immediate impact)
Secure login paths (prevents most bot attacks)
Deploy firewall protection (blocks multiple attack types)
Implement 2FA for admin accounts (strongest authentication)
Enforce strong password policies (long-term security)

How WP Ghost Provides Complete Brute Force Protection

WP Ghost offers an integrated solution that addresses all five methods in a single plugin. Rather than managing multiple security tools, you get comprehensive brute force protection with simplified configuration.

The plugin's approach to brute force prevention includes:

Advanced Login Protection: Limits attempts on login, lost password, signup, and comment forms with math reCAPTCHA and Google reCAPTCHA v2/v3
Complete Path Security: Changes and secures all major WordPress endpoints including wp-admin, wp-login.php, wp-content, and API endpoints
Integrated 2FA: Supports authenticator apps, email codes, and cutting-edge passkey authentication with Face ID, Touch ID, and hardware security keys
8G Firewall Rules: Blocks SQL injection, XSS, and automated vulnerability scans
IP Management: Automatic blacklisting of repeat offenders with whitelist overrides

The verified results speak for themselves: sites with properly configured WP Ghost see a huge drop in attacks.

WP Ghost works alongside other security plugins like Wordfence, Sucuri, and Solid Security. It does not replace malware scanning or cleanup tools; it prevents attacks from succeeding in the first place.

Monitoring and Maintaining Your Defenses

Implementing brute force protection is not a set-and-forget solution. You need ongoing monitoring to ensure your defenses remain effective as attack methods evolve.

Key metrics to track include:

Number of blocked login attempts per day
Geographic sources of attacks
Most targeted usernames
Attack pattern changes over time
False positive rates on legitimate users
Regular Security Maintenance

Perform these maintenance tasks monthly:

Review blocked IP lists and remove outdated entries
Analyze attack logs for new patterns
Test 2FA backup methods and recovery procedures
Update firewall rules based on new threat intelligence
Audit user accounts and remove unused credentials

Security monitoring tools in WP Ghost Premium provide detailed attack logs and email alerts, making it easier to track and respond to threats.

Common Mistakes to Avoid

I have seen these mistakes compromise otherwise secure WordPress sites:

Relying on a single protection method: Layered security is essential
Setting login limits too high: Allows too many attack attempts
Using SMS for 2FA: Vulnerable to SIM swapping attacks
Ignoring user enumeration: Attackers can still discover usernames
Not monitoring security logs: Miss signs of successful attacks

The biggest mistake is assuming that WordPress security plugins conflict with each other. The best security setups combine multiple tools that complement each other's strengths.

Conclusion

Stopping WordPress brute force attacks requires a comprehensive approach that addresses multiple attack vectors. The five proven methods: login limits, 2FA, path security, strong passwords, and firewall protection, work together to create an impenetrable defense.

I have implemented these strategies on hundreds of WordPress sites over the past two decades. The sites that follow this complete approach simply do not get compromised by brute force attacks.

Start with the highest-impact protections: enable login attempt limits and secure your login paths. Then add 2FA for admin accounts and deploy comprehensive firewall rules. Finally, enforce strong password policies across all user accounts.

Remember that security is an ongoing process, not a one-time setup. Monitor your defenses, update your protections, and stay informed about new attack methods.

For the most comprehensive protection, consider WP Ghost as your primary prevention layer, working alongside scanning and cleanup tools like Wordfence or Sucuri. This combination provides both prevention and detection, ensuring your WordPress site remains secure against current and future threats.

Q1: How effective are login attempt limits against brute force attacks?
A1: Login attempt limits are highly effective, blocking 90%+ of automated brute force attempts. Combined with progressive lockout times, they stop persistent attacks while minimizing impact on legitimate users.

Q2: Is two-factor authentication necessary if I have strong passwords?
A2: Yes, 2FA is essential even with strong passwords. It protects against credential stuffing attacks using leaked passwords from other sites, and provides backup protection if passwords are compromised through other means.

Q3: Does changing login URLs really improve security?
A3: Absolutely. Securing login paths through attack surface reduction eliminates 99% of automated bot attacks that target default WordPress URLs. This is not security through obscurity — it is the same principle used in network segmentation and server hardening.

Q4: Can I use multiple WordPress security plugins together?
A4: Yes, the best security setups combine multiple plugins that complement each other. Use WP Ghost for prevention and path security, alongside Wordfence or Sucuri for malware scanning and cleanup. They work together, not against each other.

Q5: What is the most important brute force protection to implement first?
A5: Start with login attempt limits for immediate impact, then secure your login paths to prevent bots from finding your login page. These two methods together stop the vast majority of brute force attacks.

Q6: How do I know if my WordPress site is under brute force attack?
A6: Signs include unusual server load, multiple failed login notifications, blocked IP addresses in security logs, and slow admin performance. Security plugins with monitoring features will alert you to ongoing attacks."

How to Fix a Hacked WordPress Website: Complete Recovery Guide

Calin V. — Tue, 17 Mar 2026 16:17:33 +0000

Quick Answer: To fix a hacked WordPress website, immediately change all passwords, scan for malware, remove malicious files, restore from a clean backup if needed, update everything, and implement prevention measures like WP Ghost to hide vulnerable paths from future attackers.

I have cleaned hundreds of hacked WordPress sites over the past 20 years. The process is always urgent, often stressful, and sometimes devastating for business owners who lose weeks of content or customer data.

But here's what I've learned: most WordPress hacks follow predictable patterns, and the recovery process, while time-sensitive, is methodical and manageable if you know the right steps.

This guide will walk you through exactly how to fix a hacked WordPress website, from immediate damage control to long-term prevention strategies that actually work.

How to Tell if Your WordPress Site is Actually Hacked
Before you panic, confirm the hack. I've seen site owners waste days "cleaning" false positives while real malware sits undetected.

The most reliable signs include:

Google warnings: "This site may be hacked" or "Deceptive site ahead" messages
Unexpected redirects: Your site sends visitors to spam, adult, or pharmaceutical sites
Unknown admin users: New administrator accounts you didn't create
Suspicious files: PHP files with random names in uploads folders or root directories
Performance issues: Sudden slowdowns from cryptocurrency mining scripts
Hosting alerts: Your web host suspends your account for malware distribution

Check your site in an incognito browser window. Malware often shows different content to logged-in users versus visitors.

If you see any of these signs, proceed immediately to containment.

Step 1: Immediate Damage Control and Site Isolation

Time is critical. Every minute your hacked site stays online, it can infect visitors, damage your reputation, and spread malware to other sites on your server.

Put your site in maintenance mode:

Install a maintenance mode plugin if you can access wp-admin, or add this to your .htaccess file:

RewriteRule ^(.*)$ /maintenance.html [R=503,L]

Create a simple maintenance.html page explaining temporary downtime

Document everything:

Take screenshots of error messages and suspicious content
Note when you first noticed issues
List any recent changes (plugins, themes, passwords)
Check other sites on your hosting account: If you have multiple WordPress installations, scan them all. Hackers often use one compromised site to attack others on the same server.

Do not delete files randomly at this stage. You need to understand what happened before you start removing evidence.

Step 2: Secure Your Access Points

Change every password immediately. I mean every single one.

WordPress admin passwords: Change passwords for all user accounts, especially administrators. Use a password manager to generate unique 20+ character passwords.

Hosting account credentials: Update your cPanel, FTP, and database passwords. Hackers often steal these to maintain persistent access.

Database passwords: Change your MySQL database password and update wp-config.php accordingly.

FTP/SFTP credentials: Generate new passwords for all file transfer accounts.

Here's a critical mistake I see: people change their WordPress admin password but forget about FTP access. Hackers use FTP to re-upload malware even after you clean the site.

After changing passwords, log out of all devices and clear any "remember me" sessions.

Step 3: Scan for Malware and Backdoors

Now comes the detective work. You need to find every piece of malicious code before you can remove it.

Use multiple scanning tools:

Wordfence: Install the free version and run a deep scan. It catches most common malware signatures.
Sucuri SiteCheck: Free online scanner that checks your site from the outside
MalCare or Solid Security: Alternative scanners that might catch what others miss
Manual file inspection: Scanners miss sophisticated backdoors.

Check these locations manually:

wp-content/uploads/: Look for PHP files (they shouldn't be there)
Root directory: Check for files with random names or recent modification dates
wp-includes/ and wp-admin/: Compare file sizes to fresh WordPress downloads
Active theme folder: Look for suspicious PHP code injected into template files
Check your .htaccess file: Hackers often add redirect rules here. Compare it to a backup or fresh WordPress .htaccess.
Database inspection: Malware hides in the database too.

Check:

wp_posts table for spam content
wp_options table for malicious auto-loading scripts
wp_users table for unauthorized admin accounts

Document every malicious file and database entry you find. You'll need this list for the cleaning phase.

How to Remove Malware from WordPress Files

This is where most people make dangerous mistakes. Deleting the wrong files can break your site permanently.

Create a backup first: Even of your infected site. You might need to reference original content later.

Start with obvious malware:

Delete any PHP files in wp-content/uploads/
Remove files with suspicious names (common patterns: wp-config-tmp.php, wp-admin.php, index2.php)
Delete any files created after your last known-good backup date

Clean infected core files: Instead of trying to clean individual WordPress core files, replace the entire wp-admin and wp-includes directories.

Download fresh WordPress from wordpress.org
Delete your wp-admin and wp-includes folders
Upload the clean versions from the fresh download
Replace wp-config-sample.php (but keep your wp-config.php)

Theme and plugin cleaning: This is trickier because you need to preserve customizations.

Deactivate all plugins and switch to a default theme
Delete and reinstall plugins from the WordPress repository
For custom themes, compare infected files to clean backups line by line
Look for base64_decode, eval(), and gzinflate() functions — common in malware

Database cleaning: Use phpMyAdmin or a database tool to:

Delete unauthorized admin users
Remove spam posts and comments
Clean malicious entries from wp_options (especially auto-loading scripts)

Test your site after each major cleaning step. If something breaks, you'll know exactly what caused it.

When to Restore from Backup vs. Manual Cleanup

This decision can save you hours of work, or cost you weeks of content.

Restore from backup when:

You have a recent clean backup (within days of the hack)
The infection is widespread across multiple themes and plugins
You find database corruption or extensive spam content
Manual cleaning would take longer than recreating recent content

Manual cleanup when:

Your last clean backup is weeks or months old
The malware is limited to a few specific files
You've made significant content or configuration changes since your last backup
You need to preserve recent customer data or orders

If you choose to restore:

Verify the backup is actually clean by scanning it first
Document any content created since the backup date
Restore to a staging environment first to test
Manually recreate critical recent changes

I typically recommend the "hybrid approach": restore core WordPress and plugins from backup, but manually recreate recent posts and configuration changes. This gives you the security of a clean installation while preserving important content.

Update Everything After Cleaning

Hackers exploit outdated software. After cleaning, update immediately, before bringing your site back online.

WordPress core: Update to the latest version through the dashboard or by uploading fresh files.

All plugins: Update every single plugin. Delete any you're not actively using.

Active theme: Update your theme, but back up customizations first.

PHP version: Check with your host about updating to the latest supported PHP version. Old PHP versions have known security vulnerabilities.

Server software: If you manage your own server, update Apache/Nginx, MySQL, and all server components.

This is also the perfect time to audit your plugins. I see sites with 50+ plugins where half are inactive or redundant. Each plugin is a potential attack vector.

Keep only plugins you actually need and trust. Research any unfamiliar plugins, some are abandoned or have known security issues.

How WP Ghost Prevents Future Attacks

Cleaning a hacked site addresses the symptoms, but prevention addresses the cause. This is where WP Ghost becomes essential to your security strategy.

WP Ghost is a hack-prevention WordPress plugin that reduces your attack surface by changing and securing default WordPress paths. Instead of cleaning up after attacks, it prevents them from succeeding in the first place.

Path security: WP Ghost changes your wp-admin, wp-login.php, wp-content, and other default paths that hackers target. When automated attacks hit /wp-admin, they find nothing — because your admin area is now at a custom URL only you know.
8G Firewall integration: The plugin includes Jeff Starr's 8G firewall rules, blocking SQL injection, XSS, script injection, and other common attack vectors before they reach your WordPress code.
Brute force protection: WP Ghost protects login attempts with math reCAPTCHA, Google reCAPTCHA, or passkey authentication (Face ID, Touch ID, hardware security keys). It automatically blocks IPs after repeated malicious behavior.
Security headers: The plugin adds modern security headers like Content-Security-Policy and Strict-Transport-Security that protect against clickjacking, code injection, and man-in-the-middle attacks.

It works alongside scanning plugins like Wordfence, they handle detection and cleanup, while WP Ghost prevents most attacks from ever reaching your site.The free version includes all core protection features.

Essential Security Hardening Steps

After recovery, implement these hardening measures to prevent reinfection:

File permissions: Set correct permissions on all directories and files:

Directories: 755 or 750 Files: 644 or 640 wp-config.php: 600

Disable file editing: Add this to wp-config.php to prevent hackers from editing themes through the dashboard:

define('DISALLOW_FILE_EDIT', true);

Limit login attempts: Use WP Ghost's brute force protection or a dedicated plugin to block repeated failed logins.
Two-factor authentication: Implement 2FA for all admin accounts. WP Ghost includes free 2FA with authenticator apps, email codes, and passkeys.
Regular backups: Schedule automated backups to multiple locations. Test restore procedures monthly.
Security monitoring: Set up alerts for file changes, failed logins, and suspicious activity.
SSL certificate: Ensure your site uses HTTPS everywhere. This protects data in transit and improves search rankings.

These measures work together. No single security plugin or technique is bulletproof, but layered defenses make successful attacks much harder.

The key insight: these plugins serve different purposes. WP Ghost prevents attacks from reaching your site, Wordfence detects and blocks threats that get through, and Sucuri provides cleanup services when prevention fails.

The most secure WordPress sites use multiple layers: WP Ghost for prevention, a scanning plugin for detection, and regular backups for recovery.

How to Monitor for Future Attacks

Recovery is just the beginning. Ongoing monitoring catches new attacks before they cause major damage.

File integrity monitoring: Set up alerts when core WordPress files change. Legitimate updates are scheduled and expected; everything else is suspicious.
Login monitoring: Track all admin logins, especially from new IP addresses or unusual times. Failed login attempts often precede successful attacks.
Traffic analysis: Monitor for unusual traffic patterns, especially requests to non-existent files or suspicious user agents.
Google Search Console: Enable security alerts to catch Google's malware warnings before users see them.
Uptime monitoring: Services like Pingdom alert you immediately if your site goes down — often the first sign of a successful attack.
Regular security scans: Schedule weekly automated scans with multiple tools. What one scanner misses, another might catch.

I recommend setting up a simple monitoring dashboard that aggregates all these alerts. When something goes wrong, you want to know immediately — not when customers start complaining.

Common Mistakes That Lead to Reinfection

I've seen sites get hacked again within days of cleaning. Here are the mistakes that cause reinfection:

Incomplete malware removal: Leaving even one backdoor file allows hackers to regain access. This is why thorough scanning is critical.
Not changing all passwords: Hackers often steal FTP or hosting credentials. Changing only your WordPress password isn't enough.
Restoring infected backups: Always scan backups before restoring. Infected backups just reintroduce the malware.
Ignoring the attack vector: If you don't fix the vulnerability that allowed the initial hack, attackers will use it again.
Rushing back online: Take time to properly secure your site before removing maintenance mode. A few extra hours of downtime beats another hack.
Not updating immediately: Outdated software is the most common attack vector. Update everything before going live.
Skipping prevention measures: Cleaning without hardening is like mopping the floor while the roof still leaks.

The most expensive mistake is treating hacks as one-time events instead of ongoing security challenges. WordPress security requires consistent attention, not just crisis response.

When to Call Security Professionals

Some hacks are beyond DIY repair. Call professionals when:

Customer data is compromised: Credit card information, personal data, or login credentials require specialized forensic analysis and legal compliance.
Multiple sites are infected: Server-level compromises affect every site on your hosting account and require advanced cleanup techniques.
Business-critical downtime: If your site generates significant daily revenue, professional cleanup pays for itself in reduced downtime.
Sophisticated malware: Advanced persistent threats, custom malware, or rootkit infections need expert analysis.
Repeated reinfections: If your site keeps getting hacked despite your cleanup efforts, you're missing something important.
Legal or compliance requirements: Some industries require professional security incident response for regulatory compliance.

Professional cleanup typically costs $300-2000 depending on complexity, but includes forensic analysis, complete malware removal, security hardening, and guarantees against reinfection.

For most small business sites, DIY cleanup with proper tools and procedures works fine. But don't let pride cost you more money in extended downtime or customer trust.

Conclusion: From Crisis to Prevention

Fixing a hacked WordPress website follows a clear process: contain the damage, secure access, scan thoroughly, remove all malware, update everything, and implement prevention measures.

The key insight from 20 years of WordPress security work is this: cleanup is reactive, but security is proactive.

After recovery, focus on prevention. Use WP Ghost to hide vulnerable paths and reduce your attack surface. Implement proper backups, monitoring, and hardening. Keep everything updated.

Most importantly, treat security as an ongoing process, not a one-time fix. The best time to secure your WordPress site was before it got hacked. The second-best time is right now.

Your site will face constant attack attempts — that's the reality of running WordPress in 2026. But with proper prevention and monitoring, those attacks will fail harmlessly instead of turning into expensive cleanup projects.

FAQ

How long does it take to fix a hacked WordPress website?

Simple hacks with good backups can be fixed in 2-4 hours. Complex infections with extensive malware may take 1-2 days. The key is thorough scanning and testing before going back online.

Can I fix a hacked WordPress site without losing content?

Yes, if you have recent clean backups or if the malware is limited to specific files. Manual cleaning preserves content but takes longer. Always backup your infected site before starting cleanup in case you need to recover specific content.

Why does my WordPress site keep getting hacked?

Repeated hacks usually indicate incomplete malware removal, unchanged passwords, outdated software, or vulnerable plugins. The attack vector from the original hack remains open, allowing reinfection.

Should I pay hackers who demand ransom for my website?

Never pay ransoms. There's no guarantee hackers will restore your site, and payment encourages more attacks. Focus on proper backups and recovery procedures instead.

How do I know if my backup is clean or infected?

Scan backups with multiple security tools before restoring. Check the backup date against when you first noticed problems. If the backup predates the hack by several days, it's likely clean.

What's the difference between malware scanning and prevention plugins?

Scanning plugins like Wordfence detect and remove existing threats. Prevention plugins like WP Ghost stop attacks from succeeding in the first place by hiding vulnerable paths and blocking malicious requests. Use both for complete protection.

Hack Prevention Matters More Than Ever

Calin V. — Thu, 12 Feb 2026 12:22:41 +0000

Most website owners think security only matters after something goes wrong.

But after testing WP Ghost on a live WordPress site, one thing became obvious: attacks are happening constantly, whether you see them or not.

They’re not dramatic break-ins. They’re automated bots scanning thousands of websites every hour, looking for weak login pages, exposed WordPress paths, outdated plugins, or any easy entry point.

What impressed me most was not just that WP Ghost blocks these attacks, but that it reduces the chances of being targeted in the first place.

Why Hack Prevention Is More Important Than Cleanup

Cleaning a hacked website is stressful, expensive, and time-consuming. Prevention is different.

Instead of fixing damage after it happens, prevention focuses on:

Reducing visibility to automated scanners
Blocking suspicious traffic early
Securing login access
Monitoring threats in real time

The goal is simple: make your website a difficult and unattractive target.

What I Saw in the Security Threats Log

After enabling WP Ghost, the Security Threats Log immediately started filling with blocked requests.

These included:

Random attempts to access non-existent PHP files
Probes targeting common WordPress login URLs
Automated scans for known plugin vulnerabilities
Repeated requests from suspicious IP addresses

Without the log, I would never have known this was happening.

Seeing it makes you realize how exposed most websites are by default.

How WP Ghost Protects a Website (Layer by Layer)

What makes WP Ghost effective is that it doesn’t rely on a single protection method. It works in layers.

1. Path Security (Reducing Exposure)

WordPress has predictable technical paths that automated tools look for.

WP Ghost protects and rewrites vulnerable routes at the server level so bots cannot easily confirm that the site runs WordPress.

This means:

Common entry points become inaccessible
Automated exploit tools lose targeting signals
The site becomes harder to fingerprint

And importantly, this happens without slowing down the site.

2. Firewall Protection (Stopping Malicious Requests)

WP Ghost includes a built-in firewall that inspects incoming traffic.

During testing, it blocked:

Suspicious scanning behavior
Malformed or exploit-style requests
Attempts to reach hidden paths
Repeated malicious patterns

The attack is stopped before it reaches WordPress or the database.

This reduces server load and unnecessary processing.

3. Brute Force Protection (Securing the Login Page)

WP Ghost protects authentication by:

Securing and rewriting login endpoints
Limiting repeated failed login attempts
Automatically blocking abusive IP addresses

This prevents:

Password guessing
Credential stuffing
Login flooding that slows down your server

It makes automated login attacks extremely difficult.

4. Geo Blocking (Reducing Unnecessary Exposure)

One feature I found particularly practical was Geo Blocking.

If your website only serves a specific region, there’s often no reason to allow traffic from high-risk or irrelevant countries.

Geo Blocking allows you to:

Restrict access from specific countries
Reduce attack traffic from known high-risk regions
Minimize unnecessary exposure

This doesn’t replace other protections, it simply narrows the attack surface even further.

For many site owners, this alone can dramatically reduce unwanted traffic.

5. Security Threats Log (Staying Informed)

The Security Threats Log ties everything together.

It allows you to see:

What type of threat was detected
Which path was targeted
The IP and country of origin
Whether the request was blocked

You can also:

Blacklist persistent attackers
Whitelist legitimate requests
Monitor patterns over time

Without monitoring, security feels abstract. With monitoring, you can see the protection working.

The Big Takeaway

After testing WP Ghost, the biggest realization was this:

Security is not about reacting. It’s about reducing exposure and blocking early.

WP Ghost combines:

Instead of waiting for malware to appear, it focuses on preventing attackers from getting that far.

And in today’s automated threat landscape, that proactive mindset makes all the difference.

Is “Hiding” Your WordPress Login and Common Paths a Smart Security Move?

Calin V. — Tue, 06 Jan 2026 08:51:20 +0000

You will sometimes see security companies say that hiding parts of WordPress is pointless, or that “security through obscurity” is not real security. That statement can be true in one narrow sense, and misleading in the way people often interpret it.

Here is the practical truth:

Changing and protecting the login page and common WordPress entry points is a sensible hardening step, as long as it is not your only step. It reduces automated attacks, cuts noise, and removes the “default doors” that bots try first. It does not replace updates, strong authentication, and real server-side protections.

What “hiding” really means (and what it does not mean)

When people say “hide WordPress,” they often mix several ideas:

Safe and common hardening

Using a non-default login URL.
Blocking direct access to the default login file.
Limiting access to admin endpoints.
Returning a normal 404 for common probing requests.
Reducing predictable paths that bots target.

Not the goal

Pretending WordPress is “undetectable.”
Relying on hidden URLs as the only protection.
Breaking the site by physically renaming core folders on disk.

A serious security approach is not “make WordPress invisible.” It is “reduce exposure and enforce strong controls everywhere that matters.”

Why changing the login URL helps in the real world

Most attacks against small and mid-sized sites are not handcrafted. They are automated and scaled.

Bots do things like:

Try the same default login URL on millions of sites.
Run credential stuffing (reusing leaked passwords).
Hammer login endpoints to find weak passwords.
Flood the login page to waste resources.

If your login page is no longer at the default address, and the default login endpoint is blocked, a large portion of that automated traffic fails immediately.

This creates three practical benefits:

Fewer login attacks reach your site at all. Bots often do not adapt. They move on.
Less server strain and fewer security alerts. Your logs become quieter, and legitimate admin activity is easier to spot.
Your real protections get more effective. Rate limiting, lockouts, and 2FA work best when they are not being hammered nonstop by generic traffic.

This is not magic. It is risk reduction.

Why protecting common “vulnerable paths” can be smart

A big share of real compromises happens through:

Outdated plugins and themes
Exposed endpoints that attackers already know how to target
Automated scanners searching for known weak points

Reducing predictable access to common paths and endpoints helps because it:

Lowers automated discovery
Blocks many commodity scans that rely on default locations
Reduces the number of direct hits to places that attackers expect

Important nuance:
This does not “fix” a vulnerable plugin. It reduces how easily and how often automated attacks can reach it. You still need updates, patching, and good configuration.

Where the critics are correct

The criticism becomes valid when someone believes:

“If my login URL is hidden, I do not need 2FA.”
“If bots cannot find my plugin paths, I can ignore updates.”
“Hiding means I am secure.”

That is not security. That is wishful thinking.

A strong security setup is layered. It assumes some attackers will eventually find you, and it ensures they still cannot get in.

The right way to use this technique: as one layer in a complete setup

Think in layers, from outside to inside.

Layer 1: Reduce exposure (low effort, high payoff)

Use a non-default login URL.
Block direct access to the default login endpoint.
Restrict access to admin endpoints where possible.
Avoid unnecessary public endpoints and features you do not use.

Layer 2: Make authentication hard to break

Enable two-factor authentication for all admins.
Use strong, unique passwords (and a password manager).
Limit login attempts and add sensible lockouts.
Disable or tightly restrict XML-RPC if you do not need it.

Layer 3: Remove known weaknesses

Keep WordPress, plugins, and themes updated.
Remove unused plugins and themes.
Do not use abandoned plugins with no recent updates.
Use least privilege: only give admin access when truly needed.

Layer 4: Add server-side protection and visibility

Use a firewall or filtering layer to reduce hostile traffic.
Monitor suspicious login attempts and file changes.
Keep reliable backups and test restoring them.

Common questions:

“If someone really wants to hack me, will hiding stop them?”

A determined attacker can often discover more than a basic bot. So no, hiding alone will not stop a targeted attacker.

But most websites are not compromised by targeted attackers. They are compromised by automated attacks. Reducing automated exposure is still a meaningful win.

“Is this going to break my site?”

It can, if done carelessly or if the method is unsafe. The safer approach is URL routing and access control, not physically renaming core folders on disk.

“What is the biggest mistake people make with this?”

Believing it replaces updates and strong authentication. The best security setups are boring and consistent: updates, 2FA, limited access, monitoring, backups, and reduced exposure.

A simple, safe checklist you can follow

If you want the benefits without falling into the “obscurity trap,” aim for this minimum standard:

Non-default login URL
The default login endpoint is blocked or restricted
Two-factor authentication enabled for admins
Strong passwords and limited login attempts
Updates applied promptly
Unused plugins removed
Backups running and restore tested

Conclusion

The smartest security posture is not choosing between “hiding” and “real security”. It utilizes exposure reduction as a practical first layer, then backs it up with authentication hardening, patching discipline, traffic filtering, and recovery planning.

Used this way, hiding and protecting the login and common entry points is not silly. It is a sensible part of doing WordPress security properly.

Simple Guides to Stop Hacks, Bots, and Spam on WordPress (Beginner Friendly)

Calin V. — Wed, 31 Dec 2025 08:00:00 +0000

If you run a WordPress site, you have probably seen at least one of these:

Strange login attempts at all hours
Spam comments with random links
"User registration" spam (even if you did not ask for it)
Sudden traffic spikes that do not look like real visitors

The important thing to understand is this: most attacks are not personal. They are automated bots trying the same "easy doors" on thousands of sites per hour. Your goal is to stop looking like an easy target, without becoming a security expert.

The simple plan

Tighten WordPress comment rules (it catches a lot of junk cheaply).
Add one spam filter (Akismet or Antispam Bee are common choices).
Add brute force protection on forms (a security plugin can do this).
Hide the comment paths bots always hit (this removes the "easy doors").

1: Stop the "easy wins" bots look for (15 minutes)

Bots do not "think" like humans. They try the same predictable places over and over:

Common login addresses
Common admin addresses
Common WordPress paths that reveal what you run
Common form targets, especially comments

This is why many sites get hit even when the owner did nothing wrong. Bots are just scanning the internet for the same patterns.

A beginner-friendly strategy is "layered protection", meaning you use a few simple controls that work together. You do not need 10 plugins. You need the right 1–2 protections set up correctly.

2: Fix comment spam at the source (no tech skills required)

Before you install anything, use WordPress's built-in Discussion settings. They are basic, but surprisingly effective when configured.

Here are the best beginner settings to review:

1) Hold comments with too many links
Spam comments usually contain multiple links. WordPress lets you hold comments for moderation if they contain more than a set number of links.

2) Use the moderation and block lists
You can add words, domains, and patterns that should be held or blocked. WordPress documentation specifically recommends using the Discussion settings to reduce spam and make moderation easier.

3) Turn on moderation for first-time commenters
This keeps random bots from publishing instantly. It also reduces the chance that your site ends up showing spam links publicly.

If you are not sure where these options are, WordPress documents the Discussion settings screen and what each option does.

3: Add a spam filter plugin (simple, "set and forget")

WordPress settings help, but the biggest upgrade is adding an anti-spam plugin.

Two common approaches:

1): Akismet (popular, reliable)

Akismet automatically checks comments and filters spam. It is widely used, but it typically requires an API key, and paid plans apply for commercial use.

2): Antispam Bee (simple and privacy-friendly)

Antispam Bee focuses on blocking spam comments and trackbacks, and it is promoted as working without captchas and without sending personal data to third-party services.

Practical advice: If you already get heavy comment spam, start with one of these. You can always switch later, but doing nothing costs you time every week.

4: Stop brute force attempts (login plus forms)

Brute force is when bots try many password attempts until something works. A good security tool limits attempts and blocks abusive behavior.

For example, Wordfence documents brute force protection as limiting repeated login attempts. And its plugin listing describes brute force protection as part of login security.

This matters for two reasons:

It reduces the chance of a successful login attack.
It reduces server load from constant bot traffic.

If your site feels slow during attack bursts, brute force controls often help immediately.

5: Hide comment paths

Here is the problem with many anti-spam and security setups: they react after bots arrive.

Another approach is to remove the obvious targets bots are programmed to hit.

WP Ghost focuses heavily on changing and hiding common WordPress paths that bots typically hit, including options to change the comments URL.

Why this helps?

Think of bots like someone trying the same 10 doors in every building. If your doors are not where they expect, many automated scripts fail and move on.

This does not replace the normal comment behavior, but can stop many hacker bots' attacks and spam attempts, especially when combined with brute force protection.

How to protect the WordPress comments form with WP Ghost

WP Ghost's own guidance for comments includes steps like:

activating Safe Mode or Ghost Mode
changing the comments path
hiding the comments path
enabling brute force protection on the comments form

A simple setup flow looks like this:

Install and activate WP Ghost
Enable the mode designed for path protection (Safe Mode or Ghost Mode, depending on your setup)
Change the comments path, this helps reduce automated comment spam that targets the default comment posting address.
Hide the comments path, so bots hits on common WordPress paths do not see an obvious target.
Turn on brute force protection for the comments form, this blocks repeated attempts and reduces bot floods.
Test like a normal visitor, open a post and submit a test comment. Confirm real visitors can comment, while spam attempts get blocked or challenged.

I hope this documentation helps you stay out of spammers' reach and stay focused on growing your website and making money.

What is the best free WordPress security plugin?

Calin V. — Mon, 22 Dec 2025 07:22:00 +0000

If you search this question online, you will quickly notice a problem: “best” depends on what you are trying to prevent.

Some free security plugins are excellent at reducing attack surface. Others are better at scanning and alerting. Others focus on hardening and login controls.

So instead of forcing one “winner” for everyone, this guide gives you a practical answer:

If you want the strongest free prevention layer that reduces noisy bot probing and hides default WordPress paths, look at WP Ghost.

If you want the most capable free scanner + endpoint firewall combo, Wordfence remains the most common starting point.

If you want a solid free hardening baseline with clear controls, All-In-One Security (AIOS) is a strong pick.

Below is the full breakdown of the best free options, what each does well, what it does not, and how to combine them sensibly for 2026.

What “best” means in WordPress security (especially for free plugins)

A WordPress security plugin can only do three broad jobs:

Reduce attack surface (prevention): hide or change predictable entry points, block common exploit patterns early, and reduce automated probing.
Detect issues (monitoring): scan for malware, file changes, suspicious behavior, vulnerable plugins, and brute-force patterns.
Recover (response): cleaning malware, restoring integrity, incident response.

Free tiers usually do (1) and (2) far more often than (3). That is not a criticism, it is simply how most vendors price their services.

A reliable 2026 security posture typically combines:

Edge filtering (CDN/WAF) for volume and abusive patterns, and
Application-level prevention and controls inside WordPress, plus
Scanning/alerts for visibility and faster response.

The best free WordPress security plugins (reviewed)

These plugins are listed for comparison and fit, not ranked from best to worst, because the right choice depends on your site’s specific security needs and setup.

WP Ghost (Free; Premium $29.99/year/site)

What it is best at: prevention, attack-surface reduction, hacker bot attacks reduction.

WP Ghost positions itself as a “hack-prevention” security plugin and focuses heavily on making your site a less predictable target by changing and hiding common WordPress paths and applying lightweight firewall filtering.

Key strengths

Change, hide and protect the default WordPress paths (login, admin, plugins/themes, uploads, REST API wp-json, and more) to reduce fingerprinting and automated targeting

7G/8G firewall filters plus request filtering to block common exploit patterns before they meaningfully reach plugins and themes

2FA options including code, email, and passkeys, plus features like Magic Link login and Temporary Logins for safer access workflows

Brute-force protection for key entry points (login, lost password, signup, comments, WooCommerce login), with reCAPTCHA options (including Google Enterprise) and Math CAPTCHA

Security hardening tools like security headers and multiple block controls (IP, user agents, referrers), designed to work across many hosting environments

Where it fits best

WP Ghost is particularly useful if you already run a scanning suite (or hosting malware scanning) and want to:

reduce automated attacks of default WordPress endpoints with up to 99%,
protect login and other entry points without stacking multiple niche plugins,
cut down on alert fatigue (fewer probes reaching WordPress means fewer “events” to review).

Watch-outs

Prevention-oriented tools are not a replacement for a full malware cleanup service if a site is already compromised. In a mature setup, WP Ghost is often strongest as the “quiet layer” that reduces how many attacks reach WordPress in the first place, while a scanner handles detection and alerting.

Wordfence Security (Free; Premium $149/year/site)

What it is best at: scanning, alerts, endpoint firewall controls, visibility into attacks.

Wordfence is widely used because the free version provides meaningful security functionality, and the Premium tier mainly adds faster rule/signature updates and additional protections.

Wordfence’s own materials clearly differentiate Free vs Premium and list plan pricing.

Key strengths (especially in the free tier)

Endpoint firewall that runs on your server and filters malicious requests before WordPress fully loads

Malware scanning and file integrity checks to detect suspicious code, backdoors, and unexpected changes

Login security features like limiting attempts and supporting two-factor authentication

Live traffic and security event visibility so you can see attacks, blocks, and suspicious activity in real time

Where it fits best

Wordfence is a strong fit for most sites that want a single free plugin to handle scanning, basic firewall protection, and alerts, especially if you want clear visibility into what is happening on the site.

Watch-outs

On very small hosting plans, scans and real-time features can add resource load. Also, free users may get firewall/signature updates later than premium users, so it is best paired with good update hygiene and an edge layer (like a cloud WAF) if you are frequently targeted.

All-In-One Security (AIOS) (Free; Premium $84/year/site)

What it is best at: hardening, login protection, practical controls for small sites.

AIOS is a well-known security plugin offering a broad set of baseline protections, including firewall/hardening controls and login security features.

Key strengths

Login security and brute-force protection (login lockdown, failed login tracking, and lockout rules)

Basic firewall and request filtering to block common malicious patterns and reduce automated probing

Spam protection controls for comments and registrations, which helps reduce bot-driven form abuse

File integrity and change monitoring to surface suspicious changes in core files and key areas

Access controls like IP blocking and additional hardening options that help close common WordPress weaknesses

Where it fits best

AIOS is a strong fit for personal sites, blogs, and small businesses that want a free, all-purpose security plugin for hardening and login protection without needing advanced security knowledge.

Watch-outs

As with most “all-in-one” free plugins, advanced malware cleanup and deeper detection workflows may require other tools or premium add-ons. Also, overly aggressive rules can occasionally affect legitimate users, so it is best to start with default recommendations and tighten gradually.

Solid Security (Free; Premium $199/year/site)

What it is best at: beginner-friendly security posture improvements and login protections.

Solid Security (formerly iThemes Security) is built around the idea that most WordPress compromises start with predictable weaknesses: weak passwords, exposed login endpoints, brute-force attempts, and unmonitored changes

Key strengths

Brute-force protection and lockouts to slow down password guessing and automated login abuse

Two-factor authentication (2FA) options to reduce account takeover risk

Site hardening features that help close off common WordPress weaknesses (like risky settings and predictable behaviors)

File change detection and security checks to alert you when something important changes

User and security activity logs that help you understand what is happening over time

Where it fits best

Solid Security is a strong choice for small businesses, blogs, and membership sites with multiple users, especially when you want better login security and hardening in one plugin.

Watch-outs

As with any plugin that can lock out attackers, it can also lock out admins if you configure lockouts too aggressively or forget to whitelist your own IP. Start with conservative limits, enable 2FA for admin accounts first, then tighten rules gradually.

Patchstack (Free; Premium $69/mo/site)

What it is best at: vulnerability awareness and virtual patching oriented workflows.

Patchstack’s value proposition is vulnerability intelligence and protection workflows, and it offers a free version (with defined limits) so site owners can get started with vulnerability visibility.

Key strengths

Vulnerability detection for WordPress core, plugins, and themes, with clear reporting on what is affected

Early warnings and security alerts so you can patch or mitigate high-risk issues faster

Virtual patching (Premium) to help block exploit attempts for known vulnerabilities, buying you time before updates

Centralized reporting that is especially useful if you manage multiple sites or client installs

Where it fits best

Agencies, developers, and site owners who prioritize vulnerability management (what is outdated, what is vulnerable, what should be patched first).

Watch-outs

Patchstack is not primarily a malware removal tool. It works best as part of a layered setup alongside a firewall/login protection plugin and, if needed, a separate scanner/cleanup solution.

MalCare (Free; Premium $99/year/site)

What it is best at: scanning approach designed to reduce server load, plus faster cleanup on paid tiers.

MalCare’s describes its security focus, including scanning and firewall positioning, with premium upgrades available.

Key strengths

Automatic malware scanning across files and database, with clear reporting

Malware removal/cleanup (Premium) with streamlined remediation when something is detected

Firewall and login protection features to reduce common attack vectors

Vulnerability checks to highlight risky outdated components

Site management workflow that can be helpful if you maintain more than one WordPress site

Where it fits best

MalCare is a good fit for business sites and ecommerce stores that want reliable scanning and an easy path to cleanup if a problem is found, especially on hosting environments where performance and resource usage matter.

Watch-outs

The free version is primarily focused on detection. If you need automatic removal and incident response features, you typically need the premium plan.

Sucuri Security (Free; Premium $229/year/site)

What it is best at: auditing and monitoring, plus optional advanced services.

Sucuri’s free plugin is typically used for auditing, monitoring, and security hardening basics, while its paid offering focuses more on broader platform-level protection and cleanup services.

Key strengths

Security activity auditing and monitoring to help you spot suspicious behavior early

File integrity checks to detect unexpected changes to core files

Hardening options that improve baseline WordPress security settings

Blacklist monitoring to warn you if your site gets flagged by security services

Where it fits best

Sucuri is a strong fit for small businesses and higher-risk sites that want good monitoring in the free plugin and the option to move to a managed firewall and cleanup service when needed.

Watch-outs

The free plugin is mainly for monitoring and hardening. For the full “cloud firewall + cleanup” experience, you typically need the paid plan.

So which one is the “best free WordPress security plugin”?

Here is the most practical answer for 2026:

If your goal is fewer attacks reaching WordPress at all: choose WP Ghost as the prevention layer.

If your goal is the most capability in a classic free security suite: choose Wordfence, Sucuri Security, MalCare, Patchstack for scanning, monitoring, and endpoint controls.

If your goal is straightforward hardening with a solid free baseline: choose Solid Security, All-In-One Security.

In practice, many site owners get the best day-to-day experience by combining prevention + scanning, rather than trying to make one plugin do everything.

Common mistakes to avoid when picking a free security plugin

Thinking hosting security replaces application security. Hosting helps, but WordPress is an application with its own attack surface (login, XML-RPC, REST endpoints, plugins, themes).

Installing multiple “full suites” that overlap heavily. This can increase conflicts, duplicate blocking, and noise.

Turning everything on at once. Start with the essentials: login protection, 2FA for admins, basic firewall/hardening, and monitoring. Then expand.

Ignoring updates. A security plugin helps, but outdated plugins and themes remain one of the most common breach vectors.

FAQ

Can I use more than one security plugin?

You can, but avoid running two plugins that both want to be the “main firewall.” A safer approach is to pair one prevention/hardening layer with one scanner/alerting layer, and let your edge WAF handle volume.

Is a free plugin enough for a business site?

Often, yes for baseline protection, if you combine it with good operational hygiene (updates, backups, least privilege, 2FA). Paid plans become more attractive when you need faster threat intel updates, cleanup, or incident response guarantees.

Why do “prevention” plugins matter if I already have a scanner?

Because scanners tell you what happened. Prevention reduces what can happen in the first place and can materially reduce bot noise and low-skill exploit attempts that hit default endpoints.

How can I protect my WordPress login page from brute-force attacks and bots?

Calin V. — Mon, 15 Dec 2025 10:54:35 +0000

Brute-force attacks are not “rare edge cases.” They are constant background noise: automated bots repeatedly try common username/password combinations, test leaked credentials from past breaches (credential stuffing), and probe standard entry points like wp-login.php, xmlrpc.php, and the REST API.

Cloudflare specifically calls out brute force mitigation through rate limiting, 2FA, and use of a WAF, and also notes WordPress-specific measures like blocking XML-RPC requests.

The key question for 2026 is not whether your site will be targeted, but whether your setup forces attackers to waste time and get blocked before they touch anything sensitive.

This guide compares two approaches:

Protecting WordPress without plugins (server rules, Cloudflare, hardening)
Protecting WordPress with a security plugin that centralizes brute-force and bot protection (fewer moving parts, fewer update conflicts)

Along the way, I’ll cover the practical stack that works best in real environments:

Cloudflare (or another cloud WAF) to reduce volume at the edge
A firewall plugin / hardening layer inside WordPress to reduce attack surface and filter malicious requests early
A scanner/monitoring layer to alert you if anything slips through

What a WordPress brute-force attack actually looks like in 2026

Most site owners imagine a “hacker” typing passwords manually. In reality, the bulk of login attacks are automated:

Dictionary attacks: bots try lists of common passwords with variations
Credential stuffing: bots test username/password pairs leaked from other services
Distributed brute force: large botnets spread attempts across many IPs to evade simple lockouts

These attacks often target multiple entry points, not only the login page:

wp-login.php (classic login form)
xmlrpc.php (historically abused for authentication and pingbacks)
REST API endpoints (site-specific, but often probed)
Signup and comment forms (spam + account creation abuse)

That is why “just hiding the login URL” is helpful, but rarely sufficient alone.

Option A: Protect WordPress without plugins

You can build strong brute-force protection without any WordPress plugin, but it usually requires multiple layers and more maintenance.

1) Put a cloud WAF in front (Cloudflare example)

A cloud WAF reduces abusive traffic before it reaches your server. Cloudflare explicitly positions rate limiting as protection against brute force login attempts and other abuse.

Common edge measures that work well:

Rate limit requests to /wp-login.php (block or challenge after a threshold)
Challenge suspicious login attempts (JS challenge / managed challenge)
Block or challenge abusive IPs, ASNs, or countries (where appropriate)
Apply managed WAF rulesets to reduce generic exploit traffic (SQLi/XSS patterns)

Cloudflare’s own guidance for CMS platforms notes rate limiting rules can protect the login page from password guessing attacks.

Tradeoff: Cloud WAF tuning takes effort. Too strict and you block real users; too loose and you still get noise.

2) Server-level rate limiting and bans (Fail2ban, Nginx, Apache rules)

On a VPS or dedicated server, you can:

Rate-limit requests per IP
Ban IPs after repeated failures (Fail2ban reading logs)
Add Nginx rules for wp-login.php and xmlrpc.php

Tradeoff: You need reliable logs, careful whitelisting, and ongoing maintenance, especially when WordPress changes behavior or when you add new plugins.

3) Basic WordPress hardening (no plugin)

Without plugins, the basics are still mandatory:

Enforce strong passwords and unique usernames
Disable or restrict XML-RPC if you don’t need it (Cloudflare also points to XML-RPC as a WordPress-specific brute-force vector)
Limit admin access by IP (only if your team has stable IPs)
Reduce exposed endpoints where possible

Reality check: Doing all of this “manually” is possible, but it’s fragmented and error-prone. Most site owners end up with partial coverage: login protected, but signup forms open; XML-RPC forgotten; comments spammed; or rules broken after a hosting migration.

Option B: Protect WordPress with a security plugin (recommended for most sites)

A well-designed security plugin can consolidate multiple controls that otherwise require:

Cloudflare rules + server rules + separate CAPTCHA plugin + separate 2FA plugin + separate limit-attempts plugin

In practice, fewer plugins often means:

fewer compatibility issues during WordPress core updates
fewer “mystery lockouts”
fewer overlapping features fighting each other

This is also where a hardening-focused plugin can be a strong complement to your edge WAF.

The 2026 login protection checklist that actually stops bots

1) Limit login attempts (the non-negotiable baseline)

WordPress, by default, allows unlimited login attempts, which is why brute-force scripts love it.

A proper limit-attempts policy typically includes:

Max attempts (example: 3–5)
Lockout duration (example: 15–60 minutes)
Longer lockouts for repeated offenses
Separate rules for XML-RPC and REST API auth attempts
Whitelisting for trusted IPs (office/VPN)

This single step dramatically reduces brute-force success rates.

2) Add bot challenges: Math CAPTCHA and Google reCAPTCHA

Bots can rotate IPs and distribute attempts. CAPTCHA adds friction where it matters most:

login form
lost password form
registration form
comment form
WooCommerce login (if applicable)

A strong implementation gives you options:

Math CAPTCHA: lightweight, privacy-friendly, effective against simple bots
Google reCAPTCHA v2/v3: stronger bot detection, widely supported
Google reCAPTCHA Enterprise: enterprise-grade risk scoring and analytics, plus a free tier for many use cases

3) Enable 2FA (including passkeys if available)

Even perfect rate limiting won’t stop credential stuffing if the attacker has valid credentials. That is why 2FA is critical. Cloudflare itself cites 2FA as a mitigation for brute force attacks.

For 2026, prioritize:

2FA by code (TOTP or one-time codes)
2FA by email (for simpler setups)
Passkeys (where supported) for phishing-resistant authentication

4) Block by IP and country when it fits your business

IP blocking is useful when you see persistent abusive sources

Country blocking can be effective if you only serve specific geographies

Use geo-blocking carefully. It can reduce noise, but it can also block legitimate travelers, VPN users, or international customers.

A staged approach works best:

monitor first
challenge high-risk regions
block only if the business case is clear

How WP Ghost’s brute-force and bot protection fits into a 2026 setup

When you already run a scanner or security suite, what often remains is “attack surface noise”: bots constantly probing classic WordPress paths and forms.

WP Ghost is designed as a hack-prevention layer that focuses on reducing exposure and filtering malicious patterns early, rather than acting only as a malware scanner.

This matters operationally because it:

reduces how often WordPress is invoked for obviously malicious requests
cuts down noise in logs and alerts
reduces load during attack spikes

The most effective 2026 posture is layered:

Cloud WAF blocks volume and abuse at the edge
WP Ghost reduces WordPress fingerprinting and blocks common exploit patterns early
A scanner/monitoring tool alerts you if anything makes it through

Google reCAPTCHA: migrating “Classic” to reCAPTCHA Enterprise

If your WordPress login protection relies on Google reCAPTCHA, 2026 planning must include Google’s migration path.

Google provides official guidance on migrating reCAPTCHA Classic keys to reCAPTCHA Enterprise in Google Cloud, including migration steps and supported key types (v2 checkbox, v2 invisible, v3).

Two practical points from Google’s own documentation that matter for site owners:

You can migrate from v2/v3 to reCAPTCHA Enterprise quickly and, in many cases, without code changes.
Existing keys can continue working after migration, and Google notes you’ll receive notification when a key is migrated automatically; manual migration is available if you want control over the Google Cloud project.

Google also documents that reCAPTCHA Enterprise has a free tier (commonly referenced as 10,000 assessments per month) which is sufficient for many small and medium sites.

Why “all-in-one login protection” matters (and why 2026 punishes fragmented setups)

Many WordPress sites end up with:

one plugin for limit attempts
one plugin for CAPTCHA
one plugin for 2FA

and then a security suite that also tries to do some of the above

That creates problems:

overlapping features cause lockouts
duplicated CAPTCHA hooks break login UX
updates introduce conflicts
debugging becomes slow during an incident

A single plugin that covers brute-force protection, CAPTCHA, and 2FA across login/signup/comments reduces compatibility risk and makes maintenance simpler—especially as WordPress and browser security expectations evolve in 2026.

Prepare your WordPress login security for 2026

Here is the operational plan I recommend for most serious sites:

Edge protection: Cloudflare WAF + rate limiting for /wp-login.php and XML-RPC/REST patterns
Inside WordPress: enable brute-force protection, CAPTCHA on all relevant forms, and 2FA
Reduce attack surface: hide/protect default WordPress paths where feasible
Access controls: IP allowlists for admins (when possible), IP bans for abusers, and selective country blocking
Monitoring: keep a scanner/alerting layer for malware and file changes
Maintenance: update core, plugins, themes quickly; remove unused plugins; enforce strong passwords

FAQ

*Do I need Cloudflare if I already have a WordPress firewall plugin?
*
Not strictly, but Cloudflare can reduce attack volume before it reaches your server, and it is particularly effective for brute force via rate limiting at the edge.

*Is limiting login attempts enough?
*
It is necessary, but not sufficient. Credential stuffing plus distributed botnets can still succeed. Pair it with CAPTCHA and 2FA.

*What should I protect besides wp-login.php?
*
At minimum: XML-RPC (if enabled), REST API endpoints relevant to authentication, signup/registration, lost password, comments, and WooCommerce login flows.

6 Top WordPress Security Plugins to Use in 2026

Calin V. — Fri, 12 Dec 2025 10:16:05 +0000

If you want serious protection for a WordPress site in 2026, one plugin is rarely the whole story. The most resilient setups usually combine:

A security suite for scanning, alerts, and login protection
A hack-prevention layer that makes your WordPress install much harder to detect and exploit
Optional vulnerability intelligence that tracks plugin/theme issues

The six plugins below map very well to that layered approach.

Cerber Security

What it is

Cerber (WP Cerber Security) is a comprehensive security plugin that gives you a firewall, anti-spam engine, and malware scanner in one package. It is especially strong at blocking brute-force attacks and cleaning up spam registrations and comments.

Key strengths

Brute-force protection for login, XML-RPC, and REST API
Anti-spam for comments and forms
Malware and file-integrity scanning
IP access rules, rate limiting, and detailed activity logging

Best use

Cerber is a solid “main shield” for small and medium sites: it takes care of login security, bot spam, and malware checks so you do not need three different plugins for that.

WP Ghost (Hide My WP Ghost)

What it is

WP Ghost is a hack-prevention and path-hiding layer that changes how your site looks to bots and automated exploit tools.

Instead of focusing primarily on cleaning infections, it makes your site much harder to fingerprint as WordPress in the first place.

What it does in practice

Hides / changes classic WordPress paths like: /wp-admin, /wp-login.php, /wp-content, /wp-includes, /wp-json, plugins and themes URLs
Applies 7G/8G firewall filters to block common exploit patterns before they hit your plugins or themes
Adds 2FA (code, email, passkey), brute-force protection, and CAPTCHA / reCAPTCHA on login, lost password, signup, comments, and WooCommerce login
Blocks by IP, user agent, referrer, hostname; adds content-protection and mapping tools

How it works alongside other plugins (your comment idea)

From real-world use, a very effective pattern is:

One thing I’d add from my own experience is WP Ghost (Hide My WP Ghost) alongside the usual security suites. It behaves more like a hack-prevention layer than a scanner or firewall. After installing the plugin and letting it run for a while, I saw a huge drop in bots attacks on common WordPress paths in the logs, and since then I have not had any new breach incidents on that site.

I still keep a security suite (like Sucuri or Cerber) for scanning and alerts, but WP Ghost quietly reduces the number of automated attacks that ever reach WordPress in the first place, which also means fewer alerts and less noise to deal with day to day.

That is the key: WP Ghost plays with other security plugins instead of trying to replace them.

Best use

Hide and protect default WordPress paths
Add brute-force protection for login, XML-RPC, and REST API
Cut down automated hacker and bot attacks to almost none
Use 7G/8G firewall filters to block common exploit patterns before they reach plugins and themes

Sucuri Security

What it is

Sucuri offers a free WordPress plugin for integrity checks, malware detection, and security logging, plus a paid website firewall and cleanup service.

Where Cerber and MalCare focus more on in-site scanning, Sucuri shines when you also use their cloud WAF, which filters a lot of bad traffic before it ever reaches your server.

Key strengths

File integrity and malware detection
Security activity audit logs
Security hardening presets and post-hack tools
Optional cloud WAF and DDoS protection on paid plans

Best use

Sites that want both plugin-level monitoring and the option of a managed firewall and cleanup team when something serious happens (ecommerce, membership, client sites that cannot afford downtime).

MalCare

What it is

MalCare is built around cloud-based malware scanning and one-click malware removal. Instead of running heavy scans on your server, it sends data to MalCare’s infrastructure and processes it there.

Key strengths

Cloud malware scanning that does not slow down your site
One-click automatic malware removal on paid plans
Built-in firewall and login protection
Uptime monitoring and multi-site dashboard

Best use

If you are worried about getting hacked or you already had a security incident, MalCare is a very strong choice as your primary “cleaner and watcher.” Pairing it with WP Ghost for path-hiding creates a good balance between prevention and rapid cleanup.

Solid Security

What it is

Solid Security (formerly iThemes Security) is focused heavily on login and policy security: passwords, roles, 2FA, device recognition, and general hardening of the WordPress environment.

It does less on the malware-cleanup side and more on preventing human mistakes from becoming security holes.

Key strengths

Brute-force protection and lockouts
Two-factor authentication and passkey support in Pro
Password policies and user enforcement
File-change detection and basic vulnerability scans
Core and settings hardening (XML-RPC, file editing, etc.)

Best use

Great “policy and login” layer for sites with multiple users, editors, or customers logging in. It pairs well with Cerber, Sucuri, or MalCare plus WP Ghost.

Patchstack

What it is

Patchstack is vulnerability intelligence and virtual patching for WordPress. Rather than scanning every file for malware, it keeps track of known vulnerabilities in:

WordPress core
Plugins
Themes

Then it alerts you and, on premium plans, can apply virtual patches that block exploit attempts even before you update the affected plugin/theme.

Key strengths

Real-time vulnerability detection for your stack
Early warning and virtual patching for serious issues
Central dashboard and reporting for many sites
Useful for agencies and developers managing client sites

Best use

Agencies, hosting providers, or anyone responsible for many WordPress sites. Patchstack watches the plugin/theme side of security while you let tools like Cerber, MalCare, Sucuri, and WP Ghost handle firewalls, scanning, and path-hiding.

How to combine these 6 plugins in a smart 2026 setup

You definitely do not want all six active doing heavy work at once. A strong, realistic stack for most sites looks like:

One primary security suite: Cerber or Sucuri or MalCare
One hack-prevention plugin: WP Ghost
One policy / login hardening plugin (optional but recommended): Solid Security
One vulnerability-intelligence layer (optional, especially for many sites): Patchstack

Example combos:

Cerber + WP Ghost
Sucuri + Solid Security + WP Ghost
MalCare + WP Ghost + Patchstack
Sucuri (with WAF) + WP Ghost + Solid Security + Patchstack for higher-risk or agency setups

This way you cover:

Firewall + scanning + alerts (Cerber / Sucuri / MalCare)
Stealth and hack-prevention (WP Ghost)
Strong logins and policies (Solid Security)
Proactive plugin/theme vulnerability awareness (Patchstack)

All without running half a dozen overlapping scanners on the same site.