WordPress can be very secure, but only if you treat security as ongoing maintenance, not a one-time setup task. According to WordPress’s own security documentation, the most important thing you can do is keep WordPress core, plugins, and themes up to date. The same guidance also makes it clear that good security requires monitoring, maintenance, and a recovery plan.
That matters because WordPress is a huge target. W3Techs reports that WordPress powers about 42.2% of all websites and 59.6% of websites with a known CMS. Attackers naturally go where the opportunity is.
The good news is that most WordPress compromises are preventable.
In my experience, hacked WordPress sites usually do not get compromised because “WordPress is insecure.” They get hacked because of a small number of repeated problems: outdated plugins, weak admin security, bad backup habits, unsafe file access, and missed signs of malware persistence. That pattern also matches broader WordPress security data. Patchstack reported 7,966 new vulnerabilities in the WordPress ecosystem in 2024, and 96% of them were in plugins, while only seven vulnerabilities were found in WordPress core itself.
So if you want to secure a WordPress site properly, focus on the controls that reduce real-world risk. If your site is already infected, reinfected, or blacklisted, you may need a proper WordPress malware removal service before hardening alone will be enough.
Why WordPress Sites Get Hacked
Most WordPress attacks follow a familiar path. An attacker finds an outdated or vulnerable plugin, brute-forces a weak login, abuses a poorly secured admin area, or plants malware that stays hidden in files or the database.
That is why prevention matters so much for both security and SEO. Sucuri’s 2024 malware trends report found 422,741 websites affected by SEO spam in its analysis, including 117,393 Japanese SEO spam detections. Once that kind of infection lands on a site, rankings, trust, and conversions can all suffer at the same time.
If your goal is to keep a WordPress site safe, these are the hardening steps I would prioritize first.
1. Keep WordPress Core, Themes, and Plugins Updated
This is the foundation.
WordPress’s security guide says the most important thing to do for WordPress security is to keep WordPress itself and all installed plugins and themes up to date. It also recommends choosing themes and plugins that are actively maintained.
Why this matters is simple: most real-world attacks do not start with WordPress core. They start with outdated extensions. If you delay updates for months, you leave known vulnerabilities exposed.
A practical routine is:
- update WordPress core promptly
- update plugins and themes regularly
- remove anything abandoned by its developer
- test major updates on a staging copy when possible
2. Delete Plugins and Themes You Do Not Use
Deactivated is not the same as safe.
Unused plugins and themes still increase your attack surface, especially if they are old, abandoned, or vulnerable. If you are not using something, delete it completely instead of leaving it installed “just in case.”
This is one of the simplest ways to reduce risk without adding anything new.
3. Only Use Plugins and Themes from Trusted Sources
Not every plugin risk comes from obscure software. Patchstack found that 1,018 vulnerabilities in 2024 affected plugins with at least 100,000 installs, which is a good reminder that popularity is not the same as safety.
Use plugins and themes from:
- the WordPress.org repository
- reputable premium vendors
- developers with active update and support histories
Avoid nulled themes, pirated plugins, and random downloads from unknown sites. Those are still one of the fastest ways to get backdoors, hidden admin users, spam injections, or reinfections.
4. Use Strong Passwords and a Password Manager
Weak passwords are still one of the easiest entry points for attackers.
WordPress’s brute-force guidance recommends strong, unique credentials and modern login hardening.
At minimum:
- use a unique password for every admin account
- avoid reusing hosting, email, and WordPress passwords
- use a password manager for admins and editors
- change credentials immediately after staff changes or suspicious activity
5. Enable Two-Factor Authentication for Every Admin Account
A strong password is good. A strong password plus 2FA is far better.
WordPress’s brute-force documentation recommends enabling two-factor authentication for all administrator and privileged accounts. If you want a practical setup tutorial, see my guide on how to enable two-factor authentication in WordPress.
If I had to choose only a few login protections, 2FA would be near the top of the list.
6. Add Login Rate Limiting and Bot Protection
Brute-force attacks are not unique to WordPress, but WordPress’s popularity makes it a common target. WordPress’s brute-force guide recommends targeted rate limiting, monitoring authentication anomalies, and blocking bad traffic at the edge before it reaches your server.
That means your login should not be protected by a password alone.
A stronger setup includes:
- login rate limiting
- bot checks such as CAPTCHA or Turnstile
- temporary IP blocking for abusive attempts
- WAF or CDN filtering before requests hit the server
7. Protect or Disable XML-RPC If You Do Not Need It
XML-RPC is still useful for some integrations, but if you do not use it, it should not be left open without a reason.
WordPress’s brute-force documentation specifically recommends protecting or disabling XML-RPC if you do not need it, and otherwise restricting and rate-limiting it.
A lot of site owners never check it at all.
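The brute-force and XML-RPC sections above both come down to the same question: which clients are hammering your authentication endpoints? The script below is an added example, not code from the original article, that answers it from a web-server access log. It assumes the common Apache/nginx "combined" log format (client IP in the first field, request line in fields 6 to 8), and the log lines it builds for the demo are constructed, using documentation IP ranges.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: list IPs hammering the
# WordPress authentication endpoints in a "combined"-format access log.
# Field layout assumed: $1 client IP, $6 "METHOD, $7 path, $9 status.

# Usage: flag_auth_abuse <access.log> [threshold]
# Prints "count ip path" for each (ip, endpoint) pair with at least
# <threshold> POSTs to wp-login.php or xmlrpc.php, highest count first.
# A 302 on wp-login.php normally means the login succeeded, a failed attempt
# re-renders the form with 200, and xmlrpc.php answers 200 either way, so the
# raw POST volume per IP is the signal that rate limiting should act on.
flag_auth_abuse() {
    log="$1"; threshold="${2:-10}"
    awk -v t="$threshold" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            path = $7
            sub(/\?.*/, "", path)          # group ?redirect_to=... variants together
            n[$1 " " path]++
        }
        END { for (k in n) if (n[k] >= t) print n[k], k }
    ' "$log" | sort -rn
}

# Constructed sample log: one IP making 12 login POSTs, one making 15
# xmlrpc POSTs, and a normal visitor logging in once.
make_sample_log() {
    out="$1"; : > "$out"
    i=0
    while [ "$i" -lt 15 ]; do
        if [ "$i" -lt 12 ]; then
            printf '203.0.113.5 - - [10/Mar/2025:10:00:%02d +0000] "POST /wp-login.php?redirect_to=%%2Fwp-admin%%2F HTTP/1.1" 200 4123 "-" "python-requests/2.31"\n' "$i" >> "$out"
        fi
        printf '198.51.100.7 - - [10/Mar/2025:10:00:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    printf '192.0.2.9 - - [10/Mar/2025:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5210 "-" "Mozilla/5.0"\n' >> "$out"
    printf '192.0.2.9 - - [10/Mar/2025:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
    printf '192.0.2.9 - - [10/Mar/2025:10:01:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"\n' >> "$out"
}

# Stand-alone demo on the constructed log: prints the two abusive IPs only.
sample_log=$(mktemp)
make_sample_log "$sample_log"
flag_auth_abuse "$sample_log" 10
rm -f "$sample_log"
```

Run it against a real log with a threshold that fits your traffic (for example `flag_auth_abuse /var/log/nginx/access.log 50`); the IPs it prints are candidates for the temporary blocking or WAF rules described above, and a non-empty result on a site that does not use XML-RPC is a good sign that it should be disabled.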
8. Force HTTPS Across the Site
HTTPS is not optional anymore. It protects data in transit, reduces the risk of interception, and supports trust for users and search engines.
WordPress recommends HTTPS and provides guidance for securing the admin area with SSL.
At a minimum:
- install a valid SSL certificate
- force HTTPS sitewide
- ensure wp-admin and logins are always secured
- fix mixed-content issues after migration
9. Lock Down File Permissions
File permissions are one of those areas many site owners ignore until after a hack.
WordPress’s hardening guidance recommends using strict file system permissions and avoiding write and execute permissions more than necessary.
The goal is simple: only allow the access that is truly needed.
Bad permissions can make it much easier for attackers or malware to modify files, upload backdoors, or persist after partial cleanup. If you need a practical walkthrough, I also have a guide on fixing WordPress file and folder permissions.
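The following script is an added example, not code from the original article, showing what "only the access that is truly needed" looks like in practice: it audits a WordPress tree for the two findings worth acting on first (world-writable entries and PHP files under wp-content/uploads) and then applies the common baseline of 755 for directories, 644 for files and 600 for wp-config.php. The sample tree it builds is constructed; ownership is deliberately left alone because the correct owner depends on how PHP runs on your host.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit and tighten file
# permissions in a WordPress tree. Target: directories 755, files 644,
# wp-config.php 600, nothing world-writable, no PHP under wp-content/uploads.

# Usage: audit_wp_permissions <wordpress-root>
# Prints WORLD-WRITABLE and PHP-IN-UPLOADS findings, one per line.
audit_wp_permissions() {
    root="$1"
    find "$root" -perm -002 -exec printf 'WORLD-WRITABLE %s\n' {} \;
    [ -d "$root/wp-content/uploads" ] && \
        find "$root/wp-content/uploads" -type f -name '*.php' -exec printf 'PHP-IN-UPLOADS %s\n' {} \;
    return 0
}

# Number of world-writable entries under <root>.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Usage: harden_wp_permissions <wordpress-root>
harden_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Constructed sample tree with the usual mistakes baked in.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-content/uploads/2025" "$root/wp-content/plugins/demo"
    printf '<?php // constructed\n' > "$root/wp-config.php"
    printf '<?php // constructed\n' > "$root/wp-content/plugins/demo/demo.php"
    printf '<?php // constructed: a PHP file where only media belongs\n' > "$root/wp-content/uploads/2025/unexpected.php"
    printf 'GIF89a' > "$root/wp-content/uploads/2025/image.gif"
    harden_wp_permissions "$root"                                        # start from a clean baseline ...
    chmod 777 "$root/wp-content/uploads/2025" "$root/wp-config.php"      # ... then loosen three entries
    chmod 666 "$root/wp-content/plugins/demo/demo.php"
}

# Stand-alone demo: audit, harden, re-count.
root=$(mktemp -d)
make_sample_tree "$root"
echo "before:"; audit_wp_permissions "$root"
harden_wp_permissions "$root"
echo "after: $(count_world_writable "$root") world-writable entries"
rm -rf "$root"
```

The audit only reports the PHP file in uploads rather than deleting it, because that file is evidence: look at when it appeared and what wrote it before removing it. If your host needs the uploads directory writable by a different user than the one owning the files, fix that with group ownership rather than by widening the mode bits again.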
10. Disable the Built-In Theme and Plugin File Editor
If an attacker gets into wp-admin, one of the first things they may do is use the built-in editor to modify theme or plugin files.
That is why WordPress hardening guidance recommends disabling dashboard file editing.
For most production sites, this should be disabled in wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
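Editing wp-config.php by hand on every site gets error-prone, so here is an added example, not code from the original article, that sets the constant above idempotently and, while it is there, also sets `FORCE_SSL_ADMIN` (WordPress's standard constant for securing wp-admin and logins over SSL, covering step 8). It assumes the standard `/* That's all, stop editing! */` marker is present, since constants must be defined above it; the wp-config.php it builds for the demo is constructed with placeholder credentials.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: set hardening constants in
# wp-config.php idempotently. Constants must be defined above the
# "/* That's all, stop editing! */" marker, which is where new ones go.

# Usage: ensure_wp_constant <wp-config.php> <NAME> <true|false|'quoted'>
# Rewrites an existing define() for NAME, or inserts one above the marker.
ensure_wp_constant() {
    cfg="$1"; name="$2"; value="$3"
    if grep -Eq "define\( *'$name' *," "$cfg"; then
        sed -i.bak -E "s/define\( *'$name' *,[^)]*\);/define( '$name', $value );/" "$cfg"
        rm -f "$cfg.bak"
    else
        grep -q 'stop editing' "$cfg" || { echo "no stop-editing marker in $cfg" >&2; return 1; }
        awk -v line="define( '$name', $value );" \
            '/stop editing/ && !done { print line; done = 1 } { print }' "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    fi
}

# Usage: wp_constant_value <wp-config.php> <NAME>   (prints "" if undefined)
wp_constant_value() {
    sed -nE "s/^.*define\( *'$2' *, *([^ )]+) *\);.*$/\1/p" "$1" | head -n 1
}

# The two constants discussed in steps 8 and 10.
harden_wp_config() {
    ensure_wp_constant "$1" DISALLOW_FILE_EDIT true
    ensure_wp_constant "$1" FORCE_SSL_ADMIN true
}

# Constructed wp-config.php fragment; the credentials are placeholders.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'PLACEHOLDER' );
define( 'DISALLOW_FILE_EDIT', false );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Stand-alone demo: the stale "false" is corrected and the new constant lands above the marker.
cfg=$(mktemp)
make_sample_config "$cfg"
harden_wp_config "$cfg"
grep -nE 'DISALLOW_FILE_EDIT|FORCE_SSL_ADMIN|stop editing' "$cfg"
rm -f "$cfg"
```

Running `harden_wp_config /var/www/example/wp-config.php` twice leaves one definition of each constant, which is what you want from a script that runs in a monthly maintenance job. Keep a copy of the file before the first run; the script replaces the whole `define()` line for a constant it already finds.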
11. Review User Roles and Remove Unused Admin Accounts
Security is not only about plugins and servers. It is also about people.
WordPress’s main security documentation specifically mentions proper user roles as part of a solid security foundation.
Practical steps:
- remove unused accounts
- downgrade unnecessary admin users
- give freelancers temporary access instead of permanent admin rights
- audit accounts after redesigns, migrations, or team changes
Too many hacked sites keep old admin users around for months or years. If you suspect this is already happening, read my guide on how hackers create hidden admin users in WordPress.
12. Use a Firewall or WAF in Front of the Site
A WAF helps block malicious traffic before it reaches WordPress.
WordPress’s brute-force guidance prefers edge or WAF protections because bad traffic is blocked before it consumes server resources.
This is especially useful for:
- brute-force login traffic
- exploit probes
- bot abuse
- automated spam and malicious requests
A WAF is not a replacement for updates, but it is a strong additional layer.
13. Back Up Both Files and Database — and Test Restore
Backups are not just a box to tick. They are your recovery plan.
WordPress’s security guidance says good security includes planning for recovery, not just reducing unauthorized access risk. Its backup documentation also makes it clear that a full WordPress backup includes both files and database.
A proper WordPress backup strategy should include:
- website files
- database backups
- offsite storage
- routine restore testing
A backup you have never tested is not yet a trusted backup.
If you want plugin-specific walkthroughs, here are two useful guides:
- How to back up your WordPress site with UpdraftPlus
- How to use All-in-One WP Migration to back up and migrate your site
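For sites where you would rather not depend on a plugin, the script below is an added example, not code from the original article or from either plugin above, covering the four items in the list: it archives the file tree, writes a checksum beside the archive (the part you copy offsite), dumps the database when `mysqldump` is installed, and runs a restore test that extracts into a scratch directory and diffs it against the live site. Database credentials are assumed to come from `~/.my.cnf` or the environment; the site tree it builds for the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: file backup with checksum,
# optional database dump, and a restore test.

sha256_tool() { command -v sha256sum >/dev/null 2>&1 && echo sha256sum || echo "shasum -a 256"; }

# Usage: backup_wp_files <wordpress-root> <dest-dir>   -> prints the archive path
backup_wp_files() {
    root="$1"; dest="$2"
    name="wp-files-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -C "$(dirname "$root")" -czf "$dest/$name" "$(basename "$root")"
    ( cd "$dest" && $(sha256_tool) "$name" > "$name.sha256" )   # integrity record for the copy you ship offsite
    echo "$dest/$name"
}

# Usage: backup_wp_db <db-name> <dest-dir>
# Skips cleanly on hosts without the MySQL client; credentials are not managed here.
backup_wp_db() {
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not installed; database not dumped" >&2; return 0; }
    mysqldump --single-transaction "$1" | gzip > "$2/wp-db-$(date -u +%Y%m%dT%H%M%SZ).sql.gz"
}

# Usage: test_wp_restore <archive> <wordpress-root>
# Verifies the checksum, extracts into a scratch directory and diffs it against
# the live tree. Returns 0 only when the backup restores to an exact copy.
test_wp_restore() {
    archive="$1"; root="$2"; scratch=$(mktemp -d); rc=1
    if ( cd "$(dirname "$archive")" && $(sha256_tool) -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) \
       && tar -C "$scratch" -xzf "$archive" \
       && diff -r "$scratch/$(basename "$root")" "$root" >/dev/null; then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# Constructed sample site under <parent>; prints its path.
make_sample_site() {
    site="$1/wordpress"
    mkdir -p "$site/wp-content/uploads"
    printf '<?php // constructed\n' > "$site/wp-config.php"
    printf 'constructed upload\n' > "$site/wp-content/uploads/notes.txt"
    echo "$site"
}

# Stand-alone demo: back up, then prove the archive restores.
parent=$(mktemp -d); dest=$(mktemp -d)
site=$(make_sample_site "$parent")
archive=$(backup_wp_files "$site" "$dest")
if test_wp_restore "$archive" "$site"; then echo "restore test passed for $archive"; else echo "restore test FAILED for $archive"; fi
rm -rf "$parent" "$dest"
```

The restore test is the piece most backup routines skip. Run it right after each backup, while the live tree still matches; it fails both when the archive is damaged (the checksum no longer verifies) and when the extracted tree differs from the site, which is exactly the "backup you have never tested" problem the text warns about.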
14. Monitor Logs, File Changes, and Suspicious Activity
Good security requires monitoring. WordPress says security is continuous work, and its hardening guide also recommends file integrity monitoring, especially for executable file types.
This matters because some infections are designed to stay quiet.
Recent Sucuri research shows attackers increasingly hiding malware in unusual places, including database entries and modified plugin-related data, not just obvious theme files. That is one reason basic file-only scanning often misses the real source of reinfection.
If you want real examples of how logs and persistence clues expose hidden malware, see these case studies:
- How I found and fixed a WordPress mobile redirect hack using access logs
- Case study: fixing regenerating index.php malware in WordPress
- How to detect WordPress malware
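The hardening guide's file integrity monitoring for executable file types can be done with nothing more than a hash baseline and a diff. The script below is an added example, not code from the original article or the case studies linked above: it records SHA-256 hashes of every PHP, JavaScript and .htaccess file, then reports files that were added, modified or deleted since the baseline. It assumes paths without spaces (the awk field split would truncate them), and the tree it builds for the demo is constructed. Because it works on files only, pair it with a database scan; as the Sucuri finding above notes, file-only checks miss malware stored in database entries.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: baseline-and-compare
# integrity check for file types that execute or alter request handling.

sha256_tool() { command -v sha256sum >/dev/null 2>&1 && echo sha256sum || echo "shasum -a 256"; }

# Usage: wp_fim_baseline <wordpress-root> <baseline-file>
# Records "hash  ./relative/path" for every PHP, JS and .htaccess file, sorted by path.
wp_fim_baseline() {
    ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
        -exec $(sha256_tool) {} + | sort -k2 ) > "$2"
}

# Usage: wp_fim_compare <wordpress-root> <baseline-file>
# Prints ADDED / MODIFIED / DELETED lines and returns 1 if anything changed,
# 0 when the tree still matches the baseline.
wp_fim_compare() {
    current=$(mktemp)
    wp_fim_baseline "$1" "$current"
    changes=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }     # first file: the baseline
        { new[$2] = $1 }                               # second file: the fresh scan
        END {
            for (p in new) {
                if (!(p in old))           print "ADDED", p
                else if (old[p] != new[p]) print "MODIFIED", p
            }
            for (p in old) if (!(p in new)) print "DELETED", p
        }' "$2" "$current" | sort)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Constructed sample tree: one plugin with a PHP and a JS file, plus .htaccess.
make_sample_code_tree() {
    root="$1"
    mkdir -p "$root/wp-content/plugins/demo" "$root/wp-content/uploads"
    printf '<?php // constructed plugin\n' > "$root/wp-content/plugins/demo/demo.php"
    printf 'console.log("constructed");\n' > "$root/wp-content/plugins/demo/script.js"
    printf '# constructed\n' > "$root/.htaccess"
}

# Stand-alone demo: take a baseline, simulate a week of drift, compare.
root=$(mktemp -d); baseline=$(mktemp)
make_sample_code_tree "$root"
wp_fim_baseline "$root" "$baseline"
printf '<?php // constructed: appended code\n' >> "$root/wp-content/plugins/demo/demo.php"
printf '<?php // constructed: new file in uploads\n' > "$root/wp-content/uploads/dropped.php"
rm "$root/wp-content/plugins/demo/script.js"
wp_fim_compare "$root" "$baseline" || echo "integrity check: changes detected"
rm -rf "$root" "$baseline"
```

Take the baseline immediately after a clean install or a verified cleanup, store it outside the web root, and refresh it only after updates you applied yourself; a MODIFIED line on a plugin you did not touch, or an ADDED .php under uploads, is the quiet kind of persistence this section is about.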
15. Have a Cleanup and Recovery Plan Before You Need One
This is the step most site owners skip.
WordPress’s security documentation says risk can never be reduced to zero, which is why you must plan for recovery so sites can be restored quickly if something goes wrong.
A basic recovery plan should include:
- who has access to hosting, domain, DNS, CDN, and admin logins
- where clean backups are stored
- how to take the site offline safely if needed
- how to rotate passwords and revoke user sessions
- how to check for hidden users, backdoors, cron jobs, and database injections
- how to request blacklist review if the site gets flagged
That last part matters a lot for hacked WordPress sites with spam or redirect malware. If you want to understand why some infections keep returning, read why WordPress malware keeps coming back.
My Practical Monthly WordPress Security Checklist
If you want a simple routine, do this once a month:
- Update WordPress core, plugins, and themes
- Delete anything unused or abandoned
- Review admin users and permissions
- Check backups and confirm restore access
- Review login activity and suspicious IPs
- Scan for malware, file changes, and spam pages
- Check Search Console for security warnings or indexing anomalies
- Review performance drops, redirect behavior, and unexpected page creation
- Confirm SSL, WAF, and login protections are still active
- Fix issues immediately instead of letting them pile up
That simple discipline prevents a lot of emergencies.
What to Do If Your WordPress Site Is Already Hacked
If your site is already compromised, do not just delete a few suspicious files and assume it is clean.
A proper cleanup usually means:
- identifying the original entry point
- removing malicious code from files and database
- checking for hidden admin users and scheduled reinfection paths
- updating everything vulnerable
- rotating passwords
- hardening the site so it does not get reinfected
This is especially important for spam infections. Japanese SEO spam, hidden redirects, and database-based malware often survive incomplete cleanups and come back weeks later. If you are dealing with this now, these guides may help:
- How to fix Japanese keyword hack in WordPress
- How to scan and clean your WordPress database for hidden malware
- What to do after fixing a hacked WordPress site
If you are dealing with reinfection, SEO spam, blacklist warnings, or unknown admin users, it is usually faster and cheaper to do a full cleanup properly once than to keep patching symptoms.
Final Thoughts
Securing a WordPress site is not about chasing every security trick on the internet. It is about reducing the most common risks in a consistent way.
Start with the basics that matter most:
- keep everything updated
- remove what you do not use
- secure admin access with strong passwords and 2FA
- use a WAF
- back up properly
- monitor for suspicious behavior
- plan for recovery before disaster hits
That is the difference between a WordPress site that gets repeatedly compromised and one that stays stable over the long term.
If you run a business website, online store, or client site, these steps are not optional maintenance. They are part of protecting your traffic, rankings, reputation, and revenue.
Need help cleaning or hardening a hacked WordPress site? See my WordPress malware removal service.
FAQ
Is WordPress secure out of the box?
WordPress provides a solid security foundation, but WordPress itself says security also depends on hosting, maintenance, proper user roles, updates, monitoring, and recovery planning.
What is the biggest WordPress security risk?
In practice, outdated plugins are one of the biggest risks. Patchstack found that 96% of WordPress ecosystem vulnerabilities reported in 2024 were in plugins.
Do I really need a security plugin?
A security plugin can help, but it is not a substitute for updates, backups, strong passwords, 2FA, access control, and proper hardening. Think in layers, not single tools. WordPress’s own security guidance emphasizes layered operational practices rather than one magic fix.
Should I disable XML-RPC?
If you do not need it, protecting or disabling it is a smart move. WordPress’s brute-force guidance says to protect or disable XML-RPC if unused, and otherwise restrict and rate-limit it.
Can a hacked WordPress site hurt SEO?
Yes. Spam pages, redirects, cloaking, and malware can damage rankings and trust. Sucuri reported 422,741 SEO spam detections in its 2024 analysis, including 117,393 Japanese SEO spam detections.