WordPress powers about 40% of the web, which makes it the biggest target on the internet — most attacks are automated bots trying the same handful of doors on millions of sites. The good news: closing those doors is not hard. This guide covers what actually protects a WordPress site, in order of importance, without the fear-mongering.
- How WordPress Actually Gets Hacked
- Update Everything. Yes, Everything.
- Lock Down Your Logins
- Be Ruthless About Plugins and Themes
- Backups: Your Actual Safety Net
- Install One Good Security Plugin
- SSL and Decent Hosting
- Small Hardening Moves That Add Up
- Know the Signs of a Hacked Site
- If You've Been Hacked: The First Hour
- When to Bring in Help
The No-Panic WordPress Security Guide
- How WordPress Actually Gets Hacked
- Update Everything. Yes, Everything.
- Lock Down Your Logins
- Be Ruthless About Plugins and Themes
- Backups: Your Actual Safety Net
- Install One Good Security Plugin
- SSL and Decent Hosting
- Small Hardening Moves That Add Up
- Know the Signs of a Hacked Site
- If You've Been Hacked: The First Hour
- When to Bring in Help
How WordPress Actually Gets Hacked
First, a reality check that should make you feel better: almost nobody is personally targeting your site. The overwhelming majority of WordPress attacks are automated, with bots crawling millions of sites and rattling the same handful of door handles: outdated plugins with known holes, weak or reused passwords, and unprotected login pages. That's good news, because it means you don't need to outrun a determined, skilled hacker. You just need to not be the easiest door on the street. Close the common vulnerabilities and the bots move on to a softer target.
Update Everything. Yes, Everything.
The vast majority of hacked WordPress sites are compromised through outdated plugins, themes or core, using known vulnerabilities with public exploits that the developer patched months before the site got hit. The fix is unglamorous but it is the single most important thing on this list. Turn on automatic updates for minor core releases, review plugin and theme updates at least weekly, and delete (not just deactivate) anything you no longer use. A deactivated plugin still has its code sitting on your server, and a vulnerability in it is still a door someone can walk through. If you're nervous an update might break something, update on a staging copy first, but do not simply leave things unpatched. "It works, don't touch it" is exactly how sites get owned.
Lock Down Your Logins
Bots hammer wp-login.php around the clock, guessing username and password combinations thousands of times a day. Four moves shut most of them down. Use a long, unique password, which a password manager makes painless since you'll never type it anyway. Enable two-factor authentication on every admin account, so a stolen password alone isn't enough to get in. Limit login attempts so brute-force bots get locked out after a handful of tries. And if any of your usernames is still "admin," change it, because that's literally half the guess already done for the attacker. For higher-value sites, consider moving the login URL or putting it behind an extra layer at the server or Cloudflare level.
Be Ruthless About Plugins and Themes
Every plugin and theme is code you are trusting with full access to your site and its database. Before you install anything, check three things: when it was last updated, how many active installations it has, and whether the developer actually responds to support and security reports. A plugin abandoned two years ago is a liability no matter how useful it looks, because nobody is patching it when the next vulnerability surfaces. Only install from the official WordPress repository or reputable commercial vendors, and never use "nulled" (pirated premium) plugins, which are one of the most common ways malware walks straight into a site, pre-installed. The hygiene rule is the same as for speed: fewer, better-maintained plugins beat a pile of half-used ones, and slow and insecure usually share the same root causes.
Backups: Your Actual Safety Net
Security is a game of layers, and backup is the layer that saves you when every other layer fails. You want automatic daily backups (more often for a busy store), stored off-server on Google Drive, Amazon S3, Dropbox, anywhere that is not the same machine as the site, because a hacked server takes its local backups down with it. Most importantly, you want restores you have actually tested at least once, because a backup you have never restored is a hope, not a plan. UpdraftPlus and BlogVault both handle this well, and BlogVault in particular keeps everything fully off-site. When a hack does happen, one clean recent backup turns a catastrophe into a twenty-minute inconvenience.
Install One Good Security Plugin
One. Not three. Wordfence or Solid Security (formerly iThemes Security) will give you a firewall that blocks malicious traffic before it reaches WordPress, malware scanning that flags changed core files, login protection, and alerts when something looks wrong. Running two security plugins at once is actively counterproductive: they conflict, double-scan, and slow the site down for no extra safety. Install one, configure the basics (firewall on, scans scheduled, alerts going to an email address you actually read) and then let it do its job instead of stacking four more on top.
SSL and Decent Hosting
If your site still serves anything over plain HTTP, fix that today. Let's Encrypt certificates are free, every decent host installs them in one click, and modern browsers actively warn visitors away from non-HTTPS pages. While we're on hosts: good hosting is a security feature you are already paying for. Quality managed hosts give you server-level firewalls, automatic malware scanning, isolation between accounts so a neighbour's hacked site can't reach yours, and staff who actually help when something goes wrong. If your host's answer to a compromised site is "that's your problem," you have the wrong host.
Small Hardening Moves That Add Up
None of these stops a determined attacker on its own, but together they close a lot of quiet doors and take about five minutes. Disable the built-in file editor in wp-admin so a stolen login can't rewrite your theme's code: add define('DISALLOW_FILE_EDIT', true); to wp-config.php. Disable XML-RPC if you don't use it, since it's a favourite brute-force and DDoS vector. Keep file and folder permissions tight (644 for files, 755 for folders, never 777 on anything). Move wp-config.php up a directory if your host allows it, and hide your exact WordPress version so bots can't shop for a matching exploit. Small stuff individually, but together it's the difference between "easy target" and "not worth the bother."
Know the Signs of a Hacked Site
Catching a compromise early limits the damage, so learn the tells: unexpected redirects sending visitors to strange domains, admin users in your dashboard you didn't create, a sudden unexplained drop in traffic, Google flagging your site with a red warning screen, spam pages in unfamiliar languages or pharma keywords appearing in search results for your own domain, or your host suspending the account for sending spam. If any of these show up, don't panic and don't start deleting files at random, which usually makes recovery harder. Move calmly to the steps below.
If You've Been Hacked: The First Hour
Work in order. Take the site into maintenance mode or offline so it stops harming visitors and your reputation. Restore from the most recent clean backup, ideally one from before the infection. Then, on the clean site, update WordPress core, every plugin and every theme, and change every password: admin accounts, hosting panel, database, and FTP/SFTP. Run a full malware scan with Wordfence or a service like Sucuri. If the infection keeps coming back after all that, a backdoor survived the cleanup, a hidden file or database entry that lets the attacker back in, and that is the moment to stop looping and bring in professional cleanup rather than fighting it by hand.
When to Bring in Help
Doing the basics yourself covers something like 90% of real-world risk, and most site owners can and should handle that list. The remaining 10% is where professional help pays for itself: recurring infections that won't stay gone, WooCommerce stores handling real customer money and card data, or sites where an hour of downtime costs more than a year of maintenance. Our WordPress optimization service bakes security hardening into every speed engagement, because a lightning-fast site that gets hacked on Tuesday isn't much of a win, and the two problems share roots. And if the site needs deeper structural work to be genuinely secure, that's a WordPress development conversation rather than a plugin one.