Blog / WordPress

WordPress Security Tips: How to Protect Your Site from Hackers

Protect your WordPress site with these essential security tips — from strong passwords and two-factor authentication to firewalls, backups, and malware scanning.

B
Betwixt Designs Team
· · 8 min read
WordPress security setup and protection configuration

WordPress powers 43% of the internet, which makes it an attractive target for hackers and malicious bots. An insecure WordPress site can be hacked, infected with malware, used to send spam, or completely wiped out. The good news: most WordPress security vulnerabilities are preventable with proper configuration.

Here are the essential WordPress security measures every site owner should implement.

1. Keep Everything Updated

The most common cause of WordPress hacks is outdated software. WordPress core, themes, and plugins are regularly updated with security patches. Running outdated versions leaves known vulnerabilities open.

Best practice:

  • Enable automatic minor WordPress core updates
  • Update plugins and themes weekly
  • Delete unused plugins and themes entirely (inactive doesn’t mean safe)
  • Follow the WordPress support documentation for security advisories

2. Use Strong Passwords and a Password Manager

Brute force attacks — automated scripts trying thousands of password combinations — are responsible for a significant portion of WordPress hacks. Use passwords that are:

  • At least 16 characters long
  • A combination of letters, numbers, and symbols
  • Unique to your WordPress account (never reused from other sites)

Use a password manager like 1Password or Bitwarden to generate and store complex passwords securely.

3. Enable Two-Factor Authentication (2FA)

2FA adds a second verification step to your login — typically a time-sensitive code sent to your phone or generated by an authenticator app. Even if your password is compromised, 2FA prevents unauthorized access.

Plugins: WP 2FA, Google Authenticator, or use Wordfence, which includes 2FA in its security suite.

4. Change the Default Admin Username

If your WordPress username is “admin” — the default suggested during installation — change it immediately. Using “admin” makes brute force attacks significantly easier because attackers already know half the credentials needed to log in.

You can’t rename a username in WordPress directly; you’ll need to create a new admin account and delete the old one.

5. Install a Security Plugin

A comprehensive security plugin provides a firewall, malware scanning, login protection, and security notifications.

Top options:

  • Wordfence — Most popular, excellent firewall and malware scanner (free and premium)
  • Sucuri Security — Particularly strong for post-hack cleanup and monitoring
  • iThemes Security — Good all-around option with easy-to-use interface

6. Use SSL/HTTPS

An SSL certificate encrypts data transmitted between your server and users’ browsers. It’s non-negotiable for any website handling user data, and Google flags non-HTTPS sites as “Not Secure” in Chrome.

Most modern hosts provide free SSL certificates via Let’s Encrypt. Enable HTTPS and configure a redirect from HTTP to HTTPS in your security plugin settings.

7. Limit Login Attempts

By default, WordPress allows unlimited login attempts. This makes brute force attacks easy. Limit login attempts to 3-5 before temporarily blocking the IP address.

Most security plugins include this feature. Alternatively, use the Limit Login Attempts Reloaded plugin.

WordPress security monitoring and protection dashboard

8. Implement Regular Backups

Even with perfect security, backups are your insurance policy. A hacked site can often be restored from a clean backup in hours; without one, recovery may be impossible.

Backup best practices:

  • Back up both files and database
  • Store backups in an offsite location (not just on the same server)
  • Automate daily or weekly backups depending on how frequently you update content
  • Test backup restoration periodically

Plugins: UpdraftPlus, BackWPup, or use your host’s built-in backup solution.

9. Harden File Permissions

Incorrect file permissions can give attackers the ability to write to or execute files on your server. Standard secure permissions for WordPress:

  • Directories: 755
  • Files: 644
  • wp-config.php: 600

Your host can help configure these if you’re unsure.

10. Use a Web Application Firewall (WAF)

A WAF filters malicious traffic before it even reaches your server, blocking common attacks like SQL injection, XSS, and brute force attempts.

Cloudflare’s free plan provides a basic WAF, or use the firewall included with Wordfence or Sucuri.

What to Do If You’re Hacked

Despite best efforts, hacks happen. If your site is compromised:

  1. Take it offline immediately if possible
  2. Scan for malware with a plugin or hire a professional
  3. Restore from a known clean backup
  4. Change all passwords and revoke suspicious user accounts
  5. Update everything
  6. Investigate the attack vector to prevent recurrence

Security is a core part of our WordPress design services. Every WordPress site we build includes security hardening, SSL configuration, and backup setup as standard. Speed up your WordPress security with our guide on how to speed up WordPress alongside these security measures.

Newsletter

SEO Tips Straight to
Your Inbox

Join 2,400+ business owners getting weekly actionable tips on SEO, web design, and digital marketing. No fluff — only what works.

No spam. Unsubscribe any time. We respect your privacy.

+
+
+
+
2,400+ subscribers