WordPress Security

Hacked Websites Are Not Random Bad Luck

Over 70% of WordPress security incidents are caused by outdated software, weak credentials, or abandoned plugins: vulnerabilities that were known, documented, and fixable before the attack occurred. The businesses whose sites get hacked are rarely targeted specifically. They are selected opportunistically, by automated bots scanning the internet for unpatched WordPress installations, default admin usernames, and login pages without brute-force protection.

This means the vast majority of WordPress security incidents are preventable, not through sophisticated countermeasures but through configuration: running updates, removing unused plugins, enforcing strong passwords, requiring a second factor at login, changing the default login URL, and backing up consistently to somewhere that isn’t your hosting server.

This checklist covers every layer of WordPress security that matters for a business site. Work through it in order. Some items take two minutes. Some require installing a plugin. A few require a brief code edit. All of them reduce your attack surface in concrete, meaningful ways.

Before You Start: Establish Your Backup Baseline

No security work belongs on a live site without a clean backup in place first. If a security hardening step triggers a plugin conflict or breaks a site function, your recovery path is a backup restore, not a support ticket and days of downtime.

Install UpdraftPlus (free tier is sufficient for most sites). Configure it to back up your full site, files and database, to remote storage: Google Drive, Dropbox, or Amazon S3. Schedule daily automated backups. Confirm the first backup completes and the files are accessible in your remote storage location before proceeding with anything else on this list.

1. Keep WordPress Core, Themes, and Plugins Updated

Why this is the single most important item on this list: The majority of WordPress hacks exploit vulnerabilities in outdated software for which public patches already exist. When a security researcher finds a vulnerability in a plugin and reports it to the developer, the developer releases a fix. The vulnerability and its fix are then publicly documented. Automated bots begin scanning for sites still running the unpatched version within hours. Every site that hasn’t updated is a discovered target.

What to do:

  • Go to Dashboard → Updates weekly and apply all available updates
  • Leave automatic minor core updates on. WordPress installs minor releases (the ones that carry security fixes) automatically unless that has been disabled; to state it explicitly, add define('WP_AUTO_UPDATE_CORE', 'minor'); to wp-config.php, or set it to true if you also want major releases applied unattended. Never set it to false, and make sure AUTOMATIC_UPDATER_DISABLED is not defined as true
  • Enable automatic updates for plugins where available: in the plugin list, the “Enable auto-updates” link appears next to each plugin
  • Delete, do not simply deactivate, any plugin or theme not actively in use. A deactivated plugin’s PHP files stay on disk and can often still be requested directly by URL, so a vulnerability in them remains reachable, and nothing reminds you to update it

Critical discipline: Themes and plugins from sources other than the official WordPress repository or reputable commercial developers are a primary malware delivery vector. Never install nulled (pirated) premium plugins or themes. They are almost universally seeded with backdoors.

2. Replace the Default Admin Username

Why it matters: WordPress installs historically defaulted to “admin” as the administrator username, and brute-force tools still try “admin” first. If your administrator account is named “admin,” the attacker holds half of the credential pair before making a single attempt. Renaming it removes that free guess, but not much more: WordPress reveals usernames through author archives (yourdomain.com/?author=1) and the public REST API users endpoint (/wp-json/wp/v2/users) for any account that has published a post, so treat this item as housekeeping and rely on the password, lockout, and 2FA controls below to actually stop credential guessing.

What to do: If your current admin account username is “admin,” create a new administrator account with a unique username (your name, a custom handle, anything not “admin”), log in as the new account, confirm it has the Administrator role, then delete the original “admin” user, assigning its content to the new account when prompted.

3. Enforce Strong Password Policies

Why it matters: Dictionary and credential-stuffing attacks are automated. A common or reused password on any WordPress account, not just the administrator’s, is a realistic entry point; an attacker who lands in a low-privilege account then looks for a plugin bug or an over-generous role to escalate.

What to do:

  • Require all user accounts to use a password of at least 16 characters with mixed case, numbers, and symbols. WordPress generates strong passwords when an account is created but does not enforce a minimum on its own, so turn on the strong-password requirement in your security plugin (Wordfence and Solid Security both have one)
  • Enable a password manager across your team (Bitwarden is free and excellent) so strong passwords are stored rather than remembered
  • Audit all user accounts under Users → All Users and remove any accounts that are no longer active: former employees, temporary contractors, test accounts. While there, check roles: anyone who only writes content should be an Author or Editor, not an Administrator

4. Install and Configure a Security Plugin

Why it matters: A dedicated security plugin adds several hardening layers at once (login protection, malware scanning, file integrity monitoring, and firewall rules) and monitors your site continuously for indicators of compromise.

Recommended options:

  • Wordfence Security (free tier is strong; premium adds real-time firewall rule updates) — includes a web application firewall, malware scanner, and login security features
  • Solid Security (formerly iThemes Security) — strong hardening checklist with an intuitive setup wizard
  • Sucuri Security — particularly strong on server-side scanning and post-incident cleanup

Key settings to enable regardless of plugin choice:

  • Web Application Firewall (WAF) — blocks malicious requests before they reach WordPress
  • Brute-force login protection — lock out the source after a defined number of failed login attempts (5–10 is a practical threshold). These plugins block by IP address, so a distributed attack that rotates addresses still gets to try passwords; that is what 2FA (item 6) is for
  • File change detection — alerts you when core WordPress files are modified (a common indicator of compromise)
  • Malware scanning — scheduled weekly minimum, daily if your site handles customer data

5. Change the Default Login URL

Why it matters: Every WordPress site’s login page is at yourdomain.com/wp-login.php by default (yourdomain.com/wp-admin redirects there), and every bot running login attacks starts at that path. Changing it does not hide the login from anyone who looks, and it is not a security control in its own right; what it does is shed the noise from automated tools that only ever try the default location. Be aware that xmlrpc.php also accepts username-and-password authentication and is unaffected by moving wp-login.php, so disable XML-RPC as well (your security plugin can do this, or deny the file at the web server) unless something you run, such as Jetpack or a mobile publishing app, depends on it.

What to do: The WPS Hide Login plugin (free) changes your login URL to a custom path of your choice, for example yourdomain.com/your-custom-path, with no code edits required. Store the new login URL in your password manager immediately. If you lose it and are locked out, rename the plugin’s folder under wp-content/plugins via FTP or your hosting file manager; that disables the plugin and brings the default URL back. It is an inconvenience worth avoiding.

6. Enable Two-Factor Authentication (2FA)

Why it matters: Even a strong, unique password can be compromised through phishing, data breaches at third-party services where the same password was reused, or credential exposure in aggregate data leaks. Two-factor authentication requires a second verification step, a short-lived code from an authenticator app, that an attacker who has only the password cannot supply.

What to do: Enable 2FA through your security plugin (Wordfence and Solid Security both support it) or via a dedicated plugin like WP 2FA. Require 2FA for all Administrator and Editor accounts at minimum. Use an authenticator app (Google Authenticator, Authy, or 1Password’s built-in authenticator), not SMS, which is vulnerable to SIM-swapping attacks. Save each account’s backup codes in the password manager so a lost phone does not turn into a lockout.

7. Install an SSL Certificate and Force HTTPS

Why it matters: A TLS certificate (still generally called an SSL certificate) lets your server encrypt traffic between your site and its visitors. Without it, form submissions, login credentials, and any data entered on your site travel as readable plain text and can be read or altered by anyone on the network path. Beyond security, browsers mark plain-HTTP pages as “Not secure” and Google uses HTTPS as a ranking signal.

What to do: Most business hosting providers include free SSL certificates via Let’s Encrypt. Enable SSL in your hosting control panel if not already active, and change both the WordPress Address and Site Address under Settings → General to their https:// forms. Then force all traffic to HTTPS by adding the following to your .htaccess file, above the # BEGIN WordPress block that WordPress manages itself:

# Redirect every plain-HTTP request to the same URL over HTTPS (permanent redirect)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Test it with a plain http:// URL before walking away. If TLS is terminated in front of your server by a CDN or load balancer (Cloudflare, for example), %{HTTPS} is off at the origin even for HTTPS visitors and this rule produces a redirect loop; in that setup apply the redirect at the proxy instead, or condition on the X-Forwarded-Proto header it sends. Alternatively, the Really Simple SSL plugin handles this redirect automatically without requiring a manual .htaccess edit.

8. Restrict File Editing Within WordPress

Why it matters: WordPress includes a built-in code editor in the admin dashboard that allows anyone with admin access to directly edit theme and plugin PHP files. If an attacker gains admin access, this editor is an immediate path to executing arbitrary code on your server.

What to do: Disable the built-in file editor by adding the following line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

This removes the editor from the admin dashboard entirely without affecting any site functionality; there is no legitimate reason to leave it enabled on a production site. The related constant DISALLOW_FILE_MODS goes further and also blocks installing and updating plugins and themes from the dashboard, which is right for a site deployed from version control but will silently break the update routine in item 1 on a site that is maintained through the dashboard.
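As an added example (not from the original checklist, and not a Maxify Global script), here is a small Python audit that reads a wp-config.php, reports the constants from items 1 and 8 that are missing or set to their weak values, and rewrites the file with the hardened settings. The sample wp-config.php is constructed for the demonstration; the constants it checks (WP_AUTO_UPDATE_CORE, AUTOMATIC_UPDATER_DISABLED, DISALLOW_FILE_EDIT, WP_DEBUG_DISPLAY, FORCE_SSL_ADMIN) are real WordPress settings, and the audit deliberately ignores commented-out define() lines, which is the usual way a “hardened” config turns out not to be.

```python
"""Audit and harden the security constants in a wp-config.php.
Added example; the sample config below is constructed, not from a real site."""
import re

# Matches an active define('NAME', value); with a boolean, integer or quoted
# string value. Callers skip comment lines first: a define inside a comment
# does nothing, however reassuring it looks.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Za-z_]+)['"]\s*,\s*"""
    r"""(?P<value>true|false|'[^']*'|"[^"]*"|\d+)\s*\)\s*;""",
    re.IGNORECASE,
)

# Values harden() writes. WP_AUTO_UPDATE_CORE 'minor' keeps the WordPress
# default (security/minor releases); true would add major releases as well.
HARDENED = {
    "WP_AUTO_UPDATE_CORE": "minor",
    "DISALLOW_FILE_EDIT": True,   # removes the theme/plugin editor (item 8)
    "WP_DEBUG_DISPLAY": False,    # never render PHP errors (and paths) to visitors
    "FORCE_SSL_ADMIN": True,      # login and admin pages over HTTPS only
}


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith(("//", "#", "/*", "*"))


def _php_value(raw: str):
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if raw.isdigit():
        return int(raw)
    return raw[1:-1]  # strip the quotes


def _php_literal(value) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def parse_defines(config_text: str) -> dict:
    """Return {NAME: value} for every active (uncommented) define() in the file."""
    defines = {}
    for line in config_text.splitlines():
        if _is_comment(line):
            continue
        m = DEFINE_RE.search(line)
        if m:
            defines[m["name"].upper()] = _php_value(m["value"])
    return defines


def audit(defines: dict) -> list:
    """One finding per weak or missing setting; an empty list means clean."""
    findings = []
    core = defines.get("WP_AUTO_UPDATE_CORE")
    if core is False:
        findings.append("WP_AUTO_UPDATE_CORE is false: core security releases will not install themselves")
    elif core not in (None, True, "minor"):
        findings.append(f"WP_AUTO_UPDATE_CORE has unexpected value {core!r}")
    if defines.get("AUTOMATIC_UPDATER_DISABLED") is True:
        findings.append("AUTOMATIC_UPDATER_DISABLED is true: every automatic update is switched off")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: any administrator can edit PHP from the dashboard")
    if defines.get("WP_DEBUG") is True and defines.get("WP_DEBUG_DISPLAY") is not False:
        findings.append("WP_DEBUG is on without WP_DEBUG_DISPLAY false: PHP errors are shown to visitors")
    if defines.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN is not true: the login page may be served over plain HTTP")
    return findings


def harden(config_text: str) -> str:
    """Rewrite active defines listed in HARDENED in place and add the missing
    ones just above the 'stop editing' marker (or at the end if it is absent)."""
    out, seen = [], set()
    for line in config_text.splitlines():
        m = None if _is_comment(line) else DEFINE_RE.search(line)
        if m and m["name"].upper() in HARDENED:
            name = m["name"].upper()
            out.append(f"define( '{name}', {_php_literal(HARDENED[name])} );")
            seen.add(name)
        else:
            out.append(line)
    missing = [f"define( '{n}', {_php_literal(v)} );" for n, v in HARDENED.items() if n not in seen]
    marker = next((i for i, l in enumerate(out) if "stop editing" in l), len(out))
    out[marker:marker] = missing
    return "\n".join(out) + "\n"


# Constructed sample: what a wp-config.php looks like after a hasty
# "hardening" (note the commented-out DISALLOW_FILE_EDIT and debug left on).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_prod' );
define( 'DB_USER', 'wp_app' );
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_AUTO_UPDATE_CORE', false );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    for finding in audit(parse_defines(SAMPLE_WP_CONFIG)):
        print("WEAK:", finding)
    print(harden(SAMPLE_WP_CONFIG))
```

Run it against a copy of the real file, never in place on a live site without the backup from the top of this checklist; the rewrite keeps every other line as it was, but a wrong define in wp-config.php takes the whole site down.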

9. Limit Login Attempts

Why it matters: WordPress by default allows unlimited login attempts. Brute-force attacks work by trying thousands of username and password combinations in automated sequence. Without login attempt limits, this attack has no natural barrier.

What to do: Your security plugin (Wordfence, Solid Security) applies login attempt limits as part of its core configuration. If you haven’t installed a security plugin, Limit Login Attempts Reloaded (free) applies this control specifically. Set the lockout to activate after 5 failed attempts, with a 15-minute lockout on the first occurrence and a 24-hour lockout after repeated failures.
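Added example, not part of the original article: the lockout schedule above (5 failures, a 15-minute lockout, then 24 hours on a repeat) as a small Python detector that replays web-server access-log lines, which also shows what the plugin setting in item 4 is doing. It relies on a WordPress behaviour worth knowing for log review: a POST to /wp-login.php that returns 200 is a failed login (the form was re-rendered with an error), while a 302 is a successful one (redirect into wp-admin). The log lines and IP addresses are constructed for the example, the thresholds mirror this section, and POSTs to xmlrpc.php are counted separately because that endpoint returns 200 whether or not the credentials were valid.

```python
"""Detect wp-login.php brute forcing in access logs and model the escalating
lockout from item 9 (5 failures -> 15 min; repeat -> 24 h). Added example;
the log lines and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format. For POST /wp-login.php, WordPress answers
# 200 when the login failed (form re-rendered) and 302 when it succeeded
# (redirect into wp-admin). xmlrpc.php answers 200 either way.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


class LockoutPolicy:
    """Per-source lockout with escalation: the first lockout is short, every
    later one is long. Like the plugins, this keys on IP address, which is
    why 2FA is still needed against attackers who rotate addresses."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 first_lockout=timedelta(minutes=15), repeat_lockout=timedelta(hours=24)):
        self.max_failures, self.window = max_failures, window
        self.first_lockout, self.repeat_lockout = first_lockout, repeat_lockout
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> end of the current lockout
        self.lockouts = defaultdict(int)   # ip -> number of lockouts so far

    def observe(self, ip, ts, success: bool) -> str:
        """Feed one login attempt; return the decision a firewall should take."""
        if ts < self.locked_until.get(ip, ts):
            return "blocked"               # arrived during an active lockout
        if success:
            self.failures[ip].clear()
            return "allowed"
        recent = [t for t in self.failures[ip] if ts - t <= self.window] + [ts]
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.lockouts[ip] += 1
            duration = self.first_lockout if self.lockouts[ip] == 1 else self.repeat_lockout
            self.locked_until[ip] = ts + duration
            self.failures[ip] = []
            return "locked"
        return "failed"


def analyze(log_lines, policy=None) -> dict:
    """Replay login traffic through the policy; also count xmlrpc.php POSTs,
    which bypass wp-login.php and cannot be judged by status code."""
    policy = policy or LockoutPolicy()
    decisions, xmlrpc_posts = defaultdict(list), defaultdict(int)
    for line in log_lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"] == "/xmlrpc.php":
            xmlrpc_posts[rec["ip"]] += 1
        elif rec["path"] == "/wp-login.php":
            decisions[rec["ip"]].append(policy.observe(rec["ip"], rec["ts"], rec["status"] == 302))
    return {
        "decisions": dict(decisions),
        "xmlrpc_posts": dict(xmlrpc_posts),
        "locked_until": dict(policy.locked_until),
        "lockouts": dict(policy.lockouts),
    }


def _line(ip, hms, path, status):  # builds one constructed combined-format log line
    return (f'{ip} - - [10/Mar/2024:{hms} +0000] "POST {path} HTTP/1.1" '
            f'{status} 4512 "-" "python-requests/2.31"')


SAMPLE_LOG = (
    [_line("203.0.113.7", f"02:14:0{i}", "/wp-login.php", 200) for i in range(5)]   # 5 failures -> 15 min lockout
    + [_line("203.0.113.7", "02:20:00", "/wp-login.php", 200)]                      # inside the lockout
    + [_line("203.0.113.7", f"02:31:0{i}", "/wp-login.php", 200) for i in range(5)] # 5 more -> 24 h lockout
    + [_line("203.0.113.7", "02:32:00", "/xmlrpc.php", 200)] * 3                     # retries via XML-RPC
    + [_line("198.51.100.4", "02:15:00", "/wp-login.php", 200),                     # a real user mistypes once
       _line("198.51.100.4", "02:15:20", "/wp-login.php", 302)]                     # then signs in
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, until in result["locked_until"].items():
        print(f"{ip}: locked until {until.isoformat()} after {result['lockouts'][ip]} lockout(s)")
    print("xmlrpc.php POSTs:", result["xmlrpc_posts"])
```

Two things the replay makes visible that a plugin dashboard does not: a request logged as “blocked” means the lockout is not actually being enforced in front of WordPress (the attempt reached the log), and the xmlrpc.php count is the attacker moving to the endpoint your login lockout does not cover.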

10. Configure Regular Automated Backups with Off-Site Storage

Why it matters: Backups were addressed first as a prerequisite, but they deserve their place as a formal security control, not just a precaution. A backup is the recovery path for every other security failure: hacks, corrupted updates, accidental deletions, hosting failures. A backup stored only on your hosting server is not a backup; it is a copy that will be lost along with everything else in a hosting-level incident.

Backup checklist:

  • Daily automated backups via UpdraftPlus or BlogVault
  • Off-site storage (Google Drive, Dropbox, or Amazon S3), not just your hosting server. Give the plugin the narrowest credential the storage service allows (for S3, an IAM user that can write to the backup bucket but not delete from it): whatever credential the plugin holds is readable by anyone with administrator access to WordPress, and an attacker who gets that far will try to delete your backups before you notice
  • Retention period of at least 30 days, so a compromise discovered late can still be rolled back to a clean copy
  • A restoration test every 90 days, onto a staging site rather than production; a backup you have never restored is a backup of unknown reliability. Test it.

Monitoring: Know When Something Goes Wrong

Implementing these controls without monitoring is incomplete. Security events you’re unaware of cannot be responded to. At minimum, configure:

  • Email alerts for admin account changes — new user creation, role changes, password resets (your security plugin handles this)
  • Uptime monitoring — UptimeRobot (free) checks your site every 5 minutes and emails you if it goes down
  • Google Search Console — flags your site if Google’s crawlers detect malware or deceptive content; sign up and verify your site if you haven’t already
  • Security scan alerts — schedule weekly malware scans in your security plugin (Wordfence, in the setup above) with email notification on any detection, and actually read the summaries rather than filtering them into a folder

Conclusion

WordPress security is not a one-time setup task. It is an ongoing operational discipline, updates applied consistently, access accounts audited regularly, backups tested rather than assumed, and monitoring in place to detect the incidents that hardening didn’t prevent.

The businesses that get hacked are not primarily the ones who couldn’t implement these measures. They are the ones who knew about them and treated them as low-priority. An unpatched plugin that was last updated 18 months ago, an “admin” username from the original installation, a backup strategy that depends on the hosting server that just got compromised: these are choices, not inevitable outcomes.

Work through this checklist once, systematically. Then schedule a monthly 20-minute maintenance session to review updates, check scan results, and confirm backups are running. That discipline is the difference between a site that gets compromised and one that doesn’t.

If you’d rather have a qualified team handle your WordPress security configuration and ongoing maintenance, Maxify Global can help.

We conduct full WordPress security audits, implement hardening configurations across every layer covered in this checklist, and provide ongoing maintenance plans that keep your site updated, monitored, and backed up reliably, so security doesn’t depend on someone remembering to do it.

Contact us at support@maxifyglobal.com or visit www.maxifyglobal.com to get started.

Author

Raymond Yima

Raymond is a WordPress Web Designer & Developer at Maxify Global, specializing in high-performance websites and digital experiences for growing businesses. With expertise in custom WordPress development and UX design, he helps companies translate complex technology into scalable, results-driven solutions that support real business growth.