How to Secure a WordPress Website

WordPress powers a huge share of the web, which makes it a constant target for automated attacks. The good news is that the vast majority of breaches exploit a handful of well-known weaknesses, and closing those gaps does not require deep technical expertise. This hardening checklist walks you through the practical steps that deliver the most protection for the least effort, from logins to file permissions.

Strong Logins and Two-Factor Authentication

Weak credentials remain the number one cause of compromised sites. Use long, unique passwords for every account and store them in a password manager. More importantly, enable two-factor authentication so that even a stolen password is not enough to get in. Avoid the default admin username, which bots try first.

Keep Everything Updated

Outdated software is the single largest source of vulnerabilities. Update WordPress core, themes, and plugins promptly, and enable automatic updates for minor releases. If a plugin has not been updated by its author in over a year, treat it as a liability and look for a maintained alternative.

Apply Least-Privilege User Roles

Not everyone needs to be an administrator. Assign the lowest role that lets each person do their job: authors write posts, editors manage content, and only trusted technical staff get admin access. Fewer admins means fewer accounts an attacker can target.

Use Reputable Themes and Plugins Only

Every theme and plugin is executable code running on your site. Install only from the official WordPress repository or established commercial vendors with active support. Never use nulled or pirated premium plugins; they are a notorious vehicle for hidden backdoors.

Install a Security Plugin and Firewall

A reputable security plugin adds a web application firewall, malware scanning, and login protection in one package. A firewall blocks malicious traffic before it reaches WordPress, filtering out known bad actors and common exploit attempts automatically.

Enforce SSL and HTTPS

An SSL certificate encrypts data between your visitors and your server, protecting login credentials and form submissions. Most hosts offer free certificates through Let’s Encrypt. Once installed, force all traffic to HTTPS so no page loads over an insecure connection.

Limit Login Attempts and Change the Login URL

Brute-force bots hammer the default wp-login.php page relentlessly. Limit the number of failed login attempts per IP address and consider moving your login page to a custom URL. Both measures dramatically reduce automated attacks against your dashboard.

Disable the Built-In File Editor

WordPress lets admins edit theme and plugin code directly from the dashboard, which is a gift to anyone who gains access. Disabling it means an attacker cannot inject code through the editor even if they log in.

Secure wp-config.php

Your wp-config.php file holds your database credentials and security keys, making it the most sensitive file on your site. Add the following directives to harden it:

// Disable the built-in theme and plugin file editor
define('DISALLOW_FILE_EDIT', true);

// Block plugin and theme installation/updates from the dashboard
define('DISALLOW_FILE_MODS', true);

// Force administrative pages over SSL
define('FORCE_SSL_ADMIN', true);

// Reduce stored post revisions
define('WP_POST_REVISIONS', 5);

You should also confirm your security keys and salts are set to unique values and restrict access to the file at the server level so it cannot be read directly.

Run Regular Backups

Backups will not prevent an attack, but they turn a disaster into an inconvenience. Schedule automated backups of both your files and database, and store copies off-server. Test a restore occasionally so you know it actually works when you need it.

Set Correct File Permissions

Tight file permissions limit what a compromised process can change. As a general rule, directories should be 755 and files should be 644, while wp-config.php can be locked down further:

find /path/to/wordpress -type d -exec chmod 755 {} ;
find /path/to/wordpress -type f -exec chmod 644 {} ;
chmod 600 wp-config.php

Harden the Database and Table Prefix

Use a unique database table prefix instead of the default wp_ to blunt automated SQL injection attempts that assume standard table names. Grant your database user only the privileges WordPress actually needs, and use a strong, dedicated database password.

Monitor Logs and Activity

Visibility is what turns a slow breach into a quick response. Keep an activity log that records logins, content changes, and plugin updates so unusual behavior stands out. Review server access logs periodically and set up alerts for failed logins and file changes.

Security is not a one-time task. Revisit this checklist every few months and after any major change to your site.

Quick Recap Checklist

• Strong passwords plus two-factor authentication
• Automatic updates for core, themes, and plugins
• Least-privilege user roles
• Reputable themes and plugins only
• Security plugin and firewall enabled
• HTTPS enforced everywhere
• Limited login attempts and a custom login URL
• File editor disabled and wp-config.php locked down
• Regular, off-server backups
• Correct file permissions and a unique table prefix
• Active logging and monitoring

Work through this list one item at a time and you will close the doors that attackers rely on most. Start today with the quickest wins, strong passwords and updates, then build out the rest until your site is genuinely hard to break into.