WordPress Security: Harden Your Site in 2026
The WordPress security checklist that stops 99% of attacks — logins, updates, permissions, WAF, and backups.
Keep Everything Updated
Enable auto-updates for minor WordPress core releases (default in modern WP).
Auto-update for well-maintained plugins/themes; manual for high-risk ones (page builders, complex integrations).
Remove any plugin or theme unused for 90 days — dormant code is attack surface.
Login Hardening
Enforce strong passwords (12+ chars, complexity).
Enable 2FA for all admin accounts (Wordfence, WP 2FA, or Google Authenticator).
Change the default 'admin' username.
Limit login attempts (Wordfence, iThemes, or manual .htaccess).
Change wp-login.php URL (WPS Hide Login) — reduces brute-force noise.
File Permissions & Users
Files: 644. Directories: 755. wp-config.php: 600.
Give users the minimum role they need.
Delete inactive user accounts.
Security priorities by site value
| Site type | Must have | Nice to have |
|---|---|---|
| Personal blog | Auto-updates, 2FA, backups | Wordfence free |
| Business site | Above + Wordfence, WAF | Sucuri, host WAF |
| Ecommerce | Above + PCI-compliant host | 24/7 monitoring, WAF Pro |
| Membership / paid content | Above + strict user roles | Log audit + SIEM |
WAF & Firewall
Wordfence Premium or Sucuri for application-level WAF.
Cloudflare (free tier includes basic WAF; Pro tier adds managed rules).
Host-level WAF (WP Engine, Kinsta, Cloudways) covers the basics.
Backups (Tested!)
UpdraftPlus, BlogVault, or Jetpack Backup for automated offsite backups.
Daily incremental + weekly full is typical.
Test restore quarterly. An untested backup is not a backup.
SSL / HTTPS
HTTPS everywhere. Let's Encrypt via your host, or Cloudflare's flexible SSL.
Force HTTPS redirect. HSTS header for extra protection.
Monitoring
Enable Wordfence's malware scan on a daily schedule.
Set uptime + integrity monitoring (UptimeRobot, Better Uptime).
Watch Search Console for security warnings.
Frequently Asked Questions
What's the #1 cause of WordPress hacks?+
Outdated plugins and themes. Enable auto-updates and remove unused code.
Do I need a security plugin?+
Yes for most sites. Wordfence or Solid Security handles firewall, malware scan, login limits, and 2FA in one place.
Is Cloudflare enough for security?+
Cloudflare handles DDoS + basic WAF well. Combine with a WordPress-aware plugin for full coverage.
How often should I back up?+
Daily for active sites. Store backups offsite (not on the same server). Test restores quarterly.
Should I hide wp-admin?+
It's low-impact security (obscurity) but reduces brute-force log noise. Worth doing but not a substitute for 2FA.