
WordPress powers a huge share of the web, which also makes it a favourite target for automated attacks. The good news: nearly all WordPress hacks exploit the same few weaknesses — outdated plugins, weak logins, and missing hardening — and all are preventable. Here’s how to lock your site down.
Reviewed and kept current by the Coppers.io editorial team — see how we research . For non-WordPress sites, start with our broader website security guide.
Why WordPress is targeted
WordPress itself is well-maintained and secure at its core. The risk comes from its ecosystem: tens of thousands of third-party plugins and themes of varying quality, plus millions of sites running outdated versions. Attackers use bots to scan for known plugin vulnerabilities and weak passwords at massive scale — so most “hacks” are opportunistic, not targeted.
The main WordPress threats
- Brute-force login attacks — bots guessing username/password combinations against
wp-login.php. - Plugin and theme vulnerabilities — by far the most common entry point. Outdated or poorly coded extensions get exploited to inject malware or gain access.
- SQL injection & XSS — flaws in custom or vulnerable code that expose your database or visitors.
- Outdated core — running an old WordPress version with known, published vulnerabilities.
A well-known example: the plugin behind the Panama Papers and the SoakSoak malware campaign was an outdated copy of a popular slider plugin — proof that one neglected extension can compromise an entire site.
How to secure your WordPress site
1. Update everything, promptly
This is the single most important habit. Keep WordPress core, plugins, and themes updated — enable auto-updates where you can — and delete anything you don’t use. Unused, un-updated plugins are pure risk.
2. Harden your logins
- Use strong, unique passwords via a password manager .
- Enable two-factor authentication (2FA) on every admin account.
- Limit login attempts to blunt brute-force bots, and avoid the default
adminusername.
3. Use a security plugin and a firewall
A reputable WordPress security plugin adds a Web Application Firewall (WAF), malware scanning, and login protection in one place. Well-established options include Wordfence, Sucuri, and Solid Security — choose one and configure it rather than stacking several. A CDN/WAF like Cloudflare in front of your site adds DDoS protection too.
4. Harden the installation
Following the official Hardening WordPress guidance:
- Protect
wp-config.php(it holds your database credentials and keys) with strict file permissions. - Disable file editing in the dashboard (
define('DISALLOW_FILE_EDIT', true);). - Apply least privilege — give each user only the role they need.
- Ensure your whole site runs on HTTPS (see what HTTPS is ).
5. Back up automatically — and test restores
Automated, off-site backups are your safety net. A reliable backup plugin (such as UpdraftPlus or your host’s built-in backups) lets you restore a clean copy fast after any compromise. Test a restore so you know it actually works.
6. Choose a secure host
A good managed-WordPress host handles a lot for you: server hardening, automatic updates, malware scanning, and backups. (We’re preparing an independent hosting comparison; until it’s live, prioritise hosts with strong, documented security practices.)
Quick WordPress security checklist
- Core, plugins, and themes auto-updating; unused ones removed
- Strong unique admin passwords + 2FA
- Login-attempt limiting (no
adminusername) - A security plugin with a WAF + malware scanning
-
wp-config.phpprotected; dashboard file editing disabled - Site fully on HTTPS
- Automated off-site backups, restore tested
The bottom line
WordPress security comes down to discipline, not wizardry: update relentlessly, harden your logins with 2FA, run a security plugin/WAF, lock down wp-config.php, and keep tested backups. Do those, and you’ll shut out the automated attacks that compromise the vast majority of WordPress sites.
FAQs
- Keep WordPress core, plugins, and themes updated; use strong passwords with two-factor authentication; install a security plugin with a firewall; harden wp-config.php and disable dashboard file editing; run on HTTPS; and keep automated off-site backups. Those steps stop almost all WordPress attacks.
- Outdated or vulnerable plugins and themes, followed by weak or reused passwords. Automated bots scan for known plugin flaws and guess logins at scale, so prompt updates and strong authentication close the biggest gaps.
- For most sites, yes — a reputable security plugin bundles a firewall, malware scanning, and login protection in one place. Pick one well-regarded option (such as Wordfence, Sucuri, or Solid Security) and configure it, rather than running several at once.
- No — WordPress core is actively maintained and secure. Most breaches come from the surrounding ecosystem: outdated third-party plugins and themes, weak passwords, and sites that aren't kept up to date.
- Match the backup frequency to how often your site changes — daily for active sites or stores, weekly for static ones. Store backups off-site and test a restore so you can recover quickly if your site is ever compromised.
