WordPress Security Best Practices

The single most effective thing you can do for WordPress security is keep your core installation, themes, and plugins current. The majority of successful WordPress attacks exploit known vulnerabilities that have already been patched — in software that simply wasn't updated.

Enable automatic updates for minor core releases at a minimum. For plugins and themes, review updates regularly and apply them promptly. If a plugin hasn't been updated by its developer in over a year, treat it as a risk and look for an actively maintained alternative.

Delete anything you're not using. Inactive plugins and themes still represent attack surface even when disabled.

Weak passwords and reused credentials are responsible for a significant share of WordPress compromises. Every account associated with your site — WordPress admin, hosting panel, FTP, and database — should have a long, unique password that isn't used anywhere else.

Use a password manager to generate and store credentials rather than relying on memory. Change the default admin username from "admin" to something less predictable. Attackers run brute-force scripts that specifically target the admin account because it's the default on every WordPress install.

Assign the lowest permission level that lets each user do their job. Editors don't need admin access. Contributors don't need editor access. Limiting roles limits the damage if an account is ever compromised.

Passwords alone aren't enough for high-privilege accounts. Two-factor authentication (2FA) adds a second verification step — typically a time-based code from an app like Google Authenticator or Authy. And that makes stolen passwords far less useful to an attacker.

Enable 2FA for all administrator and editor accounts at minimum. Plugins like WP 2FA or the Wordfence Security plugin make this straightforward to set up without technical expertise.

A dedicated security plugin handles several protective layers in one place. Look for one that offers login protection, malware scanning, firewall rules, and activity logging.
Well-regarded options include Wordfence, Sucuri Security, and iThemes Security.

Each takes a slightly different approach, but any of them is significantly better than nothing. At a minimum, configure login attempt limits to block brute-force attacks, and set up email alerts for suspicious activity so you know when something unusual happens.

The WordPress login page at /wp-login.php is one of the most targeted URLs on the internet because it's identical on every default installation. A few changes meaningfully reduce automated attacks.

Limit login attempts to lock out IPs after a set number of failed tries. Consider changing the login URL to something non-default — not a silver bullet, but it eliminates the lowest-effort automated scans. If your site has a small, known group of admins, restrict login page access by IP address entirely.

Disable XML-RPC if you don't need it. This older WordPress feature is frequently exploited for brute-force attacks and can be turned off without affecting most modern sites.

Backups are your safety net when everything else fails. They won't prevent an attack, but they determine how quickly and completely you can recover from one.

Automate daily backups of both your site files and your database. Store copies in at least two locations — your hosting server and an offsite destination like Amazon S3, Dropbox, or Google Drive. On-server-only backups don't help if the server itself is compromised.

Test your backups periodically by actually restoring from one. A backup you've never verified is a backup you can't trust.