1. Keep Everything Updated
Update WordPress core, all themes, and all plugins as soon as updates are available. Outdated software is the #1 cause of WordPress hacks.
2. Install Wordfence Security
Install the free Wordfence plugin. Enable the firewall and malware scanner. Set up email alerts for login attempts and blocked attacks.
3. Use a Strong Admin Password
Use a password of at least 20 characters with uppercase, lowercase, numbers, and symbols. Use a password manager like Bitwarden.
4. Enable 2FA on WordPress Admin
Install the Wordfence Login Security plugin or WP 2FA to require authenticator codes for admin logins.
5. Limit Login Attempts
Wordfence does this automatically. Alternatively, install Limit Login Attempts Reloaded.
6. Change the Admin Login URL
The default /wp-admin/ URL is targeted constantly by bots. Change it using the WPS Hide Login plugin.
7. Force HTTPS Everywhere
Ensure your SSL certificate is active and all traffic is redirected to HTTPS. Never run WordPress without SSL.
8. Set Up Automated Backups
Install UpdraftPlus, configure daily backups, and store them in Google Drive, Dropbox, or S3. Test a restore at least once every 3 months.