The WordPress Security Threat Landscape

WordPress is the most targeted CMS on the internet — not because it's insecure by design, but because its 43% market share makes it the highest-value target for automated attack scripts. The vast majority of WordPress hacks aren't sophisticated zero-day exploits — they're automated attacks exploiting known vulnerabilities in outdated plugins, weak passwords, and default configurations.

A properly-hardened WordPress site is genuinely difficult to compromise. Here are the 15 steps we implement on every WordPress site we build or maintain.

Steps 1–5: Hosting and Core Hardening

1. Use managed WordPress hosting: Kinsta, WP Engine, and Pressable include server-level firewalls, automatic malware scanning, and managed core/plugin updates. The security gap between managed and shared hosting is substantial, but the host only covers the server layer; vulnerable plugins and weak credentials remain your problem and are what the rest of this list addresses.

2. Keep WordPress core, themes, and plugins updated: around 60% of WordPress hacks exploit known vulnerabilities that had patches available for weeks or months before the attack, and the large majority of those vulnerabilities are in plugins, not core. WordPress applies minor (security) core releases automatically by default; leave that on, and since WordPress 5.5 you can also enable per-plugin auto-updates from the Plugins screen. Audit whatever is left weekly, and treat any changelog entry that mentions a security fix as same-day work.

3. Delete unused themes and plugins: deactivating a plugin only stops WordPress loading it; its files stay in wp-content/plugins and can still be requested directly over HTTP, so a vulnerability in a file that runs standalone remains exploitable. Delete, not just deactivate, any plugin or theme you are not actively using. Keep one default theme installed and updated as a fallback, since WordPress falls back to it if your active theme breaks.

4. Use PHP 8.2+: PHP versions past end-of-life receive no security fixes, and PHP 8.0 reached end-of-life in November 2023. Check your version in the hosting control panel or under Tools > Site Health > Info, and test the upgrade on a staging copy first, because outdated plugins are the usual thing that breaks.

5. Change the default database prefix: WordPress uses wp_ as the table prefix by default, so automated injection scripts hard-code table names like wp_users. Be honest about what this buys: it is obscurity only. An injection flaw that reaches the database still works, and the prefix is readable from error output or information_schema, so treat the change as a speed bump against the dumbest scripts, not a fix. Set it during installation (the $table_prefix line in wp-config.php). Changing it on an existing site means renaming every table and also updating the three places the prefix is stored inside row data (the wp_user_roles option and the wp_capabilities and wp_user_level usermeta keys); miss those and every user loses their role. Take a full backup first and use a dedicated prefix-change plugin or a reviewed SQL script.
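For anyone who does decide to change the prefix, here is an added example (not from the original article or any plugin it names) that prints the SQL for the rename, including the row-level fixes that manual renames commonly miss. The prefixes wp_ and x9q_ and the single-site core table list are assumptions; multisite blog prefixes (wp_2_ and so on) and plugin-created tables are out of scope and must be added to the list by hand.

```shell
#!/bin/sh
# Added example (not from the original article): print the SQL for moving a
# WordPress install from one table prefix to another. Review the output, take
# a backup, then feed it to the mysql client. Table list and prefixes are
# assumptions for illustration; list your real tables with SHOW TABLES first.
set -eu

# Core single-site tables. Plugin tables that carry the prefix must be
# appended here or they will be left behind under the old name.
WP_CORE_TABLES="commentmeta comments links options postmeta posts
term_relationships term_taxonomy termmeta terms usermeta users"

# Usage: wp_prefix_rename_sql OLD_PREFIX NEW_PREFIX
wp_prefix_rename_sql() {
  old="$1"
  new="$2"
  for t in $WP_CORE_TABLES; do
    printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
  done
  # The prefix is also stored *inside* rows. If these are missed, every
  # user loses their role and is locked out of wp-admin after the rename.
  printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
    "$new" "$new" "$old"
  # Exact-match renames only: several core options (wp_page_for_privacy_policy,
  # for example) start with a literal "wp_" and must NOT be touched.
  for k in capabilities user_level user-settings user-settings-time; do
    printf "UPDATE \`%susermeta\` SET meta_key = '%s%s' WHERE meta_key = '%s%s';\n" \
      "$new" "$new" "$k" "$old" "$k"
  done
  # The one non-SQL step, emitted as an SQL comment so it travels with the script.
  printf '%s\n' "-- Finally set \$table_prefix = '$new'; in wp-config.php"
}

# Stand-alone use: ./wp-prefix.sh wp_ x9q_ > rename.sql
if [ $# -ge 2 ]; then
  wp_prefix_rename_sql "$1" "$2"
fi
```

The usermeta renames are exact matches on purpose: a blanket REPLACE on anything starting with wp_ would also rewrite core options that happen to begin with the same three characters. The only keys that must not be missed are user_roles, capabilities and user_level; the two user-settings keys only hold admin UI preferences.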

Steps 6–10: Login and Access Security

6. Enforce strong passwords and two-factor authentication: require long, unique passwords and TOTP-based two-factor authentication for every account that can publish or administer, using a plugin such as WP 2FA to enforce it per role. This single step blocks the overwhelming majority of credential-stuffing attacks (the widely cited figure is 99.9%), because a leaked or reused password is no longer enough on its own.

7. Limit login attempts: brute-force attacks try thousands of username/password combinations. Lock an IP out for 15 minutes after 5 failed attempts using Wordfence or Limit Login Attempts Reloaded. Treat this as rate limiting rather than a hard control: attackers rotate through proxy pools, so distributed attempts slip under any per-IP threshold, which is why step 6 matters more.

8. Change the default admin username: automated attacks try admin as the username first. If your admin account is named "admin", create a new administrator with a non-obvious username and a display name that differs from it, reassign all content to the new account, and delete the original. Know the limits: usernames are recoverable through author archives (/?author=1) and the REST API's users endpoint, so a renamed account buys little against a determined attacker. The password and 2FA are what actually hold.

9. Disable XML-RPC: XML-RPC is WordPress's legacy remote-procedure-call endpoint (xmlrpc.php). It is rarely needed but routinely abused: system.multicall bundles hundreds of login guesses into a single request, sidestepping per-request login limits, and pingback.ping is used to turn your server into a DDoS reflector. Block xmlrpc.php at the web server (a deny rule in .htaccess or the nginx config) or via Wordfence unless you specifically need it for Jetpack or a mobile app. The xmlrpc_enabled filter is a weaker option, since it only disables the authenticated methods and leaves pingbacks reachable.

10. Use application passwords for REST API access: WordPress 5.6+ issues per-integration application passwords from the user's profile page (Users > Profile > Application Passwords); they require HTTPS by default and can be revoked individually without touching the account password. Never hand your main admin credentials to an integration. An application password carries every capability of the user it belongs to, so create a dedicated low-privilege user for each integration rather than issuing the password from an administrator account.

Steps 11–15: File, Database, and Monitoring Security

11. Set correct file permissions: WordPress files should be 644 (readable by all, writable only by the owner) and directories 755. wp-config.php should be 440 or 400, with the caveat that the PHP process must still be able to read it: 400 only works when PHP runs as the file's owner, so use 440 when the web server user is instead in the owner's group. Never use 777; it lets any process on the server, including a compromised neighbouring site on shared hosting, write to your files.

12. Move wp-config.php up one directory: WordPress looks for wp-config.php one directory above its install directory when the file is not found alongside wp-settings.php (and the parent is not itself a WordPress install). If WordPress lives at the document root, the parent directory is outside the web root and the file can never be served over HTTP, even if a misconfiguration one day serves PHP as plain text. This only helps for document-root installs; for a subdirectory install the parent is still web-accessible, so deny the file at the web server instead.

13. Install Wordfence Security: Wordfence's free tier includes a firewall, malware scanner, and real-time IP blacklisting. Run a full scan after installation and switch the firewall to Extended Protection so it filters requests before WordPress loads. The premium tier ($119/year) adds real-time threat intelligence that's worth the cost for business-critical sites.

14. Implement SSL/HTTPS: every WordPress site should run on HTTPS, with both WordPress Address and Site Address set to https:// and a permanent redirect from http://. Use Let's Encrypt via your hosting panel or Cloudflare's free certificates; with Cloudflare, set the encryption mode to Full (strict), because Flexible leaves the hop from Cloudflare to your origin in plaintext. Enable HSTS to stop downgrade attacks, starting with a short max-age while you confirm every subdomain works over HTTPS, since a bad HSTS header locks browsers out for as long as max-age says.

15. Automated backups with off-site storage: UpdraftPlus (free/premium) can run daily backups to Google Drive, Dropbox, or Amazon S3. A clean backup from before a hack is the only reliable recovery path short of a rebuild, so keep several weeks of history; compromises are often discovered long after they happened. Store copies off the web server (a backup sitting in wp-content is just another file the attacker can read or delete) and test your restore process: a backup you've never restored from is a backup you don't know works.
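Steps 9, 11 and 12 can be scripted and re-run safely. The following is an added example, not part of the original article or any plugin it names; it assumes an Apache 2.4 host (the Require syntax), WordPress at the directory passed as $1, and PHP running as the file owner (hence 400 rather than 440 on wp-config.php). On nginx, the deny rules become location blocks in the server config instead.

```shell
#!/bin/sh
# Added example (not from the original article): normalise WordPress file
# permissions, report anything still world-writable, and add Apache deny
# rules for xmlrpc.php and wp-config.php. The wp root path and the marker
# text are assumptions for illustration.
set -eu

# Step 11: 755 for directories, 644 for files, owner-read-only wp-config.php.
wp_fix_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # 400 only works when PHP runs as the file owner; use 440 when the
  # web server user is in the owner's group instead.
  if [ -f "$root/wp-config.php" ]; then
    chmod 400 "$root/wp-config.php"
  fi
}

# Audit: list everything writable by "other" (the 777 problem).
# Empty output means clean.
wp_world_writable() {
  find "$1" -perm -002 ! -type l
}

# Steps 9 and 12: deny direct HTTP access to xmlrpc.php and, as a fallback
# for installs where the file cannot be moved above the web root, to
# wp-config.php. Idempotent: the marker line stops the block being
# appended twice when the script is re-run.
wp_write_htaccess_denies() {
  ht="$1/.htaccess"
  marker="# BEGIN hardening-denies"
  if [ -f "$ht" ] && grep -qF "$marker" "$ht"; then
    return 0
  fi
  cat >> "$ht" <<'EOF'
# BEGIN hardening-denies
<Files "xmlrpc.php">
    Require all denied
</Files>
<Files "wp-config.php">
    Require all denied
</Files>
# END hardening-denies
EOF
}

# Stand-alone use: ./harden.sh /var/www/html
if [ $# -ge 1 ]; then
  wp_fix_permissions "$1"
  wp_write_htaccess_denies "$1"
  echo "World-writable paths remaining (should be none):"
  wp_world_writable "$1"
fi
```

Run the audit function on its own from cron as well; a fresh 777 directory appearing under wp-content is a common side effect of a careless plugin install or of an attacker preparing a drop location, and it is cheap to catch.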

Security monitoring setup: configure Wordfence email alerts for new admin users, failed logins, file changes, and malware detections. Set up UptimeRobot (free) to alert you when the site goes down. Review the web server access log as well: bursts of POST requests to wp-login.php or xmlrpc.php from a single client are the earliest sign of an attack, often before any plugin alert fires. Early detection is everything.
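To apply step 7's threshold and the log-review advice above to raw access logs, here is an added example (not from the original article) that reads combined-format log lines from standard input and flags brute-force candidates. The log lines are constructed for illustration, using documentation IP ranges; the 5-failure threshold is the one from step 7.

```shell
#!/bin/sh
# Added example (not from the original article): pick brute-force candidates
# out of an Apache/nginx combined-format access log read from stdin. Feed it
# a time-bounded slice (for example the last 15 minutes) to match step 7's
# window. The sample log below is constructed.
set -eu

# A failed wp-login.php POST is answered with 200 (the form re-renders with an
# error); a successful one is a 302 to wp-admin. Count only the failures.
# Usage: ... | wp_login_failures LIMIT   -> prints "ip count" for ip >= LIMIT
wp_login_failures() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
  '
}

# Any POST to xmlrpc.php from a client that is not a known integration
# deserves a look: system.multicall lets one request carry hundreds of
# password guesses, so even a low count can be a large attack.
# Usage: ... | wp_xmlrpc_posters   -> prints "ip count"
wp_xmlrpc_posters() {
  awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }'
}

# Constructed sample: one scripted attacker, one editor who mistyped once
# before logging in, and one xmlrpc.php prober.
SAMPLE_LOG="$(cat <<'EOF'
203.0.113.7 - - [12/Mar/2025:09:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2025:09:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2025:09:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.45 - - [12/Mar/2025:09:16:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Go-http-client/1.1"
192.0.2.45 - - [12/Mar/2025:09:16:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Go-http-client/1.1"
EOF
)"

echo "Login brute-force candidates (>= 5 failures):"
printf '%s\n' "$SAMPLE_LOG" | wp_login_failures 5
echo "xmlrpc.php POST sources:"
printf '%s\n' "$SAMPLE_LOG" | wp_xmlrpc_posters
```

Against a real log, pipe in a bounded slice such as `grep '12/Mar/2025:09:1' access.log | wp_login_failures 5`. Behind Cloudflare or a load balancer the first field is the proxy's address, so restore the real client IP at the web server (mod_remoteip on Apache, the real_ip module on nginx) before relying on per-IP counts, or every visitor will look like one client.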