Why WordPress Is a Primary Target
WordPress's enormous market share makes it a high-value target for automated attacks. Bots continuously scan the internet for outdated plugins, weak admin credentials, and exposed configuration files. The good news: most successful attacks exploit preventable misconfigurations, not sophisticated zero-days. A disciplined hardening approach eliminates the vast majority of risk.
Step 1: Keep Everything Updated
Outdated WordPress core, themes, and plugins account for a significant proportion of compromised sites. Enable automatic updates for minor releases and security patches. For major updates, test in a staging environment first.
- Update WordPress core promptly after security releases.
- Remove unused plugins and themes — deactivated but installed plugins can still be exploited.
- Use only plugins from reputable sources with active maintenance histories.
Step 2: Secure the Admin Login
The /wp-admin and /wp-login.php URLs are hammered by credential-stuffing bots constantly. Harden this surface with multiple layers:
- Change the default admin username. Never use "admin" — it's the first thing bots try.
- Use a strong, unique password. At least 20 characters using a password manager.
- Enable two-factor authentication (2FA). Plugins like WP 2FA or Google Authenticator add this easily.
- Limit login attempts. Plugins like Limit Login Attempts Reloaded block IP addresses after repeated failures.
- Restrict wp-admin access by IP. If you have a static IP, whitelist it via your
.htaccessor server firewall.
Step 3: Configure File Permissions Correctly
Incorrect file permissions are a common entry point. Use these recommended settings:
| Resource | Recommended Permission |
|---|---|
| WordPress directories | 755 |
| WordPress files | 644 |
| wp-config.php | 440 or 400 |
| .htaccess | 444 |
Step 4: Protect wp-config.php
The wp-config.php file contains your database credentials. Move it one directory above the web root if your host allows it, or block access via .htaccess:
<files wp-config.php>
order allow,deny
deny from all
</files>Also disable file editing from within the WordPress dashboard by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.
Step 5: Install a Web Application Firewall (WAF)
A WAF filters malicious traffic before it reaches your application. For WordPress, options include:
- Wordfence: Popular plugin-based WAF with malware scanning and firewall rules.
- Sucuri: DNS-level WAF that blocks attacks before they reach your server.
- Cloudflare WAF: CDN-integrated protection with a free tier for basic coverage.
Step 6: Implement SSL/TLS Correctly
Every WordPress site should run over HTTPS. Use a certificate from Let's Encrypt (free) or your hosting provider. After enabling SSL:
- Force HTTPS via redirects in
.htaccessor your server config. - Set the
HTTPSandCOOKIE_DOMAINconstants in wp-config.php. - Enable HTTP Strict Transport Security (HSTS) headers.
Step 7: Regular Backups and Monitoring
Security hardening reduces risk but doesn't eliminate it entirely. Maintain regular, tested backups stored offsite (not just on your hosting server). Use a monitoring service to alert you to file changes, downtime, or suspicious login activity.
Hardening WordPress is an ongoing practice, not a one-time task. Revisit this checklist quarterly and after any major plugin or theme changes.