
WordPress Security Guide 2026: 10 Steps to a Hack Proof Website

Tens of thousands of websites are compromised every day, and WordPress, as the most widely used CMS, accounts for a large share of them. That sounds terrifying, but here is the reassuring part: the vast majority of these compromises come from preventable mistakes. Outdated plugins. Weak or reused passwords. Cheap hosting with no isolation between accounts. Fix these basics and your site becomes dramatically harder to compromise.

WordPress core is mature software maintained by a dedicated security team, and serious vulnerabilities in core itself are rare and patched quickly. The problem is almost never WordPress itself. It is the third party plugins and themes we add, the credentials we choose, and the hosting we run it on that create the openings.

This guide walks you through 10 practical security steps that close off the most common attack paths. Almost no coding is required (two steps involve pasting a few lines into a config file). No expensive security services. Just proven practices that take about an hour to set up.

Why WordPress Security Matters

A hacked website does not just go offline for a few hours. The consequences can be devastating and long lasting.

Google blacklisting. If Google Safe Browsing detects malware or phishing content on your site, Chrome and other browsers show a full page warning before visitors can reach it, and Google flags the site in search results (for example with the “This site may be hacked” label). Recovering means cleaning the site and requesting a review, which can take weeks, and in the meantime you lose the organic traffic you worked hard to build.

Data theft. If your site collects any user information (contact forms, email signups, WooCommerce orders), a breach exposes that data. This is not just an inconvenience. In many countries, it is a legal liability.

SEO spam injection. Many hackers do not destroy your site. Instead, they quietly inject hidden links and pages promoting pharmaceutical, gambling, or adult content. Your site’s authority is hijacked to boost their rankings while yours plummet.

Revenue loss. Every hour your site is down or compromised, you lose visitors, leads, sales, and affiliate commissions. For sites that generate income, a hack directly hits your earnings.

The good news: preventing all of this takes less effort than recovering from it.

Step 1: Choose Secure Hosting

Your hosting provider is your first line of defense. Good hosting includes server level controls that no plugin can replicate: a web application firewall in front of the site, malware scanning of the filesystem, DDoS protection, automatic patching of the server software, and isolation so that each hosting account runs as its own user.

Cheap shared hosting often lacks these features. On a server without proper account isolation, one compromised site can be used to read or write the files of every other site on that server.

Our recommendation: Hostinger includes server level security with all plans: free SSL, automatic WordPress updates, daily backups, advanced firewall protection, and malware scanning. Their LiteSpeed servers also include built in DDoS mitigation. Starting under $3 per month. See our Hostinger Review for the full breakdown.

For growing sites that need enterprise level security, Cloudways offers dedicated firewalls, automated security patching, IP whitelisting, and two factor authentication at the server level. See our Cloudways Review.

Read our Best WordPress Hosting guide to compare all options with security features included.

Step 2: Use Strong, Unique Passwords

Weak or reused passwords are one of the two most common causes of WordPress compromises (the other is outdated, vulnerable plugins, covered in Step 6). Bots run automated brute force and credential stuffing attacks that try thousands of username and password combinations every minute, including passwords leaked from breaches of other sites. If your password is “admin123” or “password,” or the same one you use elsewhere, your site will be compromised. It is not a question of if, but when.

Rules for strong passwords: Use at least 16 characters. Combine uppercase, lowercase, numbers, and special characters. Never reuse passwords across different sites. Never use your name, birthday, or common words.

Use a password manager. Tools like Bitwarden (free) or 1Password generate and store strong, unique passwords for every account. You only need to remember one master password. The manager handles everything else.

Change the default “admin” username. If your WordPress username is “admin,” create a new administrator account with a different username, log in with the new account, and delete the old “admin” account. When WordPress asks what to do with the old account's content, attribute it to the new user so your posts are not deleted. Be aware that this only removes the most commonly guessed username; it does not make your username secret. WordPress reveals author logins through author archive URLs and the public REST API (yoursite.com/wp-json/wp/v2/users lists every user who has published a post), so the real protection is the password strength above and the 2FA in the next step.

Step 3: Enable Two Factor Authentication (2FA)

Two factor authentication adds a second verification step when you log in. Even if someone steals your password, they cannot access your site without the second factor (usually a code from your phone).

How to set it up: Install and activate the WP 2FA plugin (free). Go to Users > Your Profile > Two Factor Authentication. Scan the QR code with an authenticator app like Google Authenticator or Authy on your phone. Enter the verification code to complete setup.

From now on, every login requires your password plus a 6 digit code from your phone. Save the recovery codes the plugin generates in your password manager, and require 2FA for every administrator account, not only your own. One caveat: 2FA plugins protect the login form. Logins through XML-RPC and application passwords are not covered by most of them, which is one more reason to disable XML-RPC in Step 9.

Step 4: Hide Your Login Page

The default WordPress login URL is yoursite.com/wp-login.php (yoursite.com/wp-admin redirects there when you are logged out). Every bot in the world knows this and hammers it around the clock.

Changing the login URL to something only you know (like yoursite.com/my-secret-login) takes your login form out of the path of the dumbest automated attacks.

How to set it up: Install and activate WPS Hide Login (free). Go to Settings > WPS Hide Login. Change the login URL to something unique that only you know. Save changes. Bookmark your new login URL.

This is an easy step and it noticeably reduces failed login noise in your logs, but treat it as obscurity rather than a security control. Bots that target WordPress also try credentials through xmlrpc.php and the REST API, and a human attacker can often find the new URL from links or redirects. Keep 2FA and login limiting in place. Also store the new URL in your password manager: if you lose it, you will need to disable the plugin by renaming its folder over SFTP or the hosting file manager.

Step 5: Limit Login Attempts

Even with a hidden login page, add a second layer of protection by limiting how many times someone can try to log in. After a set number of failed attempts, the IP address gets locked out temporarily.

How to set it up: Install and activate Limit Login Attempts Reloaded (free). Go to Settings > Limit Login Attempts. Set allowed retries to 3. Set lockout duration to 20 minutes. Set lockouts increase to 24 hours after 3 lockouts. Enable GDPR compliance if your visitors include EU residents. If your site sits behind Cloudflare or another proxy, configure the plugin's trusted IP origin so it reads the real client address from the proxy header; otherwise every visitor appears to come from the proxy's IP and a single attacker can lock out everyone, including you.

Combined with a strong password, 2FA, and a hidden login page, this makes online brute force attacks impractical: an attacker gets three guesses every 20 minutes instead of thousands per minute.
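To make the lockout policy above concrete, here is an added example (Python, written for this guide; it is not the plugin's code and not part of the original article) that models the 3 retries / 20 minutes / 24 hours policy and replays a few constructed Apache-style access log lines through it. The success/failure heuristic (a POST to wp-login.php answered with 200 means the form was re-rendered after a failure, 302 means a redirect after success) and the sample IP addresses are assumptions made for the example; the log format is the standard combined format that Apache and LiteSpeed write.

```python
"""Model the Step 5 lockout policy and replay access log lines through it.

Added example for this guide, not the Limit Login Attempts Reloaded plugin's
code. Policy: 3 retries, 20 minute lockout, and from the third lockout on a
24 hour lockout (the "increase after 3 lockouts" setting, as interpreted here).
Log heuristic (assumed): POST to wp-login.php answered 200 = failed login,
302 = success; xmlrpc.php answers 200 either way, so every POST to it counts as a failure.
"""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


class LoginLimiter:
    """Per-IP failed-login counter with escalating lockouts."""

    def __init__(self, allowed_retries=3, lockout=timedelta(minutes=20),
                 lockouts_before_long=3, long_lockout=timedelta(hours=24)):
        self.allowed_retries, self.lockout = allowed_retries, lockout
        self.lockouts_before_long, self.long_lockout = lockouts_before_long, long_lockout
        self.failures = {}       # ip -> consecutive failures since last lockout/success
        self.lockout_count = {}  # ip -> lockouts issued so far
        self.locked_until = {}   # ip -> when the current lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, now, success):
        """Feed one attempt; return True if the IP is locked out after it."""
        if self.is_locked(ip, now):
            return True  # attempts during a lockout are rejected, not counted
        if success:
            self.failures[ip] = 0
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.allowed_retries:
            return False
        self.failures[ip] = 0
        self.lockout_count[ip] = self.lockout_count.get(ip, 0) + 1
        use_long = self.lockout_count[ip] >= self.lockouts_before_long
        self.locked_until[ip] = now + (self.long_lockout if use_long else self.lockout)
        return True


def parse_login_attempt(line):
    """Return (ip, timestamp, success) for a login POST, or None for any other line."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path = m.group("path").split("?", 1)[0]
    if path not in LOGIN_PATHS:
        return None
    success = path == "/wp-login.php" and m.group("status") == "302"
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), success


def replay(lines, limiter=None):
    """Run log lines through the limiter; return {ip: lockout_end} for locked IPs."""
    limiter = limiter or LoginLimiter()
    for line in lines:
        attempt = parse_login_attempt(line)
        if attempt:
            limiter.record(*attempt)
    return dict(limiter.locked_until)


def escalation_schedule(rounds=4):
    """Lockout lengths in hours for an attacker who returns the moment each lockout ends."""
    limiter = LoginLimiter()
    now = datetime(2026, 3, 10, 8, 0, tzinfo=timezone.utc)
    lengths = []
    for _ in range(rounds):
        while not limiter.record("203.0.113.9", now, False):
            now += timedelta(seconds=1)
        until = limiter.locked_until["203.0.113.9"]
        lengths.append((until - now).total_seconds() / 3600)
        now = until
    return lengths


# Constructed sample log in Apache/LiteSpeed "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2026:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:08:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2026:08:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.77 - - [10/Mar/2026:08:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.77 - - [10/Mar/2026:08:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for ip, until in replay(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} locked out until {until:%Y-%m-%d %H:%M:%S}")
    print("lockout lengths in hours:", escalation_schedule())
```

Point replay() at a real access log (for example replay(open("access.log"))) to see which IPs would have been locked out and compare with what the plugin reports. The escalation function shows why the 24 hour step matters: once it kicks in, an attacker who keeps coming back gets three guesses per day.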

Step 6: Keep Everything Updated

Vulnerable plugins and themes are the single largest source of successful WordPress compromises. When a plugin or theme developer releases an update that mentions a “security fix,” they are publicly announcing that the previous version had a vulnerability. Attackers read those changelogs and the public vulnerability databases and immediately scan the internet for sites still running the old version, often within hours of the release.

Update regularly: WordPress core, all plugins, and all themes. Check at least once per week at Dashboard > Updates and apply everything available. For plugins you trust, turn on the per plugin “Enable auto-updates” link on the Plugins page (available since WordPress 5.5) so security releases land without waiting for you. Take a backup first (Step 7) so a bad update can be rolled back.

Delete what you do not use. Deactivated plugins and unused themes can still be exploited, because their files remain on the server and are reachable over the web. If you are not using something, delete it completely. Do not just deactivate it. Our Best WordPress Plugins guide lists the 15 essentials. Everything else should be removed.

Step 7: Set Up Automated Backups

Backups are your safety net. If your site gets hacked, a clean backup taken before the compromise lets you restore everything in minutes instead of hours or days.

The 3 rules of good backups: Back up automatically (do not rely on remembering to do it manually). Store backups off site (not on the same server as your website). Test your backups periodically (a backup you cannot restore is useless).

Our recommendation: Install UpdraftPlus (free). It schedules automatic backups of your entire site (files and database) and stores them in Google Drive, Dropbox, or Amazon S3. You can restore your entire site from any backup with one click.

Set UpdraftPlus to back up weekly (or daily if you publish frequently). Keep enough history to reach back to before a compromise: malware often sits unnoticed for weeks, so a rotation of only the last 3 days may contain nothing but infected copies. Keep at least 3 recent copies and, if storage allows, a monthly copy going back several months. Always back up before updating WordPress, plugins, or themes.

Your hosting provider may also offer backups. Hostinger includes daily automatic backups with all plans. But having both host backups AND plugin backups gives you double protection. If one fails, you have the other.
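“Test your backups” ideally means doing a trial restore to a staging copy. As a lighter check you can run every time a backup lands, here is an added example (Python, written for this guide, not UpdraftPlus code and not part of the original article) that verifies a backup archive is complete and contains what a restore needs: the gzip stream ends properly (a truncated download fails here instead of during the restore), wp-config.php is present, the uploads directory is present, and the SQL dump actually defines the core tables. The archive layout (one gzipped tar holding wp-config.php, wp-content/uploads and a database.sql dump) and the wp_ table prefix are assumptions; the sample archive is constructed in memory so the script runs offline.

```python
"""Sanity-check a WordPress backup archive before trusting it.

Added example for this guide (not UpdraftPlus code). Checks, short of a full
restore: the gzip stream is complete, the archive contains wp-config.php, the
uploads directory and a .sql dump, and the dump defines the core tables.
The sample archive is built in memory from made-up content.
"""
import gzip
import hashlib
import io
import re
import tarfile
import zlib

CORE_TABLES = ("users", "usermeta", "posts", "options")
CREATE_TABLE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?", re.IGNORECASE)


def build_sample_backup(table_prefix="wp_", include_uploads=True):
    """Construct a tiny backup tarball in memory (constructed sample, not a real site)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("backup/wp-config.php", b"<?php\ndefine('DB_NAME', 'wordpress');\n")
        if include_uploads:
            add("backup/wp-content/uploads/2026/03/hero.jpg", b"\xff\xd8\xff\xe0 sample jpeg bytes")
        sql = "".join(
            f"CREATE TABLE `{table_prefix}{t}` (`ID` bigint(20) unsigned NOT NULL);\n"
            for t in CORE_TABLES
        )
        add("backup/database.sql", sql.encode())
    return buf.getvalue()


def verify_backup(archive_bytes, table_prefix="wp_"):
    """Return ({check_name: bool}, sha256_hex) for one backup archive."""
    checks = {
        "archive_complete": False,
        "has_wp_config": False,
        "has_uploads": False,
        "has_sql_dump": False,
        "sql_has_core_tables": False,
    }
    # Digest first, so a later corrupted copy can be told apart from this one.
    digest = hashlib.sha256(archive_bytes).hexdigest()

    # gzip.decompress reads to the end-of-stream marker and checks the CRC,
    # so a truncated or corrupted archive fails here rather than at restore time.
    try:
        raw_tar = gzip.decompress(archive_bytes)
        tar = tarfile.open(fileobj=io.BytesIO(raw_tar), mode="r:")
        members = tar.getmembers()
    except (EOFError, OSError, zlib.error, tarfile.TarError):
        return checks, digest
    checks["archive_complete"] = True

    names = [m.name for m in members if m.isfile()]
    checks["has_wp_config"] = any(n == "wp-config.php" or n.endswith("/wp-config.php") for n in names)
    checks["has_uploads"] = any("wp-content/uploads/" in n for n in names)

    sql_members = [m for m in members if m.isfile() and m.name.endswith(".sql")]
    checks["has_sql_dump"] = bool(sql_members)
    if sql_members:
        dump = tar.extractfile(sql_members[0]).read().decode("utf-8", errors="replace")
        tables = set(CREATE_TABLE_RE.findall(dump))
        checks["sql_has_core_tables"] = all(f"{table_prefix}{t}" in tables for t in CORE_TABLES)
    return checks, digest


def backup_is_restorable(archive_bytes, table_prefix="wp_"):
    """True only when every check passes."""
    checks, _ = verify_backup(archive_bytes, table_prefix)
    return all(checks.values())


if __name__ == "__main__":
    good = build_sample_backup()
    print("good archive:", verify_backup(good))
    print("truncated archive:", verify_backup(good[:-40]))
    print("wrong table prefix:", verify_backup(build_sample_backup(table_prefix="xyz_")))
```

The SHA-256 it returns is worth writing down next to the backup (or into a small inventory file) so you can tell a download that got corrupted from an archive that was bad from the start. Adapt the member names to your backup tool's layout; UpdraftPlus, for example, splits a site into separate archives for the database, plugins, themes and uploads.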

Step 8: Install an SSL Certificate (HTTPS)

An SSL/TLS certificate lets your site serve pages over HTTPS, which encrypts the traffic between your website and your visitors so that passwords, form submissions, and session cookies cannot be read or altered in transit. Google has confirmed that HTTPS is a (minor) ranking signal, and modern browsers mark non HTTPS sites as “Not Secure” in the address bar, which scares visitors away.

Most hosting providers include a free SSL certificate. With Hostinger, SSL activates automatically. With Cloudways, you can enable Let’s Encrypt SSL with one click.

Verify your SSL is active: Visit your site and check the address bar. It should show a padlock icon and your URL should start with https://. If it shows “Not Secure,” contact your hosting provider to activate SSL. Once the certificate is in place, set both WordPress Address and Site Address under Settings > General to the https:// version and make sure http:// requests redirect to https://; otherwise some visitors, and your own login traffic, keep going over plain HTTP.

Step 9: Disable Features You Do Not Need

WordPress includes several features that most sites never use but that create potential security vulnerabilities.

Disable XML-RPC. XML-RPC (xmlrpc.php) is the old remote publishing API. Most sites do not use it, but attackers do: its system.multicall method lets a single HTTP request carry hundreds of password guesses, which sidesteps per request login limiting, and its pingback.ping method can be abused to make your server send requests to arbitrary URLs as part of a reflected DDoS. If you rely on Jetpack, the WordPress mobile app, or another remote publishing tool, test it after disabling. On Apache and LiteSpeed hosts (Hostinger runs LiteSpeed), add this to your .htaccess file (Nginx does not read .htaccess; ask your host for the equivalent server rule):

# Disable XML-RPC (Apache 2.4 / LiteSpeed syntax; on Apache 2.2 use "Order Deny,Allow" followed by "Deny from all")
<Files xmlrpc.php>
  Require all denied
</Files>

Disable the file editor. WordPress includes a built in code editor at Appearance > Theme File Editor (and Plugins > Plugin File Editor). If an attacker gains admin access, they can use it to write a backdoor into a theme file without ever touching FTP. Disable it by adding this line to wp-config.php, above the line that reads /* That's all, stop editing! Happy publishing. */:

define('DISALLOW_FILE_EDIT', true);

Use straight quotes: the curly quotes that word processors and some web pages substitute cause a PHP syntax error and take the site offline. This setting raises the bar but does not stop an attacker who already holds an administrator account from uploading a plugin; the stricter DISALLOW_FILE_MODS constant blocks dashboard installs and updates of plugins and themes altogether, which is only practical if you apply updates some other way.

Disable pingbacks and trackbacks. Go to Settings > Discussion and uncheck “Attempt to notify any blogs linked to from the post” and “Allow link notifications from other blogs (pingbacks and trackbacks) on new posts.” These features are outdated and a steady source of spam, and incoming pingbacks are the mechanism behind the XML-RPC reflection attacks described above. The setting only applies to new posts; blocking xmlrpc.php as shown above closes the door for existing posts as well.

Step 10: Monitor Your Site for Issues

Security is not a one time setup. It requires ongoing monitoring. Check your site regularly for signs of compromise.

Use Google Search Console. Connect your site via Rank Math (go to Rank Math > General Settings > Search Console). Google Search Console alerts you if Google detects security issues, manual actions, or malware on your site. See our WordPress SEO Guide for setup instructions.

Use WordPress Site Health. Go to Tools > Site Health. This built in tool flags outdated PHP and WordPress versions, inactive plugins and themes, a missing HTTPS configuration, debug mode left on in production, and other configuration problems. Address any items marked as “Critical” first, then the “Recommended” ones.

Review user accounts. Go to Users > All Users periodically and click the Administrator filter at the top of the list. Look for any accounts you do not recognize, especially administrators you did not create. If you find unfamiliar admin accounts, your site may already be compromised: delete the accounts, change all passwords, and treat it as an incident (see the FAQ below), because an attacker who could create an administrator account has usually left a backdoor as well.
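If you would rather not click through the Users screen, or you are checking a site after a suspected compromise, the same review can be run against the database. Here is an added example (Python, written for this guide, not WordPress code and not part of the original article) that takes user rows, decodes the PHP-serialized wp_capabilities value WordPress stores in wp_usermeta, and flags administrators that are not on your baseline list and accounts created since your last review. The rows, the KNOWN_ADMINS list, the review date and the wp_ table prefix are constructed for the example.

```python
"""Audit WordPress user rows for administrators you did not create.

Added example for this guide (not WordPress code). WordPress stores each
user's roles in wp_usermeta under the key wp_capabilities ("wp_" is the
table prefix) as a PHP-serialized array such as a:1:{s:13:"administrator";b:1;}.
The sample rows are constructed and shaped like the result of:

  SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
    FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
   WHERE m.meta_key = 'wp_capabilities';

KNOWN_ADMINS and LAST_REVIEW are assumptions standing in for your own records.
"""
import re
from datetime import datetime

# Matches one s:<len>:"<role>";b:<0|1>; pair inside the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:([01]);')


def parse_capabilities(serialized):
    """Return the set of active roles from a PHP-serialized wp_capabilities value."""
    return {role for role, flag in ROLE_RE.findall(serialized) if flag == "1"}


def audit_users(rows, known_admins, last_review):
    """Return {user_login: [reasons]} for every account that needs a human look."""
    findings = {}
    for row in rows:
        reasons = []
        roles = parse_capabilities(row["meta_value"])
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and row["user_login"] not in known_admins:
            reasons.append("administrator not in baseline")
        if registered > last_review:
            reasons.append("registered since last review")
        if not roles:
            reasons.append("no role assigned")  # a:0:{} is usually a leftover or a hand-edited row
        if reasons:
            findings[row["user_login"]] = reasons
    return findings


def admin_logins(rows):
    """Logins of every account that currently holds the administrator role."""
    return sorted(r["user_login"] for r in rows
                  if "administrator" in parse_capabilities(r["meta_value"]))


# Constructed sample rows (not real users).
SAMPLE_ROWS = [
    {"ID": 1, "user_login": "sitemaster", "user_email": "owner@example.com",
     "user_registered": "2024-01-05 10:22:00", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 2, "user_login": "jane", "user_email": "jane@example.com",
     "user_registered": "2024-06-12 09:00:00", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 3, "user_login": "editor-in-chief", "user_email": "chief@example.com",
     "user_registered": "2025-02-20 14:30:00",
     "meta_value": 'a:2:{s:13:"administrator";b:1;s:6:"editor";b:0;}'},
    {"ID": 7, "user_login": "wp-support", "user_email": "wpsupport@example.net",
     "user_registered": "2026-03-09 03:12:44", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 8, "user_login": "bob", "user_email": "bob@example.com",
     "user_registered": "2026-03-10 08:15:00", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
]
KNOWN_ADMINS = {"sitemaster", "editor-in-chief"}  # assumed baseline of expected administrators
LAST_REVIEW = datetime(2026, 3, 1)                 # assumed date of the previous account review


def run_sample_audit():
    return audit_users(SAMPLE_ROWS, KNOWN_ADMINS, LAST_REVIEW)


if __name__ == "__main__":
    print("administrators:", admin_logins(SAMPLE_ROWS))
    for login, reasons in run_sample_audit().items():
        print(f"{login}: {'; '.join(reasons)}")
```

Parsing the serialized value matters because the role is not visible in wp_users at all; an attacker who inserts a row directly into the database, or a plugin vulnerability that grants a role, shows up only in wp_usermeta. Keep the baseline list outside the site (in your password manager or runbook), so a compromised site cannot edit its own definition of "expected".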

WordPress Security Checklist

☐ Use secure hosting (Hostinger or Cloudways)
☐ Use strong, unique passwords (16+ characters)
☐ Change default “admin” username
☐ Enable two factor authentication (WP 2FA plugin)
☐ Hide login page (WPS Hide Login plugin)
☐ Limit login attempts (Limit Login Attempts Reloaded)
☐ Update WordPress core, plugins, and themes weekly
☐ Delete unused plugins and themes
☐ Set up automated backups with UpdraftPlus
☐ Store backups off site (Google Drive or Dropbox)
☐ Activate SSL certificate (HTTPS)
☐ Disable XML-RPC
☐ Disable file editor in wp-config.php
☐ Disable pingbacks and trackbacks
☐ Connect Google Search Console via Rank Math
☐ Check Site Health dashboard monthly
☐ Review user accounts for unknowns

Frequently Asked Questions

Is WordPress secure?
Yes. WordPress core is maintained by a dedicated security team and is remarkably secure. The vast majority of hacks happen because of outdated plugins, weak passwords, or poor hosting. Follow the 10 steps in this guide and your site will be protected against the large majority of common attacks.
Do I need a security plugin?
A dedicated security plugin like Wordfence adds a web application firewall and file integrity scanning, which are genuinely useful, especially if your host does not provide malware scanning. It is not a substitute for the steps in this guide, though. The combination of secure hosting, strong passwords, 2FA, a hidden login page, limited login attempts, and regular backups provides strong protection without adding another heavy plugin to your site.
How often should I back up my WordPress site?
At minimum, weekly. If you publish content daily or run a WooCommerce store, back up daily. Use UpdraftPlus to schedule automatic backups and store them in Google Drive or Dropbox. Keep at least 3 backup copies at all times.
What should I do if my site gets hacked?
First, do not panic, and do not simply restore and carry on. If the site is actively serving malware, take it offline or put it in maintenance mode. Restore from the most recent backup taken before the compromise (if you cannot tell when that was, assume the malware has been there longer than you think and check older copies). Immediately update WordPress core, plugins, and themes, because the hole that let the attacker in is still present in the restored copy. Change all passwords (WordPress users, hosting control panel, FTP/SFTP, database) and regenerate the authentication keys and salts in wp-config.php so every existing login session is invalidated. Delete any unknown user accounts. Scan the restored site for leftover backdoors, in particular PHP files in wp-content/uploads and wp-content/mu-plugins that should not be there. If Google flagged the site, request a review in Search Console once it is clean. Then implement all 10 steps in this guide to prevent it from happening again.
Does hosting affect WordPress security?
Yes, significantly. Good hosting includes server level firewalls, malware scanning, automatic backups, DDoS protection, and isolated environments. Cheap hosting often shares a single server with hundreds of sites and minimal security. Hostinger includes advanced security features on all plans. See our hosting comparison for details.
Is SSL really necessary?
Yes. SSL/TLS encrypts data between your site and visitors, which is essential for security and trust. Google also uses HTTPS as a ranking signal, and browsers mark non HTTPS sites as “Not Secure.” Most hosts including Hostinger include a free SSL certificate.

Your WordPress Site Deserves to Be Secure

WordPress security is not complicated. It is a checklist. The 10 steps above take about an hour to implement and protect your site against the vast majority of attacks. Most WordPress hacks are crimes of opportunity. Bots scan millions of sites looking for the easy targets: sites with weak passwords, outdated plugins, and default settings. By implementing these steps, your site stops being an easy target.

Start with secure hosting, strong passwords, 2FA, and backups. These four steps alone stop the bulk of opportunistic attacks. Then work through the remaining steps over the next week using the checklist above.
