
How to Secure a WordPress Site: Security Hardening Guide

WordPress powers 43% of the web, which makes it the most targeted CMS for automated attacks. Most WordPress hacks are not sophisticated targeted attacks – they are automated bots exploiting known vulnerabilities in outdated plugins, weak passwords, and default configurations. Security hardening closes the most common attack vectors without requiring deep technical knowledge.

Step 1: Keep Everything Updated

The most important security measure is the least exciting: keep WordPress core, themes, and plugins updated. Most successful WordPress hacks exploit known vulnerabilities in outdated software for which patches already exist. Enable automatic core updates in wp-config.php (the value true enables minor and major core releases; the value 'minor', which is WordPress's default, limits it to minor and security releases):

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins, enable automatic updates for trusted plugins in Plugins -> Auto-updates. Review the automatic update list – only enable auto-updates for plugins from established developers with good update track records. For major version updates (plugin going from 2.x to 3.x), review the changelog before updating.

Step 2: Use Strong Passwords and Two-Factor Authentication

Brute force attacks cycle through common passwords against wp-login.php. A random 20-character password makes brute force practically impossible. Use a password manager (1Password, Bitwarden) to generate and store strong unique passwords for every account. WordPress generates strong passwords by default – use them rather than overriding with memorable ones.

Two-factor authentication (2FA) requires a second form of verification beyond the password. Even if an attacker gets your password, they cannot log in without the second factor. The free Wordfence plugin includes 2FA, as does WP 2FA (free on WordPress.org).


Step 3: Limit Login Attempts

By default, WordPress allows unlimited login attempts. This enables brute force attacks. Install Limit Login Attempts Reloaded (free) or use the login protection built into Wordfence or Solid Security. Configure: block IPs after 3-5 failed attempts, lock them out for 20-60 minutes. This does not prevent determined attackers but eliminates basic automated brute force.

Step 4: Change the Login URL

WordPress’s default login URL is /wp-login.php. Every automated attack bot knows this URL. Changing it to /my-secure-login or similar stops bots that target the default URL specifically. WPS Hide Login (free) or Solid Security’s “Hide Login” feature handles this. Important: document the new URL and share it with anyone who needs admin access. If you lose it, access through /wp-admin/ (which redirects to the hidden login) or temporarily disable the plugin via FTP.

Step 5: Disable XML-RPC

XML-RPC is a legacy WordPress API that allows external applications to interact with WordPress. Most modern integrations use the REST API instead. XML-RPC is a common attack vector for brute force attempts (it allows multiple login attempts per request, bypassing per-attempt rate limiting) and is used to amplify DDoS attacks via WordPress pingbacks.

Disable it by adding this to .htaccess (the Order/Deny syntax is Apache 2.2 style; Apache 2.4 accepts it only when mod_access_compat is loaded, otherwise use Require all denied inside the same Files block):

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Or in PHP, via a filter in your theme's functions.php (or a must-use plugin):

add_filter( 'xmlrpc_enabled', '__return_false' );

Note that the xmlrpc_enabled filter only disables XML-RPC methods that require authentication; unauthenticated methods such as pingback.ping still respond, so the .htaccess block is the more complete option. Only disable XML-RPC if you do not use apps that require it (some mobile publishing apps, Jetpack features, and some backup plugins use XML-RPC). Check your integration list before disabling.

Step 6: Set Correct File Permissions

Incorrect file permissions allow attackers to write malicious files or read sensitive configuration. The correct WordPress permission settings:

  • Directories: 755 (owner can read/write/execute, others can read/execute)
  • Files: 644 (owner can read/write, others can read only)
  • wp-config.php: 600 or 640 (owner only, or owner + group)

Set these via your hosting file manager or via SSH:

find /path/to/wordpress -type d -exec chmod 755 {} \;
find /path/to/wordpress -type f -exec chmod 644 {} \;
chmod 600 /path/to/wordpress/wp-config.php
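An added check for Step 6 (example code, not from the original guide): an audit function that lists every path deviating from the 755/644/600-640 baseline, and a fixer that applies the guide's chmod sequence. The sample tree it builds is constructed for demonstration; on a real server pass the actual install path.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a WordPress tree against
# the Step 6 baseline (dirs 755, files 644, wp-config.php 600 or 640), then
# apply the same chmod sequence the guide uses. Pass the real install path.

# audit_wp_perms ROOT: print every deviating path and return 1,
# or return 0 when the whole tree already matches the baseline.
audit_wp_perms() {
  root=$1
  cfg="$root/wp-config.php"
  dirs=$(find "$root" -type d ! -perm 755)                        # dirs not 755
  files=$(find "$root" -type f ! -name wp-config.php ! -perm 644) # files not 644
  cfgbad=""
  if [ -f "$cfg" ]; then
    cfgbad=$(find "$cfg" ! \( -perm 600 -o -perm 640 \))          # config not 600/640
  fi
  [ -z "$dirs$files$cfgbad" ] && return 0
  [ -n "$dirs" ]   && printf 'directories not 755:\n%s\n' "$dirs"
  [ -n "$files" ]  && printf 'files not 644:\n%s\n' "$files"
  [ -n "$cfgbad" ] && printf 'wp-config.php not 600/640:\n%s\n' "$cfgbad"
  return 1
}

# fix_wp_perms ROOT: the guide's chmod sequence. "{} +" hands find's results
# to chmod in batches, so no per-file fork and no escaped terminator.
fix_wp_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
  return 0
}

# make_sample_tree DIR: constructed miniature install with deliberately loose
# permissions so the audit has something to report. Test fixture only.
make_sample_tree() {
  mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
  : > "$1/index.php"; : > "$1/wp-includes/load.php"; : > "$1/wp-config.php"
  chmod 755 "$1" "$1/wp-content" "$1/wp-includes"
  chmod 644 "$1/wp-includes/load.php"   # already correct, must not be reported
  chmod 777 "$1/wp-content/uploads"     # wrong: world-writable directory
  chmod 666 "$1/index.php"              # wrong: world-writable file
  chmod 644 "$1/wp-config.php"          # wrong: must be 600 or 640
}
```

Run audit_wp_perms before and after fix_wp_perms; its non-zero exit is what a cron job or deploy hook can alert on.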

Step 7: Use a Security Plugin

A security plugin provides ongoing monitoring and protection. Wordfence (free) includes a firewall, malware scanner, login protection, and 2FA. Solid Security (formerly iThemes Security) focuses on hardening settings and user security. Both are solid choices. Avoid running two security plugins simultaneously – their firewalls conflict.

Protecting wp-config.php and Sensitive Files

wp-config.php contains your database credentials and security keys. A direct request normally just executes the file and returns an empty page, but if PHP handling is ever misconfigured or disabled, the server would serve its contents as plain text. Add this to your .htaccess to block direct HTTP access to wp-config.php:

<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

Also protect .htaccess itself, and block direct requests to the include-only PHP files under wp-includes. Put both blocks in the .htaccess at the WordPress root, outside the # BEGIN WordPress / # END WordPress markers so WordPress does not overwrite them (the wp-includes rule is not recommended on Multisite installs):

<Files .htaccess>
    Order Allow,Deny
    Deny from all
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
</IfModule>

Move wp-config.php one directory above the WordPress root if your hosting allows it. WordPress automatically looks for it one level up, so no code change is needed, and a web visitor cannot reach it by URL because it sits outside the document root. This only helps when WordPress is installed directly in the document root; if WordPress lives in a subdirectory, the parent directory is still web-accessible.
