
WordPress Security Hardening: Protect Your Site from Hackers

Harden your WordPress site against hackers — login protection, file permissions, security plugins, backups, and what to do if hacked.

Abdur Razzak

Full-Stack Web Developer

July 25, 2025 · 10 min read

Why WordPress Sites Get Hacked

WordPress runs roughly 43% of all websites, which makes it the single biggest target for automated attack tooling. The most common ways in: brute force login attempts (guessing administrator passwords), outdated plugins and themes with publicly known vulnerabilities, nulled (pirated) themes and plugins that ship with backdoors, weak file permissions, and installations that never receive security updates. Most compromises are not aimed at a specific site; a scanner finds a component with a known vulnerability and exploits it automatically, often within days of the flaw being disclosed.

Securing the Login Page

The login form (wp-login.php, which /wp-admin redirects to) receives thousands of brute force attempts on any public WordPress site. Install Limit Login Attempts Reloaded to lock out an IP after a handful of failed attempts. Do not use 'admin' as your administrator username; it is the first name every bot tries. Bear in mind, though, that WordPress reveals usernames through author archives (?author=1) and the public REST API users endpoint, so a strong, unique password and two-factor authentication matter more than the username itself. Enable two-factor authentication with the WP 2FA plugin. Moving the login URL with WPS Hide Login cuts the noise from unsophisticated bots, but it is obscurity rather than a control: credentials can still be tried through xmlrpc.php, and its system.multicall method lets a single request carry hundreds of guesses. Disable XML-RPC if nothing on your site uses it (Jetpack and the WordPress mobile apps do), and rely on lockouts and 2FA for the actual protection.
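The detection logic below is an added example, not code from the article or from any plugin it names. It does on the web server what Limit Login Attempts does inside WordPress, with one difference: reading the access log also catches the xmlrpc.php channel, which a renamed login URL does not close. A failed wp-login.php POST re-renders the form with HTTP 200, while a successful login answers 302, so only 200 responses are counted there; every POST to xmlrpc.php counts. The log lines and IP addresses are constructed sample data, and the threshold of 2 is chosen only to make the demo fire.

```bash
#!/usr/bin/env bash
# Spot brute-force login activity in a web server access log by counting, per
# client IP, the POST requests that carry credential guesses: failed logins to
# wp-login.php (WordPress re-renders the form with HTTP 200; a success is a 302)
# and any POST to xmlrpc.php. Works on Apache/nginx "combined" format logs.
# SAMPLE_LOG is constructed sample data, not a real capture.

SAMPLE_LOG='198.51.100.7 - - [25/Jul/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jul/2025:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 433 "-" "python-requests/2.31"
203.0.113.9 - - [25/Jul/2025:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 433 "-" "python-requests/2.31"
203.0.113.9 - - [25/Jul/2025:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 433 "-" "python-requests/2.31"
192.0.2.5 - - [25/Jul/2025:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.5 - - [25/Jul/2025:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# flag_brute_force THRESHOLD  (reads an access log on stdin)
# Prints "ip count" for every client whose guess count exceeds THRESHOLD.
flag_brute_force() {
  awk -v threshold="$1" '
    # Field layout: $1 client IP, $6 "METHOD (with the opening quote), $7 path, $9 status.
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { guesses[$1]++ }
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                { guesses[$1]++ }
    END { for (ip in guesses) if (guesses[ip] > threshold) print ip, guesses[ip] }
  ' | sort
}

# Wrapper over the constructed sample with a low threshold for the demo; on a
# real server you would pipe /var/log/nginx/access.log into flag_brute_force.
sample_report() { printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 2; }

sample_report
```

The report lists 198.51.100.7 (five failed logins) and 203.0.113.9 (three XML-RPC posts) but not 192.0.2.5, whose single POST was a successful login. Remember that the xmlrpc.php figure understates the real number of guesses, since one multicall request can hold hundreds of them, so a low threshold on that path is appropriate.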

Keeping WordPress Updated

WordPress has applied minor core releases (the security and maintenance point releases) automatically since version 3.7. Make that policy explicit in wp-config.php with define('WP_AUTO_UPDATE_CORE', 'minor'); or set it to true if you are willing to take major releases unattended as well. Enable automatic updates for the plugins you trust from the Plugins screen (available since WordPress 5.5). Update themes and anything carrying custom code after testing on a staging site. The vast majority of hacked WordPress sites were running outdated software with publicly known vulnerabilities, so staying current is your first line of defense.

Security Plugins

Wordfence Security (free tier) provides an endpoint firewall, a malware scanner, login security, and an IP blocklist. Sucuri Security offers similar features plus a cloud Web Application Firewall (premium) that sits in front of your site as a reverse proxy, enabled by pointing your DNS at it. Both monitor for file changes against a known-good baseline, so you are alerted when files are added or modified, which is how most successful attacks show up on disk. Run a malware scan as soon as you notice anything unusual; early detection limits the damage. One caveat: a scanner running inside a compromised site is running on ground the attacker controls and can be blinded, so treat a clean scan after an incident as necessary rather than sufficient, and compare against an external scan or a known-clean copy of the files.
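File-change monitoring is worth understanding even if a plugin does it for you, because a manifest kept off the server is the one thing an attacker on the box cannot quietly rewrite. The script below is an added example, not Wordfence's or Sucuri's code: it records a SHA-256 manifest of a WordPress tree while it is known good and later reports files that were added, removed, or modified. The page cache directory is excluded because it changes on every request. make_demo_site and demo_run build a constructed throwaway tree and a simulated tamper so the example runs offline; none of it is real site data.

```bash
#!/usr/bin/env bash
# Baseline-and-compare integrity check: the do-it-yourself version of the file
# change monitoring Wordfence and Sucuri provide. Record a sha256 manifest of the
# tree while it is known good, keep it off the server, and diff against a fresh
# manifest later. make_demo_site and demo_run build a constructed tree and a
# simulated tamper so the example runs offline; they are not real site data.

# write_baseline ROOT MANIFEST: sha256 of every regular file, paths relative to ROOT.
# The page cache is excluded because it churns on every request.
write_baseline() {
  ( cd "$1" && find . -type f ! -path './wp-content/cache/*' -print0 \
      | sort -z | xargs -0r sha256sum ) > "$2"
}

# compare_baseline ROOT MANIFEST: print "added|removed|modified PATH", sorted.
compare_baseline() {
  local current; current=$(mktemp)
  write_baseline "$1" "$current"
  # sha256sum lines are "<64 hex chars>  <path>", so the path starts at column 67;
  # taking substr() rather than $2 keeps paths containing spaces intact.
  awk '
    FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
                        { new[substr($0, 67)] = $1 }
    END {
      for (p in old) if (!(p in new)) print "removed", p
      for (p in new) {
        if (!(p in old))            print "added", p
        else if (old[p] != new[p])  print "modified", p
      }
    }' "$2" "$current" | sort
  rm -f "$current"
}

# make_demo_site: constructed minimal tree standing in for a WordPress install.
make_demo_site() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/hello" "$root/wp-content/cache"
  echo '<?php // index placeholder' > "$root/index.php"
  echo '<?php // plugin placeholder' > "$root/wp-content/plugins/hello/hello.php"
  echo 'cached page' > "$root/wp-content/cache/page.html"
  printf '%s\n' "$root"
}

# demo_run: baseline the demo tree, then simulate what a compromise looks like on
# disk (a new PHP file in uploads, a plugin file changed) and print the report.
demo_run() {
  local root manifest
  root=$(make_demo_site); manifest=$(mktemp)
  write_baseline "$root" "$manifest"
  mkdir -p "$root/wp-content/uploads"
  echo 'dropped file' > "$root/wp-content/uploads/x.php"
  echo '<?php // plugin placeholder, altered' > "$root/wp-content/plugins/hello/hello.php"
  echo 'new cached page' > "$root/wp-content/cache/other.html"   # excluded, so not reported
  compare_baseline "$root" "$manifest"
  rm -rf "$root" "$manifest"
}

demo_run
```

On a real site, run write_baseline right after a clean install or update, copy the manifest somewhere the web server user cannot write, and schedule compare_baseline from cron. A new .php file under wp-content/uploads, as in the demo, is the classic sign of a dropped web shell. For core files specifically, WP-CLI's wp core verify-checksums compares against the checksums WordPress.org publishes and needs no baseline of your own.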

File Permissions and wp-config.php

Set correct file permissions: directories 755, files 644, and wp-config.php 440 or 400 (readable by PHP, writable by nobody). Which of the two works depends on ownership: 400 if PHP runs as the file's owner, 440 if PHP runs as a user in the file's group. Remember that wp-content/uploads must remain writable by the web server user, which is why ownership matters as much as the mode. Move wp-config.php one directory above the web root if your host allows it; WordPress looks there automatically when the file is missing from the install directory (as long as that parent directory does not also contain a wp-settings.php). Add these lines to wp-config.php to disable file editing from the admin: define('DISALLOW_FILE_EDIT', true); and define('DISALLOW_FILE_MODS', true);. Note that DISALLOW_FILE_MODS also blocks plugin and theme installs and updates from the dashboard and switches off the automatic updater, so set it only if you update through WP-CLI or a deployment pipeline.
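The two wp-config.php sections above (the update constant and the file-permission and DISALLOW constants) come together in one audit. The script below is an added example, not from the article: it counts paths whose mode differs from the 755/644/440-or-400 targets, reports what the three constants are set to, and can apply the modes. make_demo_tree builds a constructed throwaway tree with deliberate mistakes so the audit has something to find; the paths and the fix argument are illustrative.

```bash
#!/usr/bin/env bash
# Audit a WordPress tree for the hardening in this article and optionally fix it:
# directories 755, regular files 644, wp-config.php 400 or 440, and the three
# wp-config.php constants. make_demo_tree builds a throwaway tree with deliberate
# mistakes so the audit has something to find; it is constructed for the example.

# wp_config_constant CONFIG NAME: print the value a define() gives NAME, or "unset".
wp_config_constant() {
  local value
  value=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\([^)]*\));.*/\1/p" "$1" \
            | head -n 1 | tr -d " '\"")
  printf '%s\n' "${value:-unset}"
}

# count_bad_modes ROOT: number of paths whose mode differs from the target.
count_bad_modes() {
  local n
  n=$( { find "$1" -type d ! -perm 755
         find "$1" -type f ! -name wp-config.php ! -perm 644
         find "$1" -type f -name wp-config.php ! -perm 400 ! -perm 440
       } | wc -l )
  echo $((n))
}

# fix_modes ROOT: apply the target modes. wp-config.php gets 440, which only works
# when PHP runs as the file's group (or owner); use 400 if the web server user owns it.
fix_modes() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
  chmod 440 "$1/wp-config.php"
}

# audit_wp_tree ROOT: human-readable report.
audit_wp_tree() {
  local name
  echo "paths with wrong mode: $(count_bad_modes "$1")"
  for name in WP_AUTO_UPDATE_CORE DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
    echo "$name = $(wp_config_constant "$1/wp-config.php" "$name")"
  done
}

# make_demo_tree: temp WordPress-like tree with a world-writable uploads dir,
# a group-writable index.php and a world-readable wp-config.php (all wrong).
make_demo_tree() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads"
  printf '<?php\n// front controller placeholder\n' > "$root/index.php"
  cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('WP_AUTO_UPDATE_CORE', 'minor');
define('DISALLOW_FILE_EDIT', true);
EOF
  chmod 755 "$root" "$root/wp-content"
  chmod 777 "$root/wp-content/uploads"
  chmod 664 "$root/index.php"
  chmod 644 "$root/wp-config.php"
  printf '%s\n' "$root"
}

# Usage: ./wp-audit.sh /var/www/html [fix]
if [ -n "${1:-}" ] && [ -d "$1" ]; then
  audit_wp_tree "$1"
  if [ "${2:-}" = fix ]; then fix_modes "$1"; audit_wp_tree "$1"; fi
fi
```

Against the demo tree the audit reports three bad paths (the 777 uploads directory, the 664 index.php and the 644 wp-config.php), shows DISALLOW_FILE_MODS as unset, and reports zero after fix_modes. Before running fix on a live site, check ownership: 755 on wp-content/uploads only leaves it writable if the web server user owns it, and 440 on wp-config.php only leaves it readable if PHP runs as the owner or a member of the file's group.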

Backups and Recovery

Backups are your ultimate recovery mechanism. Use UpdraftPlus or BlogVault to schedule automated backups of your files and database to off-site storage (Google Drive, Dropbox, Amazon S3). Give the backup destination credentials that can write but not delete or overwrite, or turn on object versioning, so an attacker who controls the site cannot wipe the backups as well. Test your backups by restoring to a staging site; an untested backup is not a backup. Keep at least 30 days of backups, because compromises are often discovered weeks after they happen and a backup taken after the intrusion contains the backdoor. If your site is hacked, work out when the attacker got in, restore a backup from before that date, update everything, rotate every credential the attacker could have read (database password, the salts in wp-config.php, admin passwords, hosting and SFTP/SSH logins), and harden security before bringing the site back online.
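For anyone with shell access, the same routine can be scripted without a plugin. The script below is an added example, not from the article or from UpdraftPlus or BlogVault: it dumps the database, archives the files, writes a checksum manifest, verifies the set, copies it off-site, and prunes sets older than 30 days. Its assumptions are not from the article: database credentials live in ~/.my.cnf, the AWS CLI is configured, and the paths and bucket name are placeholders. demo_retention and demo_verify work on constructed temporary directories so the example runs offline without a database or a bucket.

```bash
#!/usr/bin/env bash
# Scripted backup with verification, off-site copy and 30-day retention, an
# alternative to UpdraftPlus/BlogVault for anyone with shell access. Assumptions,
# not from the article: database credentials live in ~/.my.cnf, the AWS CLI is
# configured, and paths/bucket names are placeholders. demo_retention and
# demo_verify work on constructed temp directories so the example runs offline.

# backup_site WP_ROOT DB_NAME DEST: dump the database and archive the files into
# DEST/<utc timestamp>/ with a checksum manifest; prints the new set's path.
backup_site() {
  local root=$1 db=$2 set_dir
  set_dir=$3/$(date -u +%Y%m%dT%H%M%SZ)
  mkdir -p "$set_dir"
  # --single-transaction: consistent InnoDB snapshot without locking the live site.
  mysqldump --single-transaction --quick "$db" | gzip > "$set_dir/db.sql.gz"
  tar -czf "$set_dir/files.tar.gz" --exclude='*/wp-content/cache' \
      -C "$(dirname "$root")" "$(basename "$root")"
  ( cd "$set_dir" && sha256sum db.sql.gz files.tar.gz > SHA256SUMS )
  printf '%s\n' "$set_dir"
}

# verify_backup_set DIR: 0 if the checksums match and both archives decompress.
verify_backup_set() {
  ( cd "$1" && sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1 \
      && gzip -t db.sql.gz files.tar.gz 2>/dev/null )
}

# upload_offsite DIR BUCKET: copy the set to S3. Give this credential write-only
# access (no delete) so a compromised server cannot destroy its own backups.
upload_offsite() {
  aws s3 cp --recursive "$1" "s3://$2/$(basename "$1")/"
}

# prune_old_backups DEST DAYS: delete sets older than DAYS; prints how many were removed.
prune_old_backups() {
  local n
  n=$(find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$2" | wc -l)
  find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$2" -exec rm -rf {} +
  echo $((n))
}

# demo_retention: four constructed sets aged 54, 40, 5 and 0 days; prints "removed kept".
demo_retention() {
  local dest removed kept
  dest=$(mktemp -d)
  mkdir -p "$dest/20250601T020000Z" "$dest/20250615T020000Z" "$dest/20250720T020000Z" "$dest/20250724T020000Z"
  touch -d '54 days ago' "$dest/20250601T020000Z"
  touch -d '40 days ago' "$dest/20250615T020000Z"
  touch -d '5 days ago'  "$dest/20250720T020000Z"
  removed=$(prune_old_backups "$dest" 30)
  kept=$(find "$dest" -mindepth 1 -maxdepth 1 -type d | wc -l)
  rm -rf "$dest"
  echo "$removed $((kept))"
}

# demo_verify: a constructed set passes verification, then fails after a file is altered.
demo_verify() {
  local dir before after
  dir=$(mktemp -d)
  echo 'CREATE TABLE wp_options (...);' | gzip > "$dir/db.sql.gz"
  printf 'placeholder archive' | gzip > "$dir/files.tar.gz"
  ( cd "$dir" && sha256sum db.sql.gz files.tar.gz > SHA256SUMS )
  if verify_backup_set "$dir"; then before=ok; else before=bad; fi
  echo 'altered dump' | gzip > "$dir/db.sql.gz"
  if verify_backup_set "$dir"; then after=ok; else after=bad; fi
  rm -rf "$dir"
  echo "$before $after"
}

# Run as: WP_BACKUP_RUN=1 ./wp-backup.sh /var/www/html wordpress /var/backups/wp my-backup-bucket
if [ "${WP_BACKUP_RUN:-0}" = 1 ]; then
  new_set=$(backup_site "$1" "$2" "$3")
  verify_backup_set "$new_set"
  upload_offsite "$new_set" "$4"
  prune_old_backups "$3" 30 >/dev/null
fi
```

Two design choices matter here. The checksum manifest is written at backup time and checked before upload, so a corrupt dump is noticed while you can still take another one rather than on the day you need to restore. And the off-site credential should be allowed to write but not delete, with versioning on the bucket, which is what keeps retention meaningful when the server itself is the thing that got compromised. Verification here checks integrity, not restorability; the restore-to-staging test above is still the only proof that a backup works.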

Tags: WordPress, Security, Hacking Prevention, Firewall, Backup