Breachroad
Web security

WordPress security: 10 steps for site owners

WordPress powers most of the web and is the top target for attacks. Ten practical steps to secure your site — no coding knowledge required.

Karol Rapacz
5 June 2026 · 11 min read

WordPress powers a huge share of the web — from blogs to shops and company sites. That popularity has a flip side: WordPress is the most attacked CMS in the world. The good news is that the overwhelming majority of break-ins don’t exploit sophisticated flaws but the same repeated neglect: outdated plugins, weak passwords, no backup. Below are ten steps a site owner can implement themselves that close the most common attack paths.

Where the risk comes from

The WordPress “core” itself is fairly well secured today and regularly patched. The problem is mainly plugins and themes — that’s where most of the flaws used in attacks live. A typical site has a dozen to several dozen plugins of varying quality, and every outdated or abandoned one is a potential entry point. Add password attacks (brute-force on /wp-login.php) and automated scanners that constantly comb the internet for vulnerable installs.

Ten steps that make the difference

1. Update everything — core, plugins, themes. This is the single most important thing. Most hacked sites fell to a known flaw whose patch had existed for weeks. Enable automatic updates, at least for security fixes.

2. Remove what you don’t use. Every inactive plugin and theme is attack surface — even disabled ones can be vulnerable. Delete (not just deactivate) everything you don’t need.

3. Strong passwords and MFA for login. Protect admin accounts with long, unique passwords from a password manager and enable two-factor authentication (via an MFA plugin). This blunts brute-force attacks and stops a stolen password alone from granting access.

4. Change the default admin username. An “admin” account is half the work for an attacker. Create an admin account with a unique name and delete the old “admin”.

5. Limit login attempts and hide the panel. A plugin limiting failed logins, plus optionally changing the /wp-admin address or restricting access by IP, drastically reduces the effectiveness of bots.

6. Install a security plugin / WAF. A reputable plugin (Wordfence, Sucuri, iThemes) adds an application firewall, file monitoring and malicious-code scanning. It’s the first line of defence against mass scanners.

7. Enforce HTTPS. A TLS certificate is standard today and free (Let’s Encrypt). Force all traffic to HTTPS — you can check it with our security scanner.

8. Back up (and test it). An automatic backup of the database and files in an external location is your insurance against a break-in or a bad update. The 3-2-1 rule applies to small sites too. An untested backup is just an assumption.

9. Restrict permissions and file execution. Editors don’t need admin rights. Disable the panel’s file editor (DISALLOW_FILE_EDIT) and block PHP execution in the uploads directory — this closes the typical web shell after a malicious file upload.

10. Choose plugins deliberately. Before installing, check: when it was last updated, how many active installs it has, whether the author responds to reports. An abandoned plugin with thousands of installs is a time bomb.
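Step 9 in practice, as an added example (not the article's own code): a POSIX shell script that inserts the DISALLOW_FILE_EDIT define into wp-config.php and drops an .htaccess into wp-content/uploads that refuses to serve PHP from there. It assumes Apache 2.4 with .htaccess overrides enabled (nginx needs an equivalent location rule) and takes the site root as a placeholder argument.

```shell
#!/bin/sh
# Added example, not from the article. Applies step 9 to a WordPress tree:
#   1) define DISALLOW_FILE_EDIT in wp-config.php (removes the in-panel editor)
#   2) write an .htaccess into wp-content/uploads that denies PHP execution
# Assumes Apache 2.4 with .htaccess overrides enabled; the site root is passed
# as the first argument (placeholder, e.g. /var/www/html).
set -eu

disable_file_editor() {
  cfg="$1/wp-config.php"
  if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    echo "already set"
    return 0
  fi
  # Stock wp-config.php carries a "stop editing" marker; the define must sit
  # above it so it is in place before wp-settings.php is loaded.
  if ! grep -q "stop editing" "$cfg"; then
    echo "marker not found in $cfg" >&2
    return 1
  fi
  awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
    '/stop editing/ && !done { print line; done = 1 } { print }' \
    "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  echo "added"
}

block_php_in_uploads() {
  dir="$1/wp-content/uploads"
  mkdir -p "$dir"
  # Match the PHP extensions Apache handlers commonly map, not just .php.
  cat > "$dir/.htaccess" <<'EOF'
# Uploads hold media only: never execute scripts stored here.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
  echo "written $dir/.htaccess"
}

# Run against a real site: sh harden.sh /var/www/html
if [ "$#" -gt 0 ]; then
  disable_file_editor "$1"
  block_php_in_uploads "$1"
fi
```

Take a backup of wp-config.php first; the script refuses to guess where the define belongs if the stock marker line has been removed.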

How to recognise a hacked site

Typical symptoms: unknown admin accounts, redirects to foreign sites, spam in content, browser or Google warnings (“this site may be dangerous”), a sudden performance drop, new PHP files in directories. If you see this — treat it as an incident: preserve a copy for analysis, change all passwords (WordPress, hosting, database, FTP), review accounts and files, and after cleaning rotate the keys and salts in wp-config.php to invalidate existing sessions.
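A filesystem check for the "new PHP files" symptom, as an added example (not the article's own code): two POSIX shell functions that list PHP-like files under wp-content/uploads (a clean site has none) and PHP files anywhere in the tree modified within the last N days. The site root argument is a placeholder; run it against the preserved copy rather than the live tree.

```shell
#!/bin/sh
# Added example, not from the article. Filesystem triage for the
# "new PHP files in directories" symptom. Takes the site root (placeholder)
# as the first argument and an optional look-back window in days as the second.
set -eu

# PHP-like files anywhere under wp-content/uploads. Uploads should contain
# media only, so every hit is a candidate web shell worth inspecting.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[0-9]' \) \
    2>/dev/null | sort
}

# PHP files in the whole tree modified within the last N days (default 7).
# Compare the list with when core, plugins or themes were last updated:
# changes outside those windows need an explanation.
recently_changed_php() {
  days="${2:-7}"
  find "$1" -type f -iname '*.php' -mtime "-$days" 2>/dev/null | sort
}

# Number of hits in uploads, for a one-line summary or a cron alert.
uploads_hit_count() {
  php_in_uploads "$1" | wc -l | tr -d ' '
}

# Run against a copy of a real site: sh triage.sh /srv/site-copy 14
if [ "$#" -gt 0 ]; then
  echo "PHP-like files in uploads: $(uploads_hit_count "$1")"
  php_in_uploads "$1"
  echo "PHP files changed in the last ${2:-7} days:"
  recently_changed_php "$1" "${2:-7}"
fi
```

Where WP-CLI is available on the host, `wp core verify-checksums` covers modified core files and `wp user list --role=administrator` covers the unknown-admin symptom, which this script does not touch.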

When a security test is worth it

The steps above are hygiene you can do yourself. But if your site processes customer data, handles payments or matters to the business, it’s worth going further: a web application penetration test checks not just known plugin flaws but also logic, access control and configuration — the things an automated scanner won’t find. That matters especially for shops and sites with user logins.

Frequently asked questions (FAQ)

Is a security plugin alone enough? No. A WAF plugin is a very helpful layer, but it won’t replace updates, strong passwords and backups. Many hacked sites had a security plugin installed — and an outdated theme with a critical flaw. Security is a set of habits, not one tool.

How often should I update WordPress? Security fixes — as fast as possible (ideally automatically). Larger plugin updates are worth deploying after a quick test on a copy, especially for shops. The key rule: don’t leave a critical flaw open for weeks, because that’s exactly what bots hunt for.

I have a small brochure site. Would anyone really attack me? Yes — attacks are automated and don’t check how big your company is. Scanners comb the internet and exploit every vulnerable install, often to send spam, host phishing or inject malicious redirects. A small site gets attacked just like a large one.

What if my host suspended my site for “malicious activity”? That usually means the site was hacked and abused (e.g. for spam). Don’t hastily delete files — preserve a copy, identify the malicious code and entry point, clean up, then change all passwords and keys. For a serious break-in it’s worth commissioning a specialist analysis.

I run a WooCommerce shop. What do I need beyond this list? A shop processes personal data and payments, so add: regular security testing, compliance with the GDPR's technical measures, and special care with payment plugins. We’ll help review your shop for real risks. Get in touch.

Summary

WordPress security doesn’t require coding knowledge — it requires consistency. Update everything, remove unused plugins, protect login with a strong password and MFA, enforce HTTPS, keep tested backups and choose plugins wisely. These ten steps close the paths bots really use. And if the site matters to the business, add a professional test — before someone unauthorised does it for you.
