HCWeb Hosting Centre

How to secure your WordPress site: a practical checklist

The WordPress security steps that actually matter — in priority order — without the fear-mongering or the 50-plugin overkill.

Published 8 min read

WordPress runs a huge share of the web, which makes it a constant target — not usually because anyone is after you specifically, but because automated bots probe every WordPress site they can find. The good news: a handful of basics stops the overwhelming majority of attacks. Here’s the checklist, in the order that actually matters.

1. Keep WordPress, plugins, and themes updated

The single biggest cause of hacked WordPress sites is out-of-date software with known vulnerabilities. Bots scan for sites running old versions of popular plugins and walk straight in.

  • Turn on automatic updates for minor WordPress core releases (the X.Y.Z security and maintenance releases, which are almost always safe).
  • Update plugins and themes promptly, and delete the ones you don't use. An inactive plugin's files still sit on disk and can still be requested directly, so it is still a doorway.
  • Major core releases (the X.Y ones, e.g. 6.5 to 6.6) can occasionally break a plugin or theme, so do those after a backup.

On our plans, WordPress core security updates apply automatically, and daily backups (on Business and above) mean a bad update is a quick rollback rather than a crisis.

2. Use strong passwords and turn on two-factor authentication

Brute-force bots guess weak admin passwords thousands of times a minute. Two defences make those guesses pointless:

  • A strong, unique password for every admin account (use a password manager).
  • Two-factor authentication (2FA) on the WordPress login and on your hosting and billing accounts. With 2FA on, a stolen password alone isn’t enough to get in.

Set up 2FA on your WHC accounts too — see billing portal login for how.

3. Make sure HTTPS is on and forced

Every WordPress site should load over https, not http, and visitors arriving at the insecure version should be redirected automatically. If you're not sure yours is, our guide on forcing HTTPS on WordPress walks through it, and do you need an SSL certificate? explains why it matters. A TLS/SSL certificate is free and included on every WHC plan.

4. Limit login attempts and hide the obvious targets

  • Rate-limit logins so bots can't make unlimited guesses. We apply login rate-limiting at the server level; a plugin such as Limit Login Attempts adds a second layer inside WordPress.
  • Don't use admin as your username. It's the first thing bots try. Bear in mind that WordPress exposes usernames through author pages and the REST API anyway, so a good password and 2FA are the real defence, not the username.
  • Consider moving the login page off the default /wp-login.php and /wp-admin with a plugin if you're getting hammered. This only cuts noise: it is obscurity, not a control. If you don't use XML-RPC (Jetpack, the mobile app), disable xmlrpc.php as well, since bots use it for the same password guessing.

5. Choose plugins and themes carefully

Most WordPress compromises arrive through a plugin. Reduce your exposure:

  • Install from the official WordPress directory or reputable developers only.
  • Avoid “nulled” (pirated) premium plugins and themes entirely — they’re a classic malware delivery method.
  • Fewer plugins means a smaller attack surface and a faster site. If you’re not using it, remove it.

6. Keep current backups you actually control

If everything else fails, a clean recent backup turns a disaster into an inconvenience. We keep daily backups (with 30-day retention on E-commerce plans), but you should also keep your own copy on storage you control, away from the server itself, using UpdraftPlus or similar, especially before big changes. A backup you have never restored is a hope, not a plan: test a restore to a staging copy now and then.

7. Run on a current PHP version

Old PHP versions stop getting security fixes, and every 7.x release has already reached end of life. Run a current 8.x release where your plugins support it; in the Enhance control panel you can switch any site's PHP version, from 7.x up to the latest 8.5. (Older versions are there when a legacy plugin genuinely needs one, but they're not where you want to sit long-term, and a plugin that won't run on a supported PHP is itself a warning sign.)

8. Lock down file permissions and wp-config.php

This one's more technical, but worth knowing: wp-config.php holds your database credentials and should never be readable by other accounts on the server. The sensible scheme is 755 for folders and 644 for files, with wp-config.php at 600 (or 640 if PHP runs as a different user from the one that owns the files, which is unusual on managed hosting). Never set 777 on anything, including wp-content/uploads: a world-writable directory lets any other user on the server drop files into your site. If you're unsure, open a ticket and we'll check it for you.
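As an added example (not part of the original page and not a WHC tool), the following POSIX shell script applies that permission scheme to a WordPress tree and then checks for the usual mistakes. It assumes PHP runs as the Unix user that owns the files, which is why wp-config.php can be 600; the function names harden_wp_perms and check_wp_perms are hypothetical, as is the sample path in the usage line.

```shell
#!/bin/sh
# Added example (not WHC's code): put a WordPress tree on the 755/644 scheme
# with wp-config.php at 600, then check for the usual mistakes.
# Assumes PHP runs as the Unix user that owns the files (the normal case on
# managed hosting); if PHP runs as a different user, wp-config.php needs 640
# with the web server's group instead. Function names are hypothetical.
set -eu

# Directories 755, files 644, wp-config.php 600.
harden_wp_perms() {
    docroot=$1
    [ -f "$docroot/wp-config.php" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    chmod 600 "$docroot/wp-config.php"
}

# Returns 0 when clean. Flags a world-readable wp-config.php, anything
# group- or world-writable (a 777 uploads directory is the classic), and
# any setuid/setgid file, which has no business in a web root.
check_wp_perms() {
    docroot=$1
    bad=0
    if [ -n "$(find "$docroot/wp-config.php" -perm -004)" ]; then
        echo "wp-config.php is world-readable" >&2; bad=1
    fi
    loose=$(find "$docroot" \( -perm -002 -o -perm -020 \) -print)
    if [ -n "$loose" ]; then
        printf 'group/world-writable:\n%s\n' "$loose" >&2; bad=1
    fi
    suid=$(find "$docroot" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$suid" ]; then
        printf 'setuid/setgid files:\n%s\n' "$suid" >&2; bad=1
    fi
    return $bad
}

# Usage: sh wp-perms.sh /home/user/public_html   (hypothetical path)
if [ -n "${1:-}" ]; then
    harden_wp_perms "$1"
    check_wp_perms "$1" && echo "permissions look right"
fi
```

Run the check on its own first if you only want a report; the hardening step is a plain recursive chmod, so it is safe to repeat but will undo any deliberate exceptions (for example a cache directory a plugin insists on owning), which you then re-apply by hand.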

What you don’t need

You don’t need ten overlapping security plugins — they slow your site and often duplicate what your host already does at the server level. One reputable security plugin plus the basics above beats a pile of them.

If your site is already compromised

Signs include unexpected redirects, spam pages you didn’t create, or a Google “this site may be hacked” warning. Don’t panic, and don’t just delete things at random:

  1. Take the site offline or into maintenance mode if you can.
  2. Restore from a known-clean backup if you have one, then immediately update core, plugins and themes: putting the old files back without closing the hole the attacker used just invites a second infection.
  3. Change all passwords (WordPress, hosting, database, FTP), rotate the security keys and salts in wp-config.php so every existing login cookie stops working, and check Users for admin accounts you didn't create.
  4. Open a ticket. Our sysadmins can help identify and clean the infection, and on managed plans we'll walk you through it rather than leave you guessing.
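Rotating the keys and salts is a small edit to wp-config.php, and doing it carefully matters because the file also holds your database password. The script below is an added example, not part of the original page or a WHC tool: it copies wp-config.php to a backup of your choosing, then replaces the value of each of the eight constants from AUTH_KEY to NONCE_SALT with 64 characters drawn from /dev/urandom. It assumes the standard define( 'KEY', 'value' ); layout that WordPress ships in wp-config-sample.php; the function names and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example (not WHC's code): rotate the WordPress security keys and salts
# in wp-config.php so every existing login cookie becomes invalid.
# Assumes the standard  define( 'AUTH_KEY', 'value' );  layout from
# wp-config-sample.php; function names are hypothetical.
set -eu

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from a set that is safe inside single quotes and
# inside a sed replacement (no quote, backslash, ampersand or slash).
new_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!#%^*()_+=' < /dev/urandom | head -c 64
}

# Print the current value of a define( 'KEY', '...' ) constant, or nothing.
wp_salt_value() {
    cfg=$1; key=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*'$key',[[:space:]]*'\([^']*\)'.*/\1/p" "$cfg"
}

# Replace all eight constants in place. Returns 1 and changes nothing if any
# of them is missing (for example when they live in a separately included
# file). The backup goes to $2, or to wp-config.php.bak beside the original
# when $2 is empty; put it outside the web root, because a .bak file inside
# the document root is served to anyone who asks for it as plain text.
rotate_wp_salts() {
    cfg=$1
    bak=${2:-$cfg.bak}
    for key in $WP_SALT_KEYS; do
        grep -q "define([[:space:]]*'$key'" "$cfg" || { echo "$key not found in $cfg" >&2; return 1; }
    done
    cp -p "$cfg" "$bak"
    chmod 600 "$bak"
    tmp=$(mktemp)
    for key in $WP_SALT_KEYS; do
        new=$(new_salt)
        sed "s/^\([[:space:]]*define([[:space:]]*'$key',[[:space:]]*\)'[^']*'/\1'$new'/" "$cfg" > "$tmp"
        cat "$tmp" > "$cfg"   # cat, not mv: keeps wp-config.php's owner and mode
    done
    rm -f "$tmp"
}

# Usage: sh rotate-wp-salts.sh /home/user/public_html/wp-config.php /home/user/wp-config.before-rotation
if [ -n "${1:-}" ]; then
    rotate_wp_salts "$1" "${2:-}" && echo "salts rotated; previous copy at ${2:-$1.bak}"
fi
```

Where WP-CLI is available, wp config shuffle-salts does the same job in one command. Either way, everyone is logged out at once, you included, which is exactly the point: an attacker who stole a session cookie rather than a password is locked out too.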

Security isn’t one big thing; it’s a few small habits done consistently. Get the basics above in place and you’re ahead of the vast majority of sites the bots are looking for. If you’d rather host somewhere that handles the server-side hardening for you, that’s exactly what our WordPress hosting is built to do.

Tags: wordpress security secure wordpress 2fa malware hardening ssl