TL;DR
- WordPress powers over 43% of all websites, making it the largest single target for automated attacks — bots scan for vulnerable installations 24 hours a day
- The vast majority of WordPress compromises are preventable: Wordfence's threat intelligence consistently shows outdated plugins as the leading attack vector
- The highest-impact items are: 2FA on admin accounts, prompt plugin updates, offsite backups, and a server-level WAF — everything else is incremental
- Managed WordPress hosting handles most of this checklist at the infrastructure level; self-managed installs require deliberate effort
WordPress powers over 43% of the web, which makes it the single largest target for automated attacks. The bots scanning for vulnerable WordPress installations run 24 hours a day, every day. If you run a WordPress site, security is not optional — it is maintenance.
The good news is that the vast majority of WordPress hacks are preventable. They succeed because of outdated software, weak credentials, or misconfigured servers. None of these are complicated to address.
This checklist covers what actually matters. We skip the security theater and focus on the changes with the highest impact.
Authentication & Access
The most common WordPress attack vector is credential compromise — weak passwords, reused passwords, and brute-force attacks against wp-login.php. These are among the easiest threats to eliminate.
Use strong, unique passwords for every account. Use a password manager. Do not reuse passwords across services.
Enable two-factor authentication (2FA) on all admin accounts. Plugins like WP 2FA or the built-in 2FA in managed hosting control panels make this straightforward. With 2FA enabled, a leaked password alone is not enough to gain access.
Limit login attempts. Brute-force attacks hammer the wp-login.php endpoint with thousands of password guesses per minute. Rate-limit login attempts at either the plugin level (Limit Login Attempts Reloaded) or, better, at the server/WAF level.
Change the default admin username. If your admin account is named "admin," you have already given attackers half of what they need. Create a new admin account with a non-obvious username, then delete the "admin" account.
Use application passwords for API integrations. WordPress core supports application-specific passwords for REST API access. Use these instead of your main admin credentials for any third-party integrations.
Updates
Outdated plugins are the leading cause of WordPress compromises. Wordfence researchers track thousands of plugin vulnerabilities annually — the majority of real-world attacks exploit vulnerabilities that were already patched in available updates.
Keep WordPress core up to date. Security releases come out regularly and patch known vulnerabilities. On managed hosting, these should happen automatically. On self-managed installs, check your update cadence.
Update plugins promptly. Running outdated plugins is the most common cause of WordPress hacks — not because attackers are sophisticated, but because exploit code for known vulnerabilities is freely available and automated.
Remove plugins and themes you are not using. Inactive plugins still represent an attack surface. If you are not using it, delete it — do not just deactivate it.
Audit your plugins annually. Review every plugin in your install. Is it still maintained? Does it have recent security issues? Is there a better alternative? Plugin audits catch problems before attackers do.
File Permissions & Server Configuration
Overly permissive file permissions allow attackers who gain limited access to escalate their privileges. These settings take minutes to verify.
Set correct file permissions. WordPress files should be 644 and directories should be 755. The wp-config.php file should be 600.
Protect wp-config.php. This file contains your database credentials and secret keys. Move it one directory above your web root if your server configuration allows it, or restrict access via server rules.
Disable file editing in the admin. Add define('DISALLOW_FILE_EDIT', true) to wp-config.php. This removes the built-in theme and plugin editor from the WordPress admin, preventing an attacker who gains admin access from editing PHP files directly through the UI.
Disable XML-RPC if you do not use it. XML-RPC is a legacy WordPress API frequently exploited for brute-force attacks and DDoS amplification. Unless you specifically need it, block it at the server level.
Monitoring
Security incidents are most damaging when they go undetected. Monitoring provides the early warning that limits damage.
Install a security scanner. Wordfence or Sucuri — or server-level malware scanning available on managed hosts — will alert you if malware is detected. Early detection limits damage significantly.
Monitor file changes. Unexpected changes to core WordPress files, theme files, or plugin files are a sign of compromise. File integrity monitoring alerts you when changes occur outside of your normal update workflow.
Check your access logs. Periodic review of your server's access logs catches reconnaissance activity, scanning, and unusual traffic patterns before they escalate.
Set up uptime monitoring. Downtime is sometimes the first visible sign of an attack. Uptime monitoring alerts you within minutes of an outage.
Backups
A backup stored on the same server as your website is not a backup — it will be lost or encrypted in the same attack that compromises your site.
Maintain automated, offsite backups. Use a managed host with automatic offsite backups, or replicate to a separate provider like Backblaze B2.
Test your restore process. A backup you have never tested is not a backup. Periodically restore your site to a staging environment and verify it comes back cleanly.
Keep multiple restore points. Daily backups for at least 30 days, plus weekly backups going back 3 months. If you discover a compromise that started weeks ago, you need old restore points.
The Managed Hosting Advantage
The single most effective thing most WordPress site owners can do for security is move to managed WordPress hosting. Most of what is on this checklist — server-level WAF, automatic updates with staging verification, continuous malware scanning, DDoS mitigation, offsite backups — is either included by default or dramatically easier to implement on a managed platform.
Frequently Asked Questions
Does managed WordPress hosting handle security for me? Most of the infrastructure-level items on this checklist — WAF, automatic updates, malware scanning, DDoS mitigation, offsite backups — are included or built-in on reputable managed WordPress hosts like Nexcess and WP Engine. You still need to handle authentication best practices (strong passwords, 2FA) and plugin hygiene, but the hosting layer removes the hardest parts.
How often do WordPress sites get hacked? Frequently — WordPress is the most targeted CMS on the internet precisely because it powers such a large share of the web. Wordfence blocks billions of attacks per month across its user base. The good news is that properly maintained sites — current software, 2FA, a WAF — rarely get compromised. The sites that do get hacked are almost always running outdated software.
Is Wordfence or Sucuri better for WordPress security? Both are solid. Wordfence runs as a WordPress plugin and is easier to install and configure; it's the right choice for most self-managed sites. Sucuri offers a cloud-based WAF that filters traffic before it reaches your server, which provides better protection if your server is underpowered or already compromised. On managed hosting with a server-level WAF already in place, a dedicated security plugin may be redundant.
What's the minimum security setup for a WordPress site? At minimum: strong unique password for admin accounts, 2FA enabled, automatic updates for core and plugins, and a daily offsite backup. That covers the majority of attack surface for most sites. Everything else on this list adds incremental protection.
How do I know if my site has already been compromised? Common signs: unexpected admin accounts, spam links or pages you didn't create, your site is being flagged by Google Safe Browsing, hosting provider warnings about malware, or your IP appearing on email blacklists. Run a scan with Wordfence or Sucuri's free site scanner if you suspect a problem.
How long does it take to clean a hacked WordPress site? Typically 4–20 hours of professional time, depending on the scope of the compromise. Partial infections (a few injected files) can be cleaned in a few hours. Full compromises where the database and file system have been modified extensively take longer. Rebuilding from a clean backup is often faster than remediation when the infection is widespread.
If managing your own security feels like too much overhead, talk to us about our managed WordPress hosting plans. Security is our job so you can focus on yours.