Every WordPress site gets attacked. Not “might get” — does. Automated bots scan the entire IPv4 space looking for exposed login pages, exploitable plugins, and misconfigured servers. Your site is being probed right now. In 2026, security plugins alone aren’t enough. Here’s the actual hardening checklist I apply to every client site.
The Reality of WordPress Attacks in 2026
The three attack types that account for 90% of successful WordPress compromises:
- Credential stuffing on
wp-login.php— attackers try leaked email/password combos from other breaches. - Vulnerable plugin exploits — a plugin ships a security patch, sites don’t update, bots weaponize the CVE within days.
- Weak or reused admin passwords — often on abandoned accounts that were never removed.
Everything below addresses one of these three vectors.
The Non-Negotiable Baseline
1. Change the login URL
Move wp-login.php to something obscure. WPS Hide Login (free) does it in one setting. This blocks 95% of automated login attacks — bots hit /wp-login.php, get a 404, move on.
2. Enforce strong passwords and 2FA on all admin accounts
Two-Factor Authentication is not optional in 2026. Wordfence Login Security (free) or the built-in Google Authenticator plugin. Require it for administrator, editor, and shop_manager roles at minimum.
3. Limit login attempts
Limit Login Attempts Reloaded (free). Ban an IP after 4 failed attempts for 20 minutes. Combined with hidden login URL, brute force becomes computationally impractical.
4. Disable file editing from the admin
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
If an admin account gets compromised, the attacker can’t inject PHP through the theme editor.
5. Keep everything updated
Core, plugins, themes, PHP version. Every serious breach I’ve cleaned up in the last three years traces back to an outdated component. Enable auto-updates for minor releases at minimum.
Server-Level Hardening
6. Force HTTPS everywhere
Let’s Encrypt is free and every decent host installs it in one click. Add HSTS header once you’re confident nothing loads over HTTP.
7. Disable XML-RPC (unless you actually use it)
XML-RPC is used by the WordPress mobile app and Jetpack. If you don’t use either, disable it. It’s a common vector for amplified brute force attacks.
8. Protect wp-config.php
Add to your .htaccess:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
9. Disable directory browsing
Add Options -Indexes to .htaccess. Prevents attackers from listing your /uploads/ or /plugins/ directories.
10. Change the database prefix
New installs — set a custom prefix in wp-config.php (e.g. wp_a3k9x_). Existing sites — leave it, the migration risk isn’t worth the marginal security benefit.
Plugin and User Hygiene
11. Audit installed plugins quarterly
Every plugin is attack surface. Deactivate and delete anything not actively used. “Deactivated but installed” plugins can still be exploited — WordPress serves their files.
12. Only install plugins from wp.org or known vendors
Nulled plugins from Google search results almost always contain backdoors. I’ve cleaned up dozens of sites where “free premium plugin” was the entry point.
13. Remove unused user accounts
Old developer accounts, ex-employees, “test” accounts created two years ago. Delete them. Rotate the passwords of accounts you keep.
14. Rename the default admin username
If your admin account is literally “admin”, change it. Bots try this username first.
Web Application Firewall
15. Put Cloudflare in front
Cloudflare’s free plan blocks the vast majority of known bad traffic before it reaches your server. Turn on Bot Fight Mode. Set the security level to Medium at minimum.
16. Add a WordPress-specific WAF
Wordfence (free tier), Sucuri, or Patchstack. They know the WordPress-specific attack patterns Cloudflare doesn’t.
17. Rate-limit sensitive endpoints
Cloudflare rules to limit requests to /wp-login.php, /xmlrpc.php, and /wp-json/wp/v2/users. Even if bots find them, they can’t hammer them.
Backups Are a Security Control
18. Automated off-site backups
UpdraftPlus (free) to Google Drive, or your host’s built-in backup to their remote storage. Test restores quarterly — an untested backup is not a backup.
19. Version your wp-content in Git
For serious sites — put your theme and mu-plugins in Git. If a compromise injects PHP, a git diff shows exactly what changed.
Monitoring
20. Set up file integrity monitoring
Wordfence’s free scan runs weekly. Sucuri Sitecheck. If a core file changes, you get an alert. Most malware injections modify existing PHP files — integrity monitoring catches them.
21. Log admin actions
WP Activity Log (free tier) records who logged in, who changed what. Essential for figuring out what happened if something goes wrong.
What to Do If You’re Compromised
Don’t try to clean it yourself unless you know exactly what you’re doing. The steps:
- Take the site offline (maintenance mode).
- Change all admin passwords, wp-config.php salts, database password.
- Restore from a clean backup (before the compromise).
- Update everything — core, plugins, themes, PHP.
- Scan with Wordfence + Sucuri Sitecheck to confirm clean.
- Investigate how they got in and close that vector.
The 30-Minute Emergency Hardening
If you’re reading this and your site is unprotected, do these five things right now — takes 30 minutes total:
- Install WPS Hide Login and set a custom login URL.
- Install Limit Login Attempts Reloaded — set to 4 attempts.
- Install Wordfence Login Security — enable 2FA on your admin account.
- Update all plugins, themes, and core.
- Add
DISALLOW_FILE_EDITto wp-config.php.
That’s not comprehensive but it puts you ahead of 90% of WordPress sites.
Need a full security audit and hardening for your site? I do this for a living. Get in touch.









