I manage WordPress security for over a dozen client sites. In the last 12 months, Wordfence blocked more than 40,000 malicious login attempts across those sites combined. WordPress powers 43% of the web, which makes it the single biggest target for automated attacks. These eight steps are what I implement on every site I touch.
1. Keep WordPress Core, Themes, and Plugins Updated
90% of hacked WordPress sites run outdated software. That stat comes directly from Sucuri’s annual hacked website report. I run updates weekly on every client site, and I test on a staging environment first. One outdated plugin is all it takes.
A solid maintenance plan catches these updates before they become vulnerabilities.
2. Use a Security Plugin
I install Wordfence on every WordPress site. The free version includes a firewall, malware scanner, and login security features. For high-traffic sites, Wordfence Premium adds real-time firewall rules and country blocking. Sucuri is another strong option, especially for its server-side scanning.
3. Enforce Two-Factor Authentication
Brute force attacks are the most common WordPress threat. 2FA stops them cold. I use the Wordfence 2FA module for all admin and editor accounts. It takes two minutes to set up and eliminates password-only logins entirely.
4. Lock Down Login Attempts
I limit failed login attempts to five per IP address with a 30-minute lockout. This is built into Wordfence, but plugins like Limit Login Attempts Reloaded work too. Pair this with renaming the default /wp-admin login URL using WPS Hide Login.
5. Run Automated Daily Backups
Security without backups is incomplete. I configure UpdraftPlus to run daily database backups and weekly full-site backups to a remote location (Google Drive or Amazon S3). If something breaks, I can restore a clean version in under 15 minutes.
6. Use SSL and Force HTTPS
Google has flagged non-HTTPS sites as “Not Secure” since 2018. Every site I build runs on a valid SSL certificate with forced HTTPS redirects. This encrypts data in transit and directly affects Core Web Vitals and search rankings.
7. Set Correct File Permissions
WordPress files should be set to 644 and directories to 755. The wp-config.php file gets 440 or 400. I also disable file editing from the dashboard by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php. If an attacker gets in, they cannot modify theme or plugin files from the admin panel.
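As an added example (not code from the original post), here is a small POSIX shell audit that checks an install against the permission scheme and the DISALLOW_FILE_EDIT setting described in this step, plus a function that applies the scheme. It assumes a POSIX sh with find and chmod; the install path you pass in is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, find, chmod.
# Usage: wp_perm_audit /path/to/wordpress   (install path is hypothetical)

# Report every path whose mode deviates from the scheme (644 files, 755
# directories, 440/400 for wp-config.php) and check DISALLOW_FILE_EDIT.
# Returns 0 when everything matches, 1 otherwise.
wp_perm_audit() {
    root="$1"
    cfg="$root/wp-config.php"
    bad=0
    # Directories must be exactly 755 (rwxr-xr-x).
    n=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || find "$root" -type d ! -perm 755 -exec echo "want 755:" {} \;
    bad=$((bad + n))
    # Regular files other than wp-config.php must be exactly 644 (rw-r--r--).
    n=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || find "$root" -type f ! -name wp-config.php ! -perm 644 -exec echo "want 644:" {} \;
    bad=$((bad + n))
    if [ -f "$cfg" ]; then
        # wp-config.php holds the database credentials: owner/group read only.
        if ! find "$cfg" \( -perm 440 -o -perm 400 \) | grep -q .; then
            echo "want 440 or 400: $cfg"
            bad=$((bad + 1))
        fi
        # The dashboard theme/plugin editor must be switched off.
        if ! grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
            echo "DISALLOW_FILE_EDIT is not set to true in $cfg"
            bad=$((bad + 1))
        fi
    else
        echo "missing $cfg"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Apply the scheme: 755 on directories, 644 on files, 440 on wp-config.php.
# Does not edit wp-config.php itself; add the DISALLOW_FILE_EDIT line by hand.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}
```

Run the audit from cron or after every update so a plugin installer or a careless FTP upload that loosens modes is caught before anyone else finds it.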
8. Remove Unused Themes and Plugins
Every inactive plugin is an attack surface. I delete anything that is not active. That includes the default Twenty Twenty-Three and Twenty Twenty-Four themes if they are not in use. Fewer files mean fewer potential entry points.
Frequently Asked Questions
How often should I scan my WordPress site for malware?
I run automated scans daily through Wordfence. Manual deep scans happen weekly. Sucuri’s SiteCheck tool is a good free option for quick external scans between scheduled checks.
Is free Wordfence enough for WordPress security?
For most small business sites, yes. The free version includes the firewall, malware scanner, and 2FA. Premium adds real-time threat intelligence and priority support, which I recommend for ecommerce or membership sites handling sensitive data.
What should I do if my WordPress site gets hacked?
Take the site offline immediately. Restore from your most recent clean backup. Change every password (WordPress admin, hosting, FTP, database). Run a full malware scan, then review server access logs to find the entry point. If you do not have backups or logging in place, that is exactly the kind of gap a managed WordPress security plan prevents.
WordPress security is not a one-time setup. It is ongoing monitoring, patching, and response. I handle all eight of these steps as part of my WordPress maintenance plans so business owners can stop worrying about breaches and focus on revenue. Get in touch to lock your site down.