Security_Intel

WordPress Security Tips

WordPress gets attacked because it is everywhere. Over 40% of the web runs on it, making every installation a target for automated exploitation. These tips cover the essentials that keep WordPress sites secure and available.

01 Update Everything. Always.

Most successful WordPress compromises exploit known vulnerabilities in outdated plugins, themes, or core files. Attackers do not need to find new bugs when thousands of sites still run code with published security fixes. Automated scanners test for these known flaws constantly.

WordPress core now supports automatic background updates for minor releases. Plugins and themes surface update notices in the admin dashboard, but these only work if someone acts on them. Unattended sites fall behind fast.

Actions
  • Enable automatic updates for WordPress core, plugins, and themes where possible.
  • Set a weekly calendar reminder to check for updates if you manage updates manually.
  • Delete unused plugins and themes entirely. Deactivating is not enough. Code sitting in /wp-content/plugins/ or /wp-content/themes/ can still be exploited even when inactive.
  • Before updating, ensure you have a working backup you have tested restoring from.

02 Use Strong, Unique Passwords

In 2013, a botnet of over 90,000 compromised web servers was built entirely by brute-forcing weak WordPress admin passwords. The attack used a list of just 1,000 common passwords. In testing, a single small VPS can absorb 700,000 login attempts per day without noticeable performance impact, meaning the attack often goes undetected.

Weak passwords remain one of the easiest attack vectors. Automated credential-stuffing tools run 24/7, cycling through leaked password databases against every WordPress login page they find.

Actions
  • Use a password manager to generate and store passwords of 16+ random characters.
  • Never reuse passwords across sites. A breach on one service should not compromise your WordPress admin.
  • Enforce strong passwords for all user accounts, not just administrators. A compromised editor account can still do significant damage.
  • Consider adding two-factor authentication (2FA) to all admin and editor accounts.

03 Secure Your Login Page

The default WordPress login at /wp-login.php and /wp-admin/ is the primary target for brute-force attacks. Every bot on the internet knows where it is. Reducing exposure at this entry point blocks a significant volume of automated attacks.

Actions
  • Add two-factor authentication. This single step defeats automated password attacks entirely.
  • Limit login attempts using a plugin or server-level rate limiting. Five failed attempts followed by a lockout period stops brute-force attacks cold.
  • Restrict access to /wp-admin/ by IP address if your team works from known locations.
  • Change the default admin username to something non-obvious. Automated attacks target admin first.

04 Harden the Server

WordPress security extends beyond the application itself. The server running your site includes a web server (Nginx or Apache), PHP, MySQL, and often remote access services like SSH or cPanel. A misconfiguration or unpatched vulnerability in any of these components can give an attacker full control, making WordPress-level protections irrelevant.

Shared hosting environments carry additional risk. A compromised neighbor on the same server can lead to cross-account attacks. Even well-known hosting providers have experienced mass WordPress compromises through server-level vulnerabilities.

Actions
  • Keep all server software updated: OS packages, web server, PHP, and database.
  • Disable directory listing and remove default server information headers.
  • Set correct file permissions: 644 for files, 755 for directories. The wp-config.php file should be 400 or 440.
  • Disable PHP execution in directories that should only contain uploads: add rules to block PHP in /wp-content/uploads/.
  • If you manage your own server, run regular vulnerability scans and subscribe to security advisories for your stack.

05 Use Encrypted Connections Only

Transferring files over FTP sends your username and password in plain text. Anyone on the same network can capture these credentials with basic packet sniffing. The same applies to accessing /wp-admin/ over HTTP instead of HTTPS: your login credentials and session cookies are transmitted unencrypted.

On any public network (coffee shops, airports, hotels), an unencrypted connection means anyone nearby can gain full admin access to your site without sending a single packet to your server.

Actions
  • Enable HTTPS site-wide. Free TLS certificates from Let's Encrypt remove any cost barrier. There is no reason to run HTTP in 2026.
  • Force HTTPS for the admin dashboard by adding define('FORCE_SSL_ADMIN', true); to wp-config.php.
  • Never use FTP. Use SFTP (SSH File Transfer Protocol) or SCP for all file transfers.
  • Set the Strict-Transport-Security HTTP header to prevent browsers from falling back to HTTP.

06 Maintain Reliable Backups

Backups are your last line of defense. When a site gets compromised, a clean backup is often the fastest and most reliable path to recovery. Without one, you may face rebuilding from scratch or paying an attacker's ransom.

A backup that has never been tested is not a backup. Restoration failures are common, especially with large databases or complex plugin configurations. The time to discover a problem with your backup is not during an incident.

Actions
  • Automate daily backups of both the database and filesystem.
  • Store backups off-site, not on the same server as the WordPress installation. If the server is compromised, local backups are likely compromised too.
  • Test restoration regularly. Spin up a staging environment and verify the backup actually produces a working site.
  • Retain multiple backup versions. A compromise may go undetected for days or weeks, and you need to restore from before the breach.

07 Monitor for Threats

Without monitoring, attacks go unnoticed. Brute-force attempts, unauthorized file changes, and successful compromises can all happen silently. By the time you notice something is wrong through normal site usage, the attacker may have been inside for weeks.

Actions
  • Install a WordPress security plugin that provides file integrity monitoring and login attempt logging.
  • Set up alerts for failed login attempts that exceed a threshold.
  • For self-managed servers, consider a host-based intrusion detection system like OSSEC. It detects file changes, brute-force attacks, and can provide immediate compromise alerts.
  • Review server access logs periodically. Look for unusual request patterns, unexpected 404 spikes, or requests to paths that should not exist.

08 Be Selective with Plugins and Themes

Every plugin and theme you install increases your attack surface. Poorly maintained plugins with known vulnerabilities are one of the most common entry points for attackers. The WordPress ecosystem has over 60,000 plugins, and code quality varies enormously.

Actions
  • Only install plugins and themes from reputable sources. Check the last update date, number of active installations, and support forum activity.
  • Avoid nulled (pirated) themes and plugins. They frequently contain backdoors.
  • Audit your installed plugins quarterly. Remove anything you no longer use or that has been abandoned by its developer.
  • Fewer plugins means fewer vulnerabilities. If core WordPress or a simple code snippet can do the job, skip the plugin.

09 Apply the Principle of Least Privilege

Not every user needs to be an administrator. WordPress has a built-in role system for a reason. Granting excess permissions means a compromised account or a careless user can cause far more damage than necessary.

Actions
  • Assign the minimum role required for each user: Subscriber, Contributor, Author, Editor, or Administrator.
  • Audit user accounts regularly. Remove inactive accounts and downgrade roles that were temporarily elevated.
  • Use a separate, limited-privilege account for day-to-day content editing. Reserve administrator access for when you actually need it.
  • Restrict database user permissions. The MySQL user for WordPress should only have the privileges WordPress actually requires, not full database admin rights.

10 Test Your Own Security

You cannot fix what you do not know is broken. Regular security testing reveals misconfigurations, outdated components, and vulnerabilities before an attacker finds them. The same tools and techniques used by attackers are available for defensive testing.

Actions
  • Scan your WordPress installation with WPScan to identify plugin, theme, and core vulnerabilities.
  • Test your web server with Nikto for common misconfigurations.
  • Run a port scan with Nmap against your server to verify only expected services are exposed.
  • Check your HTTP security headers using online tools. Missing headers like Content-Security-Policy and X-Frame-Options leave your site open to client-side attacks.
  • Make security testing part of your regular maintenance cycle, not a one-time exercise.