Key takeaways:
- WordPress is a common target because it’s widely used. Most attacks are automated, so one weak spot, like an outdated plugin or weak password, can cause downtime and data loss.
- Start with the highest-impact WordPress security best practices. Use strong passwords, enable 2FA, limit login attempts, and keep WordPress core, themes, and plugins updated.
- Choose a reputable WordPress hosting provider to strengthen your security. The right host supports a safer setup with robust security measures, regular backups, malware scanning, and a WordPress-optimized environment.
WordPress powers around 43% of websites worldwide. With thousands of themes, plugins, and integrations that let you build fast and scale confidently—it’s no surprise people love it.
But that flexibility comes with a trade-off. More moving parts mean more chances for security gaps if maintenance slips. Because WordPress is everywhere, hackers run automated scans that sweep across millions of sites, looking for the same common weak spots. They usually watch for outdated plugins, reused passwords, misconfigured settings, and unsecured login pages.
These attacks are rarely personal, but your site becomes an easy target the moment it exposes a weakness. Fallout hits fast: downtime, stolen data, spam injections, SEO damage, and a blow to your credibility.
Good thing these attacks are preventable. In this guide, we’ll walk you through 15 WordPress security best practices for 2026. These are clear, proven steps you can act on today to strengthen your site and keep your data safe.
- Use strong passwords
- Enable two-factor authentication (2FA)
- Limit login attempts
- Keep WordPress core, themes, and plugins updated
- Enable a web application firewall (WAF)
- Restrict file editing from the dashboard
- Set proper folder or file permissions
- Change the default WordPress database prefix
- Assign the right user roles (limit access)
- Monitor site activity
- Limit the use of third-party plugins and themes
- Change the default WordPress login URL
- Automatically log out idle users
- Add CAPTCHA to forms
- Disable XML-RPC if you don’t need it
Use strong passwords
Your password is your website’s first line of defense. It might be tempting to choose something easy, but having a strong password really helps keep your WordPress site secure.
For example, a weak password like Password1234 is pretty easy to guess. On the other hand, something like P@ssW0rD!!1#2#3$4$ is way tougher to crack.
Here are three simple tips to help you create strong passwords:
- Mix uppercase and lowercase letters, numbers, and special characters.
- Avoid obvious choices like names or birthdays, and don’t reuse passwords across accounts.
- Use a password manager to make creating and storing complex passwords a breeze.
Keep your login credentials to yourself. If you jot down passwords in your phone’s note app, make sure the app has proper security measures, such as a password or biometric lock.
Strong passwords protect more than just your WordPress dashboard. They also secure your hosting account, database access, SFTP credentials, and any connected services. If attackers gain access to your hosting provider login, they can bypass WordPress entirely and modify files directly on the web server. Use a unique password for every access point tied to your WordPress installation.
Enable two-factor authentication (2FA)
Add a second lock to your WordPress site login through two-factor authentication. After entering your password, you also confirm that it is really you, usually with a one-time code from an authenticator app, a text message, or a security key.
This extra step stops most unauthorized logins in their tracks. It makes a stolen password useless on its own, because an attacker still can’t access your site without the second verification.
Make it mandatory for WordPress admins, editors, and shop managers to enable 2FA to block the most common way attackers breach WordPress sites.
Limit login attempts
Limit login attempts on your WordPress site to stop brute-force attacks. This is when hackers repeatedly guess passwords until something works. Capping failed login attempts protects user accounts and quickly cuts off automated bots.
An easy way to do this is with Limit Login Attempts Reloaded from the official WordPress Plugin Directory. Install it, activate it, and set your limits. It then automatically blocks further login tries after a set number of failed login attempts.
This one change can dramatically reduce unauthorized access attempts and strengthen your overall WordPress security.
Keep WordPress core, themes, and plugins updated
Update WordPress core, your theme, and your plugins regularly. Many WordPress security issues stem from third-party software such as plugins, so closing this gap pays off fast.
Keep all three layers current so you get security patches, bug fixes, and compatibility improvements:
- WordPress core: Core releases include security and maintenance fixes. WordPress also supports automatic background updates to help your site stay patched.
- Plugins and themes: Since plugins are the biggest source of disclosed vulnerabilities, keeping them updated has a positive security impact.
To update securely without breaking your site, use this process as it prioritizes security and stability:
- Back up first, especially before major changes: WordPress’s own upgrade guide calls out backing up as a key step before upgrades.
- Use auto-updates where they make sense: WordPress supports configuring automatic updates so trusted components stay patched without manual work.
- Remove what you don’t use: Delete inactive plugins and themes rather than leaving them installed and unpatched.
If you’re on a managed WordPress hosting account, core updates are often handled automatically. For example, WP Engine rolls out minor security releases as soon as they’re vetted, and deploys major version updates after additional testing.
They also offer automated plugin and theme updates via WP Engine’s Smart Plugin Manager. This checks for errors and visual changes after updates and can roll back if issues are detected.
Together, these steps are foundational WordPress security best practices that reduce risk without slowing you down. For a fast companion checklist, check out this guide.
Enable a web application firewall (WAF)
Turn on a web application firewall (WAF) to block attacks before they ever reach your WordPress site. A WAF sits between the internet and your WordPress site and inspects incoming requests for brute-force login attempts, bot scans, malicious payloads, and malware probes.
So instead of letting bad traffic hit WordPress, it blocks threats or suspicious activity at the door. This ongoing protection makes a WAF highly effective at keeping your site safe from attacks and easily one of the highest‑impact WordPress security best practices you can enable.
Most WordPress security guides break firewalls into two categories:
- DNS-level (cloud/proxy) firewall: This routes your traffic through the firewall provider’s network before it reaches your server software. Only clean requests get forwarded to your site. This is best at defending against large bot waves, repeated brute-force attempts, and junk traffic that can slow down or overwhelm your server, as it gets blocked before it reaches your hosting.
- Application-level firewall: This filters requests after they reach your server, but before WordPress fully loads. It inspects traffic more deeply and blocks known malicious behavior and exploit patterns. This type best defends against attacks aimed at WordPress itself, especially attempts to exploit vulnerable plugins or themes, or to abuse suspicious request behavior.
Some managed WP hosting providers include firewall protection at the hosting environment level. This means malicious requests are filtered before they reach your web server or WordPress core software. When security features operate at both the server and application level, your site benefits from layered defense.
Restrict file editing from the dashboard
By default, WordPress admins can edit theme and plugin files directly from the dashboard. It’s convenient, but also a problem. An attacker can drop malicious code in seconds if that access falls into the wrong hands.
Lock it down. Disable dashboard file editing and remove that path entirely. It removes a high-risk shortcut and forces changes to happen through proper access (FTP/hosting file manager), where you have more control.
How to disable file editing in WordPress
- Open your site files using FTP or your host’s File Manager.
- Find wp-config.php in your WordPress root directory.
- Open wp-config.php in a text editor.
- Search for this line: /* That's all, stop editing! Happy blogging. */ (on newer installs the comment reads "Happy publishing" instead).
- Add this directly above it: define('DISALLOW_FILE_EDIT', true);
- Save the file and upload it back to your server (if needed).
Once this is in place, WordPress will remove the built‑in Theme and Plugin File Editor screens from the dashboard, so even admin accounts can’t make code changes from the backend.
Set proper folder or file permissions
As the WordPress admin, set your WordPress files to 644 and folders to 755 using FTP or your hosting File Manager. This keeps permissions tight: the account that owns the files can change them, while every other account on the server has read-only access and can view but not modify files or folders.
Apply these settings to each file and folder you want to protect from unwanted edits.
Why do you need to do this?
Not everyone who touches your site should be able to change how it runs. Writers, designers, contractors, and internal team members often need access—but not full control over your WordPress files. Proper permissions enforce that boundary.
When permissions are too loose, one mistake (or one compromised account) can turn into a bigger problem: overwritten files, broken layouts, failed updates, or malicious code added where you won’t notice it right away.
Review permissions regularly, especially after adding new plugins/themes, migrating hosts, or giving a developer access. You’ll reduce the risk of both accidental damage and unauthorized changes while keeping your site stable.
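As an added example (not from the article), this Python script audits a WordPress directory against the 644/755 rule above and reports or fixes deviations. On top of the article's advice it expects wp-config.php to be 640, an assumption made here because that file holds the database credentials; it assumes PHP runs as the file owner or a member of its group, and the sample tree it builds is constructed.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644     # owner read/write, everyone else read only
DIR_MODE = 0o755      # owner read/write/enter, everyone else read/enter
CONFIG_MODE = 0o640   # assumption: wp-config.php holds DB credentials, keep it unreadable by "others"


def expected_mode(path, st):
    """Return the mode a path should have, or None if it should be skipped (symlinks)."""
    if stat.S_ISLNK(st.st_mode):
        return None
    if stat.S_ISDIR(st.st_mode):
        return DIR_MODE
    if os.path.basename(path) == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE


def audit_permissions(root):
    """Walk a WordPress tree and return (path, current_mode, expected_mode) for every deviation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat so a symlink is not followed
            want = expected_mode(path, st)
            have = stat.S_IMODE(st.st_mode)
            if want is not None and have != want:
                findings.append((path, have, want))
    return findings


def fix_permissions(root):
    """Apply the expected modes from audit_permissions; returns the number of paths changed."""
    findings = audit_permissions(root)
    for path, _have, want in findings:
        os.chmod(path, want)
    return len(findings)


def build_demo_tree():
    """Constructed sample tree with deliberately loose permissions (not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o777)   # world-writable directory
    for name, mode in (("index.php", 0o666),            # world-writable file
                       ("wp-config.php", 0o644),        # world-readable credentials
                       ("wp-load.php", 0o644)):         # correct, should not be flagged
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, have, want in audit_permissions(root):
        print(f"{path}: {have:o} -> should be {want:o}")
    changed = fix_permissions(root)
    print(f"fixed {changed} paths; remaining issues: {audit_permissions(root)}")
```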
Assign the right user roles (limit access)
Give people only the access they need. WordPress user roles determine what each person can do once they log in—what menus they see, what actions they can take, and what parts of your dashboard they can touch.
Here’s how the core roles differ:
- Administrator: has full control over the site, including users, settings, plugins, themes, and content
- Editor: manages all content and comments but can’t change site settings or install plugins
- Author: creates, edits, and publishes their own posts only
- Contributor: writes and edits drafts but can’t publish or upload files
- Subscriber/Viewer: profile or content viewing only
Assign these roles based on responsibility. For example, reserve Administrator access for one or two trusted owners or developers; Editor access for content leads; and Contributor access for writers who need review. This way, you avoid over-permissioned accounts that introduce risks such as accidental or malicious changes.
It also keeps your workflow efficient and your site secure by limiting who can install plugins, adjust settings, or access sensitive areas of the dashboard. For full security, you need to manage file permissions separately.
Monitor site activity
Know what’s changing, and by whom, so you can catch suspicious behavior early and roll it back fast. Track WordPress site activities, including logins, role changes, content edits, plugin installs, and theme changes.
You don’t need technical skills. These plugins record and display activity logs for you:
- WP Activity Log: tracks logins, content edits, plugin/theme changes, and more, with real-time alerts and detailed reports
- Activity Log: logs key site actions so you can quickly spot unusual behavior
- Simple History: keeps a clean, easy-to-scan history of updates, logins, and installs
Choose one to enable and review it regularly. When you monitor activity, you can confirm that only trusted WordPress users are making changes and detect attempts to gain unauthorized access. Sudden spikes in failed login attempts, unexpected role changes, or unknown file edits can signal a security issue before serious damage occurs. The earlier you detect abnormal behavior, the easier it is to contain.
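The plugins above log activity inside WordPress; the same brute-force signal described under "Limit login attempts" is also visible in the web server's access log. As an added example (not from the article or any of those plugins), this Python script flags sources that POST repeatedly to the login endpoints (wp-login.php and xmlrpc.php) within a short window. The log lines and IP addresses are constructed, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
WATCHED = {"/wp-login.php", "/xmlrpc.php"}   # endpoints that bots hammer with credential guesses

# Constructed sample log (documentation IP ranges, not real traffic):
# 203.0.113.7 fires six login POSTs in 13 seconds, 198.51.100.23 probes xmlrpc.php three times,
# 192.0.2.10 is a normal admin login (one GET, one POST that redirects with 302 on success).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2026:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2026:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2026:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2026:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2026:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string (e.g. ?action=lostpassword)
    rec["status"] = int(rec["status"])
    return rec


def find_login_floods(lines, threshold=5, window_seconds=300):
    """Return {ip: {path: peak_count}} for sources that POST to a watched endpoint at least
    `threshold` times inside any `window_seconds` span (sliding window per ip/path)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED:
            events[(rec["ip"], rec["path"])].append(rec["time"])
    flagged = {}
    for (ip, path), times in events.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1                       # slide the window start forward
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged.setdefault(ip, {})[path] = peak
    return flagged


if __name__ == "__main__":
    for ip, paths in find_login_floods(SAMPLE_LOG.splitlines()).items():
        for path, count in paths.items():
            print(f"{ip}: {count} POSTs to {path} within the window")
```

Failed wp-login.php attempts return 200 (the form is re-rendered with an error) while a successful one redirects with 302, so the status field lets you separate the two if you extend the rule.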
Limit the use of third-party plugins and themes
Most WordPress plugins and themes are third-party add-ons. They expand what WordPress can do, but every add-on you install becomes another piece of code you’re choosing to trust.
Keep your site lean. Install only what you actively use and delete the rest. Too many plugins can slow down your site and increase security vulnerabilities, especially if they are outdated or come from unreliable sources.
If you do need extra protection, choose a reputable security plugin that is actively maintained and widely used. Do the same for design by picking a secure WordPress theme from a trusted source. Fewer, better tools reduce what can be exploited in your hosting environment.
Keep these in mind before you add anything:
- Use a built-in WordPress feature if it already solves the problem.
- Pick a well-maintained plugin or theme from a reputable source.
- If the feature is critical and highly specific, consider a custom solution rather than stacking additional add-ons.
Fewer, actively maintained extensions mean faster pages, fewer security gaps, and smoother updates.
Change the default WordPress login URL
By default, all WordPress users share the same WP login URL (like yourwebsite.com/wp-login.php or yourwebsite.com/wp-admin). Attackers know that, so bots routinely hammer those URLs with automated login attempts.
Changing your login URL won’t break your site. You’ll still log in the same way—just through the new link. It simply makes your login page harder to find for anyone who shouldn’t be there.
Here’s how you can change your default WordPress login URL:
- Install the WPS Hide Login plugin from the WordPress plugin directory.
- In your dashboard, go to Settings.
- Select WPS Hide Login and enter a new login URL (for example: yourwebsite.com/myaccesspage).
- Click Save.
Store this new link in a password manager (or a private notes app) so you don’t lose or accidentally share it.
Automatically log out idle users
Leaving a session open on a shared or public device can be risky. Automatically logging out inactive user accounts prevents unauthorized access when someone forgets to log out.
Here’s how you can set it up:
- Install the Inactive Logout plugin from the WordPress plugin directory.
- In your dashboard, go to Settings > Inactive Logout.
- Set the Idle Timeout duration (e.g., 15 minutes).
- Customize the Logout Message if desired.
- Save your changes.
This logs users out after a period of inactivity to protect their accounts.
Add CAPTCHA to forms
CAPTCHA is the small checkbox (“I’m not a robot”) or simple puzzle that helps confirm a real person is submitting a form.
Without it, automated bots can spam comments, flood contact forms with junk messages, and repeatedly try passwords on your login page.
Add CAPTCHA to contact forms, comments, login, and registration. It adds an extra step for users, but they get a safer, more reliable experience. For you, it means fewer spam messages, fewer automated attacks, and less time cleaning up junk.
Disable XML-RPC if you don’t need it
WordPress enables XML-RPC by default. This built-in feature lets you manage your site from mobile devices and remote apps like the WordPress mobile app. It makes remote publishing and management easier.
However, attackers exploit XML-RPC. They abuse it to fire off rapid login attempts and send large volumes of fake requests that strain your server.
If you don’t use tools that rely on XML-RPC, disable it. Do this by installing a plugin like Disable XML-RPC, or by blocking the file in your .htaccess:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
The Order/Deny directives are Apache 2.2 syntax; Apache 2.4 only honors them while mod_access_compat is loaded, and its native equivalent inside the same Files block is Require all denied.
If you rely on the WordPress mobile app or remote publishing tools, confirm whether they require XML-RPC before disabling it. Otherwise, blocking this feature removes a common attack vector that bots use to trigger large-scale login attempts against WordPress admin accounts.
How to choose a reputable hosting provider for your WordPress website
Not all hosting is built for WordPress. Choosing a WordPress hosting provider is your first line of defense against potential cyber threats. A WordPress-specific host is designed to work smoothly with essentials like the wp-admin directory and your WordPress database, helping keep your site stable and secure.
A reputable provider should actively protect your site with built-in safeguards like malware scanning, backups, and SSL. We offer WordPress hosting with strong security measures, automatic backups, malware scanning, and expert support to help you stay protected.
Here’s what a solid hosting provider should handle:
- Scan regularly for malware
- Set up regular backups
- Activate SSL (HTTPS)
Scan regularly for malware
Choose a host that includes automatic malware scanning to detect threats early, before they affect your visitors or compromise your data. Malware can hide in your files and quietly damage your site through redirects, spam links, slowdowns, or data theft.
Turn on these automatic malware scans with alerts. Use both external scans to see what visitors and search engines see and server‑side scans to detect hidden files or database infections.
Schedule scans daily and review alerts weekly.
Set up regular backups
Choose a hosting plan that includes automatic backups and one-click restore. If your site breaks, gets hacked, or an update fails, you can restore it fast instead of rebuilding from scratch.
Back up your website files and your database. Your files contain themes, plugins, and uploads. Your database stores posts, pages, users, and settings. You need both to fully restore your site.
Regularly schedule automatic backups to an off-site location to ensure recovery is always possible. Set them daily for active sites and weekly for low-traffic sites, and always create a backup before major updates or design changes. The more recent the backup is, the less likely you are to lose critical information if something goes wrong.
Keep at least three to five recent copies and store one off-site in secure cloud storage. It’s important to store backups in a separate location from your live website. Using a plugin that stores backups off-site is safer than relying only on hosting backups. If your server fails, you will still have a clean copy.
Periodically test a restore on staging to confirm your backups actually work. Tools like Jetpack VaultPress Backup automatically create a new backup every time you make a change, which reduces the risk of losing recent updates.
Activate SSL (HTTPS)
Enable SSL (HTTPS) to encrypt traffic between your site and visitors and to align with Google’s page‑experience expectations. This protects logins, form submissions, and payment details from interception.
Choose a host that includes SSL certificates and makes HTTPS easy to turn on, often through the hosting control panel. Many reputable hosting providers use cloud proxy servers and offer free SSL certificates to keep your site secure. After enabling it, switch your WordPress site URL to HTTPS so the whole site runs securely.
Besides website security, having an SSL certificate is important for search engines like Google. Sites with SSL often rank better because search engines flag unsecured sites. An active SSL certificate also helps you meet data security standards when handling user logins, payment forms, and personal information.
What to do if your site is hacked?
Act quickly if you suspect your site has been hacked. These steps combine recommended actions and WordPress security best practices:
- Take the site offline (maintenance mode): Protect visitors first. Temporarily take the site offline or enable maintenance mode to prevent further harm while you investigate. Many hosting providers can temporarily suspend public access while allowing you to work in the backend.
- Back up the current state: Even if it’s infected, create a full backup of your files and database. This preserves evidence and helps security professionals analyze how the attack occurred. And if cleanup efforts accidentally remove important files, you still have a fallback copy.
- Change every credential and remove unknown users: Assume all credentials are compromised. Reset passwords for WordPress admin accounts, hosting control panel, SFTP or SSH, database, and email accounts linked to the site. Remove any unknown users. Rotate API keys if your site uses them. Even if attackers did not visibly create new users, they may have harvested login details for later use. For added protection, require two-factor authentication (2FA) for all admin accounts immediately.
- Check activity and monitoring logs, then scan for malware: Review recent logins and run both an external scan (what visitors and search engines see) and a server-side scan (to detect hidden files, backdoors, or database injections). Use your hosting provider’s tools or a trusted security plugin.
- Identify the entry point and clean the site: Look for outdated plugins, themes, or weak credentials that may have been exploited. Then:
  - Replace WordPress core files with fresh copies
  - Reinstall trusted themes and plugins
  - Delete unknown files
  - Remove malicious code from infected files and the database. In some cases, attackers plant hidden backdoors that allow them to regain access later. Carefully check wp-content, uploads, and database tables for unfamiliar entries.
- If available, restore from a clean backup: If you have a verified backup from before the hack, restoring it is often the fastest way to recover safely. After restoring, immediately update everything and change all passwords again to prevent reinfection.
- Update everything: Update WordPress core, themes, and plugins to the latest versions to close known vulnerabilities. Many attacks target outdated components. Applying updates ensures known security holes are patched.
- Harden your site before going live: Enable two-factor authentication, disable file editing, set safe file permissions, install or activate a web application firewall, and limit login attempts. Also, review user roles and remove unnecessary admin privileges. Limiting access reduces future risk. These are standard WordPress hardening moves.
- Fix search warnings and request review: If Google flagged or blacklisted your site, review the issue under Security and Manual Actions, fix it, and request a review. Until you request reconsideration, security warnings may continue to appear in search results.
- Reopen and monitor closely: Bring the site back online. Monitor activity logs, login attempts, and malware scans daily for the next several days. Keep daily backups and scheduled scans running.
What are common WordPress attacks?
Knowing what you’re protecting your WordPress website from makes security feel less abstract. It also helps you spot security risks faster and understand how bots and hackers can spam your site, disrupt service, or compromise your visitors’ data.
Your WordPress website faces several common threats, including:
- Brute force attacks
- Malware and malicious code
- Distributed denial of service (DDoS) attacks
- Phishing attacks
Brute force attacks
This is when hackers forcefully try to guess your login credentials. They try thousands of username/password combinations, often from other data breaches, to force a login. Even when they fail, repeated login attempts strain your server and WP-Admin.
Malware and malicious code
Malware can slip into your WordPress files or database without obvious signs. It can trigger strange redirects, slow performance, corrupt files, steal data, or even use your site to send spam.
Common examples include:
- SQL injection: attackers push harmful commands into your database to steal, modify, or delete data.
- Cross-site scripting (XSS): attackers inject scripts that run in a visitor’s browser to steal information or hijack sessions.
Distributed denial of service (DDoS) attacks
DDoS attacks flood your server with excessive traffic, slowing your site or causing it to crash. The goal is disruption, but it can also be a distraction while attackers probe for security weak points in WordPress core, plugins, themes, or server settings.
Phishing attacks
Phishing attacks trick users into giving away sensitive information through fake emails, login pages, or lookalike websites. To reduce the risk, secure your brand signals. Buy and register common domain misspellings and redirect them to your real site. Lock down similar email addresses as well to prevent scammers from impersonating your business. An SSL certificate also shows that your site is secure and reinforces trust.
Why is WordPress security important?
Because WordPress is a big target. It constantly attracts attention from hackers, so improving WordPress security isn’t optional if you want a site that’s trusted, reliable, and future-proof.
Below are concrete reasons WordPress security work pays for itself:
- Protects visitor data: Your site may collect user data—names, emails, payment details, account info, and more. Strong WordPress security reduces the risk of leaks, account takeovers, and data loss. Data breaches can also create legal and compliance issues, especially if your site handles customer transactions or personal information.
- Prevents security warnings and loss of traffic: Browsers and search engines flag your site as unsafe if it is hacked or infected with malware. These warnings reduce clicks and hurt search visibility until the issue is fixed. Even temporary warnings can damage trust and cause long-term traffic decline.
- Reduces recovery time and costs: Regular backups let you restore your site quickly instead of rebuilding from scratch. Without backups, recovery can involve manual file cleanup, database repairs, lost content, and extended downtime.
- Blocks common attacks early: A web application firewall and edge protection stop many exploit attempts and traffic floods before they strain your server. This improves security and keeps your site stable during traffic spikes or malicious bot activity.
- Lowers security risk from plugins and themes: Most WordPress hacks exploit outdated plugins, weak passwords, or over-permissioned users. Updates and least-privilege access close the most common gaps. Regularly auditing installed plugins also reduces your attack surface.
- Protects your reputation and business: A hacked site can be defaced, filled with spam, or redirected to malicious pages. Security keeps your site credible, protects conversions, and helps you maintain trust. Customers and clients are more likely to return to a secure site than one that has previously displayed security warnings.
Frequently asked questions
Yes. WordPress is secure when kept up to date and properly maintained. Most issues come from outdated plugins, weak passwords, or poor hosting.
Generally, yes. They are mostly third-party, so always check the last update date, reviews, active installs, and support before installing.
It can. WordPress is widely used, so it is a common target. You can easily minimize security risks on your site by implementing updates, using strong login credentials, and regularly scanning for malware.
The first step is to host your site with a trusted provider that offers SSL and automatic backups, like Network Solutions. Then enable 2FA, install a firewall, limit login attempts, and keep everything up to date.
Yes. Create strong passwords, use proper user roles, enable SSL, keep software up to date, enable backups, and disable file editing. Plugins add monitoring and extra protection.
No. Many free WordPress tools have security features that cover the basics. But paid tools and managed hosting add advanced firewall features, monitoring, and faster support.
Take charge of your WordPress security today
Remember that most attacks are automated. They’re not targeting you personally, but they will take advantage of any weak spot they find. Prevention matters because it protects your uptime, your data, and your reputation. It’s far easier than cleaning up a hack later.
Every small step you take makes your site stronger. Start with the basics, then build security into your routine so updates, backups, and monitoring become second nature.
We make it easier to stay protected from day one. Our managed WordPress hosting plans include automated core updates, so your site stays on a current, secure WordPress version. It also has on-demand cloud backups with quick restore options, so you can recover faster if an update fails or something goes wrong.
With these, you can secure and optimize your site with confidence. Take control of your site’s security today.