
WordPress Security Checklist: 15 Things to Do Right Now

November 20, 2025 · 7 min read · HostBible Team

Most WordPress hacks are opportunistic, not targeted. Automated scanners probe millions of sites looking for known vulnerabilities: outdated plugins, default admin usernames, weak passwords, exposed login pages. Closing these gaps doesn't require deep technical knowledge, just time and the right order of operations. Work through this checklist from top to bottom and your attack surface shrinks dramatically.

Core, plugins, and themes

1. Keep everything updated. The majority of WordPress compromises exploit known vulnerabilities in outdated plugins, vulnerabilities that have been publicly disclosed and have patches available. Attackers scan for sites running the vulnerable version and strike before site owners update. Enable automatic updates for minor versions at minimum. Review and apply major plugin updates within a week of release, ideally after testing on a staging environment first.

2. Delete unused plugins and themes. Deactivated plugins and themes still exist on disk and can be exploited even when inactive. Delete anything you don't actively use. For themes, WordPress requires one inactive theme as a fallback: keep one, delete the rest. If you have a page builder, old migration plugins, or tools from past projects sitting deactivated, remove them now.

3. Only install plugins from reputable sources. Use the official WordPress.org repository or established commercial vendors with active support. Avoid nulled (pirated) premium plugins; they are a leading malware delivery vector. A plugin offered for free that normally costs money has almost certainly been modified to include a backdoor. The "free" version costs you your site.

4. Check plugin vulnerability status. Visit wpscan.com/plugins or patchstack.com periodically and check your installed plugins for known vulnerabilities. Plugins that haven't been updated in over a year and have open vulnerability reports should be replaced with actively maintained alternatives.

Login security

5. Change the admin username. Don't use "admin" as your username. WordPress created a user with this name by default for years. Automated attacks try it first, every time. Create a new administrator account with a non-obvious username, log in with it, then delete the original "admin" account. When prompted, reassign its content to the new account.

6. Use a strong, unique password. Your WordPress admin password should be unique to WordPress, not reused from any other service. A password manager (Bitwarden, 1Password) makes this practical. Use WordPress's built-in strong password generator if you don't have a manager. A 20-character random password cannot be brute-forced in any practical timeframe regardless of what other protections you have in place.

7. Enable two-factor authentication. Install WP 2FA (free, well-maintained). After setup, every login requires your password plus a 6-digit code from your authenticator app. Even if an attacker obtains your password through a data breach, they cannot log in without your phone. Require 2FA for Administrator and Editor roles at minimum. Save the backup codes in your password manager; you'll need them if you lose your phone.

8. Limit login attempts. Install Limit Login Attempts Reloaded and configure it: 5 allowed retries, 20-minute lockout, 24-hour lockout after 4 consecutive lockouts. This converts an unlimited brute-force attack surface into a rate-limited one. The plugin also logs lockout activity, so you can see the volume and source of attack traffic against your site.

9. Change the login URL. Install WPS Hide Login to move wp-login.php to a custom URL. Set it to something non-obvious and not guessable (not /login or /wp). This doesn't replace strong passwords and 2FA; a determined attacker can find the login URL. But it eliminates the high volume of generic automated traffic targeting the default location, and your access logs become dramatically cleaner.
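Items 8 and 9 both point at the same evidence: the volume and source of login traffic in your logs. The script below is an added example, not code from this article or from either plugin, that summarises POST requests to wp-login.php and xmlrpc.php per client IP from a standard combined-format access log. The log lines inside it are constructed sample data; on a real server you would pipe in the actual log file (the /var/log/apache2/access.log path in the comment is one common location, not a given).

```shell
#!/bin/sh
# Added example (not code from the HostBible article): summarise login-endpoint
# traffic per source IP from an Apache/Nginx combined-format access log.
# The log lines below are constructed sample data, not a real server log.

SAMPLE_LOG='203.0.113.7 - - [20/Nov/2025:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Nov/2025:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.22 - - [20/Nov/2025:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1210 "-" "Mozilla/5.0"
198.51.100.22 - - [20/Nov/2025:10:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Nov/2025:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"'

# Reads access-log lines on stdin. Counts POST requests to wp-login.php and
# xmlrpc.php per client IP and prints "count ip", busiest source first.
# Field 6 is the quoted method, field 7 the request path.
login_attempts_by_ip() {
    awk '$6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Prints only the IPs that made at least $1 login POSTs: the sources worth
# comparing against the Limit Login Attempts lockout log or a firewall rule.
flag_sources() {
    login_attempts_by_ip | awk -v threshold="$1" '$1 >= threshold { print $2 }'
}

# Run against the constructed sample. On a live server pipe in the real log:
#   flag_sources 20 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | login_attempts_by_ip
printf '%s\n' "$SAMPLE_LOG" | flag_sources 3
```

GET requests to the login page are deliberately ignored: a single GET is what a legitimate user produces when loading the form, while repeated POSTs are what a credential-guessing tool produces. After moving the login URL (item 9), the count for the default path should drop to near zero, which is an easy way to confirm the change took effect.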

File and server security

10. Set correct file permissions. Files should be 644, directories 755. wp-config.php should be 440 or 400 if your server allows it. In cPanel, you can check and set permissions via File Manager. Overly permissive settings (777) allow any process on the server to write to your files, a significant risk on shared hosting.

11. Disable file editing from the dashboard. Add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php. This removes the theme and plugin file editors from wp-admin. If an attacker gains admin access (for instance, via a credential stuffing attack), this single line prevents them from injecting malicious PHP into your theme or plugin files without needing server access.

12. Block PHP execution in the uploads directory. Create a file at wp-content/uploads/.htaccess containing:

<Files *.php>
deny from all
</Files>

PHP files in the uploads directory are a classic malware hiding spot; legitimate uploads are images and documents, never PHP. This rule prevents uploaded backdoors from being executed even if they get past the uploader.

13. Disable XML-RPC if not needed. XML-RPC is a legacy remote access endpoint that's frequently abused for amplified brute-force attacks and DDoS. Most sites don't use it. Disable it via your security plugin, or add this to .htaccess:

<Files xmlrpc.php>
deny from all
</Files>

Check first that your theme, plugins, or Jetpack don't depend on it.
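Items 10 through 13 are all changes made on the server's filesystem, so they can be applied and verified together. The script below is an added example written for this checklist, not code from the article; it is not a supported tool from WordPress or any plugin. Two points in it go beyond the article's text and are assumptions you should check against your own host: the "deny from all" form shown above is Apache 2.2 syntax, and Apache 2.4 expects "Require all denied" (2.4 only honours the old form through mod_access_compat), so the script writes both under IfModule; and the uploads rule also matches .phtml, .phar and .php5, on the assumption that your host maps those extensions to the PHP handler too. The DISALLOW_FILE_EDIT line is inserted above the "That's all, stop editing!" marker, which is where WordPress expects custom constants. The demo at the end runs against a throwaway directory built with mktemp, so running it touches no real site.

```shell
#!/bin/sh
# Added example for checklist items 10-13; not code from the HostBible article.
# Usage: harden /path/to/wordpress. The demo at the end builds a constructed
# throwaway tree with mktemp, so no real installation is touched.

# Item 10: files 644, directories 755, wp-config.php 440.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 440 "$root/wp-config.php"; fi
}

# Number of paths under $1 that are still world-writable (0 means clean).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Item 11. The define goes above the "stop editing" marker (appended only if the
# marker is missing). Runs before fix_permissions: a 440 wp-config.php is read-only.
ensure_disallow_file_edit() {
    cfg="$1/wp-config.php"
    file_edit_disabled "$1" && return 0
    awk 'BEGIN { line = "define( '\''DISALLOW_FILE_EDIT'\'', true );" }
         /stop editing/ && !done { print line; done = 1 }
         { print }
         END { if (!done) print line }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

file_edit_disabled() {
    grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\)" "$1/wp-config.php" 2>/dev/null
}

# Item 12. Apache 2.4 wants "Require all denied", 2.2 "Deny from all", so both
# go under IfModule. Extensions beyond .php assume your host maps them to PHP.
block_uploads_php() {
    dir="$1/wp-content/uploads"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

uploads_php_blocked() {
    grep -q "Require all denied" "$1/wp-content/uploads/.htaccess" 2>/dev/null
}

# Item 13. Confirm first that Jetpack, the mobile apps or remote publishing
# tools on this site do not still need xmlrpc.php.
block_xmlrpc() {
    xmlrpc_blocked "$1" && return 0
    cat >> "$1/.htaccess" <<'EOF'
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

xmlrpc_blocked() {
    grep -q "<Files xmlrpc.php>" "$1/.htaccess" 2>/dev/null
}

harden() {
    ensure_disallow_file_edit "$1"
    block_uploads_php "$1"
    block_xmlrpc "$1"
    fix_permissions "$1"
}

# Constructed demo tree: a stub wp-config.php and a 777 uploads directory.
make_demo_site() {
    site="$(mktemp -d)"
    mkdir -p "$site/wp-content/uploads"
    printf '%s\n' '<?php' "define( 'DB_NAME', 'demo' );" \
        "/* That's all, stop editing! Happy publishing. */" \
        "require_once ABSPATH . 'wp-settings.php';" > "$site/wp-config.php"
    chmod 777 "$site/wp-content/uploads"
    echo "$site"
}

site="$(make_demo_site)"
harden "$site"
echo "world-writable paths left: $(count_world_writable "$site")"
rm -rf "$site"
```

Running harden a second time changes nothing, because each step checks whether its setting is already present before writing. The count_world_writable check is the one to keep in a cron job: any non-zero result means something (a plugin installer, a bad FTP client, a compromise) has loosened permissions since you last looked.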

Monitoring and backup

14. Set up automated daily backups. A backup that's one day old is a recovery option. A backup that's six months old is nearly useless: your content has changed, new vulnerabilities may have been introduced, and you'd lose months of work restoring to it. Automate daily backups with UpdraftPlus sending to Google Drive or Amazon S3. Verify the backup completed by checking the timestamp in UpdraftPlus > Settings > Existing Backups after the first scheduled run.

15. Install a security scanner and enable alerts. Wordfence (free tier) scans for malware, known vulnerabilities, and suspicious file changes. Configure email alerts: go to Wordfence > All Options > Email Alert Preferences and enable alerts for new Administrator accounts, malware detected, and core file changes. These alerts turn passive protection into active notification; you find out about a problem before Google or your visitors do.

One more: enable SSL if you haven't already

HTTPS encrypts traffic between your site and its visitors: login credentials, form submissions, session cookies. It's a Google ranking signal, a browser trust indicator, and basic protection for any site that handles user data. Your host should provide free SSL via Let's Encrypt. If they charge extra for SSL or require a support ticket to enable it, that's a red flag about the quality of the hosting. Once SSL is active, update your WordPress Address and Site Address to https:// in Settings > General, then add a server-level redirect from HTTP to HTTPS in .htaccess.
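The article tells you to add the redirect but does not show it, so here is an added example (not the article's own snippet, and not something WordPress or your host generates for you). The script prepends the redirect rules to the site's .htaccess, above the "# BEGIN WordPress" block; that ordering matters because the WordPress rules end with [L], so a redirect placed below them is skipped for most page requests. The second RewriteCond on X-Forwarded-Proto is an assumption for hosts that terminate TLS on a proxy or CDN, where Apache itself sees plain HTTP and a redirect based on %{HTTPS} alone would loop forever. The demo runs against a temporary directory built with mktemp.

```shell
#!/bin/sh
# Added example; not code from the HostBible article. Prepends an HTTP-to-HTTPS
# redirect to a site's .htaccess. Usage: ensure_https_redirect /path/to/wordpress
# The X-Forwarded-Proto condition is an assumption for hosts that terminate TLS
# on a proxy, where %{HTTPS} is "off" on the backend and the plain rule loops.

https_redirect_present() {
    grep -qF 'RewriteRule ^ https://' "$1/.htaccess" 2>/dev/null
}

ensure_https_redirect() {
    ht="$1/.htaccess"
    https_redirect_present "$1" && return 0
    # The redirect must sit above "# BEGIN WordPress": that block's rules end
    # with [L], so a redirect placed after it is skipped for most requests.
    {
        cat <<'EOF'
# Force HTTPS before the WordPress rewrite block.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

EOF
        if [ -f "$ht" ]; then cat "$ht"; fi
    } > "$ht.tmp" && mv "$ht.tmp" "$ht"
}

# Constructed demo: a .htaccess that already holds the standard WordPress block.
make_demo_site() {
    site="$(mktemp -d)"
    printf '%s\n' '# BEGIN WordPress' '<IfModule mod_rewrite.c>' 'RewriteEngine On' \
        'RewriteRule ^index\.php$ - [L]' 'RewriteCond %{REQUEST_FILENAME} !-f' \
        'RewriteCond %{REQUEST_FILENAME} !-d' 'RewriteRule . /index.php [L]' \
        '</IfModule>' '# END WordPress' > "$site/.htaccess"
    echo "$site"
}

site="$(make_demo_site)"
ensure_https_redirect "$site"
cat "$site/.htaccess"
rm -rf "$site"
```

After applying it, load the site over plain http:// and confirm you get a single 301 to the https:// address rather than a redirect loop or a plain-HTTP page; if you see a loop, your host is proxying TLS and the forwarded-protocol header it sets may have a different name, which is the one assumption in the rules above you would need to adjust.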

Daily backups and free SSL on every plan

HostBible includes automated daily backups, free SSL, and server-level malware protection as standard. Items 14 and 15 checked off before you log in for the first time.
