Posted 9:13 pm in Beginner’s Guide, Site Maintenance Basics

How to Keep Your WordPress Site Safe (2026 Beginner Guide)

Learn how to secure your WordPress site in 2026. This beginner guide covers updates, strong passwords, 2FA, security plugins, automated backups, and login protection — no technical skills required.

Close-up of a laptop displaying cybersecurity text, emphasizing digital security themes.

WordPress powers over 43% of the web, which makes it the most popular platform on the internet, and, inevitably, the most targeted one. Hackers do not wait for your site to become successful before they start probing it for weaknesses. An unprotected WordPress site can be compromised within hours of going live. The good news is that protecting your WordPress site does not require technical expertise or expensive services. With the right habits and the right plugins, you can secure your site in an afternoon, and keep it secure with minimal ongoing effort. This guide covers everything a beginner needs to know about WordPress security in 2026, written in plain language with no command-line instructions required.


Why WordPress Sites Get Hacked

Understanding why WordPress sites get hacked is the first step to preventing it. The answer is almost always one of three things: outdated software, weak credentials, or poorly coded plugins and themes. Let us break each one down.

Outdated WordPress core, plugins, or themes are the leading cause of compromised sites. Every piece of software has vulnerabilities, bugs that can be exploited to gain unauthorized access. When these vulnerabilities are discovered, the developer releases an update to patch them. If you do not apply the update, your site remains vulnerable even after the fix is publicly available. And once a vulnerability is publicly known, automated bots scan millions of sites looking for unpatched installations.

Weak or reused passwords are the second most common cause. Brute-force attacks use bots to try thousands of username and password combinations per minute against your login page. If your password is “password123” or your username is “admin”, you are a target. If you reuse passwords across multiple services and one of those services is breached, attackers will try those same credentials on your WordPress site.

Nulled plugins and themes, pirated copies of premium products distributed for free on shady websites, are another common attack vector. These files are often modified to include malicious code that creates backdoors into your site. No premium plugin is worth downloading from a source that is not the official developer.

If you are just getting started with WordPress, our complete WordPress beginner guide walks through the proper setup process, including choosing reputable plugins and themes from trusted sources.


Step 1: Keep Everything Updated

WordPress core, plugins, and themes must be updated promptly. This is not optional: it is the single most important thing you can do for your site’s security. According to Wordfence’s 2025 Security Report, over 60% of hacked WordPress sites were running outdated software at the time of the breach.

How to Update WordPress Core

When a WordPress update is available, you will see a notification in your dashboard. Go to Dashboard > Updates to apply it. Major updates (5.x to 6.x) occasionally require compatibility testing if you use heavily customized themes or plugins. Minor updates (6.7.1 to 6.7.2) are security and maintenance releases that are always safe to apply immediately.

Enable Automatic Updates

WordPress allows you to enable automatic background updates for minor core releases, plugins, and themes. For most beginners, enabling automatic updates for minor core releases and trusted plugins is a smart default. Go to Dashboard > Updates and look for the automatic updates options. Alternatively, in your plugin list, find the “Auto-updates” column and enable it for security-critical plugins like your security plugin and SEO plugin.

Test Before Major Updates (Optional but Smart)

For major WordPress version updates or updates to complex plugins like WooCommerce or your page builder, it is worth testing on a staging environment first. Many managed WordPress hosts include one-click staging environments. If your host does not, a plugin like WP Staging creates a local copy of your site to test updates before applying them to the live site. This step is optional for simple blogs but important for business sites with complex functionality.


Step 2: Use Strong, Unique Passwords

Every WordPress account (administrator, editor, author) should use a strong, unique password. “Strong” means at least 16 characters, mixing uppercase and lowercase letters, numbers, and symbols. “Unique” means you do not use the same password for any other account, anywhere.

Managing unique passwords for every account sounds daunting, but a password manager makes it effortless. Tools like Bitwarden (free and open source), 1Password, or Dashlane generate and store passwords for you. You only need to remember one master password. This is not optional good practice; it is essential digital hygiene in 2026.

Change the Default Admin Username

WordPress used to default to “admin” as the username for the first account. Many older sites still use it. Attackers specifically target “admin” in brute-force attacks because they already know half the credentials. If your main account username is “admin”, create a new administrator account with a different username, log in as that new account, and delete the old admin account. This takes 10 minutes and eliminates a significant vulnerability.

Limit User Roles

Each user on your WordPress site should have only the permissions they need and no more. Editors do not need administrator access. Guest contributors do not need editor access. Audit your user list periodically and revoke access for accounts that are no longer active. Go to Users > All Users to review who has access to your site and at what permission level.


Step 3: Enable Two-Factor Authentication

Two-factor authentication (2FA) adds a second verification step after your password. Even if an attacker obtains your password, they cannot log in without also having access to your second factor, typically a time-sensitive code generated by an app on your phone.

In 2026, 2FA is table stakes for any account that controls significant data or functionality. Your WordPress admin account qualifies. Enabling 2FA is one of the most effective single steps you can take to prevent unauthorized access.

How to Enable 2FA on WordPress

Two-factor authentication is not built into WordPress core. You need a plugin to add it. The most popular options:

  • Wordfence: Includes 2FA in its free version for administrator accounts. Uses authenticator apps like Google Authenticator, Microsoft Authenticator, or Authy.
  • Solid Security (formerly iThemes Security): Includes 2FA with support for authenticator apps and email-based codes.
  • WP 2FA: A dedicated 2FA plugin with support for authenticator apps, email, and SMS (via third-party services).

The authenticator app method is more secure than email-based codes. Install Google Authenticator or Authy on your phone, scan the QR code from your WordPress 2FA plugin, and you are set up in under two minutes.


Step 4: Install a WordPress Security Plugin

A dedicated security plugin acts as a firewall, intrusion detection system, and security scanner for your WordPress site. It blocks suspicious traffic before it reaches WordPress, monitors for file changes that might indicate a compromise, and alerts you to known vulnerabilities in your installed plugins and themes.

Our detailed roundup of best WordPress security plugins covers the options in depth. For beginners, the two most widely used and most capable free options are Wordfence and Solid Security.

Wordfence Security

Wordfence is the most popular WordPress security plugin with over 5 million active installations. The free version includes:

  • Web Application Firewall (WAF) that filters malicious requests.
  • Malware scanner that checks core files, plugins, and themes against a known-clean database.
  • Login security including 2FA, login attempt limiting, and CAPTCHA protection.
  • Live traffic monitoring showing you who is visiting your site and whether suspicious bots are being blocked.
  • Email alerts for critical security events.

The only limitation of the free version is that firewall rules are updated 30 days behind the Wordfence Premium subscription. Premium customers get the latest firewall rules in real time. For a new site, the free version is more than adequate.

Solid Security (formerly iThemes Security)

Solid Security takes a different approach, focusing on hardening your WordPress configuration rather than active traffic filtering. Key free features include:

  • Site Scan that checks for known vulnerabilities in your plugins and themes.
  • Login protection with brute-force lockouts and 2FA.
  • User action logging so you can see what changes are made and by whom.
  • File change detection.
  • Database backups.

Solid Security is a good choice if you prefer a configuration-first approach. Run through the Security Check Wizard after activation; it automatically applies the most important hardening settings for your site.


Step 5: Set Up Automated Backups

Backups are your last line of defense. If everything else fails, if your site is hacked, a plugin update breaks something, or your host experiences a catastrophic failure, a recent backup means you can restore your site to a working state. Without backups, a serious incident can mean losing everything you have built.

What Needs to Be Backed Up

A complete WordPress backup consists of two parts:

  • The database: Contains all your content, posts, pages, comments, users, settings, and plugin data. This is the most critical part.
  • The files: Your WordPress installation files, theme files, plugin files, and the uploads directory (your images and media).

A backup of just the database is not sufficient to fully restore your site. A backup of just the files is not sufficient either. You need both.

Using UpdraftPlus

UpdraftPlus is the most popular WordPress backup plugin with over 3 million active installations. The free version lets you:

  • Schedule automated backups on daily, weekly, or fortnightly schedules.
  • Store backups remotely in Google Drive, Dropbox, Amazon S3, or other cloud storage services.
  • Restore your entire site with a single click from the UpdraftPlus admin page.
  • Keep multiple backup copies (configure how many to retain).

After installing UpdraftPlus, go to Settings > UpdraftPlus Backups and configure: your backup schedule (daily is recommended), your remote storage destination, and how many backups to keep (7 is a reasonable number for daily backups). Then run your first manual backup immediately to confirm everything is working.

Do Not Rely on Host Backups Alone

Many hosting providers include backup features in their plans, and these are useful. But they are not a substitute for your own backup system. Host backups are controlled by the hosting company; if your hosting account is compromised, your backups might be too. Off-site backups stored in Google Drive or Dropbox under your own account are independent of your hosting environment and therefore safer in catastrophic scenarios.


Step 6: Protect Your Login Page

The WordPress login page at /wp-login.php and /wp-admin/ is the most attacked part of any WordPress site. Brute-force bots probe these URLs constantly, trying to guess admin credentials. Several defenses work in combination:

Limit Login Attempts

By default, WordPress allows unlimited login attempts. A security plugin like Wordfence or Solid Security limits failed login attempts and temporarily blocks IP addresses that exceed the threshold. This stops brute-force attacks dead. Configure your security plugin to lock out an IP after 5–10 failed attempts and to permanently block IPs with a high number of lockouts.

Add CAPTCHA to the Login Form

A CAPTCHA challenge on the login form stops bots before they even attempt to guess credentials. Both Wordfence and Solid Security support Google reCAPTCHA or hCaptcha on the login page. Enabling this requires getting a free API key from Google or hCaptcha, but the setup takes about five minutes.

Consider Changing the Login URL

The default WordPress login URL is well-known. A plugin like WPS Hide Login lets you change it to anything you choose (e.g., yoursite.com/my-private-login). This is security through obscurity and does not replace other measures, but it does significantly reduce the volume of automated login attempts because most bots scan for the default URL.
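To show what “limit login attempts” actually does behind the scenes, here is an added example (not the guide’s code and not taken from Wordfence, Solid Security or any other plugin): a small must-use plugin that counts failed logins per IP address and refuses authentication from that address once the threshold is reached. The file name, the LOCKOUT_* constants and the lockout_* helpers are assumptions; the hooks and transient functions are standard WordPress APIs.

```php
<?php
/*
 * Plugin Name: Example Login Lockout (illustration only)
 * Drop this file into wp-content/mu-plugins/ to see how a per-IP lockout
 * works. Hypothetical names: the constants and lockout_* helpers are ours.
 */

const LOCKOUT_MAX_ATTEMPTS     = 5;        // lock after this many failures
const LOCKOUT_WINDOW_SECONDS   = 15 * 60;  // failures are counted within this window
const LOCKOUT_DURATION_SECONDS = 30 * 60;  // how long the IP stays locked out

function lockout_client_ip(): string {
    // Assumes WordPress talks to the browser directly. Behind a proxy or CDN,
    // REMOTE_ADDR is the proxy's address; only then trust X-Forwarded-For,
    // and only when it was set by that proxy.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lockout_key(string $ip, string $suffix): string {
    // Transient names are length-limited, so hash the IP instead of embedding it.
    return 'lockout_' . $suffix . '_' . md5($ip);
}

function lockout_is_locked(string $ip): bool {
    return (bool) get_transient(lockout_key($ip, 'locked'));
}

// Count each failed login. WordPress fires this for a wrong username or a
// wrong password; the transient expires on its own after the window.
add_action('wp_login_failed', function ($username): void {
    $ip = lockout_client_ip();
    if (lockout_is_locked($ip)) {
        return;                              // already locked, nothing to count
    }
    $key   = lockout_key($ip, 'fails');
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, LOCKOUT_WINDOW_SECONDS);
    if ($fails >= LOCKOUT_MAX_ATTEMPTS) {
        set_transient(lockout_key($ip, 'locked'), time(), LOCKOUT_DURATION_SECONDS);
        delete_transient($key);
        // Log only the address, not the attacker-controlled username.
        error_log("login lockout: $ip after $fails failed attempts");
    }
});

// Refuse authentication while the IP is locked. Priority 30 runs after the
// core username/password and email checks (priority 20), so even a correct
// password cannot get past the lockout.
add_filter('authenticate', function ($user, $username, $password) {
    if (lockout_is_locked(lockout_client_ip())) {
        return new WP_Error('too_many_attempts',
            'Too many failed login attempts from your address. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that IP.
add_action('wp_login', function (): void {
    delete_transient(lockout_key(lockout_client_ip(), 'fails'));
});
```

A real plugin adds what this omits: lockout notifications, an allowlist for your own address, and correct handling of proxied IPs.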


Step 7: Install SSL and Force HTTPS

SSL (Secure Sockets Layer) encrypts the connection between your website and your visitors’ browsers. An SSL certificate makes your site accessible via https:// instead of http://, and displays the padlock icon in the browser address bar. Google has used HTTPS as a ranking signal since 2014 and marks HTTP sites as “Not Secure” in Chrome.

In 2026, every reputable hosting provider includes a free SSL certificate via Let’s Encrypt. If your host offers a one-click SSL install in your control panel, use it. If your site is already on HTTPS, verify that all traffic is redirected from HTTP to HTTPS. Your SEO plugin (Rank Math or Yoast) can check for mixed content issues that arise from internal links or images still using HTTP URLs.


Step 8: Harden Your WordPress Configuration

WordPress has several configuration options that are set to convenient defaults for development but should be hardened for production sites. These are set-it-and-forget-it changes that significantly reduce your attack surface.

  • Disable the file editor: WordPress includes a built-in editor for theme and plugin files in the dashboard. If an attacker gains admin access, they can use this editor to inject malicious code. Disable it by adding define('DISALLOW_FILE_EDIT', true); to your wp-config.php file, or use Solid Security’s one-click hardening to do this automatically.
  • Hide the WordPress version number: The WordPress version number is included in your site’s HTML head section by default. Attackers can use this to target sites running vulnerable versions. Your SEO or security plugin can remove this.
  • Protect wp-config.php: The wp-config.php file contains your database credentials and security keys. Add rules to your .htaccess file to prevent direct access, or use Solid Security’s file permission tools to handle this automatically.
  • Disable XML-RPC if not needed: XML-RPC is a remote access protocol included in WordPress that is rarely needed by most sites but is a common brute-force attack target. Disable it in your security plugin settings unless you use the Jetpack plugin or a mobile app that requires it.
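As an added example (not the guide’s own code and not from Solid Security or any other plugin), this must-use plugin applies the hardening items above through standard WordPress hooks and also switches on the automatic updates recommended in Step 1. The file name and its mu-plugins location are assumptions; the constants, filters and actions are the ones WordPress core provides.

```php
<?php
/*
 * Plugin Name: Example Hardening (illustration only)
 * Place this file in wp-content/mu-plugins/; it loads before regular plugins
 * and cannot be deactivated from the dashboard.
 */

// Step 8: disable the theme/plugin file editor. The guide puts this define in
// wp-config.php, which also works; an mu-plugin loads before the dashboard
// reads the constant, and a wp-config.php definition takes precedence here.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Step 8: stop publishing the WordPress version in the HTML head and in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Step 8: turn off XML-RPC unless Jetpack or a mobile app needs it, and stop
// advertising the endpoint (RSD link in the head, X-Pingback response header).
add_filter('xmlrpc_enabled', '__return_false');
remove_action('wp_head', 'rsd_link');
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Step 1: automatic updates for minor core releases plus all plugins and
// themes. Delete the last two lines to keep plugin and theme updates manual.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');
```

Protecting wp-config.php from direct web requests is a web-server setting (an .htaccess rule on Apache), so it is not part of this PHP file.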

What to Do If Your Site Gets Hacked

Despite best efforts, hacks do happen. Knowing what to do in the immediate aftermath reduces the damage and gets your site back online faster.

Signs Your Site May Be Compromised

  • Your site redirects visitors to a different website.
  • Google Search Console shows a “This site may harm your computer” warning or deindexes your pages.
  • Your hosting company suspends your account for malicious activity.
  • Visitors report seeing strange content or ads they did not expect.
  • Your security plugin alerts you to unauthorized file changes or new admin accounts.
  • Your site is loading abnormally slowly or crashing frequently.

Immediate Response Steps

  1. Put your site in maintenance mode to prevent visitors from encountering the malicious content while you clean up.
  2. Restore from a clean backup if you have a recent one. This is the fastest path to a clean site. Change all passwords immediately after restoring.
  3. Scan with Wordfence: Run a full scan to identify modified files and malicious code. Wordfence can automatically repair core WordPress files and flag suspicious additions.
  4. Change all passwords: WordPress admin accounts, FTP/SFTP access, database access, and your hosting control panel. All of them.
  5. Update everything: Apply all available updates to WordPress core, plugins, and themes. Remove any plugins or themes you do not actively use.
  6. Request a Google review: If Google flagged your site, submit a review request in Search Console after cleaning the site to have the warning removed.

If you cannot identify and clean the infection yourself, professional malware removal services like Sucuri or Malcare can clean a compromised site for $199–$299. This is often worthwhile for business sites where every hour of downtime has direct revenue implications.


WordPress Security Checklist for Beginners

Use this checklist when setting up a new WordPress site or auditing an existing one:

  • ☐ WordPress core is updated to the latest version.
  • ☐ All plugins and themes are updated.
  • ☐ Admin username is not “admin”.
  • ☐ Admin password is strong and unique (16+ characters).
  • ☐ Two-factor authentication is enabled for admin accounts.
  • ☐ Security plugin (Wordfence or Solid Security) is installed and configured.
  • ☐ Login attempt limiting is enabled.
  • ☐ Automated backups are configured and stored off-site.
  • ☐ SSL certificate is active and HTTPS is forced.
  • ☐ File editor is disabled in wp-config.php.
  • ☐ Unused plugins and themes are deleted (not just deactivated).
  • ☐ User accounts are audited, no unnecessary admin access.

Frequently Asked Questions About WordPress Security

Do I really need a security plugin?

Yes. WordPress does not include firewall protection, brute-force defense, or malware scanning out of the box. A security plugin like Wordfence or Solid Security adds all of these critical protections. Both have robust free versions that are more than sufficient for most sites. The time investment to install and configure one is around 30 minutes, and it is one of the highest-value things you can do for a new WordPress site.

How often should I back up my WordPress site?

For a site with regular content updates (daily or multiple times per week), back up daily. For sites updated less frequently (once a week or less), weekly backups are generally sufficient. Always back up manually before applying major updates or making significant changes to your site.

Is free WordPress hosting safe?

Free hosting typically means shared servers with minimal security controls, no guaranteed backups, and limited support if something goes wrong. For a serious site, even a personal blog you care about, investing $5–15/month in reputable hosting is worth it for the security, performance, and reliability improvements.

Can I use two security plugins at once?

No. Running two security plugins simultaneously often causes conflicts, duplicate processing, and false positives. Pick one and configure it properly. Wordfence is the most comprehensive all-in-one option. Solid Security is better for users who prefer a configuration checklist approach.

What is the difference between security and backups?

Security tools prevent and detect attacks. Backups allow you to recover if an attack succeeds despite your security measures. You need both. Security without backups leaves you vulnerable to unrecoverable loss. Backups without security mean more frequent incidents requiring restoration. They are complementary, not alternatives.


Final Thoughts: Security Is Ongoing, Not One-Time

Setting up WordPress security correctly is a meaningful investment that pays dividends for as long as your site exists. The steps in this guide (keeping software updated, using strong passwords with 2FA, installing a security plugin, backing up regularly, and hardening your configuration) cover the vast majority of real-world attack vectors.

Most security incidents on WordPress sites are not the result of sophisticated targeted attacks. They are the result of preventable negligence: an unpatched plugin, a reused password, no backups. Fix those first, and you have already outpaced the security posture of most WordPress sites on the internet.

Many WordPress mistakes, including security oversights, stem from not knowing what to prioritize when you are starting out. Our guide to common WordPress mistakes and how to avoid them covers the broader picture of site management decisions that beginners often get wrong, and is worth reading alongside this security guide.

Security is not a destination. It is a habit. Check your updates weekly, review your security plugin alerts regularly, and test your backup restoration process every few months to confirm it works. These small, consistent habits are what separate sites that stay secure from those that end up compromised.


Last modified: March 21, 2026
