WordPress powers a huge share of the web, which makes it a constant target. The good news is that the overwhelming majority of WordPress compromises exploit a small, predictable set of weaknesses, and almost all of them are preventable. This WordPress security hardening checklist walks through the steps that actually move the needle in 2026, roughly in priority order.

TL;DR

  • Vulnerable and outdated plugins and themes are the single biggest WordPress attack vector; disciplined updates and removing unused code matter more than anything else
  • Strong authentication (unique admin usernames, strong passwords, two-factor, login rate limiting) closes the second most common door
  • Harden wp-config.php, file permissions, and the REST API / XML-RPC surface, and put a WAF in front of the site
  • Back up regularly and test restores; a good backup is what turns a breach into an inconvenience rather than a disaster

1. Keep Core, Plugins and Themes Updated

Outdated plugins and themes are the number one way WordPress sites get hacked. Every plugin is third-party code running with access to your site.

  • Enable automatic updates for WordPress core (minor releases at minimum).
  • Update plugins and themes promptly, ideally on a schedule with a staging test.
  • Remove plugins and themes you do not use. Deactivated is not enough; deleted is safe.
  • Only install plugins from reputable sources with an active maintenance history.
  • Watch for abandoned plugins; unmaintained code is a liability even if it still works.

2. Lock Down Authentication

Brute-force and credential attacks against wp-login.php are relentless.

  • Never use admin as a username. Use a unique administrator name.
  • Enforce strong, unique passwords for every account.
  • Enable two-factor authentication (2FA) for all admin and editor accounts.
  • Limit login attempts and add rate limiting to block brute-force attempts.
  • Consider changing or protecting the login URL and adding a CAPTCHA challenge.

3. Apply Least-Privilege User Roles

  • Give each user the lowest role that lets them do their job. Not everyone needs to be an administrator.
  • Audit user accounts regularly and remove ex-staff and unused logins.
  • Review roles after installing plugins that add custom capabilities.

4. Harden wp-config.php

wp-config.php holds your database credentials and secret keys, so it deserves special attention.

  • Set unique authentication keys and salts.
  • Disable the built-in file editor: define('DISALLOW_FILE_EDIT', true); so an attacker who gains admin access cannot edit theme and plugin code from the dashboard.
  • Move wp-config.php one level above the web root where the hosting setup allows it, and restrict its file permissions.
  • Keep WP_DEBUG disabled in production so errors do not leak information.

5. Set Correct File and Directory Permissions

  • Directories 755, files 644 as a standard baseline; never use 777.
  • Ensure the web server user owns the files but cannot write where it does not need to.
  • Protect sensitive files and disable directory browsing.

6. Reduce the Attack Surface: XML-RPC and REST API

  • Disable XML-RPC if you do not use it; it is a common brute-force and DDoS amplification vector.
  • Restrict or authenticate the REST API where it exposes data you do not want public.
  • Remove the WordPress version number and other unnecessary information disclosure from page output.

7. Put a WAF and HTTPS in Front

  • Serve the entire site over HTTPS and redirect all HTTP traffic.
  • Add security headers (HSTS, X-Content-Type-Options, X-Frame-Options or a frame-ancestors Content-Security-Policy, and a CSP where practical).
  • Use a Web Application Firewall. A CDN-level WAF such as Cloudflare filters malicious traffic before it reaches WordPress and absorbs bot and DDoS pressure.

8. Database and Hosting Hardening

  • Use a non-default database table prefix on new installs.
  • Use a dedicated database user with only the privileges WordPress needs.
  • Keep PHP on a supported, current version; end-of-life PHP is a silent risk.
  • Choose hosting that isolates sites and patches the server stack.

9. Monitoring, Backups and Recovery

  • Run malware and file-integrity scanning so unexpected changes are detected quickly.
  • Enable security logging so you can see login attempts and changes.
  • Take regular, automated backups stored off the server, and test restoring them. An untested backup is a hope, not a plan.

Key Takeaways

  • The biggest wins are unglamorous: update everything, remove unused plugins and themes, and enforce strong authentication with 2FA.
  • Harden wp-config.php, file permissions, and the XML-RPC / REST API surface to shrink the attack surface.
  • Put HTTPS, security headers, and a WAF in front of the site.
  • Back up regularly and test restores so a breach is recoverable.

Professional WordPress Security Hardening

A checklist gets you most of the way, but WordPress security hardening still benefits from expert eyes. A WordPress security audit reviews every plugin and theme, tests authentication and access, and checks wp-config.php, the database, and the REST API and XML-RPC surface, producing a prioritised hardening plan. For the wider picture across your whole site and stack, see the website security audit guide for UK businesses . If your site needs ongoing development and maintenance alongside hardening, a WordPress developer for hire can keep it secure over time.

Frequently Asked Questions (FAQ)

What is the most common way WordPress sites get hacked? Vulnerable and outdated plugins and themes. Third-party plugin code is the single biggest attack vector, which is why prompt updates and removing unused plugins matter more than almost anything else.

Do I really need a security plugin? A reputable security plugin helps with malware scanning, login limiting, and monitoring, but it is not a substitute for the fundamentals: updates, strong authentication, least-privilege roles, and a WAF. Layer it on top of good hygiene, not instead of it.

Should I disable XML-RPC? If you do not use it (for example for the mobile app or certain integrations), yes. XML-RPC is frequently abused for brute-force and DDoS amplification, so disabling it removes a common attack surface.

How often should I back up my WordPress site? Frequently enough that you could not lose meaningful data, typically daily for active sites, stored off the server. Crucially, test your restores; a backup you have never restored is unproven.

Is Cloudflare enough to secure WordPress? A CDN-level WAF like Cloudflare filters a lot of malicious traffic and absorbs bot and DDoS pressure, but it does not fix vulnerable plugins, weak passwords, or misconfiguration. Use it as one layer alongside on-site hardening.