WordPress powers more than 40% of all websites on the internet — a statistic that explains both its popularity and why it's the most heavily targeted platform by automated attack tools. Most compromised WordPress sites weren't victims of some sophisticated exploit. They were running outdated software, using pirated plugins with backdoors baked in, or securing admin accounts with weak passwords. These are problems you can fix before anything goes wrong. Security isn't a one-time setup task — it's an ongoing maintenance habit. The ten steps below are ordered by priority. For a new site, work through them in sequence. For an existing site, start wherever makes sense.
Step One: Stay Updated — the Cheapest Security You Can Buy
The WordPress core team, along with theme and plugin developers, continuously discovers and patches security vulnerabilities in new releases — but those fixes only protect you if you actually install them. A lot of compromised sites, when examined after the fact, are found running software that was months or even years out of date.
Build a fixed update routine: log into your dashboard once a week, check for updates, and run them. Before updating, do a full backup (see Step Seven) — if a plugin conflict causes a white screen, you can restore immediately. WordPress 5.6 and later supports automatic background updates for the core, which you can enable in wp-config.php:
define( 'WP_AUTO_UPDATE_CORE', true );
Plugin auto-updates can be enabled individually from the Plugins page in your dashboard. That said, if your site has custom development or depends on specific plugin versions, manual update control is safer — when auto-updates cause something to break, troubleshooting gets harder.
Step Two: Account Security — Passwords, Usernames, and Two-Factor Authentication
Brute-force attacks are among the most common attack vectors, and the defense is straightforward: make guessing credentials difficult enough that automated tools give up.
Username: Don't use admin or administrator as your admin account name — these are the first words any attack tool tries. If your site was built with that username, create a new admin account with a different name, reassign your content to it, and delete the original admin account.
Password: At least 16 characters, mixing uppercase, lowercase, numbers, and special characters. Let WordPress's built-in password generator create one, save it in a password manager (1Password or Bitwarden both work), and avoid anything connected to your brand name, domain, or dates.
Two-factor authentication (2FA): This is currently the most effective account protection available — even if a password is compromised, an attacker can't get in without the verification code on your phone. Wordfence Login Security or the Two-Factor plugin both handle this well, with setup taking about 10 minutes. Strongly recommended for every admin account on the site.
Step Three: HTTPS — Enable It Across the Entire Site, No Exceptions
Let's Encrypt certificates are free, and most major hosting providers (Cloudways, Hostinger, Bluehost, and others) support one-click installation. If your site is still running on HTTP, go install it now.
After installing the SSL certificate, check two things: first, update both the WordPress Address and Site Address in your WordPress settings to use https://. Second, once you're connected to Cloudflare (Step Eight), enable Always Use HTTPS and Automatic HTTPS Rewrites to force all traffic through an encrypted connection and eliminate mixed content warnings.
Step Four: Install a Security Plugin — One Is Enough
Don't install multiple security plugins. Feature overlap aside, they'll conflict with each other and slow down your site. Pick one based on your situation:
Wordfence Security is the default choice for most WordPress sites. The free version includes a Web Application Firewall (WAF), brute-force login protection, malware file scanning, and real-time attack monitoring — solid coverage from personal blogs up to mid-size WooCommerce stores. Worth noting: Wordfence's free version firewall rules have a 30-day delay before updates reach you (the paid version gets them in real time), but for most sites this is acceptable.
Solid Security (formerly iThemes Security, rebranded in 2023) has a more user-friendly configuration interface and offers file integrity checking, database prefix modification, and login protection. It's a good fit for beginners. Its free tier includes a genuinely useful Site Scanner feature that periodically checks for known malware signatures.
Sucuri Security's free version focuses mainly on monitoring and logging. If you need stronger WAF protection, Sucuri's paid WAF service has a solid industry reputation — but the monthly cost is relatively high, making it more suitable for higher-traffic business sites.
Step Five: Limit Login Attempts
WordPress allows unlimited password attempts by default, which leaves the door open for brute-force tools. Most security plugins (Wordfence, Solid Security) have this built in — enable it and set it to lock an IP for 15–30 minutes after 5 consecutive failures. This is effective at shutting down automated attacks.
If you'd rather not install a full security plugin, Limit Login Attempts Reloaded is a lightweight plugin that handles this specific function on its own.
Step Six: Change the Default Login URL (Optional, but Worth Doing)
WordPress's default admin access points are /wp-admin and /wp-login.php — these are the first paths attack tools check when scanning a target. Changing to a non-standard path won't fix security at its root, but it filters out a large volume of automated scanning and reduces unnecessary server load.
WPS Hide Login is the most widely used plugin for this. After installing, specify a new login path in the settings — something like /my-secure-login-2026. Critical note: write down the new address immediately after changing it. If you forget the new path and don't have a fallback access method (SSH or FTP), you'll lock yourself out of your own site.
Step Seven: Backups — the Last Line of Defense Behind Everything Else
Every other security step in this list is about reducing the probability of something going wrong. Backups answer a different question: if something does go wrong, how much can you recover? These are two separate problems, and both matter.
Aim for at least three retention tiers: daily backups for the past 7 days, weekly backups for the past 4 weeks, and monthly backups for the past 3 months. Backups must include both site files and the database — database-only backups can't restore your theme or uploaded media; file-only backups can't restore orders or user data.
UpdraftPlus is the most widely used WordPress backup plugin. The free version supports scheduled automatic backups pushed to Google Drive, Dropbox, S3, and other cloud storage destinations — set it up once and it mostly runs itself. If your hosting provider already offers automatic backups (Cloudways does), it's still worth maintaining a separate UpdraftPlus backup stored in a different location. When a host has a problem, you don't want both copies going down together.
Step Eight: Connect Cloudflare
For cross-border independent stores, Cloudflare's free tier is close to a baseline requirement: global CDN, basic DDoS protection, DNS hosting, and HTTPS support — all with a real impact on both site speed and security.
After switching your domain nameservers to Cloudflare, enable these settings in the security section: Bot Fight Mode (blocks known crawlers and malicious bots), Browser Integrity Check (validates the source of incoming requests), and set the Security Level to Medium or higher. If your site encounters a DDoS attack or a sudden spike in malicious traffic, temporarily switching to Under Attack Mode tightens the filtering.
One thing worth being clear about: Cloudflare and your security plugin are complementary, not interchangeable. Cloudflare filters traffic at the network layer, blocking obvious malicious requests before they reach your server. The security plugin handles requests at the application layer, after they've entered WordPress. They operate at different levels — you need both for complete coverage.
Step Nine: Clean Up Unused Plugins and Themes
A lot of site owners underestimate the security impact here. Even a deactivated plugin still has its files sitting on the server — if there's an unpatched vulnerability in those files, an attacker can potentially exploit it by accessing the file path directly.
Every few months, go through your installed plugin list: anything you're not actively using should be fully removed (deactivate and delete — not just deactivate). For plugins you are using, check whether the developer is still maintaining them. The WordPress plugin directory shows the last update date and whether the plugin has been tested with the current version of WordPress. A plugin that hasn't been updated in two or three years and is flagged as "untested" is a risk worth eliminating.
Never use nulled (pirated) themes or plugins. Injected backdoor code is extremely common in these resources — installing them is essentially handing attackers an open door into your site, rendering every other security measure you've put in place meaningless.
Step Ten: Extra Considerations for WooCommerce Stores
If your WordPress site runs WooCommerce, everything above applies, plus a few additional areas that deserve specific attention:
Periodically review your administrator role list to confirm only the right people have admin or shop manager access. Payment plugins (Stripe, PayPal) should stay updated alongside everything else — vulnerabilities in payment-related code carry a higher risk level. Enable email notifications for orders and admin logins so anomalous activity is visible immediately. For stores with meaningful order volume, periodically check for unusual refund requests — these can sometimes be a sign that an account is being misused.
Cost Reference
| Item | Cost |
|---|---|
| WordPress core | Free |
| Domain name | ~$10–20/year |
| Hosting / VPS | ~$8–20/month (small to mid-size sites) |
| Cloudflare basic protection | Free |
| SSL (Let's Encrypt) | Free |
| Wordfence / Solid Security free tier | Free |
| UpdraftPlus basic backup | Free |
For most export-focused business sites and small to mid-size WooCommerce stores, the security configuration itself costs essentially nothing. The real investment is time — the first full setup takes roughly half a day, and once maintenance becomes routine, it's a few minutes per week checking updates and reviewing logs.
One final note: if your site does get compromised, the first move is to take the frontend offline, restore from the most recent clean backup, update all plugins and passwords, and then check your server files for any unfamiliar PHP files — pay particular attention to the wp-content/uploads directory, which is a common target for webshell injection. If your site handles payment data or user information, notifying affected users promptly isn't just the ethical thing to do — in many jurisdictions it's a legal requirement.