WordPress Security Best Practices 2026: 15 Essential Steps

Weak passwords are the #1 cause of WordPress breaches. Use passwords that are truly unguessable.

• Minimum 16 characters - Length beats complexity
• Use a password manager - 1Password, Bitwarden, or LastPass
• Unique password per site - Never reuse passwords
• Include all character types - Uppercase, lowercase, numbers, symbols

Action: Generate a new 20+ character password for your WordPress admin account today using a password manager.

2FA blocks 99.9% of automated attacks. Even if your password is compromised, attackers cannot access your account without the second factor.

• Authenticator apps - Google Authenticator, Authy, or Microsoft Authenticator
• Hardware security keys - YubiKey or similar FIDO2 devices (most secure)
• Avoid SMS-based 2FA - Vulnerable to SIM swapping attacks
• Enable for all admin users - Not just the primary account

Recommended plugins: WP 2FA, Two-Factor, or Wordfence (includes 2FA)

Outdated software is responsible for 56% of WordPress hacks. Updates patch known security vulnerabilities.

• WordPress core - Enable automatic minor updates (security patches)
• Plugins - Update within 24-48 hours of release
• Themes - Keep your active theme and one default theme updated
• PHP version - Use PHP 8.2 or higher for security and performance

Your hosting provider is your first line of defense. Cheap shared hosting puts your site at risk from other compromised sites on the same server.

• Container isolation - Each site runs in its own isolated environment
• Web Application Firewall (WAF) - Blocks malicious requests before they reach WordPress
• Automatic malware scanning - Daily scans for malicious code
• DDoS protection - Absorbs attack traffic before it impacts your site
• Automatic security updates - Patches applied without manual intervention

Action: Evaluate your current host's security features. If they don't offer container isolation and automatic updates, consider migrating.

HTTPS encrypts data between your visitors and your server, preventing eavesdropping and man-in-the-middle attacks.

• Install an SSL certificate - Free from Let's Encrypt or included with quality hosts
• Force HTTPS - Redirect all HTTP traffic to HTTPS
• Use HSTS - Tell browsers to always use HTTPS
• Check for mixed content - Ensure all resources load over HTTPS

# Add to .htaccess to force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Backups are your insurance policy. When everything else fails, a clean backup lets you recover quickly.

• Daily backups minimum - Hourly for e-commerce or high-traffic sites
• Offsite storage - Don't store backups on the same server
• Test restores regularly - A backup that doesn't restore is worthless
• 30-day retention - Keep enough history to recover from slow-spreading malware
• Include everything - Database, files, uploads, and configuration

Recommended: UpdraftPlus, BackupBuddy, or rely on your managed host's automated backups.

Brute force attacks try thousands of password combinations. Limiting login attempts blocks these automated attacks.

• Lock out after 3-5 failures - Temporary lockout for 15-30 minutes
• Permanent ban for repeat offenders - IP ban after multiple lockouts
• Whitelist your IP - Prevent locking yourself out
• Log all login attempts - Review for patterns of attack

Plugins: Limit Login Attempts Reloaded, Wordfence, or iThemes Security

Bots automatically target /wp-admin and /wp-login.php. Changing your login URL stops most automated attacks cold.

• Use a unique URL - Something only you know
• Avoid obvious alternatives - Don't use /login, /admin, or /backend
• Hide wp-admin completely - Return 404 for unauthorized access

Plugins: WPS Hide Login or iThemes Security

XML-RPC is an old protocol that allows external applications to interact with WordPress. It's also a common attack vector for brute force and DDoS attacks.

• Disable completely - Unless you need Jetpack or the WordPress mobile app
• Block via .htaccess - More effective than plugins
• Use REST API instead - Modern, more secure alternative

# Add to .htaccess to block XML-RPC

    Order Deny,Allow
    Deny from all

wp-config.php contains your database credentials and security keys. Protect it at all costs.

• Move above web root - WordPress will find it one directory up
• Set strict permissions - 400 or 440 (read-only)
• Regenerate security keys - Use the WordPress salt generator
• Disable file editing - Add define('DISALLOW_FILE_EDIT', true);

// Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true); // Also prevents plugin/theme installs

A WAF inspects incoming traffic and blocks malicious requests before they reach your WordPress installation.

• Block SQL injection - Prevents database manipulation
• Stop XSS attacks - Filters malicious scripts
• Prevent file inclusion - Blocks attempts to include malicious files
• Rate limiting - Stops brute force and DDoS attacks

Options: Cloudflare (free tier available), Sucuri Firewall, or built-in with managed hosting

Every plugin is a potential attack vector. Minimize your attack surface by using only what you need.

• Audit quarterly - Remove plugins you no longer use
• Delete, don't just deactivate - Inactive plugins can still be exploited
• Check last update date - Avoid plugins not updated in 12+ months
• Review active installs - Prefer plugins with 10,000+ active users
• Monitor vulnerability databases - WPScan, Patchstack for alerts

Your database contains everything - posts, users, settings, and potentially sensitive data.

• Change the table prefix - Don't use wp_, use something random like x7kp_
• Use a dedicated database user - With minimal necessary privileges
• Strong database password - 32+ random characters
• Disable remote database access - Only allow localhost connections

For new installs: Change the prefix during installation. For existing sites, use a plugin like Brozzme DB Prefix.

HTTP security headers tell browsers how to handle your content securely.

• Content-Security-Policy - Prevents XSS by controlling resource loading
• X-Frame-Options - Prevents clickjacking attacks
• X-Content-Type-Options - Prevents MIME-type sniffing
• Strict-Transport-Security - Forces HTTPS connections
• Permissions-Policy - Controls browser features access

# Add to .htaccess or nginx config
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Security isn't set-and-forget. Active monitoring catches threats before they cause damage.

• File integrity monitoring - Detect unauthorized file changes
• Login activity logs - Track who accesses your site and when
• Uptime monitoring - Get alerted if your site goes down
• Malware scanning - Daily automated scans for malicious code
• Security audit logs - Track all administrative actions

Tools: Wordfence, Sucuri, WP Activity Log, or rely on your managed host's monitoring