WordPress Security Checklist: 12 Steps to Harden Your Site

Published June 23, 2026 · by Radiant Solutions

Most WordPress sites don’t get hacked because someone targeted them personally. They get hacked because an automated bot crawled the web, found a known weakness — an outdated plugin, a weak password, a setting left at its default — and walked right in. The good news is that this also makes most attacks preventable. The 12 steps below close the doors that bots check first, and together they stop the vast majority of break-ins. You don’t need to be a developer to work through them.

The 12-Step WordPress Hardening Checklist

1. Keep core, themes & plugins updated

Outdated software is the single most common way WordPress sites get compromised. When a vulnerability is discovered, the fix usually ships within days — but bots immediately start scanning for sites that haven’t applied it. Update WordPress core, your theme, and every plugin promptly. Turn on automatic updates for minor releases and trusted plugins, and check your dashboard at least weekly for anything waiting.

2. Remove unused themes and plugins

Every plugin and theme installed on your site is code that can contain a vulnerability — even if it’s deactivated. If you’re not using something, don’t just switch it off; delete it entirely. A lean site is a smaller target and easier to keep patched.

3. Only install reputable plugins

Stick to plugins from the official WordPress repository or well-known commercial developers. Before installing, check the number of active installations, the date of the last update, and recent reviews. Avoid “nulled” or pirated premium plugins entirely — they’re a notorious source of hidden malware. A plugin that hasn’t been updated in a year or two is a warning sign, no matter how useful it looks.

4. Use strong, unique admin passwords and a password manager

Reused or guessable passwords are how a surprising number of sites fall. Every administrator account should have a long, random, unique password — and the easiest way to manage those is a password manager, which generates and remembers them for you. You only have to remember one master password; the tool handles the rest.

5. Turn on two-factor authentication

Two-factor authentication (2FA) adds a second check at login — usually a code from an app on your phone — so a stolen password alone isn’t enough to get in. Several free plugins add 2FA to your WordPress login in a few minutes. Enable it for every admin and editor account, not just your own.

6. Change the default “admin” username and limit login attempts

Bots overwhelmingly guess the username “admin” first, which means half their work is done if you’re still using it. Create a new administrator account with a different username, then remove the old one. Pair that with a plugin that limits failed login attempts, so repeated guessing locks the attacker out instead of letting them try forever.

7. Give users the least privilege they need

WordPress has built-in roles — Administrator, Editor, Author, Contributor, Subscriber — for a reason. Not everyone needs the keys to the whole site. Give each person only the access their job requires, and review your user list periodically to remove accounts that are no longer needed. Fewer admin accounts means fewer ways in.

8. Force HTTPS/SSL everywhere

An SSL certificate encrypts the connection between your visitors and your site, protecting passwords and form submissions from being intercepted. Most hosts provide free certificates today, so there’s no reason to skip it. Once SSL is in place, make sure your whole site redirects from http to https so no page loads unencrypted.

9. Run regular automated backups stored off-server — and test them

Backups won’t prevent a hack, but they’re what turns a disaster into an inconvenience. Schedule automatic backups of both your files and your database, and store copies somewhere other than the server your site lives on — if the server is compromised, a backup sitting next to it may be too. Just as important: actually test a restore now and then, so you know it works before you need it.

10. Add a security plugin / firewall and malware scanning

A reputable security plugin gives you a web application firewall (WAF) that filters out malicious traffic, plus malware scanning that flags suspicious files and changes. Set it to scan on a schedule and alert you to anything unusual. Think of it as a smoke detector for your site — it won’t stop every problem, but it’ll tell you early.

11. Lock down files and settings

A few server-side tweaks remove easy targets. Set correct file permissions (typically 644 for files and 755 for folders). Disable the built-in file editor in wp-admin so an attacker who gets in can’t edit your code through the dashboard — add define('DISALLOW_FILE_EDIT', true); to your wp-config.php file. Protect wp-config.php itself, since it holds your database credentials. And if you don’t use XML-RPC (many sites don’t), disable it — it’s a common brute-force and spam vector.
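As an added example (not code from the original post), this POSIX shell script applies three of the settings above to a WordPress install directory and then audits them: the 644/755 permissions, the DISALLOW_FILE_EDIT constant in wp-config.php, and an owner-only mode on wp-config.php. The function names, the 600 mode for wp-config.php, and the choice to place the define above the line that loads wp-settings.php are assumptions; XML-RPC blocking depends on your web server and is not included.

```shell
#!/bin/sh
# Apply the step-11 settings to the WordPress install rooted at $1 (default: .).
set -eu

harden_wp() {
  root="${1:-.}"
  cfg="$root/wp-config.php"

  # Permissions from the checklist: 755 for folders, 644 for files.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  # Disable the dashboard file editor. Place the define above the line that
  # loads wp-settings.php, the usual spot for custom constants; append if absent.
  if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    line="define('DISALLOW_FILE_EDIT', true);"
    if grep -q "wp-settings\.php" "$cfg"; then
      awk -v l="$line" '/wp-settings\.php/ && !done { print l; done=1 } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
      printf '%s\n' "$line" >> "$cfg"
    fi
  fi

  # wp-config.php holds the database credentials, so keep it owner-only.
  # 600 is an assumption; hosts that run PHP under another group may need 640.
  # Done last because the rewrite above recreates the file with default perms.
  chmod 600 "$cfg"
}

# Audit the same three settings: prints what fails and returns 1, else returns 0.
check_wp() {
  root="${1:-.}"
  cfg="$root/wp-config.php"
  status=0
  if [ -n "$(find "$root" -type f \( -perm -002 -o -perm -020 \))" ]; then
    echo "group- or world-writable files under $root"; status=1
  fi
  if [ -n "$(find "$cfg" \( -perm -004 -o -perm -040 \))" ]; then
    echo "wp-config.php is readable by group or others"; status=1
  fi
  if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    echo "DISALLOW_FILE_EDIT not set in wp-config.php"; status=1
  fi
  return "$status"
}
```

Run `check_wp /path/to/site` on its own to see what a host's defaults leave open before changing anything, then `harden_wp /path/to/site` to apply the fixes.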

12. Choose a secure, well-maintained host

Everything above happens inside your WordPress install — but a good host stops a lot of trouble before it ever reaches your site. Server-level hardening, account isolation so one compromised site can’t affect its neighbors, technologies like LiteSpeed and ModSecurity, brute-force protection, and daily backups all add a layer you don’t have to manage yourself. Cheap, oversold, or neglected hosting can quietly undermine every other step on this list.

What to Do If You’re Already Hacked

If you suspect your site is already compromised, don’t panic — work through it methodically:

  • Take a backup first. Even an infected copy is useful for investigating what happened and recovering content.
  • Scan the site with a security plugin or your host’s malware scanner to find affected files.
  • Restore from a known-clean backup taken before the infection, if you have one.
  • Change every password — WordPress admins, hosting control panel, FTP/SFTP, and database.
  • Update everything — core, themes, and plugins — so the original hole is closed before you go back online.
  • Ask your host for help. A good provider can often spot the entry point and help you clean up.

Hosting Matters More Than People Think

You can do everything right inside WordPress and still be let down by weak hosting — or you can give yourself a real head start by choosing a host that blocks a great deal at the server level before it ever reaches your dashboard. That’s the philosophy behind our secure cloud hosting: every plan includes server-level hardening, brute-force protection, and daily backups, with account isolation so a problem on one site stays contained. It’s the foundation the other 11 steps build on.

Radiant Solutions has been hosting Southern California businesses since 1997, and our team can help whether you’re hardening a healthy site or cleaning up one that’s already been hit. If you’d like a hand securing your WordPress site — or you just want a second opinion on where you stand — contact us and we’ll walk through it with you.
