WordPress Security: Complete Guide 2026

Bastien Allain, March 11, 2026, 17 min read
Tags: wordpress, security, firewall, waf, hardening

WordPress powers over 43% of all websites worldwide. This popularity makes it the number one target for cybercriminals: according to the latest Sucuri annual report, more than 90% of compromised CMS platforms were running WordPress. WordPress security is not a luxury -- it is an operational imperative for any business with an online presence.

This guide is structured as a progressive action plan. We will start with a diagnostic of your installation, then apply foundational security measures, advanced technical hardening, and finally an incident response strategy.

Quick Diagnostic: Is Your WordPress Already Compromised?

Before applying protective measures, the first step of any website security audit involves verifying that your site is not already infected. A website hack can remain invisible for weeks, even months, by exploiting flaws like an SQL injection through unsecured forms or a Cross-Site Scripting (XSS) attack in an outdated plugin.

Our diagnostic follows two phases: first, identifying symptoms of an active infection, then detecting security vulnerabilities before they are exploited.

The 7 Telltale Signs of a Hacked WordPress Site

If your site is already compromised, you will observe one or more of these symptoms:

  • Suspicious redirects: your visitors are sent to third-party sites (casinos, online pharmacies, phishing pages). These redirects are often obfuscated in .js files or injected directly into the database via the wp_options table.
  • Injected spam content: pages or posts in foreign languages appear in your Google indexation, especially Japanese keyword spam.
  • Sudden slowdown: abnormal CPU consumption may indicate a cryptomining script or a malicious bot injected through a backdoor.
  • Browser warnings: Chrome or Firefox display a "This site is dangerous" warning to your visitors.
  • Unknown administrator accounts: new users with elevated privileges appear in wp-admin without your authorization. Also check the database (wp_users table), as some accounts can be hidden from the admin interface.
  • Organic traffic drop: Google progressively deindexes pages identified as dangerous or flagged as a malicious site.
  • Blocked emails: your domain is placed on blacklists by email providers.

If you observe one or more of these signs, immediately consult our WordPress post-hack cleanup guide.

How to Detect a "Malicious Site" Alert in Google Search Console

Google Search Console is your first free diagnostic tool to check whether your domain has been flagged as a malicious site. Here is the procedure:

  1. Log in to Google Search Console.
  2. Navigate to Security & Manual Actions > Security Issues.
  3. Check the Manual Actions section for any penalty related to hacked or dangerous content.
  4. Review the Coverage report to identify unknown indexed pages (a sign of content injection).

If Google has flagged your site, follow our guide to remove your site from Google's blacklist.

How Do I Know if My WordPress Site Has a Security Vulnerability?

A site can be vulnerable without being actively attacked. Unlike the hacking signs above, this section focuses on detecting flaws before they are exploited by brute force attacks, SQL injection attempts, or exploits targeting your plugins and themes.

For a first free website security audit, use these tools:

  • Sucuri SiteCheck: a quick external scan detecting malware, blacklists, and configuration errors. Note: an external scan only detects surface-level threats. A well-hidden infection in the database or through a modified backdoor will often go undetected.
  • WP-CLI (the official WordPress command-line interface): the verify-checksums command compares your installation's core files with the originals from the WordPress.org repository. However, it does not detect malware injected into /wp-content/uploads/.
  • WPScan: identifies known vulnerabilities in your plugins, themes, and WordPress version. These are precisely the flaws that a WordPress security plugin like Wordfence, Sucuri, or SecuPress can fix or block.

WP-CLI requires SSH access to your server. If you do not have this access, a WordPress security plugin provides equivalent scanning functions from the admin interface.

# Verify WordPress core file integrity
wp core verify-checksums
 
# Verify plugin integrity
wp plugin verify-checksums --all
 
# List plugins with available security updates
wp plugin list --update=available

A deeper manual audit includes inspecting critical files frequently targeted by hackers (wp-config.php, .htaccess), analyzing server activity logs, verifying file permissions, and examining the database. For a complete professional diagnosis, discover our WordPress security audit service.

The Foundation: 9 Essential Security Measures

These measures form the bedrock of any WordPress security strategy. They apply to all sites, from personal blogs to e-commerce platforms.

1. Choose Secure WordPress Hosting

Web hosting is your number one defense. A misconfigured server renders all other measures useless.

Secure host criteria:

  • Account isolation (each site in its own environment).
  • Network firewall and server-level Web Application Firewall (WAF).
  • Automatic updates for PHP, MySQL, and the operating system.
  • Free SSL/TLS certificate (Let's Encrypt) with automatic renewal.
  • Daily backups with 30-day minimum retention.
  • Support for recent PHP versions (8.2+ recommended).

Specialized WordPress hosts like Kinsta, WP Engine, or Cloudways integrate these protections natively. Budget shared hosting shares resources and risks with hundreds of other sites.

2. Enforce Strong Passwords

Brute force attacks account for 16% of WordPress compromises. A weak password is an open invitation.

Strong password criteria:

  • Minimum 16 characters mixing uppercase, lowercase, numbers, and symbols.
  • Unique for each service (never reuse a password).
  • Generated by a password manager (1Password, Bitwarden, KeePass).

Apply this policy to every access point: wp-admin account, FTP/SFTP, MySQL database, and hosting panel.

3. Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds a layer of protection even if the password is compromised. It is the most effective measure against brute force.

The official Two-Factor plugin supports TOTP methods (Google Authenticator, Authy), U2F/FIDO2 security keys, and backup codes. Enable it for all administrator and editor accounts.

# Install the Two-Factor plugin
wp plugin install two-factor --activate

4. Set Up Automated Backups

Backups are your last line of defense. Without a functional backup, a hack or error can mean the total loss of your site.

The 3-2-1 rule:

  • 3 copies of your data.
  • 2 different media (server + cloud).
  • 1 offsite copy.

Recommended frequency:

  • E-commerce sites: daily backup (database) + weekly (files).
  • Blogs and business sites: weekly full backup.
  • Test restoration at least once per quarter.

# Complete backup via WP-CLI
wp db export /backups/db-$(date +%Y%m%d).sql
tar -czf /backups/files-$(date +%Y%m%d).tar.gz /var/www/html/wp-content/
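
The following script is an added example, not part of the original article: it carries the two commands above through the 3-2-1 rule with a retention period, so the backup directory does not grow forever and the copy you restore from has a checksum to verify against. It assumes WP-CLI and rsync are installed, that `wp --path` points at the WordPress root, and that the offsite argument is an rsync destination you control (the `user@offsite.example:/srv/wp-backups` value in the usage comment is a placeholder). `backup_site` needs a live site and is shown for reference; `prune_backups` runs stand-alone.

```bash
#!/usr/bin/env bash
# Added example: dated backup of database + files, checksum, offsite copy, retention pruning.
# Assumes WP-CLI and rsync are available; the offsite target in the usage line is a placeholder.

prune_backups() {
  # Delete backup artifacts in $1 older than $2 days (retention), printing what was removed.
  find "$1" -maxdepth 1 -type f \
    \( -name 'db-*.sql' -o -name 'files-*.tar.gz' -o -name 'checksums-*.txt' \) \
    -mtime +"$2" -print -delete
}

backup_site() {
  # $1 = WordPress root, $2 = local backup dir, $3 = offsite rsync target, $4 = retention days.
  local root=$1 dest=$2 offsite=$3 keep=${4:-30} stamp
  stamp=$(date +%Y%m%d-%H%M)
  mkdir -p "$dest"
  # Copy 2 (the live site is copy 1): database dump plus uploads, themes and plugins.
  wp --path="$root" db export "$dest/db-$stamp.sql"
  tar -czf "$dest/files-$stamp.tar.gz" -C "$root" wp-content
  # Checksums let you verify the archive before trusting a restore.
  (cd "$dest" && sha256sum "db-$stamp.sql" "files-$stamp.tar.gz" > "checksums-$stamp.txt")
  # Copy 3: second medium, offsite.
  rsync -a "$dest"/ "$offsite"/
  prune_backups "$dest" "$keep"
}

# Usage (not run here):
#   backup_site /var/www/html /backups user@offsite.example:/srv/wp-backups 30
```

Schedule `backup_site` from cron, and pair it with the quarterly restore test from the list above: a backup that has never been restored is an assumption, not a safeguard.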

5. Update WordPress Core, Themes, and Plugins

Every update patches known and documented vulnerabilities in CVE databases. An unpatched site is a site whose flaws are publicly accessible.

  • Enable automatic core updates for minor versions (enabled by default).
  • Test major updates on a staging environment before deployment.
  • Remove inactive plugins and themes: even deactivated, they remain exploitable.
  • Keep your PHP version up to date (8.2+ recommended).

97% of WordPress vulnerabilities come from third-party plugins and themes (WPScan). Updating is your first line of defense. For a structured approach, consult our WordPress maintenance guide.

# Check and apply updates
wp core check-update
wp plugin update --all
wp theme update --all

6. Limit User Roles and Permissions

Apply the principle of least privilege: each user should only have access to the features strictly necessary for their role.

  • Administrator: reserved for the site owner and webmaster.
  • Editor: for content management without access to settings.
  • Author: for regular contributors, limited to their own posts.
  • Contributor: for occasional writers, without publishing rights.

Regularly audit the user list and delete inactive accounts. Every dormant account is a potential attack surface.

7. Install an SSL/TLS Certificate

HTTPS is no longer optional. Google considers it a ranking signal, and browsers display a warning for non-secure sites. An SSL/TLS certificate encrypts all communications between the server and the browser.

# Force HTTPS in WordPress
wp option update siteurl 'https://your-site.com'
wp option update home 'https://your-site.com'
 
# Search and replace HTTP URLs (add --dry-run first to preview the changes)
wp search-replace 'http://your-site.com' 'https://your-site.com'

# HTTP to HTTPS redirect via .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

8. What Is the Best Free WordPress Security Plugin in 2026?

Choosing a WordPress security plugin depends on your budget and technical needs. Here are the three most reliable solutions:

Feature | Wordfence | Sucuri | SecuPress
--- | --- | --- | ---
WAF | Endpoint (PHP) | Cloud (DNS) | Endpoint (PHP)
Malware scanner | Excellent | Good | Good
Built-in 2FA | Yes | No | Yes
Cleanup included | No (paid) | Yes (Pro) | No
Performance impact | Medium-high | Low | Low
Free version | Very complete | Basic | Decent

Wordfence free version offers the best feature-to-cost ratio. It includes a Web Application Firewall (WAF), a malware scanner, and brute force protection. Free version firewall rules are delayed by 30 days compared to premium, but protection remains solid for the majority of sites.

Sucuri is recommended for e-commerce or high-traffic sites thanks to its cloud WAF that does not load your server and includes a CDN.

9. Remove Unused Themes and Plugins

Every installed plugin or theme, even if deactivated, remains a potential entry point. Extensions abandoned by their developers no longer receive security patches and become prime targets.

  • Delete (not just deactivate) every unused plugin and theme.
  • Keep only one default theme in addition to your active theme.
  • Before installing a new plugin, check its last update date, number of active installations, and reviews.

Technical Hardening: Locking Down Entry Points

These measures target administrators looking to strengthen the technical configuration of their WordPress installation. They operate at the configuration file, server, and database levels.

Securing wp-config.php

The wp-config.php file contains your site's most critical information: database credentials, security keys, and configuration constants. Its protection is a top priority.

<?php
// Force HTTPS for administration
define('FORCE_SSL_ADMIN', true);

// Disable the built-in file editor
define('DISALLOW_FILE_EDIT', true);

// Prevent plugin/theme installation from wp-admin.
// Note: this also blocks plugin, theme and core updates from wp-admin, including
// automatic updates, so only enable it if you apply updates with WP-CLI or a deploy pipeline.
define('DISALLOW_FILE_MODS', true);

// Limit post revisions
define('WP_POST_REVISIONS', 5);

// Disable debug in production
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', false);

// Custom table prefix (set during installation)
$table_prefix = 'wp_x7k2_';

# Regenerate security keys via WP-CLI
wp config shuffle-salts

Move wp-config.php one level above the web root (/var/www/ instead of /var/www/html/) if your host allows it. WordPress detects it automatically.

Setting Proper File Permissions (CHMOD)

Incorrect file permissions allow attackers to modify critical files or inject malicious code.

Element | Permission | Meaning
--- | --- | ---
Directories | 755 | Read/execute for all, write for owner
Files | 644 | Read for all, write for owner
wp-config.php | 400 | Read-only for owner
.htaccess | 444 | Read-only for all

# Apply recommended permissions
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
 
# Critical files: restrictive permissions
chmod 400 /var/www/html/wp-config.php
chmod 444 /var/www/html/.htaccess
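
Before re-applying chmod across a site you did not set up, it is worth knowing what actually deviates. The audit function below is an added example (not from the article): it reports every path whose mode differs from the table above and changes nothing, so the output is a worklist. It assumes GNU findutils (for `-printf`) and that PHP runs as the owner of wp-config.php; if PHP runs as a different user in the same group, 400 will break the site and 440 is the right target. The fixture tree it runs on is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: report files and directories whose mode deviates from the recommended policy.
# Assumes GNU find (-printf). Nothing is changed; the output is a worklist.

audit_permissions() {
  # $1 = WordPress root. Prints one line per non-compliant path; prints nothing when clean.
  local root=$1
  {
    find "$root" -type d ! -perm 755 -printf 'BAD-DIR  %m %p\n'
    find "$root" -type f ! -name wp-config.php ! -name .htaccess ! -perm 644 -printf 'BAD-FILE %m %p\n'
    find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 400 -printf 'BAD-CONF %m %p\n'
    find "$root" -maxdepth 1 -type f -name .htaccess ! -perm 444 -printf 'BAD-HTA  %m %p\n'
  } | sort
  return 0
}

make_fixture() {
  # Constructed WordPress-like tree with two deliberate mistakes; prints its path.
  local d
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  printf '<?php\n' > "$d/wp-config.php"
  printf '<?php\n' > "$d/index.php"
  printf 'RewriteEngine On\n' > "$d/.htaccess"
  chmod 755 "$d" "$d/wp-content"
  chmod 777 "$d/wp-content/uploads"            # mistake 1: world-writable upload directory
  chmod 644 "$d/index.php" "$d/wp-config.php"  # mistake 2: wp-config.php readable by everyone
  chmod 444 "$d/.htaccess"
  echo "$d"
}

# Stand-alone demo: two findings, then none once they are corrected.
FIX=$(make_fixture)
audit_permissions "$FIX"
chmod 755 "$FIX/wp-content/uploads" && chmod 400 "$FIX/wp-config.php"
audit_permissions "$FIX"    # prints nothing
rm -rf "$FIX"
```

Run it as `audit_permissions /var/www/html` and put it in the quarterly calendar next to the permission review; an empty result is the expected state.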

Hiding the WordPress Version

By default, WordPress exposes its version number in the HTML source code, RSS feed, and readme.html file. This information facilitates targeted attacks by allowing hackers to identify vulnerabilities specific to your version.

// Remove WordPress version from head and RSS feeds
// (add to your theme's functions.php or a must-use plugin)
remove_action('wp_head', 'wp_generator');

# Block access to readme.html via .htaccess
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<Files readme.html>
  Order Allow,Deny
  Deny from all
</Files>

Disabling the File Editor and XML-RPC

The built-in WordPress file editor allows modifying PHP code for themes and plugins directly from wp-admin. If an attacker gains administrator access, they can inject malicious code within seconds.

XML-RPC is a legacy protocol that enables remote publishing but is a major attack vector for amplified brute force (a single API call can test many passwords) and DDoS amplification through pingback. Disable it unless you use Jetpack or the WordPress mobile app.

# Block XML-RPC via .htaccess
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<Files xmlrpc.php>
  Order Allow,Deny
  Deny from all
</Files>

How to Block Brute Force Attacks on WordPress

Brute force attacks test thousands of username/password combinations per minute on your login page. Here are the most effective measures to block them:

  • Limit login attempts: the Limit Login Attempts Reloaded plugin automatically blocks IP addresses after a configured number of failures (recommended: 3 attempts, 20-minute lockout).
  • Change the login URL: replace /wp-login.php with a custom URL using the WPS Hide Login plugin. Automated bots exclusively target the default URL.
  • Add a CAPTCHA: integrate a CAPTCHA on the login page to filter bots.
  • Block malicious IP addresses: configure your Web Application Firewall (WAF) to automatically block IPs after repeated attempts.
  • Log out idle users: force automatic logout after 15 to 30 minutes of inactivity to limit session hijacking risks.

# Install Limit Login Attempts Reloaded
wp plugin install limit-login-attempts-reloaded --activate
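
A plugin blocks attempts it sees, but the web server log shows the whole picture, including xmlrpc.php. The script below is an added example (not from the article or from any plugin) that counts failed login POSTs per source IP and hour from an access log and reports sources above a threshold; the 50-per-hour figure follows the alert threshold this article gives in its monitoring section. It assumes the Apache/Nginx combined log format and that a failed login is a POST to /wp-login.php or /xmlrpc.php answered with HTTP 200 (WordPress re-renders the form on failure and redirects with 302 on success). The log it runs on is constructed, not real traffic.

```bash
#!/usr/bin/env bash
# Added example: per-IP, per-hour count of failed login POSTs from an access log.
# Assumes the "combined" log format; the sample traffic below is constructed.

make_sample_log() {
  # Writes a constructed access.log to a temp file and prints its path.
  local f i
  f=$(mktemp)
  i=1
  while [ "$i" -le 60 ]; do
    # one client hammering wp-login.php: 60 failures (HTTP 200) within the 10:00 hour
    printf '203.0.113.7 - - [11/Mar/2026:10:%02d:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"\n' \
      $((i / 60)) $((i % 60)) >> "$f"
    i=$((i + 1))
  done
  i=1
  while [ "$i" -le 20 ]; do
    # a second client probing xmlrpc.php at a lower rate
    printf '203.0.113.9 - - [11/Mar/2026:11:%02d:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"\n' \
      "$i" >> "$f"
    i=$((i + 1))
  done
  # a legitimate user: one typo (200), then success (302 redirect to wp-admin)
  printf '198.51.100.5 - - [11/Mar/2026:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"\n' >> "$f"
  printf '198.51.100.5 - - [11/Mar/2026:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$f"
  printf '198.51.100.5 - - [11/Mar/2026:10:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"\n' >> "$f"
  echo "$f"
}

bruteforce_report() {
  # $1 = access log path, $2 = failures per hour that trigger an alert.
  # Prints "<ip> <day>:<hour> <count>" for every source exceeding the threshold.
  awk -v thr="$2" '
    $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") && $9 == 200 {
      hour = substr($4, 2, 14)          # [11/Mar/2026:10:01:02 -> 11/Mar/2026:10
      count[$1 " " hour]++
    }
    END { for (k in count) if (count[k] > thr) print k, count[k] }
  ' "$1" | sort
}

# Stand-alone demo against the constructed log.
LOG=$(make_sample_log)
bruteforce_report "$LOG" 50    # prints: 203.0.113.7 11/Mar/2026:10 60
rm -f "$LOG"
```

On a real server run `bruteforce_report /var/log/apache2/access.log 50` from cron and feed the resulting IPs to your WAF block list; the legitimate user with one typo never appears because the threshold is per hour, not per attempt.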

Changing the Database Prefix

The default wp_ prefix facilitates targeted SQL injections. An attacker knowing the standard WordPress structure can exploit a flaw to directly access the wp_users or wp_options tables.

Change the prefix during initial installation. For an existing site, use a dedicated plugin or make the modification manually in wp-config.php and in the database (rename all tables and update references in wp_options and wp_usermeta).

Advanced Protection and Active Prevention

These measures target experienced administrators or technical teams looking to cover as much of their WordPress installation's attack surface as possible.

Setting Up a Web Application Firewall (WAF)

A Web Application Firewall (WAF) filters HTTP/HTTPS traffic and blocks malicious requests before they reach your WordPress application. It protects against:

  • SQL injections (SQLi) through forms or URL parameters.
  • Reflected and stored Cross-Site Scripting (XSS).
  • Directory traversal (path traversal).
  • Malicious file upload attempts.
  • Zero-day attacks through behavioral rules.

Two approaches exist:

  • Endpoint WAF (Wordfence, SecuPress): runs at the PHP level, on your server. Precise detection but performance impact.
  • Cloud WAF (Sucuri, Cloudflare): filters traffic before it reaches your server. Zero server load, DDoS protection included, but requires a DNS modification.

For e-commerce or high-traffic sites, a cloud WAF like Cloudflare (free tier available) combines protection and performance through its integrated CDN.

Deploying HTTP Security Headers

HTTP security headers instruct the browser on which security policies to enforce. They protect against clickjacking, MIME sniffing, and content injection.

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"
</IfModule>

Verify your headers with securityheaders.com. Aim for an A or A+ score.
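
An online scanner is convenient, but you can also check a captured response yourself, for example in a deployment pipeline. The function below is an added example (not from the article or from securityheaders.com): it reads raw response headers on stdin, reports any of the six headers from the block above that are missing, and flags an HSTS max-age shorter than one year, which is the minimum the preload list accepts. The two responses it is run against are constructed; on a live site feed it `curl -s -o /dev/null -D - https://your-site.com`.

```bash
#!/usr/bin/env bash
# Added example: offline check of a captured HTTP response for the headers listed above.
# Real usage:  curl -s -o /dev/null -D - https://your-site.com | check_security_headers

REQUIRED_HEADERS="strict-transport-security x-frame-options x-content-type-options referrer-policy permissions-policy content-security-policy"

check_security_headers() {
  # Reads raw response headers on stdin; prints MISSING:/WEAK: findings, nothing when all is well.
  local headers present name max_age
  headers=$(tr -d '\r')                                        # strip CRLF line endings
  present=$(printf '%s\n' "$headers" | awk -F: '/^[A-Za-z-]+:/ { print tolower($1) }')
  for name in $REQUIRED_HEADERS; do
    printf '%s\n' "$present" | grep -qx "$name" || echo "MISSING: $name"
  done
  # HSTS shorter than one year gives little lasting protection and is not eligible for preload.
  max_age=$(printf '%s\n' "$headers" | grep -i '^strict-transport-security:' \
            | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  if [ -n "$max_age" ] && [ "$max_age" -lt 31536000 ]; then
    echo "WEAK: strict-transport-security max-age=$max_age (< 31536000)"
  fi
  return 0
}

# Constructed response from a site that set only part of the list (not a real server).
PARTIAL_RESPONSE="HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=300
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin"

# Constructed response after applying the full <IfModule mod_headers.c> block above.
HARDENED_RESPONSE="HTTP/2 200
server: Apache
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'"

printf '%s\n' "$PARTIAL_RESPONSE" | check_security_headers
printf '%s\n' "$HARDENED_RESPONSE" | check_security_headers    # prints nothing
```

Header names are compared case-insensitively because HTTP/2 lowercases them while Apache emits them as written; the check only tests presence and the HSTS lifetime, so a CSP that is present but too permissive still needs a human review.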

Setting Up File Integrity Monitoring

Continuous file monitoring detects any unauthorized modification: backdoor injection, core file modification, or addition of malicious scripts.

  • Wordfence automatically compares your installation files against official versions from the WordPress.org repository.
  • WP Activity Log records all activities: logins, content modifications, configuration changes, plugin installations.
  • Server activity logs (access.log, error.log) reveal suspicious requests and exploitation attempts.

# Install WP Activity Log for activity tracking
wp plugin install wp-security-audit-log --activate

Metrics to monitor:

  • Failed login attempts (alert threshold: more than 50/hour).
  • Unexpected file modifications in /wp-includes/ or /wp-admin/.
  • New user accounts created without authorization.
  • Suspicious HTTP requests in server logs (path traversal attempts, SQL injection).
  • Abnormal CPU/memory consumption (sign of cryptomining).
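
To show what "unexpected file modifications" means in practice, here is an added example (not from the article, and not Wordfence's code) of a minimal file-integrity monitor: a baseline that records a SHA-256 per file and a comparison that reports added, modified and deleted paths. It is the same idea Wordfence applies against the WordPress.org checksums, but it works for anything under the web root, including /wp-content/uploads/ which verify-checksums ignores. It assumes GNU coreutils and findutils (sha256sum, sort -z, xargs -r) and paths without whitespace; the tree used in the demo is constructed.

```bash
#!/usr/bin/env bash
# Added example: baseline + diff file-integrity check. Assumes GNU coreutils/findutils.
# Keep the manifest outside the web root (ideally off the server), or an intruder can rewrite it.

fim_snapshot() {
  # Writes "<sha256>  ./relative/path" for every file under $1 to stdout, sorted by path.
  (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum)
}

fim_baseline() {
  # $1 = directory to watch, $2 = manifest file to create (outside $1).
  fim_snapshot "$1" > "$2"
}

fim_compare() {
  # $1 = directory, $2 = manifest from fim_baseline.
  # Prints ADDED/MODIFIED/DELETED lines; prints nothing when the tree matches the manifest.
  local current
  current=$(mktemp)
  fim_snapshot "$1" > "$current"
  awk -v manifest="$2" '
    FILENAME == manifest { old[$2] = $1; next }
    {
      seen[$2] = 1
      if (!($2 in old))         print "ADDED    " $2
      else if (old[$2] != $1)   print "MODIFIED " $2
    }
    END { for (p in old) if (!(p in seen)) print "DELETED  " p }
  ' "$2" "$current" | sort
  rm -f "$current"
}

make_tree() {
  # Constructed mini site used by the demo; prints its path.
  local d
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  printf '<?php echo "hello";\n' > "$d/a.php"
  printf 'not really a jpeg\n' > "$d/wp-content/uploads/x.jpg"
  echo "$d"
}

# Stand-alone demo: baseline, then one change of each kind, then the report.
SITE=$(make_tree); MANIFEST=$(mktemp)
fim_baseline "$SITE" "$MANIFEST"
printf '<?php echo "changed";\n' > "$SITE/a.php"                 # modified
printf '<?php\n' > "$SITE/wp-content/uploads/unexpected.php"     # added (PHP in uploads)
rm -f "$SITE/wp-content/uploads/x.jpg"                           # deleted
fim_compare "$SITE" "$MANIFEST"
rm -rf "$SITE" "$MANIFEST"
```

Re-baseline right after every deploy or update you performed yourself; between deploys, any non-empty `fim_compare` output on /wp-includes/, /wp-admin/ or the uploads directory is an alert, not noise.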

Action Plan: From Crisis to Peace of Mind

Despite all precautions, a security incident can occur. Response speed is critical to limiting damage.

I Have Been Hacked: What Should I Do?

Here is the 6-step response protocol, in order:

  1. Isolate: put the site in maintenance mode immediately to protect your visitors.
  2. Backup: capture the current state (files + database) for forensic analysis. Do not delete anything before this step.
  3. Analyze: identify the attack vector. Examine recently modified files, backdoors in /wp-content/uploads/, database injections, and server activity logs.
  4. Clean: remove malicious code and backdoors. For the specific case of Japanese keyword hacking, a dedicated cleanup procedure is required. Consult our complete cleanup guide.
  5. Harden: fix the exploited vulnerability, apply all updates, regenerate security keys (wp config shuffle-salts), change all passwords, and verify file permissions.
  6. Notify: if personal data was compromised, inform affected users and the relevant data protection authority within 72 hours (GDPR obligation).
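
For step 3, here is an added example (not from the article) of a first-pass triage script that checks the three places the step names: PHP files under /wp-content/uploads/ (WordPress never writes PHP there), files changed within a look-back window, and PHP files containing decode-and-execute idioms that are rare in legitimate code. It assumes GNU find and grep and should be run on the forensic copy from step 2, never on the live site, so that timestamps stay intact. The site tree it is demonstrated on is constructed, and the "obfuscation" hit is a string literal that is never executed.

```bash
#!/usr/bin/env bash
# Added example: first-pass triage for the "Analyze" step. Assumes GNU find/grep.
# Run it on the forensic copy taken in step 2, never on the live site, so timestamps are preserved.

hunt_suspicious_files() {
  # $1 = WordPress root (a copy), $2 = look-back window in days (default 7).
  local root=$1 days=${2:-7}
  {
    # WordPress never writes PHP into uploads; any PHP-like file there is a finding.
    find "$root/wp-content/uploads" -type f \
      \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -printf 'PHP-IN-UPLOADS %p\n' 2>/dev/null
    # Anything touched inside the window; compare against your last known deploy.
    find "$root" -type f -mtime -"$days" -printf 'RECENT %p\n'
    # Decode-and-run idioms are rare in legitimate code; treat hits as a review list, not proof.
    grep -rlE 'eval\(base64_decode|gzinflate\(base64_decode' --include='*.php' "$root" 2>/dev/null \
      | sed 's/^/OBFUSCATED /'
  } | sort
  return 0
}

make_incident_tree() {
  # Constructed copy of a site: old untouched files plus two things changed in the last 24 h.
  local d old
  d=$(mktemp -d)
  old=$(( $(date +%s) - 30 * 86400 ))
  mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/demo-plugin"
  printf '<?php require "wp-blog-header.php";\n' > "$d/index.php"
  printf 'image bytes\n' > "$d/wp-content/uploads/photo.jpg"
  touch -d "@$old" "$d/index.php" "$d/wp-content/uploads/photo.jpg"
  printf '<?php\n' > "$d/wp-content/uploads/unexpected.php"
  # plugin file edited recently and containing the idiom only as a string (never executed)
  printf '<?php $marker = "eval(base64_decode(";\n' > "$d/wp-content/plugins/demo-plugin/demo-plugin.php"
  echo "$d"
}

# Stand-alone demo on the constructed copy.
COPY=$(make_incident_tree)
hunt_suspicious_files "$COPY" 7
rm -rf "$COPY"
```

Cross-reference every RECENT hit with your deploy history and with the server access log for the same time window; the request that wrote the file is usually the attack vector you are looking for in step 3.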

For further reading, consult our guides on common WordPress malware, malicious redirects, and infected WordPress files.

Your Roadmap for Continuous Security Maintenance

Security is not a state -- it is a process. Here is the WordPress maintenance calendar focused on security:

Weekly:

  • Check and apply updates (core, plugins, themes).
  • Review WordPress security plugin reports (scans, blocks, alerts).
  • Audit user accounts and remove inactive ones.

Monthly:

  • Run a full malware scan with your security plugin.
  • Analyze activity logs to spot anomalies.
  • Test restoring a recent backup.

Quarterly:

  • Perform a complete website security audit (the 10-point checklist).
  • Regenerate WordPress security keys.
  • Review file and directory permissions.
  • Update the PHP version.

Does WordPress Security Impact My Site Speed?

This is a legitimate concern. Some security measures impact performance, while others improve it. Here is the breakdown:

Potential negative impact:

  • An endpoint WAF (Wordfence) adds PHP processing to every request, which can slow down high-traffic sites.
  • Real-time malware scans consume server resources.
  • A poorly configured security plugin with many active rules increases load time.

Positive impact:

  • A cloud WAF (Cloudflare, Sucuri) includes a CDN that accelerates static content delivery.
  • Blocking malicious bots frees server resources for legitimate visitors.
  • Security headers (HSTS, preload) eliminate unnecessary HTTP redirects.

The key is choosing the right tools: a cloud WAF combines security and performance, while an endpoint WAF requires a sufficiently powerful server. In all cases, security should never be sacrificed for speed.

Outsourcing Your Security: When to Call an Expert

Do you manage an e-commerce site, a site handling sensitive data, or a high-traffic site? Managing WordPress security in-house has its limits:

  • Zero-day vulnerabilities require permanent monitoring and immediate response capability.
  • Cleaning a compromised site demands specific forensic expertise.
  • GDPR compliance and notification obligations require rigorous processes.

For a professional security audit tailored to your site, or for urgent intervention on a compromised site, our team responds within 24 hours. We combine technical auditing, malware cleanup, hardening, and continuous monitoring setup.

FAQ

Is WordPress Less Secure Than Other CMS Platforms?

No. WordPress is not inherently less secure. The core is maintained by a dedicated security team and regularly audited. Its popularity (43% of the web) simply makes it a more frequent target. 97% of vulnerabilities come from third-party plugins and themes, not the core. A properly configured, updated, and monitored WordPress site is as secure as any other CMS.

How Often Should I Perform a Security Audit?

Quarterly for a standard site, monthly for e-commerce or sites handling sensitive data. Automated malware scans should run daily. A thorough professional website security audit is recommended annually. Consult our security audit service for personalized support.

Should I Disable XML-RPC?

Yes, unless you use services that depend on it (Jetpack, WordPress mobile app). XML-RPC is a known attack vector for amplified brute force (a single API call can test hundreds of passwords) and DDoS amplification through pingback. If you must keep it, restrict access to the concerned services' IP addresses via .htaccess.

How Much Does WordPress Hack Remediation Cost?

The average cost of cleaning a hacked WordPress site ranges between $2,000 and $15,000 depending on the infection complexity. This amount includes file cleanup, database disinfection, post-incident hardening, and the Google reconsideration request. Not counting revenue loss and reputation impact during the incident. Prevention always costs less than remediation.
