If you manage a WordPress site and security is still sitting on your “I’ll sort it properly later” list — read this before that later turns into a phone call you really don’t want to make.
I’ve been building and maintaining WordPress sites for years. Cleaning up hacked ones too. The same weak points show up every single time — outdated plugins, exposed login pages, passwords reused across every account, critical files left completely unprotected. Nearly every incident I’ve dealt with was preventable.
This is what I actually run through on every client site I manage.
How Sites Actually Get Hacked
WordPress runs something like 43% of the entire web. That’s why it’s a target. Nobody is sitting there picking your specific site. Bots crawl the internet looking for known holes in popular plugins. They find a vulnerability, they scan a few million sites, they get into a few thousand. Yours might be one of them. That’s really all there is to it.
From what I’ve seen firsthand cleaning up sites:
- Old plugins with known security holes — this is the big one, by far
- Passwords that are either weak or the same ones used on other accounts that already got breached somewhere
- Plugins sitting there deactivated that nobody’s touched in two years
- Hosting where your site shares space with hundreds of others and there’s barely any isolation between them
- And more recently, supply chain stuff — a plugin developer’s account gets compromised and a bad update gets pushed to everyone running that plugin
Once you understand how these attacks work, protecting against them isn’t complicated. It’s just about being consistent with a few things.
1. Updates — Yeah, I Know. But Hear Me Out
Everyone knows you should update WordPress and your plugins. That’s not news. The problem is how people actually handle it in practice. They see 12 plugin updates pending, get nervous one might break something, and close the tab. Come back three months later, same thing. Now some of those plugins have had vulnerabilities disclosed and patched — but you’re still running the old version.
What I do: before touching anything, I make sure there’s a backup from that day. Then I update maybe two or three plugins at a time. Check the site. Update a few more. Check again. If something goes sideways I know exactly which update did it. Takes an extra 15 minutes but saves you from the “I updated everything and now the whole site is broken and I don’t know why” situation.
Auto-updates for WordPress core minor versions — I turn those on. Those are security patches, they’re small, they almost never cause issues. Major WordPress versions I test on staging first when I can.
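What the batch-and-check routine above looks like when scripted with WP-CLI. This is an added example, not the post's own script: it assumes WP-CLI (`wp`) is installed and run from the WordPress root, that `curl` is available, and that `SITE_URL` is set to your site (the `example.com` default is a placeholder). It takes a database export first, updates pending plugins a few at a time, and stops at the first batch after which the front page no longer returns 200, so the culprit is one of at most `BATCH_SIZE` plugins.

```sh
#!/bin/sh
# Added example, not the author's script. Assumes WP-CLI ("wp") and curl are
# installed and this runs from the WordPress root. SITE_URL is a placeholder.
SITE_URL="${SITE_URL:-https://example.com}"
BATCH_SIZE="${BATCH_SIZE:-3}"

# Print the arguments in groups of $1 per line: chunk_list 2 a b c -> "a b" / "c"
chunk_list() {
    n=$1; shift
    line=""; count=0
    for item in "$@"; do
        line="${line:+$line }$item"
        count=$((count + 1))
        if [ "$count" -eq "$n" ]; then
            printf '%s\n' "$line"
            line=""; count=0
        fi
    done
    [ -n "$line" ] && printf '%s\n' "$line"
    return 0
}

# Return 0 when the front page answers with HTTP 200, non-zero otherwise.
site_healthy() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$SITE_URL")
    [ "$code" = "200" ]
}

# Database snapshot, then update pending plugins in small batches, checking the
# site after each batch and stopping at the first one that breaks it.
update_in_batches() {
    stamp=$(date +%Y%m%d-%H%M%S)
    wp db export "backup-$stamp.sql" || return 1

    pending=$(wp plugin list --update=available --field=name)
    if [ -z "$pending" ]; then
        echo "nothing to update"; return 0
    fi

    chunk_list "$BATCH_SIZE" $pending | while read -r batch; do
        echo "updating: $batch"
        wp plugin update $batch || exit 1
        if ! site_healthy; then
            echo "site broke after: $batch (suspect is in this batch; restore backup-$stamp.sql)"
            exit 1
        fi
    done
}

# Usage: SITE_URL=https://your-site.example ./update-plugins.sh, then call
# update_in_batches from the shell, or uncomment the next line to run directly.
# update_in_batches
```

It snapshots only the database; files are left to the host's daily backup, which you should confirm is actually running rather than assume.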
Here’s something a lot of people miss though: your PHP version. PHP 8.0 hit end of life back in 2023. If you’re still on it — or worse, something older — you’re running software that doesn’t get security fixes anymore. You want 8.2 or 8.3 in 2026. Some hosts like Kinsta, WP Engine, Cloudways keep this current automatically. Cheaper shared hosts? Often don’t.
Keep an eye on Patchstack and the Wordfence vulnerability feed. When something critical pops up for a plugin you use — don’t wait. Handle it same day.
2. Your Login Page Is Getting Attacked Right Now
Not exaggerating. Go look at your server logs if you don’t believe me. Bots hit /wp-login.php constantly, trying username/password combinations from leaked databases. Small personal blog with 50 visitors a month? Doesn’t matter. The bots don’t check your traffic stats before attacking.
First thing I do on any site — install WPS Hide Login and change that login URL to something random. The reduction in bot traffic after doing this is honestly kind of dramatic. Your server will thank you too.
Then two-factor authentication. I don’t care how strong you think your password is. 2FA means even if someone gets your password — phishing, data breach, whatever — they still can’t get in without the code from your phone. On most sites I set up Wordfence which handles 2FA along with a bunch of other stuff. If you just want the 2FA part and nothing else, WP 2FA does the job. Works with Google Authenticator, Authy, all the usual apps.
Add a CAPTCHA to your login page too. This is something I started doing more recently and honestly wish I’d done sooner. Bots that get past the hidden login URL — and some do — still have to deal with a challenge before they can even attempt a password. SecureGate Captcha Lite is what I’ve been using on newer client sites. It’s lightweight, doesn’t slow anything down, and adds a real layer of friction that stops automated scripts cold. Works on login, registration, password reset, and comment forms — so it covers multiple entry points at once without needing separate plugins for each.
Limit Login Attempts Reloaded is worth adding too — locks out IPs after failed attempts. Though if you’ve got Wordfence running, it already does this. Don’t double up.
And please, use a password manager. I don’t care which one — I use Bitwarden personally because it’s free and open source, but the tool isn’t the point. The point is your WordPress password shouldn’t also be your email password, your hosting password, and your Netflix password. One breach and they’ve got everything.
3. Get a Security Plugin — But Set It Up Right
Throwing a security plugin on your site and never looking at the settings is… well, it’s something. Better than nothing I guess. But you’re leaving a lot on the table.
Three options I trust:
- Wordfence — this is what I put on most sites. Firewall, scanner, 2FA, login stuff, traffic logs. All in one. Free version is solid. Paid version gives you real-time firewall rules which matters more for high-value sites
- Sucuri — their cloud-based firewall is a different approach. Traffic gets filtered before it even reaches your server. The paid WAF product is genuinely good for sites that need that level of protection
- Solid Security — used to be called iThemes Security. More guided, good if you’re newer to this and want something that walks you through setup
One thing though — back up your site before you configure any of these. I’ve seen firewall rules conflict with WooCommerce checkout, with page builders, with random third-party stuff. You want to be able to roll back if something breaks.
And don’t install two security plugins thinking more is better. It’s not. They fight each other. Pick one.
4. Block xmlrpc.php
This is one of those things that takes 30 seconds to fix and most people have never heard of it. xmlrpc.php is an old WordPress feature for remote connections. Almost nobody needs it anymore. But it’s enabled by default, and here’s the fun part — it lets attackers try hundreds of password combinations in a single request. Your login attempt limiter doesn’t even see it because it’s not going through the normal login page.
Unless you specifically need it for the WordPress mobile app or some legacy Jetpack setup, just block it. Drop this in .htaccess:
```apache
# Apache 2.2-style access directives; on Apache 2.4 without mod_access_compat,
# replace the Order/Deny lines with "Require all denied".
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
```
Done. Kills the request before PHP even loads.
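The login-page bot traffic from section 2 and the xmlrpc.php requests just described both show up in the access log, so here is an added example (not from the post) that triages it: two shell functions that count POST requests to /wp-login.php and /xmlrpc.php per source IP and flag any source over a threshold. The lines in `LOG_SAMPLE` are constructed, using RFC 5737 documentation addresses; against a real server, feed the functions the Apache or nginx combined-format access log.

```sh
#!/bin/sh
# Added example, not from the post. Counts POST requests to the two login
# endpoints per source IP in a combined-format access log. The sample log
# lines below are constructed; the addresses are documentation ranges.
LOG_SAMPLE='203.0.113.9 - - [10/Mar/2026:02:11:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:02:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:02:12:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:02:12:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2026:02:13:05 +0000] "GET /about/ HTTP/1.1" 200 9020 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:02:13:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "count ip path" for every (ip, path) pair
# that is a POST to a login endpoint, highest count first. In the combined
# format $1 is the client IP, $6 the quoted method, $7 the request path.
login_attempts() {
    awk '$6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { n[$1 " " $7]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Same, but only sources at or above $1 attempts on one endpoint; prints "ip path".
suspicious_sources() {
    threshold=$1
    login_attempts | awk -v t="$threshold" '$1 + 0 >= t + 0 { print $2, $3 }'
}

# Usage on the sample:  printf '%s\n' "$LOG_SAMPLE" | suspicious_sources 2
# Against a real log:   suspicious_sources 20 < /var/log/apache2/access.log
```

A source that appears here with hundreds of /xmlrpc.php POSTs is exactly the traffic the login limiter never sees; once the .htaccess block is in place those requests should stop logging with status 200.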
5. Kill the Built-in File Editor and Lock Down wp-config
WordPress has this code editor built into the dashboard. Lets anyone with admin access edit PHP files for themes and plugins right there in the browser. Which sounds convenient until you realize that if someone breaks into an admin account, they can inject whatever code they want through it.
Put this in your wp-config.php:
```php
define( 'DISALLOW_FILE_EDIT', true );
```
That editor is gone. Use a real code editor if you need to edit files.
While you’re at it, block direct access to your most sensitive files. Add to .htaccess:
```apache
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
```
6. Nulled Themes and Plugins Will Wreck Your Site
I still run into this. Someone downloads a “free” version of a $59 premium theme from some sketchy site, installs it, and six months later their site is full of malware and they have no idea where it came from.
That’s where it came from.
Nulled software — cracked premium plugins and themes — is one of the most reliable ways to get your WordPress site infected. The malware is baked into the files before you install them. You’re literally putting it there yourself.
I wrote a whole thing on this because I’ve cleaned up enough of these: Why You Should Never Use Nulled WordPress Themes and Plugins. Short version — the $59 you saved on that theme is going to cost you $500+ in cleanup. Every time.
7. SSL Isn’t Enough — You Need Security Headers Too
Having an SSL certificate in 2026 is like having a front door on your house. It’s the bare minimum. Every host worth using gives you one free through Let’s Encrypt. If you somehow still don’t have HTTPS set up, go do that before anything else on this list.
But here’s what nobody talks about — HTTP security headers. Run your site through SecurityHeaders.com right now. Bet you’re missing most of them.
Add these to .htaccess:
```apache
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
```
Also worth running your domain through SSL Labs to check your actual TLS configuration. If you’re getting a B or lower, something’s off — usually on the hosting side.
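Here is an added check (not from the post) for the headers just listed: `missing_headers` reads a response header block, as `curl -sI` prints it, and names each recommended header that is absent. It covers the three headers above plus Strict-Transport-Security, which is not in the post's snippet but is the header that makes browsers insist on the HTTPS this section starts with. `SAMPLE_RESPONSE` is a constructed response; `check_site` needs `curl` and a live site.

```sh
#!/bin/sh
# Added example, not from the post. Lists which recommended security headers
# are missing from an HTTP response. The sample response below is constructed.
# The first three headers are the post's; Strict-Transport-Security is added here.
REQUIRED_HEADERS="x-content-type-options x-frame-options referrer-policy strict-transport-security"

SAMPLE_RESPONSE='HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
server: Apache'

# Read response headers on stdin; print each required header that is absent.
# Header names are case-insensitive, so the input is lowercased first.
missing_headers() {
    hdrs=$(tr 'A-Z' 'a-z')
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || echo "$h"
    done
}

# Fetch the live headers for a URL and run the check; returns 1 if any are missing.
check_site() {
    missing=$(curl -sI "$1" | missing_headers)
    if [ -n "$missing" ]; then
        echo "missing on $1:"
        echo "$missing"
        return 1
    fi
    echo "all required headers present on $1"
}

# Usage: printf '%s\n' "$SAMPLE_RESPONSE" | missing_headers
#        check_site https://your-site.example
```

Run it against the sample and it reports `x-content-type-options` and `strict-transport-security`, which is the usual picture on a site that has a certificate but has never touched its headers.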
8. Cloudflare — Free and Extremely Useful
I’m honestly surprised how many WordPress site owners aren’t using Cloudflare. The free plan gives you a CDN, DDoS protection, and bot filtering. All sitting between the internet and your server, catching garbage traffic before your site has to deal with it.
They’ve got WordPress-specific rulesets too — blocks known attack patterns targeting login pages, plugin exploits, injection attempts. Free plan covers the essentials. Pro at $20/month unlocks the full managed rules, which I’d recommend for anything processing payments.
One thing to actually configure properly after setup: make sure your real server only accepts traffic from Cloudflare’s IP ranges. If you skip this step, someone can find your origin IP and go around Cloudflare entirely. Your hosting support can usually set this up with a quick firewall rule.
9. Backups — Real Ones, Not the Kind You’ve Never Tested
Here’s a thing that happens more than you’d think. Someone tells me “yeah I have backups” and when we actually need them, turns out the backups are stored on the same server that got hacked, or they’re three months old, or the backup file is corrupted and nobody ever checked. That’s not a backup. That’s a comfort blanket.
What you actually need:
- Your host should be running daily automated backups and storing them separately. Confirm this — don’t just assume it’s happening
- Run UpdraftPlus and point it at Google Drive or Dropbox or S3. Somewhere that is NOT the same server as your site. Free version does this fine
- Test a restore at least once. Seriously. Download a backup, spin up a local environment, restore it. If you’ve never done this, you have no idea whether your backups actually work
- Keep at least 30 days’ worth. I’ve seen malware that sits quiet for weeks before doing anything visible. If your oldest backup is from three days ago and the infection started a month ago, you’re stuck
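A cheap automated version of the "is this backup real" question, as an added example (not from the post and not part of UpdraftPlus or any host's tooling): `verify_backup` takes a gzip tarball of the site and rejects it if it is missing, empty, corrupt, lacks wp-config.php, or is older than a given number of days. The archive layout (a `.tar.gz` with wp-config.php somewhere inside) and the one-day default age are assumptions; it complements a real test restore rather than replacing it.

```sh
#!/bin/sh
# Added example, not from the post. Sanity-checks a WordPress backup archive:
# it must exist and be non-empty, be a readable gzip tarball, contain
# wp-config.php, and be no older than MAX_AGE_DAYS (an assumed default).
MAX_AGE_DAYS="${MAX_AGE_DAYS:-1}"

# verify_backup <archive.tar.gz> [max_age_days]
# Prints every problem found and returns non-zero if there is at least one.
verify_backup() {
    archive=$1
    max_age=${2:-$MAX_AGE_DAYS}
    status=0

    if [ ! -s "$archive" ]; then
        echo "missing or empty: $archive"
        return 1
    fi

    # Corruption check: tar must be able to list the whole archive.
    if ! listing=$(tar -tzf "$archive" 2>/dev/null); then
        echo "unreadable archive (corrupt or not a gzip tar): $archive"
        status=1
    elif ! printf '%s\n' "$listing" | grep -q 'wp-config\.php$'; then
        echo "no wp-config.php inside: $archive"
        status=1
    fi

    # Freshness check: find prints the path only when the file is older than max_age days.
    if [ -n "$(find "$archive" -mtime +"$max_age")" ]; then
        echo "older than $max_age day(s): $archive"
        status=1
    fi

    return $status
}

# Usage: verify_backup /backups/site-latest.tar.gz 1 && echo "backup looks usable"
```

Point a daily cron job at the newest off-site copy and alert on a non-zero exit. The 30-day retention point is a separate check on how many archives exist, which this function does not cover.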
10. Watch What’s Happening on Your Site
When you’ve got multiple people with access to a WordPress site — content writers, other developers, the client themselves — you need a record of who did what and when. Not because you’re paranoid. Because when something weird happens, “I don’t know who changed that” isn’t helpful.
WP Activity Log is the best option for this. Tracks logins, content edits, plugin changes, settings modifications, everything. Free version does plenty. Simple History is lighter if you just want basics without the extra weight.
And while you’re thinking about users — clean up the list. Old accounts for people who left a project two years ago? Delete them. Someone who just writes blog posts but has admin access for some reason? Drop them to Editor. If you’re still using “admin” as a username, make a new admin account and get rid of that one. Attackers try “admin” first. Always.
11. If You’re Not Using It, Get Rid of It
Deactivated plugins are still sitting on your server as files. A vulnerability in a deactivated plugin can still be exploited. Same goes for themes.
Go to your plugins list. Anything you’re not actively using — don’t just deactivate. Delete. Check your themes too. WordPress makes you keep at least one default theme as a fallback, but you don’t need four of them sitting there.
Fewer files on your server means fewer things that can go wrong. Simple as that.
Need Help Securing Your WordPress Site?
Protecting your site doesn’t have to be complicated. If you’re feeling stuck or unsure, contact me today — I’ll help you get it secured the right way.