WordPress Security Hardening: 15 Steps to Protect Your Website From Hackers

30/05/2026 • rhixowp

WordPress powers 43% of the internet, which makes it the number one target for hackers. In 2025, Wordfence blocked over 100 billion malicious requests targeting WordPress sites. The good news: 99% of successful WordPress hacks exploit known vulnerabilities that are entirely preventable with basic security hygiene.

This guide provides 15 actionable security hardening steps, ordered from most impactful to least. Implementing even the first 5 will protect you from the vast majority of attacks.

The Threat Landscape

| Attack Type | % of Attacks | Prevention |
| --- | --- | --- |
| Vulnerable plugins | 55% | Keep plugins updated |
| Brute force (password guessing) | 16% | Strong passwords + 2FA |
| Vulnerable themes | 11% | Keep themes updated |
| WordPress core vulnerabilities | 8% | Enable auto-updates |
| Hosting/server vulnerabilities | 6% | Choose reputable hosting |

The 15 Security Steps

Step 1: Keep Everything Updated (Prevents 74% of attacks)

This is the single most effective security measure. Enable automatic updates for WordPress core, and update plugins and themes within 48 hours of new releases. Most hacks exploit vulnerabilities that were patched weeks or months earlier — the site owner simply never applied the update.

Step 2: Use Strong, Unique Passwords

Every admin account must use a password that is at least 16 characters, contains uppercase, lowercase, numbers, and symbols, and is not used anywhere else. Use a password manager (Bitwarden is free). Never use “admin” as a username.

Step 3: Enable Two-Factor Authentication (2FA)

Even if a hacker obtains your password, 2FA stops them. Install the “WP 2FA” or “Two Factor” plugin and require all admin users to authenticate with a code from their phone. This single step makes brute force attacks ineffective: a guessed password alone no longer grants access.

Step 4: Limit Login Attempts

By default, WordPress allows unlimited login attempts. Hackers use automated tools to try thousands of password combinations per minute. Install “Limit Login Attempts Reloaded” (free) to block IP addresses after 3-5 failed attempts.

Step 5: Install a Security Plugin

A security plugin provides firewall protection, malware scanning, and real-time threat blocking. Recommended: Wordfence (free tier is excellent) or Sucuri Security. These block malicious requests before they reach your WordPress installation.

Step 6: Use SSL/HTTPS Everywhere

Ensure your entire site loads over HTTPS, not just the login page. In WordPress Settings, set both WordPress Address and Site Address to https://. Add a redirect rule to force all HTTP traffic to HTTPS.

Step 7: Disable XML-RPC

XML-RPC is a legacy WordPress interface (xmlrpc.php) that allows remote connections. It is exploited in DDoS amplification attacks and brute force attempts. Unless you specifically use it (for example, Jetpack or the WordPress mobile app), disable it by adding a rule to .htaccess or using a security plugin.

Step 8: Hide WordPress Version

WordPress broadcasts its version number in the page source code. Hackers use this to identify sites running outdated versions with known vulnerabilities. Remove the generator meta tag by adding a small filter to your theme’s functions.php.

Step 9: Change the Login URL

Every hacker knows the WordPress login is at /wp-admin or /wp-login.php. Use the “WPS Hide Login” plugin to change it to something custom (e.g., /my-secret-login). This stops automated bots that target the default paths from even finding your login page.

Step 10: Disable File Editing in Dashboard

WordPress allows editing theme and plugin files directly from the admin dashboard. If a hacker gains admin access, they can inject malicious code through this editor. Disable it by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.

Steps 11-15: Advanced Hardening

11. Set correct file permissions — Directories: 755, Files: 644, wp-config.php: 400

12. Disable directory browsing — Add “Options -Indexes” to .htaccess

13. Add security headers — X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security

14. Regular security audits — Monthly scan with Wordfence, review user accounts quarterly

15. Choose secure hosting — Server-level WAF, DDoS protection, isolated accounts, automatic malware scanning
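A consolidated .htaccess fragment covering Steps 6, 7, 12 and 13 above, added here as an example (it is not from the original post or any plugin). It assumes Apache 2.4 with mod_rewrite and mod_headers loaded and AllowOverride permitting these directives, and it belongs outside the # BEGIN WordPress / # END WordPress block, which WordPress rewrites on its own.

```apache
# Step 6: redirect every HTTP request to HTTPS (301 = permanent).
# Assumption: TLS terminates at Apache. Behind a proxy or CDN that
# terminates TLS, %{HTTPS} stays "off"; test %{HTTP:X-Forwarded-Proto} instead.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Step 7: refuse all requests to xmlrpc.php (Apache 2.4 syntax).
# Remove or narrow this block if Jetpack or the mobile app is in use.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Step 12: no auto-generated directory listings.
# Needs AllowOverride Options; without it Apache answers 500 for the site.
Options -Indexes

# Step 13: security headers. "always" applies them to error responses too.
# env=HTTPS sends HSTS only over TLS, and only once the whole site
# (including every subdomain, because of includeSubDomains) works over HTTPS.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
```

After deploying, confirm with curl -I that the plain-HTTP URL answers 301 to its HTTPS form, that the HTTPS response carries all three headers, and that a request to /xmlrpc.php returns 403.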

Downloadable Checklist

WordPress Security Hardening Checklist

☐ Update WordPress core, all plugins, and themes
☐ Set strong unique passwords (16+ characters) for all users
☐ Enable two-factor authentication on all admin accounts
☐ Install Limit Login Attempts plugin
☐ Install Wordfence or Sucuri security plugin
☐ Force HTTPS on entire site
☐ Disable XML-RPC
☐ Remove WordPress version from source code
☐ Change login URL from /wp-admin
☐ Disable file editing in dashboard
☐ Set correct file permissions (755/644)
☐ Disable directory browsing
☐ Add security headers
☐ Schedule monthly security scan
☐ Verify hosting includes WAF and DDoS protection

Published by the Rhixo team. All Rhixo hosting plans include server-level DDoS protection, WAF, and daily malware scanning as standard.