Being the most popular CMS on the internet comes with a downside: WordPress is also the most attacked CMS on the internet. Automated bots probe WordPress installations millions of times per day, testing for known plugin vulnerabilities, weak passwords, and misconfigured security settings. The vast majority of these attacks are unsophisticated and easy to block, but they succeed with alarming frequency because so many WordPress sites run with default security settings that might as well be an open invitation.

The good news is that hardening a WordPress site against the most common attacks is straightforward and does not require advanced technical knowledge. The measures I am about to describe block roughly ninety-five percent of automated attacks, which means your site goes from being easy prey to being more trouble than it is worth for opportunistic bots.

Authentication Hardening

Change the default admin username. Every automated attack starts by trying admin as the username. Use a unique username that is not publicly visible on the site, and consider hiding the author archive URLs that expose usernames by default.

Implement two-factor authentication for all administrator and editor accounts. Even if credentials are compromised through a phishing attack or a password breach on another service, the attacker cannot log in without the second factor. This single measure eliminates account compromise as an attack vector almost entirely.

Limit login attempts to prevent brute force attacks. After five failed attempts from the same IP address, block further attempts for a reasonable period. This turns a brute force attack that might try thousands of password combinations per minute into one that can try five before being locked out.

Plugin and Theme Hygiene

Delete inactive themes and plugins. Do not just deactivate them, delete them entirely. Deactivated code still exists on your server and can still contain exploitable vulnerabilities. If you are not using it, it should not be on your site.

Update everything promptly. When a security patch is released for WordPress core, a plugin, or a theme, apply it as soon as possible. The window between vulnerability disclosure and active exploitation has shrunk to hours in some cases. Automated updates for minor WordPress releases and security patches reduce this risk significantly.

Server-Level Protection

Use a web application firewall that filters requests before they reach WordPress. Cloudflare’s free tier provides substantial protection, and their paid plans add WordPress-specific rules that block known attack patterns. Sucuri offers similar protection with a focus on malware prevention and cleanup.

Disable file editing through the WordPress dashboard by adding a single line to your configuration file. If an attacker gains admin access, this prevents them from injecting malicious code directly through the theme or plugin editors.

Making Security Sustainable

Security hardening is not a one-time setup. It is an ongoing practice that a dedicated maintenance team handles systematically. Regular security scans, update management, access log reviews, and backup verification ensure that your WordPress site stays protected as new threats emerge and your site evolves over time. For more on maintaining secure WordPress sites, explore our blog.