
12 May 2026 · Website Security

WordPress Security: How to Harden Your Site in 30 Minutes

WordPress runs 43% of the web. Here is how to stop yours from becoming a statistic.

WordPress powers over 43% of all websites on the internet. That dominance makes it the single biggest target for automated attacks. Bots scan millions of WordPress sites every day, looking for outdated plugins, weak passwords, default admin usernames, and misconfigured servers. The vast majority of WordPress hacks are not sophisticated: they exploit known problems that have easy fixes. The NCSC also provides specific guidance for securing WordPress sites.

The good news is that most WordPress hardening takes about 30 minutes. Here is a practical walkthrough of every step that matters.

Harden the admin login

The WordPress login page at /wp-login.php is the most attacked URL on any WordPress site. Start here.

Change the default admin username. During installation, WordPress asks for an admin username. Many people leave it as "admin". Automated bots try "admin" as the username with thousands of common passwords. If your username is "admin", create a new administrator account with a different name, log in as that user, and delete the old one.

Use a strong password. A strong password means at least 16 characters, mixing uppercase, lowercase, numbers, and symbols. Use a password manager to generate and store it. Do not reuse passwords from other services.

Limit login attempts. By default, WordPress allows unlimited login attempts. Install a plugin like Limit Login Attempts Reloaded or Wordfence to block IP addresses after a few failed attempts. This stops brute-force attacks dead.

Keep everything updated

Outdated plugins and themes are the number one way WordPress sites get compromised. Vulnerabilities in popular plugins like Elementor, WooCommerce, and Contact Form 7 are discovered regularly and patched quickly, but only sites running the latest version are protected. The OWASP project tracks the common vulnerability patterns involved.

Enable automatic updates for minor core releases. For plugins, enable auto-updates for everything you actively use. Delete any plugin or theme you are not using. Deactivated plugins still have their files on your server and can still be exploited if they contain vulnerabilities.

Set correct file permissions

File permissions control who can read, write, and execute files on your server. Incorrect permissions are a common way attackers gain access.

The correct settings for most WordPress installations are:

  • Directories: 755 (owner can read, write, and execute; others can read and execute)
  • Files: 644 (owner can read and write; others can read only)
  • wp-config.php: 400 or 440 (read-only for the owner, or for the owner and group with 440; this file contains your database credentials)

You can set these via SSH or through your hosting control panel's file manager. If you are unsure, ask your hosting provider. This takes two minutes.
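If you do have SSH access, the audit and fix below do the same job from the command line. This is an added example, not code from the original post; it assumes GNU or BSD find and that the web server user already owns the files under the WordPress root, and the demo tree it builds is constructed.

```shell
#!/bin/sh
# Audit and fix WordPress file permissions (added example, not from the original post).
# Assumes: GNU/BSD find; files under the WordPress root are already owned by the right user.

# List every path whose mode differs from the recommended value
# (755 directories, 644 files, 400 or 440 for wp-config.php).
audit_wp_perms() {
    root=$1
    find "$root" -type d ! -perm 0755 | sed 's|^|DIR  not 755: |'
    find "$root" -type f ! -name wp-config.php ! -perm 0644 | sed 's|^|FILE not 644: |'
    find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 0400 ! -perm 0440 \
        | sed 's|^|CONF not 400/440: |'
}

# Apply the recommended modes. Uses 400 for wp-config.php; change it to 440 if PHP
# runs as a different user than the file owner and needs group read access.
apply_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 400 "$root/wp-config.php"
    fi
}

# Build a small constructed WordPress-like tree with three deliberately wrong modes.
make_demo_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    chmod 755 "$root" "$root/wp-content"
    printf '<?php // constructed sample, not a real config\n' > "$root/wp-config.php"
    printf '<?php // constructed sample\n' > "$root/wp-content/index.php"
    chmod 777 "$root/wp-content/uploads"     # world-writable directory
    chmod 666 "$root/wp-content/index.php"   # world-writable file
    chmod 644 "$root/wp-config.php"          # database credentials readable by everyone
    echo "$root"
}

site=$(make_demo_site)
echo "Problems before: $(audit_wp_perms "$site" | wc -l)"
audit_wp_perms "$site"
apply_wp_perms "$site"
echo "Problems after:  $(audit_wp_perms "$site" | wc -l)"
rm -rf "$site"
```

On a real site run `audit_wp_perms /path/to/wordpress` first and review the list before applying anything, since some hosts intentionally use different modes for upload directories.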

Disable XML-RPC and file editing

XML-RPC is an older WordPress feature that allows remote procedure calls. It is rarely needed today but is frequently used by attackers to brute-force logins and launch DDoS attacks. Disable it unless you specifically need it for a remote publishing tool.

Add this to your theme's functions.php or a site-specific plugin:

add_filter('xmlrpc_enabled', '__return_false');

WordPress also has a built-in file editor in the admin dashboard that lets anyone with administrator access edit theme and plugin files directly. If an attacker gets admin access, they can use this to inject malicious code into your site. Disable it by adding this line to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Add security headers

Security headers are HTTP response headers that tell browsers to enforce security policies. The OWASP Secure Headers Project provides a comprehensive reference. WordPress does not set most of these by default. You can add them through your .htaccess file (Apache) or nginx.conf (Nginx).

The headers that matter most for WordPress sites:

  • X-Frame-Options set to SAMEORIGIN prevents your site from being embedded in iframes on other domains, stopping clickjacking attacks.
  • X-Content-Type-Options set to nosniff stops browsers from guessing file types, which prevents uploaded files from being executed as scripts.
  • Strict-Transport-Security forces browsers to always use HTTPS, preventing downgrade attacks.
  • Content-Security-Policy controls which sources your site can load content from, providing strong protection against cross-site scripting. See our full guide to HTTP security headers for details.
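A quick way to verify which of these four headers a response actually carries, as an added example that is not from the original post: the function reads an HTTP header block on stdin, reports each header (flagging weak values), and prints the number missing. The sample response is constructed; for a live check, pipe the output of `curl -sI https://your-site/` into it.

```shell
#!/bin/sh
# Check an HTTP response header block for the four recommended security headers.
# Added example, not from the original post. Live use: curl -sI https://your-site/ | check_security_headers

# Reads headers on stdin, prints one report line per header to stderr,
# and prints the number of missing headers to stdout.
check_security_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    missing=0
    for name in x-frame-options x-content-type-options \
                strict-transport-security content-security-policy; do
        value=$(printf '%s\n' "$hdrs" | sed -n "s/^$name:[[:space:]]*//p" | head -n 1)
        if [ -z "$value" ]; then
            echo "MISSING $name" >&2
            missing=$((missing + 1))
            continue
        fi
        # A header that is present but weakly configured is worth flagging too.
        case "$name=$value" in
            x-frame-options=sameorigin | x-frame-options=deny) status=ok ;;
            x-content-type-options=nosniff) status=ok ;;
            strict-transport-security=*max-age=*) status=ok ;;
            content-security-policy=*) status=ok ;;
            *) status=WEAK ;;
        esac
        echo "$status $name: $value" >&2
    done
    echo "$missing"
}

# Constructed sample response: two of the four headers are missing.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/'

missing=$(printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers)
echo "Missing headers: $missing"
```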

Enforce SSL everywhere

Your WordPress site must load over HTTPS. This means having a valid SSL certificate and forcing all HTTP traffic to redirect to HTTPS. Most hosting providers now offer free Let's Encrypt certificates.

In WordPress, go to Settings and make sure both the WordPress Address and Site Address URLs start with https://. Then enforce the redirect at the server level so no page ever loads over plain HTTP.

Set up a proper backup strategy

Backups are your safety net. If your site gets compromised, a clean backup lets you restore everything in minutes rather than spending days cleaning up.

A proper backup strategy means:

  • Automated daily backups of both files and database.
  • Off-site storage so backups are not on the same server as your website.
  • Tested restoration at least once. A backup you have never restored from is a backup you cannot trust.

UpdraftPlus is a reliable free option that handles scheduled backups to cloud storage. Your hosting provider may also offer built-in backups, but verify they cover both files and database.

Run a security scanner

Once you have hardened your WordPress site, run an external security scan to verify everything is configured correctly. An external scanner checks what attackers actually see when they probe your site, including SSL configuration, security headers, exposed files, open ports, and cookie settings.

Internal WordPress scanners only see what happens inside WordPress. An external scan catches server-level misconfigurations that internal tools miss. PulseShield's free scan checks all of these and generates a detailed report with specific remediation steps.

Checklist summary

Here is the full list in order. Most steps take under five minutes:

  • Change the default "admin" username
  • Set a strong password (16+ characters, use a password manager)
  • Install a login attempt limiter
  • Update WordPress core, all plugins, and all themes
  • Delete unused plugins and themes
  • Set file permissions (directories 755, files 644, wp-config 440)
  • Disable XML-RPC
  • Disable the file editor in wp-config.php
  • Add security headers (X-Frame-Options, X-Content-Type-Options, HSTS, CSP)
  • Enforce HTTPS across the entire site
  • Set up automated daily backups stored off-site
  • Run an external security scan to verify your setup

None of these steps require developer skills. Most can be done through the WordPress admin panel, your hosting control panel, or by adding a few lines to configuration files. If your hosting provider offers server-level support, ask them to handle the file permissions and security headers for you.

For a comprehensive check of your WordPress site's external security posture, run a free PulseShield scan. It covers SSL, headers, cookies, exposed files, open ports, and email authentication in a single report.
