WordPress Security Hardening: 12 Practical Tips for 2026
Practical WordPress security hardening tips that do not require a security expert. Protect your WordPress site from common attacks with these actionable steps.
WordPress powers over 40% of all websites, making it the most targeted CMS by attackers. Most WordPress compromises are not sophisticated hacks—they exploit common misconfigurations that are easy to fix.
1. Keep Everything Updated
WordPress core, themes, and plugins must be kept updated. Most updates include security patches for known vulnerabilities. Enable auto-updates for minor core releases and plugins where possible.
2. Use Strong Admin Credentials
Never use "admin" as your username. Use a strong, unique password for every WordPress account. Enable two-factor authentication (2FA) using a plugin like Wordfence or a service like Cloudflare Zero Trust.
3. Limit Login Attempts
Brute force attacks try thousands of password combinations. A limit-login-attempts plugin blocks IPs after repeated failures. Also rename or protect your wp-login.php page from automated attacks.
4. Disable XML-RPC If Not Needed
XML-RPC is a legacy API that enables brute force amplification and DDoS attacks. If you do not use the WordPress mobile app or remote publishing, disable XML-RPC entirely.
5. Hide WP Version and Generator Tags
WordPress outputs version information in meta tags, RSS feeds, and HTTP headers. Attackers use this to target version-specific vulnerabilities. Remove generator tags and suppress version headers.
6. Secure wp-config.php
Move wp-config.php one directory above your web root, or block direct access via .htaccess. This file contains your database credentials—if exposed, your entire site is compromised.
7. Set Correct File Permissions
Directories should be 755 and files should be 644. Never use 777 permissions. wp-config.php should be 600 or 640.
8. Disable File Editing in Admin
Add `define('DISALLOW_FILE_EDIT', true);` to wp-config.php. This prevents attackers who gain admin access from editing theme and plugin files through the WordPress dashboard.
9. Install a Security Plugin
Wordfence, Sucuri, or iThemes Security provide firewall protection, malware scanning, and brute force prevention. The free versions cover the most important protections.
10. Regular Backups
Automated daily backups stored off-site (not on your web server) are your last line of defense. UpdraftPlus, BackWPup, or your hosting provider's backup solution are good options.
11. Use HTTPS
Free SSL certificates from Let's Encrypt work with WordPress. Force HTTPS for all pages. Update your WordPress Address and Site Address URLs to use https://.
12. Monitor Public Exposure
Use our free WordPress Security Check to see what attackers can discover about your WordPress site from the outside.