The Problem: WordPress Sites Get Hacked — and It’s Usually Preventable
We manage hundreds of WordPress sites. When a customer calls in a panic because their site has been defaced or blacklisted by Google, the cause is almost always the same: basic security measures were skipped. Outdated plugins. Weak passwords. No backups. No HTTPS.
The frustrating part? Most WordPress security failures are preventable. A systematic approach to hardening eliminates 90% of the attack surface. This guide covers the 15 steps we use when securing WordPress sites for our managed hosting customers.
What WordPress Hardening Actually Means
Hardening is not a single plugin or setting. It’s a defense-in-depth strategy that addresses:
- Access control: Who can log in, how they authenticate, what they can do
- File integrity: Preventing unauthorized changes to core files and content
- Network security: HTTPS, firewalls, intrusion detection
- Monitoring and response: Detecting attacks and recovering quickly
- Backup and recovery: Ensuring you can restore after any incident
Each layer protects against different threats. Skip one, and you leave an open door.
The 15-Point WordPress Hardening Checklist
1. Update Everything — Core, Themes, and Plugins
Outdated software is the #1 cause of WordPress compromises, and most of the holes are in plugins and themes rather than in core. Enable automatic updates for:
- WordPress core (minor and security releases auto-apply by default; leave that on)
- All active plugins (WordPress has a per-plugin auto-update toggle on the Plugins screen)
- All active themes
Delete plugins and themes you don't use. An inactive plugin is still PHP on disk that can be requested directly, so it remains attack surface until it is removed.
Verification: Dashboard → Updates should show “You have the latest version of WordPress.” with no pending plugin or theme updates.
2. Use Strong, Unique Admin Passwords
Brute force and credential-stuffing attacks try common and previously leaked passwords. Use a password manager to generate 20+ character random passwords for every Administrator and Editor account, and for the database, SFTP and hosting-panel logins that sit behind the site.
Verification: Check passwords in the password manager's own audit (never paste a live password into a third-party web checker); each should be rated very strong, be unique, and not appear in a known breach list.
3. Limit Login Attempts
WordPress allows unlimited login attempts by default. Install a plugin like Wordfence or Limit Login Attempts Reloaded to lock out a source after 3-5 failed attempts. Two caveats: behind a CDN or reverse proxy the plugin must read the real client address from the forwarded header, or it will lock out the proxy for every visitor; and the same limit has to cover xmlrpc.php (step 7), or attackers simply move their guessing there.
Verification: Enter a wrong password 5 times; your IP should be locked out, and the lockout should appear in the plugin's log.
4. Enable Two-Factor Authentication
Even strong passwords can be phished or leaked from another site. 2FA adds a second factor that a stolen password alone can't satisfy. Authenticator-app (TOTP) codes stop credential stuffing but can still be relayed by a real-time phishing proxy; hardware security keys (WebAuthn) resist that too, so prefer them for the accounts that matter most. Enforce 2FA for every Administrator, not just your own account.
Verification: Log out, log back in; you should be prompted for a second factor. Repeat for each Administrator account.
5. Change the Default Admin Username
“admin” is the first username attackers try. Usernames are not secret in WordPress (author archive URLs and the REST API users endpoint expose them), so renaming removes the easy guess but is no substitute for steps 2-4. Create a new Administrator with a different username, log in as that user, then delete the old account and reassign its content to the new one.
Verification: SELECT ID, user_login FROM wp_users WHERE user_login = 'admin'; should return no rows (substitute your table prefix if it is not wp_). Checking only ID = 1 misses an “admin” account created later.
6. Disable File Editing in the Dashboard
WordPress lets administrators edit theme and plugin PHP files from the dashboard. If an attacker gets an admin session, that editor is the quickest way to drop a backdoor. Disable it in wp-config.php, above the “That's all, stop editing!” line:
define('DISALLOW_FILE_EDIT', true);
The related DISALLOW_FILE_MODS constant goes further and also blocks plugin and theme installs and automatic updates from the dashboard; only use it if you update by deployment or WP-CLI, otherwise it undoes step 1.
Verification: Appearance → Theme File Editor should disappear from the menu, and loading wp-admin/theme-editor.php directly should be refused with a permissions error.
7. Disable XML-RPC
XML-RPC is a legacy API used for pingbacks and remote publishing, and it is a favourite brute-force channel: its system.multicall method lets one HTTP request test many username/password pairs, which sidesteps per-request login limits, and pingback.ping can be abused to make your server send requests to other sites. Most sites don't need it (Jetpack and the mobile app are the usual exceptions). Block xmlrpc.php at the web server, with the same <Files> deny block as step 9, or with a security plugin. Note that WordPress's own xmlrpc_enabled filter only disables the methods that require authentication; the endpoint still answers, so the check below would not show a 403.
Verification: curl -d "<methodCall><methodName>system.listMethods</methodName></methodCall>" https://yoursite.com/xmlrpc.php should return 403 or 404. An enabled endpoint returns an XML list of method names instead.
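Detecting the guessing that steps 3 and 7 defend against, as an added example that is not part of the original checklist: a shell function that reads web server access-log lines in the common combined format and counts login guesses per source IP against wp-login.php and xmlrpc.php. The log lines are constructed for the demo (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real traffic), and the function name and the threshold are this example's own. It assumes a POSIX shell with awk and sort.

```shell
#!/bin/sh
# Added example, not the page's own tooling: spot password-guessing bursts in
# a combined-format access log. Assumes POSIX sh, awk and sort.

# Constructed sample log (documentation IP ranges, not real traffic):
#  - 203.0.113.7 fails six times, then gets a 302 (a guess that worked)
#  - 198.51.100.23 fails once, then logs in (a normal typo)
#  - 192.0.2.9 hammers xmlrpc.php, which answers 200 either way
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:15:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:02:15:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:02:16:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:02:16:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:02:16:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:02:16:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
EOF
)

# wp_login_bursts THRESHOLD: read log lines on stdin, print "count ip" for
# every source with at least THRESHOLD login guesses, most active first.
# A source that received a 302 from wp-login.php after reaching the threshold
# is tagged login-after-burst: one of its guesses probably worked.
wp_login_bursts() {
    awk -v t="$1" '
        # Combined log fields: $1 client IP, $6 quoted method, $7 path, $9 status.
        # A failed wp-login.php POST re-renders the form (200); a successful
        # one redirects (302). xmlrpc.php returns 200 for good and bad
        # credentials alike, so every POST to it counts as a guess.
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 { n[$1]++ }
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 302 && n[$1] >= t { hit[$1] = 1 }
        $6 == "\"POST" && index($7, "/xmlrpc.php") == 1 { n[$1]++ }
        END {
            for (ip in n) if (n[ip] >= t) {
                tag = (ip in hit) ? " login-after-burst" : ""
                print n[ip], ip tag
            }
        }' | sort -rn
}

# Demo: three or more guesses is already suspicious on a site with a few users.
printf '%s\n' "$SAMPLE_LOG" | wp_login_bursts 3
```

Behind a CDN or reverse proxy the first field is the proxy's address; log and key on the forwarded client header instead, or the lockout from step 3 will ban the proxy for everyone. Feeding this output to fail2ban, or to the alerting in step 14, turns it from a report into a response.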
8. Hide the WordPress Version
Attackers scan for specific versions with known vulnerabilities. Remove the generator meta tag by adding this to your theme's functions.php or to a must-use plugin:
remove_action('wp_head', 'wp_generator');
This hides only the <meta> tag. The version is still visible in the RSS feed's generator element and in the ?ver= query string on core scripts and styles, and scanners fingerprint file hashes regardless, so treat this as noise reduction; step 1 is what actually closes version-specific holes.
Verification: View page source; you should not see <meta name="generator" content="WordPress ...">.
9. Secure wp-config.php
This file contains database credentials and the authentication salts. WordPress looks for it one directory above the document root automatically, so move it there if your host allows. Whether or not you move it, block direct requests to it at the web server. For Apache, in .htaccess or the vhost config:
<Files wp-config.php>
    # Apache 2.4
    Require all denied
    # Apache 2.2 only (needs mod_access_compat on 2.4)
    # Order allow,deny
    # Deny from all
</Files>
On nginx, .htaccess is ignored; use a location block for wp-config.php that returns 403.
Verification: curl -s -o /dev/null -w '%{http_code}\n' https://yoursite.com/wp-config.php should print 403 or 404. Without the block, a working PHP setup returns 200 with an empty body because the file executes and prints nothing; the block is there for the day PHP is misconfigured and the file would be served as text.
10. Set Proper File Permissions
Permissions left by a careless install or migration are often too permissive (world-writable 777 directories are common). Set:
- Directories: 755
- Files: 644
- wp-config.php: 600 or 400
Mode 600 or 400 on wp-config.php only works when PHP runs as the file's owner (for example a per-site PHP-FPM pool). If the web server runs as a different user it can no longer read the file and the site goes down, so test on staging first. Also decide who owns the code: dashboard updates (step 1) need the web server user to write to core, plugins and themes, whereas deploying with WP-CLI or a pipeline lets you keep everything except wp-content/uploads read-only to the web server, which is the stronger setup.
Verification: stat -c "%a %n" wp-config.php should show 600 or 400, and find . -perm 777 should print nothing.
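The checks from steps 6, 9 and 10 as one script, added here as an example rather than the page's own tooling: it applies the recommended modes, then audits a WordPress directory for an uncommented DISALLOW_FILE_EDIT, the .htaccess deny block and the file modes. It builds a small constructed site tree under a temporary directory so it runs without a real install; the function names are this example's own. It assumes Linux coreutils (GNU find, stat and grep), an Apache-style .htaccess, and that PHP runs as the owner of wp-config.php, which is what makes mode 600 workable.

```shell
#!/bin/sh
# Added example, not the page's own tooling: apply and verify the file-system
# hardening from steps 6, 9 and 10. Assumes Linux coreutils, an Apache-style
# .htaccess, and that PHP runs as the owner of wp-config.php.

# Step 10: directories 755, files 644, wp-config.php 600.
wp_set_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Step 10 check: exact modes, as the checklist specifies. Returns 1 on any finding.
wp_audit_permissions() {
    root="$1"; bad=0
    dirs=$(find "$root" -type d ! -perm 755)
    if [ -n "$dirs" ]; then printf 'FAIL directories not 755:\n%s\n' "$dirs"; bad=1; fi
    files=$(find "$root" -type f ! -name wp-config.php ! -perm 644)
    if [ -n "$files" ]; then printf 'FAIL files not 644:\n%s\n' "$files"; bad=1; fi
    mode=$(stat -c %a "$root/wp-config.php")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL wp-config.php is mode $mode, expected 600 or 400"; bad=1 ;;
    esac
    return "$bad"
}

# Step 6 check: an uncommented define('DISALLOW_FILE_EDIT', true) in wp-config.php.
# Comment lines are dropped first so a commented-out define does not pass.
wp_audit_file_edit() {
    if grep -Ev '^[[:space:]]*(//|#)' "$1/wp-config.php" \
       | grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"; then
        echo "OK DISALLOW_FILE_EDIT is set"; return 0
    fi
    echo "FAIL DISALLOW_FILE_EDIT is not set in wp-config.php"; return 1
}

# Step 9 check: a <Files wp-config.php> block in .htaccess that denies access
# with either the Apache 2.4 or the Apache 2.2 directive.
wp_audit_htaccess() {
    if [ ! -f "$1/.htaccess" ]; then echo "FAIL no .htaccess"; return 1; fi
    if awk '
        tolower($0) ~ /<files[ \t]+"?wp-config\.php"?>/ { inblock = 1 }
        inblock && tolower($0) ~ /(require[ \t]+all[ \t]+denied|deny[ \t]+from[ \t]+all)/ { found = 1 }
        tolower($0) ~ /<\/files>/ { inblock = 0 }
        END { exit found ? 0 : 1 }' "$1/.htaccess"; then
        echo "OK .htaccess denies wp-config.php"; return 0
    fi
    echo "FAIL .htaccess does not deny wp-config.php"; return 1
}

# Constructed sample tree for the demo; not a real install.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads"
    printf "<?php\ndefine('DB_NAME', 'wp');\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$site/wp-config.php"
    printf '<?php echo "constructed";\n' > "$site/index.php"
    printf '<Files wp-config.php>\n    Require all denied\n</Files>\n' > "$site/.htaccess"
    echo "$site"
}

# Demo: a sloppy upload fails the audit, hardening fixes it.
site=$(make_sample_site)
chmod 666 "$site/index.php"
if wp_audit_permissions "$site"; then echo "unexpected: clean before hardening"; fi
wp_set_permissions "$site"
if wp_audit_permissions "$site" && wp_audit_file_edit "$site" && wp_audit_htaccess "$site"; then
    echo "all checks passed"
fi
rm -rf "$site"
```

Run the audit functions against the real document root from cron or your deployment pipeline and fail the deploy on any FAIL line. Paths containing spaces are printed correctly by the audit but would need quoting if you extend it to fix them automatically.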
11. Enable HTTPS Everywhere
HTTPS protects login credentials and session cookies in transit; without it, the password from step 2 and the session that follows 2FA can be captured on the wire. Install a certificate (Let's Encrypt or your host's free SSL), set WP_HOME and WP_SITEURL to the https:// address, redirect every HTTP request to HTTPS at the web server, and define FORCE_SSL_ADMIN so the admin area is never served over plain HTTP. A plugin like Really Simple SSL automates the URL changes and fixes mixed content (HTTP resources on HTTPS pages), which browsers block or flag.
Verification: All pages should load with the padlock icon and no mixed-content warnings, and curl -I http://yoursite.com/ should return a 301 to the https:// address.
12. Install a Web Application Firewall (WAF)
A WAF filters malicious requests before they reach WordPress. Options include:
- Wordfence (plugin-level WAF that runs inside PHP; good for most sites)
- Sucuri CloudProxy (cloud WAF; better for high-traffic sites)
- CWH Managed WAF (enterprise-grade, SOC 2 compliant)
A plugin-level WAF only sees a request once PHP is already handling it, so it can't absorb floods or cover bugs in the web server itself. A cloud or edge WAF stops traffic earlier, but only if the origin accepts connections solely from the WAF's address ranges; otherwise attackers bypass it by connecting to the origin directly.
Verification: The WAF log should show blocked requests. To test it actively, send a harmless probe such as a request with a <script> tag in a query parameter and confirm the WAF blocks it instead of passing it to WordPress.
13. Set Up Automated Backups
Backups are your last line of defense, and a backup you have never restored is only a hope. Configure:
- Daily database backups (retained 30 days)
- Weekly full-site backups (retained 90 days)
- Off-site storage (a different server or a cloud bucket) that the web server's own credentials cannot delete, so an attacker who owns the site cannot wipe the backups too
Back up the database and wp-content/uploads from the same point in time so a restore is consistent.
Verification: Download and restore a backup to a test site; it should work, and the restored site should accept logins and display uploaded media.
14. Enable Security Monitoring and Alerts
You need to know when something goes wrong. Monitor for:
- Failed login attempts (from the security plugin's log or the web server access log)
- File changes (new, modified, deleted), especially PHP files outside wp-content/uploads and anything new inside it
- Suspicious IP addresses (lockouts, scanner traffic, requests from unexpected regions)
- Malware signatures
Send alerts somewhere other than the site itself (email or a chat channel), since a compromised site can suppress its own notifications.
Verification: On a staging copy, change a single comment line in a core file such as wp-includes/version.php; you should receive an alert naming that file. Then restore the original.
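A minimal version of the file-change monitoring in step 14, added here as an example and not the page's own tooling: it records a SHA-256 baseline of every code file under the install and later reports what was added, modified or deleted. The demo tree is constructed in a temporary directory; the function names are this example's own. It assumes Linux coreutils (sha256sum, find, awk).

```shell
#!/bin/sh
# Added example, not the page's own tooling: a minimal file-integrity check for
# the "file changes" item in step 14. Assumes Linux coreutils (sha256sum, find,
# awk). Take the baseline right after a clean install or update, keep it
# outside the web root, and run the check from cron.

# wp_hash_tree ROOT: one "sha256  ./relative/path" line per regular file.
# uploads and cache are skipped because they change during normal use; core,
# plugin and theme code should only change when you update it.
wp_hash_tree() {
    ( cd "$1" && find . -type f \
        ! -path './wp-content/uploads/*' ! -path './wp-content/cache/*' \
        -exec sha256sum {} + | sort -k 2 )
}

# wp_check_integrity ROOT BASELINE: print ADDED / MODIFIED / DELETED lines for
# every difference between the saved baseline and the tree as it is now.
# Returns 0 when nothing changed, 1 otherwise. Paths with spaces are not handled.
wp_check_integrity() {
    current=$(mktemp)
    wp_hash_tree "$1" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
        !($2 in base)       { print "ADDED    " $2 }
        ($2 in base) && base[$2] != $1 { print "MODIFIED " $2 }
        { seen[$2] = 1 }
        END { for (p in base) if (!(p in seen)) print "DELETED  " p }
    ' "$2" "$current")
    rm -f "$current"
    if [ -n "$report" ]; then printf '%s\n' "$report"; return 1; fi
    echo "OK no changes since baseline"
    return 0
}

# Demo on a constructed tree: take a baseline, then simulate a line appended to
# a core file and a new file dropped into wp-content. An upload is also added
# to show that the uploads directory is ignored.
site=$(mktemp -d); baseline=$(mktemp)
mkdir -p "$site/wp-includes" "$site/wp-content/uploads"
printf '<?php // constructed core file\n' > "$site/wp-includes/version.php"
printf '<?php // constructed index\n' > "$site/index.php"
wp_hash_tree "$site" > "$baseline"
printf '// appended after baseline\n' >> "$site/wp-includes/version.php"
printf 'x' > "$site/wp-content/new-file.php"
printf 'image bytes' > "$site/wp-content/uploads/photo.jpg"
if wp_check_integrity "$site" "$baseline"; then echo "unexpected: no changes"; fi
rm -rf "$site" "$baseline"
```

Refresh the baseline as part of every update so legitimate changes do not page you, and store it where the web server user cannot write, otherwise an attacker who gains write access simply rebaselines their own backdoor.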
15. Schedule Regular Security Audits
Security is not set-and-forget. Quarterly audits catch:
- Forgotten test accounts
- Outdated plugins that slipped through
- New vulnerabilities disclosed since last check
Verification: Document audit date, findings, and remediation actions.
WordPress Security by Hosting Type
Hosting environment affects security options. Here’s what you can and can’t do on each:
| Hosting Type | Access Level | Security Features Available |
|---|---|---|
| Shared Hosting | Plugin level only | Updates, passwords, 2FA, security plugins |
| Managed WordPress | Plugin + server config | Shared features + WAF, automatic backups, malware scanning |
| Cloud VPS | Full root access | Everything + firewall rules, fail2ban, custom configurations |
| Dedicated Server | Full root + hardware access | Everything + hardware firewall, dedicated scanning |
When Your Site Handles Sensitive Data
For e-commerce, membership sites, healthcare, or legal sites, basic hardening isn’t enough. You need compliance-ready security:
| Site Type | Risk Level | Recommended Hardening |
|---|---|---|
| Simple blog or brochure site | Low | Checklist steps 1-13 |
| E-commerce (WooCommerce) | High | Full checklist + PCI compliance + dedicated scanning |
| Membership site with PII | High | Full checklist + WAF + intrusion detection + access logging |
| Healthcare, legal, finance | Critical | Full checklist + Managed Security + dedicated server + audit trail |
If your site collects personal information from Canadian residents, you also need to consider PIPEDA, PHIPA, and Quebec Law 25 compliance. Canadian Web Hosting offers Managed Security packages designed for regulated industries.
Why Canadian Hosting Matters for WordPress Security
Where your WordPress site is hosted affects both security and compliance:
- Canadian data centres (Vancouver, Toronto) for data sovereignty compliance — see our Canadian Hosting Compliance Checklist
- SOC 2 Type II certification — audited security controls, not just claims
- 24/7 expert support — real humans who know WordPress security
- Free SSL certificates on all hosting plans — HTTPS everywhere by default
- Automatic backups with 30-day retention — included on managed plans
Getting Started: Your First 30 Minutes
If you haven’t hardened your WordPress site before, start here:
- Update everything: Dashboard → Updates → Update All
- Install a security plugin: Wordfence Security is a good free option. Enable the firewall and malware scanner.
- Change admin passwords: Generate new 20+ character passwords for all admin accounts.
- Enable 2FA: Add two-factor authentication to all admin accounts.
- Set up backups: Configure daily database backups and weekly full backups.
These five steps take about 30 minutes and eliminate 80% of common attack vectors.
When You Need Help
If your WordPress site has already been compromised, or if you need help implementing these hardening steps, contact our support team. We offer:
- Malware removal — clean infected sites
- Security audits — identify vulnerabilities before attackers do
- Managed WordPress hosting — we handle updates, backups, and security monitoring
Don’t wait for a breach. Start hardening today.