WordPress Security Best Practices for 2026
Security

WordPress Security Best Practices for 2026

9 min read·15 January 2026

Why WordPress Security Deserves Your Attention

WordPress powers 42.8% of all websites (W3Techs, February 2026) on the internet. That kind of market share makes it the single biggest target for automated attacks, brute-force bots, and opportunistic hackers scanning for low-hanging fruit. I've seen sites compromised within hours of a vulnerability being publicly disclosed — not because WordPress itself is insecure, but because site owners didn't follow basic hardening steps.

The good news: most WordPress attacks are preventable. They exploit known vulnerabilities in outdated software, weak credentials, or misconfigured servers. Following a structured set of security best practices eliminates the vast majority of risk.

Here's what I recommend to every client, based on years of maintaining WordPress sites professionally.

Start With TLS and HTTPS Everywhere

If your site isn't running HTTPS in 2026, you're already behind. TLS certificates (Transport Layer Security — the modern encryption protocol that enables HTTPS) encrypt the data flowing between your server and your visitors' browsers, protecting login credentials, form submissions, and session cookies from interception.

Most quality hosts include free TLS certificates via Let's Encrypt. Once installed:

  • Force HTTPS redirects: Configure redirects at the server level (not just via a plugin)
  • Update site URLs: Change your WordPress Address and Site Address in Settings to use https://
  • Eliminate mixed content: Check for images or scripts still loading over HTTP

Google has used HTTPS as a ranking signal for years. Beyond SEO, browsers now actively warn users about non-HTTPS sites, which destroys trust instantly.

Key Takeaway: HTTPS isn't optional in 2026 — browsers warn users about non-HTTPS sites, Google uses it as a ranking signal, and unencrypted connections expose login credentials to interception. Get a free Let's Encrypt certificate and force HTTPS redirects at the server level.

Enforce Strong Passwords and Two-Factor Authentication

Brute-force attacks against WordPress login pages are relentless. Automated bots cycle through common username/password combinations thousands of times per day. Weak credentials are the number one reason sites get compromised.

Password Policy

Every user account on your WordPress site should use a password that is:

  • Length: At least 16 characters long
  • Complexity: A mix of uppercase, lowercase, numbers, and symbols
  • Uniqueness: Never reused from another service
  • Generation: Created by a password manager, not a human

Two-Factor Authentication

2FA adds a second verification step after the password. Even if an attacker obtains your password through a data breach on another service, they can't get in without the second factor. Use a time-based one-time password (TOTP -- a temporary code that refreshes every 30 seconds) app like Authy or Google Authenticator — avoid SMS-based 2FA, which is vulnerable to SIM swapping.

Sites with two-factor authentication enabled experience dramatically fewer successful brute-force compromises than those without it.

Key Takeaway: Strong passwords stop most attacks, but two-factor authentication is what actually prevents account compromise when passwords leak. Every admin account needs 2FA enabled — no exceptions.

Harden Your wp-config.php

The wp-config.php file is the most sensitive file in your WordPress installation. It contains your database credentials, authentication keys, and core configuration. Hardening it properly is one of the highest-impact security steps you can take.

// Move wp-config.php one directory above your web root
// (Your host must support this)
 
// Disable file editing from the WordPress admin
define('DISALLOW_FILE_EDIT', true);
 
// Force SSL for admin pages
define('FORCE_SSL_ADMIN', true);
 
// Limit post revisions to reduce database bloat
define('WP_POST_REVISIONS', 5);
 
// Set custom authentication keys and salts
// Generate fresh ones at: https://api.wordpress.org/secret-key/1.1/salt/
define('AUTH_KEY',         'your-unique-phrase-here');
define('SECURE_AUTH_KEY',  'your-unique-phrase-here');
define('LOGGED_IN_KEY',    'your-unique-phrase-here');
define('NONCE_KEY',        'your-unique-phrase-here');
 
// Disable WordPress debug mode in production
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);

File Permissions

Set correct file permissions to prevent unauthorized modifications:

  • Directories: 755 (owner can read/write/execute, others read/execute only)
  • Files: 644 (owner can read/write, others read only)
  • wp-config.php: 440 or 400 (owner read only, no write access)

Change the Default Login URL

WordPress login lives at /wp-login.php and /wp-admin by default — and every bot on the internet knows this. Changing your login URL won't stop a determined attacker, but it eliminates the vast majority of automated brute-force traffic hitting your server.

Use a plugin like WPS Hide Login to move your login URL to something custom, like /my-secure-login. This single change can reduce failed login attempts by 90% or more, which also reduces server load from bot traffic.

Combine With Login Limiting

Even with a custom login URL, implement login attempt limiting:

  • Lockout threshold: Lock out IP addresses after 5 failed attempts
  • Lockout duration: Set a minimum of 30 minutes
  • Progressive delays: Each failed attempt increases the wait time
  • IP whitelisting: Protect your own IP address to avoid lockouts

Use a Web Application Firewall

A Web Application Firewall (WAF -- a security layer that filters HTTP traffic before it reaches your site) sits between your visitors and your WordPress site, filtering out malicious requests before they reach your server. Think of it as a bouncer checking IDs at the door.

Plugin-Level WAF

Security plugins like Wordfence and Sucuri include built-in firewalls that run within WordPress. They're effective at blocking known attack patterns, malicious IPs, and suspicious request signatures. The trade-off is that they consume server resources since they run inside PHP.

DNS-Level WAF

Services like Cloudflare operate at the DNS level, filtering traffic before it ever reaches your server. This is more efficient and can also absorb DDoS attacks. The free tier includes basic WAF rules; the Pro tier adds managed rulesets specifically for WordPress.

For most sites, I recommend a DNS-level WAF (Cloudflare) combined with a lightweight security plugin for WordPress-specific monitoring.

Key Takeaway: DNS-level firewalls filter attacks before they reach your server, which is more efficient than plugin-based WAFs that consume server resources. For the sites I manage, Cloudflare's free tier handles the vast majority of threats without performance overhead.

Change the Default Database Prefix

WordPress uses wp_ as the default database table prefix. Every SQL injection tutorial on the internet assumes this prefix. Changing it to something unique — like b7r_ or xk9_ — adds a layer of obscurity that makes automated SQL injection attacks less likely to succeed.

For new installations, set the prefix during setup. For existing sites, you can change it manually by:

  1. Updating $table_prefix in wp-config.php
  2. Renaming all tables in your database
  3. Updating the usermeta and options tables that reference the old prefix

This is a one-time change that permanently reduces your attack surface against automated SQL injection tools.

Key Takeaway: Changing your database prefix from the default wp_ to something unique takes 10 minutes during setup or 30 minutes on an existing site, and it permanently blocks automated SQL injection attacks that assume the default prefix.

Implement Security Headers

HTTP security headers instruct browsers on how to handle your site's content, preventing entire categories of attacks. Add these to your server configuration or via a plugin:

Essential Headers

  • Content-Security-Policy (CSP): Controls which resources can load on your pages, preventing XSS (cross-site scripting) attacks
  • X-Content-Type-Options: Prevents MIME type sniffing (nosniff)
  • X-Frame-Options: Prevents your site from being embedded in iframes (SAMEORIGIN), blocking clickjacking
  • Strict-Transport-Security (HSTS): Forces HTTPS connections for a specified duration
  • Referrer-Policy: Controls how much referrer information is sent with requests
  • Permissions-Policy: Restricts which browser features your site can use (camera, microphone, geolocation)

Check your headers at securityheaders.com — aim for an A or A+ rating.

Run Regular Security Audits

Security isn't a one-time setup. It's an ongoing process. Schedule regular audits to catch issues before attackers do.

Monthly Audit Checklist

  • User accounts: Review all user accounts and remove any that are no longer needed
  • Software updates: Check that all plugins and themes are updated to the latest versions
  • Cleanup: Verify that unused plugins and themes are deleted (not just deactivated)
  • Malware scan: Scan for malware using your security plugin
  • Access logs: Review your access logs for suspicious activity patterns
  • Backup test: Test your backup and restore process
  • SSL certificate: Verify your SSL certificate is valid and not expiring soon
  • File permissions: Check file permissions haven't been modified

Quarterly Deep Audit

  • Security headers: Review your security headers and CSP policy
  • WAF testing: Test your WAF rules against current attack patterns
  • Hosting audit: Audit your hosting provider's security posture
  • Credential rotation: Review and rotate all passwords and API keys
  • Vulnerability scan: Check for known vulnerabilities in your specific plugin/theme stack

Key Takeaway: Security audits aren't about finding problems after they happen — they're about catching issues before attackers do. I've caught compromised user accounts, outdated plugins with known exploits, and misconfigured permissions weeks before they would have become incidents.

Keep Everything Updated

This one is so important it deserves its own article — and I wrote one: Why WordPress Updates Matter More Than You Think. The short version: outdated software is the primary attack vector for WordPress compromises. Core updates, plugin updates, and theme updates all include security patches for known vulnerabilities.

Enable automatic updates for minor WordPress releases and security patches. For major updates and plugin updates, use a staging environment to test compatibility before pushing to production.

What To Do If You've Been Hacked

Despite best efforts, breaches happen. If you suspect your site has been compromised:

  1. Don't panic — but act quickly
  2. Take the site offline to prevent further damage
  3. Restore from a clean backup — this is the fastest and most reliable fix
  4. Change all passwords — WordPress admin, database, FTP, hosting panel
  5. Scan and clean the restored site before going live
  6. Audit how the breach occurred and patch the vulnerability
  7. Submit a reconsideration request to Google if your site was flagged

Having a solid backup strategy is what separates a minor inconvenience from a catastrophic loss.

Wrapping Up

WordPress security isn't about any single tool or trick. It's about layering defenses so that no single failure point can compromise your entire site. SSL, strong authentication, wp-config hardening, firewalls, security headers, regular updates, and ongoing audits — each layer reduces your risk surface.

If managing all of this sounds overwhelming, that's exactly why managed WordPress maintenance exists. I handle security hardening, updates, monitoring, and incident response for every site I maintain, so you can focus on running your business instead of fighting bots.

Need help with WordPress?

Let us handle the updates, security, and performance so you can focus on your business.

Related Articles

Security

WooCommerce Bot Attacks: The 3-Step Defense That Actually Works

68% of European websites lack bot protection. Most WooCommerce stores have the tools to stop attacks—WooCommerce Store API protection, CAPTCHA plugins, and rate limiting. Learn the exact configuration I use.

20 min readSecurity

WordPress Plugin Vulnerabilities: What 333 Weekly Exploits Mean for Your Sites

WordPress plugin vulnerabilities jumped to 333 per week in January 2026. Here's what agencies managing client sites need to know about monitoring, triage, and response.

20 min readSecurity

WordPress Multisite Security: Hardening Shared User Environments

Multisite security for agencies: database isolation, super admin controls, and multi-tenant hardening to reduce client blast radius and protect margins.

19 min read

Ready to get started?

Let's Talk About Your WordPress Maintenance Needs

Get In Touch

Townsville

WordPress Maintenance

© Ben Ryan