How to Secure WordPress and Stop Getting Hacked

Security · 3 min read · Updated Jun 2026

WordPress runs a huge share of the web, which makes it a constant target for automated attacks. The good news: almost every successful WordPress hack exploits the same short list of weaknesses, and you can close them in an afternoon. Here is what actually matters, in order.

1. Keep everything updated

Outdated plugins are the number one way WordPress sites get hacked. Update core, your theme and every plugin promptly, and turn on automatic updates for at least minor core releases. A plugin you have not updated in a year is a liability.

2. Lock down logins

The login page is attacked constantly by bots guessing passwords.

  • Use a strong, unique admin password and never the username admin.
  • Add two-factor authentication with a plugin.
  • Limit login attempts so bots are locked out after a few tries.
  • Consider moving the login URL off the default /wp-admin.
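As an added example (not part of the original guide), here is a small shell script that applies the same idea as a limit-login plugin to the web server's access log: it counts failed POSTs to wp-login.php per client address and lists the ones that keep failing, which is what you would hand to a firewall or check after a lockout. The log lines are constructed for the demo, and the function names are my own. It relies on one WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful one redirects with 302.

```shell
#!/bin/sh
# Added example (not from the original guide): spot password guessing against
# wp-login.php in a web server access log and list the offending client IPs.
#
# A failed WordPress login re-renders the form, so the POST to wp-login.php is
# answered with HTTP 200; a successful login redirects (302). Counting 200s on
# POST /wp-login.php per client therefore counts failed attempts.

# Constructed sample lines in combined log format; these are not real requests.
SAMPLE_LOG='203.0.113.10 - - [12/Jun/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3145 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3145 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3145 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3145 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3145 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2026:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3145 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2026:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2026:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Jun/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 15233 "-" "Mozilla/5.0"'

# sample_log_file: write the constructed sample to a temporary file and print its path.
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# failed_logins LOGFILE THRESHOLD
# Prints "count ip" (most attempts first) for every client whose failed
# POST /wp-login.php count is at least THRESHOLD.
failed_logins() {
    awk -v threshold="$2" '
        # In combined log format: $1 client IP, $6 "METHOD (with the opening
        # quote), $7 request path, $9 response status.
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "%d %s\n", fails[ip], ip
        }
    ' "$1" | sort -rn
}

# Stand-alone run: report any client with five or more failed attempts.
log=$(sample_log_file)
failed_logins "$log" 5
rm -f "$log"
```

Run it against the real log with `failed_logins /var/log/nginx/access.log 5` (path assumed; use whatever your server writes). If the site sits behind Cloudflare, the first field is Cloudflare's address rather than the visitor's unless the server is configured to log the forwarded client IP, so check that before acting on the list.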

3. Remove what you do not use

Every plugin and theme is code that can be exploited, even when deactivated. Delete plugins and themes you are not actively using. Fewer moving parts means fewer ways in.

4. Only install trusted plugins

Install from the official directory or reputable developers. Avoid nulled (pirated) premium plugins entirely: they are a classic way attackers smuggle in backdoors. Check that a plugin is actively maintained before relying on it.

5. Use HTTPS everywhere

Serve the whole site over HTTPS with a free certificate so logins and form data are encrypted in transit. See How to get a free SSL certificate.

6. Set correct file permissions

On most setups, directories should be 755 and files 644, and wp-config.php can be tightened to 640 or 600. Never leave files world-writable (777).
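As an added example (not part of the original guide), the script below audits a WordPress document root for world-writable paths and applies the modes listed above: 755 for directories, 644 for files, and a tighter mode for wp-config.php. The function names and the throwaway demo tree are my own; the only WordPress-specific name it assumes is wp-config.php.

```shell
#!/bin/sh
# Added example (not from the original guide): audit and repair file permissions
# under a WordPress document root. ROOT is whatever path the site lives in; the
# only WordPress-specific name assumed here is wp-config.php.

# CONFIG_MODE: 600 when PHP runs as the file owner; 640 when the web server user
# is in the owner's group and must read the file. The guide allows either.
CONFIG_MODE=${CONFIG_MODE:-600}

# world_writable ROOT: list every file or directory that any user can write to
# (the o+w bit is set, e.g. 777 or 666). Symlinks are skipped.
world_writable() {
    find "$1" -perm -002 ! -type l
}

# fix_permissions ROOT: directories 755, files 644, wp-config.php CONFIG_MODE.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod "$CONFIG_MODE" "$1/wp-config.php"
    fi
}

# mode_of PATH: print the octal mode (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone run on a throwaway tree built for the demo (constructed, not a real site).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php // constructed placeholder\n' > "$demo_root/wp-config.php"
printf 'jpeg' > "$demo_root/wp-content/uploads/a.jpg"
chmod 777 "$demo_root/wp-content/uploads" "$demo_root/wp-content/uploads/a.jpg"
echo "world-writable before fix:"; world_writable "$demo_root"
fix_permissions "$demo_root"
echo "world-writable after fix:";  world_writable "$demo_root"
echo "wp-config.php mode: $(mode_of "$demo_root/wp-config.php")"
rm -rf "$demo_root"
```

Run `world_writable /path/to/site` first to see what is loose, then `fix_permissions /path/to/site`. Point it only at the WordPress tree: the blanket 644 is right for PHP, CSS and images but would strip the execute bit from any shell scripts kept in the same directory.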

7. Add a security plugin or a firewall

A reputable security plugin bundles a web application firewall, malware scanning and login protection. At the network level, a service like Cloudflare blocks a lot of bad traffic before it reaches the site. See How to set up Cloudflare.

8. Back up, and test the restore

Security includes recovery. Keep automatic off-site backups and test a restore once, so a hack means rolling back, not rebuilding. See How to back up your server.
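As an added example (not part of the original guide), the script below does the two halves of this step for the site's files: it writes a checksummed archive, then proves the archive restores by extracting it into a scratch directory and comparing the result with the live tree. The same comparison is useful in the clean-up steps further down, because it lists exactly which files changed since the backup was taken. Function names and the demo tree are my own, and the script covers files only; a WordPress backup also needs a database dump, which this script does not run.

```shell
#!/bin/sh
# Added example (not from the original guide): archive a site's files with a
# checksum, then prove the archive restores by extracting it into a scratch
# directory and comparing it with the live tree. Covers files only; the
# WordPress database needs its own dump alongside (this script does not run one).

# sha256_cmd: sha256sum on GNU systems, shasum on BSD/macOS.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# backup_site ROOT DEST
# Writes DEST/site-<utc stamp>.tar.gz plus a .sha256 manifest and prints the archive path.
backup_site() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name="site-$stamp.tar.gz"
    tar -C "$(dirname "$1")" -czf "$2/$name" "$(basename "$1")"
    ( cd "$2" && sha256_cmd "$name" > "$name.sha256" )
    printf '%s/%s\n' "$2" "$name"
}

# verify_restore ARCHIVE ROOT
# Returns 0 when the archive's checksum matches and its contents, once extracted,
# are identical to ROOT. Any file that differs is listed, which after an incident
# shows what changed on disk since the backup was taken.
verify_restore() {
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && sha256_cmd -c "$name.sha256" >/dev/null ) || return 1
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$1"
    if diff -rq "$2" "$scratch/$(basename "$2")"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Stand-alone run against a throwaway site tree built for the demo (constructed).
work=$(mktemp -d)
mkdir -p "$work/wordpress/wp-content/uploads" "$work/backups"
printf '<?php // constructed placeholder\n' > "$work/wordpress/wp-config.php"
printf 'jpeg' > "$work/wordpress/wp-content/uploads/a.jpg"
archive=$(backup_site "$work/wordpress" "$work/backups")
verify_restore "$archive" "$work/wordpress" && echo "restore verified: $archive"
rm -rf "$work"
```

Schedule `backup_site` from cron and copy the archive plus its .sha256 file off the server; run `verify_restore` against the copy, not the local one, since the off-site copy is the one you will actually need.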

If you have already been hacked

  1. Take the site offline or into maintenance mode.
  2. Restore from a clean backup from before the compromise.
  3. Change every password: admin, database, hosting and FTP.
  4. Update everything, then scan again before going live.

FAQ

What is the most common way WordPress gets hacked?

Outdated plugins and themes, followed by weak admin passwords. Keeping everything updated and securing logins prevents most attacks.

Do I need a security plugin?

It helps a lot, since it bundles a firewall, scanning and login protection. Pair it with updates and strong passwords rather than relying on it alone.

Are nulled premium plugins safe if I scan them?

No. Treat nulled plugins as compromised by default. They are one of the most common sources of WordPress backdoors.

Want hardening handled for you? Talk to support. Security tuning is part of every managed plan.