WordPress security advice online tends to go one of two ways: either it is ignored entirely, or it spirals into a dozen plugins fighting each other. Here is the middle ground that covers the vast majority of real-world attacks.
The basics that stop most automated attacks
- Keep WordPress core, themes and plugins updated — most breaches exploit known, already-patched vulnerabilities.
- Use strong, unique passwords and enable two-factor authentication for every admin account.
- Move or hide the default login URL — the vast majority of brute-force bots only ever try /wp-login.php.
- Limit login attempts to slow down automated password guessing.
- Remove unused plugins and themes entirely rather than just deactivating them — inactive code can still be a target.
The less obvious layer: hardening
Beyond the checklist basics, disabling XML-RPC, blocking user enumeration through author archive URLs, and hiding version numbers from your page source all remove small pieces of information that automated scanners use to profile a site before attacking it.
Backups are part of your security strategy, not separate from it
No hardening is 100% guaranteed. The real safety net is a recent, tested, off-server backup — so that in the worst case, “restore from this morning” is a real option instead of a disaster.
