WordPress security advice online tends to go one of two ways: either it is ignored entirely, or it spirals into a dozen plugins fighting each other. Here is the middle ground that covers the vast majority of real-world attacks.

The basics that stop most automated attacks

  • Keep WordPress core, themes and plugins updated — most breaches exploit known, already-patched vulnerabilities.
  • Use strong, unique passwords and enable two-factor authentication for every admin account.
  • Move or hide the default login URL — the vast majority of brute-force bots only ever try /wp-login.php.
  • Limit login attempts to slow down automated password guessing.
  • Remove unused plugins and themes entirely rather than just deactivating them — inactive code can still be a target.

The less obvious layer: hardening

Beyond the checklist basics, disabling XML-RPC, blocking user enumeration through author archive URLs, and hiding version numbers from your page source all remove small pieces of information that automated scanners use to profile a site before attacking it.

Backups are part of your security strategy, not separate from it

No hardening is 100% guaranteed. The real safety net is a recent, tested, off-server backup — so that in the worst case, “restore from this morning” is a real option instead of a disaster.