WordPress Security Hardening: What Actually Matters in 2025
The most important WordPress security changes you can make take less than an hour and require no specialist knowledge — but most site owners either skip them entirely or waste time on tweaks that make no real difference. This guide cuts through the noise and gives you the hardening steps that actually stop the attacks hitting WordPress sites right now, in the order that matters most.
Why WordPress Sites Get Compromised
WordPress powers roughly 40% of the web, which makes it the single most profitable target for automated attack tools. The attackers running these tools are not manually picking on your site — they are running bots that scan millions of sites simultaneously, testing for known vulnerabilities, weak passwords, and exposed configuration details. The vast majority of successful compromises follow one of three paths:
- Outdated software. A plugin or theme with a known, publicly documented vulnerability.
- Weak or reused credentials. A password that can be guessed or that appeared in a previous data breach.
- Misconfiguration. Default settings that expose information attackers need to escalate access.
The good news is that fixing all three categories is entirely within reach for any site owner. Here is how to do it.
The Hardening Steps That Actually Move the Needle
1. Keep Everything Updated — Without Exception
Outdated plugins are the single most common entry point. When a vulnerability is disclosed, a patch is usually released within days — but the details of that vulnerability are also published publicly, meaning attackers immediately begin scanning for unpatched sites. Keeping WordPress core, every plugin, and every theme current is not optional maintenance; it is your primary line of defence.
Enable automatic background updates for minor WordPress core releases. For plugins and themes, set a weekly review cadence at minimum, or use a managed hosting environment or care plan that handles updates on your behalf. If you have inactive themes or plugins installed but not in use, delete them — they receive no attention and can still be exploited.
2. Use Strong, Unique Passwords on Every Account
Credential stuffing — using username/password pairs leaked from other sites — is extraordinarily common. If your WordPress admin password has ever been used anywhere else, rotate it now. Use your browser's built-in password manager or a dedicated tool like 1Password or Bitwarden to generate and store a unique password of at least 20 random characters.
This applies to every user account on the site, not just your own. A contributor account with a weak password is just as dangerous as an administrator account with one.
3. Enforce Two-Factor Authentication on Admin Accounts
Even a strong password can be phished or leaked. Two-factor authentication (2FA) means a stolen password alone is not enough to gain access. Enable 2FA for every account with Editor access or above. Plugins such as WP 2FA or the authenticator built into some managed hosts provide this. Use an authenticator app (Google Authenticator, Authy) rather than SMS where possible — SMS codes can be intercepted.
4. Limit Login Attempts
By default, WordPress allows unlimited login attempts. Brute-force bots take full advantage of this. A plugin that rate-limits failed login attempts and temporarily blocks the offending IP address stops these attacks cold. Limit Login Attempts Reloaded is a well-maintained option. Most good security plugins include this functionality as well.
5. Change the Default Login URL (With Caveats)
Moving your login page from /wp-admin to a custom URL reduces automated bot traffic hitting that endpoint. It is not a security control in the strict sense — a determined attacker can find it — but it does meaningfully reduce noise and failed-login load. Do not rely on this alone. Use it alongside rate limiting and 2FA, not instead of them. If you use a caching plugin, make sure the custom login URL is excluded from the cache.
6. Disable XML-RPC if You Do Not Need It
XML-RPC is a legacy remote-access feature that is heavily abused for brute-force attacks and as a relay for DDoS traffic. If you do not use a mobile app to post, do not use Jetpack's older features, and do not publish via a third-party client, you almost certainly do not need XML-RPC. You can disable it by adding a rule to your .htaccess file or via a security plugin. Check with your host before doing this — some managed hosts handle it at the server level already.
7. Protect wp-config.php and Sensitive Files
Your wp-config.php file contains your database credentials. Add the following block to your .htaccess file (on Apache servers) to block direct HTTP access to it:
# Apache 2.2 access-control syntax; on Apache 2.4 it only works while mod_access_compat is loaded
<Files "wp-config.php">
Order allow,deny
Deny from all
</Files>
Similarly, disable directory listing (so visitors cannot browse your file structure) by ensuring your .htaccess contains Options -Indexes. On Nginx, these protections are configured at the server block level — check with your host.
8. Add Security Headers
HTTP security headers instruct browsers on how to handle your content and significantly reduce the impact of cross-site scripting (XSS) and clickjacking attacks. The headers that matter most for most WordPress sites are:
- X-Frame-Options: SAMEORIGIN — prevents your site from being loaded in an iframe on another domain.
- X-Content-Type-Options: nosniff — stops browsers from guessing at MIME types.
- Referrer-Policy: strict-origin-when-cross-origin — limits referrer data sent to other sites.
- Permissions-Policy — restricts access to browser APIs like camera and microphone.
These can be added via .htaccess, a plugin, or your host's control panel. The securityheaders.com scanner will show you what is currently set and what is missing.
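Steps 6, 7 and 8 can all live in the same .htaccess file. The fragment below is an added example, not part of the original guide; it assumes Apache (2.2 or 2.4) with mod_headers loaded and a host whose AllowOverride setting permits FileInfo, Options and AuthConfig directives, and the Permissions-Policy value is one reasonable choice rather than a required setting.

```apache
# Added example, not from the original guide: one .htaccess fragment that
# implements step 6 (XML-RPC off), step 7 (wp-config.php and directory
# listing) and step 8 (security headers). Assumes Apache with mod_headers
# and an AllowOverride that permits FileInfo, Options and AuthConfig.
# Both the 2.4 (Require) and 2.2 (Order/Deny) access syntaxes are present,
# so the same file behaves the same on either version.

# Step 6: refuse XML-RPC. Delete this block if a mobile app, Jetpack's
# older features or a third-party publishing client still needs it.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Step 7: wp-config.php and any stray copy of it (wp-config.php.bak,
# wp-config.php~, wp-config.php.save) must never be served over HTTP.
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Step 7: no auto-generated directory listings for folders without index.php.
Options -Indexes

# Step 8: the four headers the guide lists. "always" applies them to error
# responses too, so a 404 page carries the same protection as a normal page.
# The Permissions-Policy feature list here is an assumed example; adjust it
# to the browser APIs your site genuinely uses.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>
```

After saving, confirm that requesting /wp-config.php and /xmlrpc.php returns 403 and that the securityheaders.com scan mentioned above now shows all four headers; a 500 error on every page means your host's AllowOverride does not permit one of these directives.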
9. Run a Web Application Firewall
A web application firewall (WAF) inspects incoming requests before they reach WordPress and blocks common attack patterns — SQL injection, XSS, malicious file uploads. Wordfence (free tier included) runs as a WordPress plugin. Cloudflare's free plan adds a WAF at the DNS level that intercepts traffic before it even hits your server. For most small sites, either option provides a meaningful layer of protection. Using both is not overkill.
10. Audit User Roles and Remove Stale Accounts
Review every user account in Users → All Users. Remove accounts for developers, contractors, or staff who no longer need access. Downgrade anyone whose role is higher than necessary — a content writer does not need Editor access; a guest blogger does not need Subscriber-plus. Every unnecessary account with elevated permissions is a liability.
What to Check With a One-Time Security Scan
After implementing the above, run a scan with a tool like Wordfence or Sucuri's free website scanner to check for known malware, exposed sensitive files, and outdated software you might have missed. These scans are not exhaustive, but they catch the most common problems quickly. If you find something unexpected — or if your site is showing symptoms like unexpected redirects, unfamiliar admin accounts, or strange content — read our full guide on what to do if your WordPress site has been hacked.
The Settings That Sound Important but Are Often Overhyped
You will find guides recommending you change the default database table prefix (wp_), hide the WordPress version number, or rename the wp-content directory. These changes are not harmful, but they provide minimal real-world security benefit against modern automated attacks, and some — like renaming wp-content — can break plugins and themes in hard-to-debug ways. Prioritise the ten steps above before spending time on these.
Keeping Your Site Hardened Over Time
Security is not a one-time configuration — it is an ongoing practice. The most effective things you can do to maintain good security posture over time are:
- Keep updates current on a reliable schedule.
- Take regular offsite backups so you always have a clean restore point.
- Review user accounts quarterly.
- Re-run a security scan every few months.
If that maintenance load is more than you want to manage, a Mend Care Plan covers managed updates, backups, security monitoring, and uptime alerting for $99/month — so nothing falls through the cracks.
When to Call a Professional
If you are implementing these steps on a live site and something goes wrong — a plugin conflict, a misconfigured .htaccess rule, a site that stops loading — that is a fixable problem, but it can feel urgent when your site is down. If you are not sure whether your site has already been compromised, or if a scan is flagging files you do not recognise, do not attempt a manual cleanup without a verified clean backup in hand.
In either case, request a free Mend diagnosis. A senior engineer will triage the situation, tell you exactly what needs doing, and quote a flat price before any work starts — no card required.
Getting these basics right puts you ahead of the overwhelming majority of WordPress sites on the web. Attackers go for easy targets; a site with updated software, strong credentials, 2FA, and a WAF in place is simply not worth their time when millions of unprotected sites are one scan away.
Frequently asked questions
Do I need a security plugin, or is hardening enough?
Hardening covers configuration — it reduces your attack surface. A security plugin adds active monitoring, scanning, and a firewall, which catches things hardening alone cannot. For most sites, using a reputable security plugin alongside the hardening steps above is the right approach.
Will these changes affect my site's performance?
Most hardening steps have no measurable performance impact. A plugin-based WAF adds a small amount of processing time per request, but on modern hosting this is negligible. If performance is a concern alongside security, the two goals are more compatible than they might seem.
How do I know if my WordPress site has already been hacked?
Common signs include unexpected redirects to other sites, unfamiliar admin accounts, content you did not publish, security warnings in Google Search Console, and your host suspending the account. If you see any of these, treat the site as compromised and investigate before making other changes.
Is it safe to use a free security plugin, or do I need a paid one?
The free tiers of well-established plugins like Wordfence and comparable tools provide genuine, meaningful protection for most small and medium sites. Paid tiers add real-time threat intelligence and premium support, which are worth considering for higher-traffic or business-critical sites — but free is far better than nothing.