WordPress Security Best Practices

WordPress sites get attacked constantly — but almost every hack we clean up traces back to the same handful of mistakes. Here are the practices we follow on every client site to keep things locked down, plus the exact plugins we trust to do the job.

The short version:

  • Scan everything with Wordfence — the gold standard security plugin.
  • Update weekly — outdated plugins are the #1 cause of WordPress hacks.
  • Keep plugins minimal — every plugin is more attack surface.
  • Stick to trusted plugins — Elementor for page building, Gravity Forms for forms.

The 10 Practices That Keep WordPress Sites Safe

These are the exact security practices we apply to every WordPress site we build or maintain. Implement all ten and you eliminate the vast majority of common attack vectors.

1. Install Wordfence (or a Reputable Security Plugin)

Wordfence is the gold standard for WordPress security. It bundles a firewall, malware scanner, login protection, and real-time threat intelligence in one plugin. The free version covers most small business needs.

How to do it:

  • Install Wordfence Security from the WordPress plugin directory
  • Run the initial scan to flag any existing malware, suspicious files, or weak passwords
  • Enable the Web Application Firewall (WAF) to block malicious traffic before it hits your site
  • Schedule daily automated scans and enable email alerts
  • Enable two-factor authentication (2FA) on every admin account through Wordfence Login Security

2. Keep WordPress, Themes, and Plugins Updated

The single biggest cause of WordPress hacks is outdated software. Every plugin, theme, and core update typically contains security patches — the longer you delay, the wider the window for attackers.

How to do it:

  • Update plugins at least once a week — always back up first
  • Update one plugin at a time so you can spot which one breaks something
  • Enable auto-updates for trusted critical plugins and WordPress minor releases
  • Test major updates on a staging copy of your site before pushing them live
  • Remove any plugin or theme that hasn't been updated by its developer in the last 12 months

3. Keep Plugins to a Minimum

Every plugin you install is code written by someone you've never met. The more plugins on your site, the larger your attack surface — and the higher the chance one of them is abandoned, buggy, or vulnerable.

How to do it:

  • Audit your plugins quarterly and remove anything you don't actively use
  • Combine functionality where possible — one well-maintained plugin is safer than three small ones
  • Deactivate AND delete unused plugins (deactivated plugins still sit on your server with their code intact)
  • Avoid stacking multiple plugins that do the same job (e.g. two SEO plugins, two caching plugins)
  • Aim for 15 – 20 active plugins on a healthy site; 30+ is a red flag

4. Only Install Well-Reviewed, Well-Maintained Plugins

WordPress plugins come from thousands of independent developers. Some are excellent and patched within hours of a vulnerability. Others are hobby projects that go silent the moment something breaks. Knowing the difference is critical.

How to do it:

  • Check the "Last updated" date — if it's older than 6 months, walk away
  • Look for at least 10,000 active installs (more isn't always better, but very low usually means unproven)
  • Read the most recent 1- and 2-star reviews — they tell you what's actually broken
  • Confirm the plugin lists support for the current major WordPress version
  • Prefer plugins from well-known companies (WPMU DEV, Yoast, Automattic, Awesome Motive, StellarWP) over solo developers

5. Enforce Strong Passwords + Two-Factor Authentication

Brute-force login attacks happen 24/7 on every WordPress site. A strong password plus 2FA makes those attacks effectively useless even if a username leaks.

How to do it:

  • Require admin users to set passwords of at least 16 characters using a password manager
  • Enable 2FA on every admin account (Wordfence Login Security or WP 2FA both work well)
  • Limit login attempts so attackers get locked out after 5 failed tries
  • Hide or rename the /wp-admin login URL with WPS Hide Login
  • Never reuse passwords between WordPress and other accounts
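Limiting login attempts is something Wordfence or WP 2FA does for you, but it helps to see what the rule actually looks like against real traffic. The following is an added example written for this page, not code from the article, Wordfence or WordPress: it reads web-server access-log lines and reports any source IP that reaches five failed logins inside fifteen minutes, which is the lockout rule described above. The log lines are constructed sample data, and the failed/successful distinction relies on a heuristic (a POST to /wp-login.php that returns 200 re-rendered the login form, while a successful login returns a 302 redirect), so confirm it against your own server's behaviour before relying on it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-format access-log lines (sample data, not from a real site).
# Heuristic used below: a POST to /wp-login.php answered with 200 re-rendered the login
# form (failed attempt); a successful login answers with a 302 redirect to /wp-admin/.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Mar/2024:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:08:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:09:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method.upper(), path.split("?")[0], int(status)


def find_lockouts(log_text, threshold=5, window=timedelta(minutes=15)):
    """Map each source IP that reached `threshold` failed logins inside `window`
    to the timestamp of the attempt that crossed the line."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    lockouts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, when, method, path, status = parsed
        if method != "POST" or path != "/wp-login.php":
            continue
        if status == 302:          # successful login: reset this IP's failure counter
            recent[ip].clear()
            continue
        if status != 200:          # anything else (e.g. 403 from the WAF) is not a form re-render
            continue
        attempts = recent[ip]
        attempts.append(when)
        while attempts and when - attempts[0] > window:   # drop attempts outside the window
            attempts.popleft()
        if len(attempts) >= threshold and ip not in lockouts:
            lockouts[ip] = when
    return lockouts


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"{ip} reached 5 failed logins at {when.isoformat()}: lock out and review")
```

On the sample data only 203.0.113.7 trips the rule; 192.0.2.9 also fails five times but spread over eighty minutes, so the sliding window never holds five at once, and 198.51.100.20 fails once and then logs in. That distinction, a burst versus a user mistyping a password, is what the window is for.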

6. Manage User Accounts Carefully

Most WordPress hacks come through compromised admin accounts, not zero-day exploits. The fewer admin accounts you have, the smaller your attack surface.

How to do it:

  • Delete admin accounts belonging to former employees, contractors, or developers
  • Never share login credentials — give every person their own account
  • Use the lowest user role that still lets someone do their job (Editor instead of Admin, for example)
  • Rename or remove the default "admin" username — it's the first thing every bot tries
  • Audit your user list quarterly and remove anyone who no longer needs access

7. Force HTTPS Everywhere

An SSL certificate (HTTPS) encrypts the connection between your visitors and your site. Without it, login credentials and form submissions can be intercepted on public Wi-Fi networks — and Google flags non-HTTPS sites as "Not Secure".

How to do it:

  • Get a free SSL certificate from your host (most include Let's Encrypt automatically)
  • Update your WordPress site URL and home URL to use https://
  • Install Really Simple SSL to catch and redirect any remaining http:// links
  • Update internal links, image URLs, and embedded resources to use https://
  • Verify your site loads with no mixed-content warnings in Chrome DevTools
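The last two steps above (rewrite internal references to https:// and confirm there are no mixed-content warnings) can be checked before you open DevTools. This is an added example written for this page, not code from the article or from Really Simple SSL: it scans a page's HTML for resource references that still load over http://, and rewrites the ones that point at your own host. The HTML below is a constructed sample in which example.com stands in for the site's own domain; third-party http:// resources are reported but deliberately not rewritten, because the other host has to actually serve https:// for the change to be safe.

```python
import re
from html.parser import HTMLParser

# Constructed page fragment (sample, not a real site); example.com plays the site's own host.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/site/style.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png" alt="logo">
<a href="http://partner.example.org/">Partner site</a>
<iframe src="http://thirdparty.example.net/embed"></iframe>
<form action="https://example.com/contact"><input type="submit" value="Send"></form>
</body></html>
"""

# Attributes that load a resource into the page. An http:// value there is mixed content
# on an https:// page; a plain <a href> to an http:// page is only a link and is not flagged.
RESOURCE_ATTRS = {"src", "srcset", "poster", "data", "action"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            loads_resource = name in RESOURCE_ATTRS or (tag == "link" and name == "href")
            if not loads_resource:
                continue
            v = value.strip().lower()
            if v.startswith("http://") or (name == "srcset" and "http://" in v):
                self.findings.append((tag, name, value.strip()))


def find_mixed_content(html):
    """List every (tag, attribute, url) that would trigger a mixed-content warning."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_same_host(html, host):
    """Rewrite http://host references to https://. Other hosts are left for manual review."""
    pattern = r"http://" + re.escape(host) + r"(?=[/:\"'\s]|$)"
    return re.sub(pattern, "https://" + host, html, flags=re.IGNORECASE)


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}=\"{url}\">")
    fixed = rewrite_same_host(SAMPLE_HTML, "example.com")
    print("remaining after rewrite:", find_mixed_content(fixed))
```

Run against a saved copy of a page (for example the output of `curl -sL https://example.com/`), the remaining findings after the rewrite are exactly the third-party embeds you need to fix by hand or replace.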

8. Take Daily Off-Site Backups

A backup is your last line of defense. If your site gets hacked, defaced, or wiped out, the only thing that gets you back online is a recent backup stored somewhere other than the compromised server.

How to do it:

  • Use a backup plugin like UpdraftPlus, BlogVault, or Solid Backups
  • Schedule daily automated backups of both files and database
  • Store backups off-site — Google Drive, Dropbox, S3, or a dedicated backup cloud
  • Keep at least 30 days of backup history so you can roll back further than yesterday
  • Restore a backup to a staging site once a year to confirm it actually works

9. Disable File Editing from the Dashboard

WordPress lets administrators edit theme and plugin files directly from the dashboard. If a hacker gets in, this is the first door they walk through to inject malicious code. Closing it costs nothing.

How to do it:

  • Open your wp-config.php file
  • Add this line above the "That's all, stop editing!" comment: define('DISALLOW_FILE_EDIT', true);
  • Save the file and confirm the Theme Editor and Plugin Editor are now hidden in the dashboard
  • For developer changes, use SFTP or your hosting file manager instead
  • This single line blocks one of the most common post-hack escalation paths
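The edit in steps 1 to 3 is a one-liner, but on a fleet of client sites it is worth scripting so it is applied the same way every time and so you can audit who still has the editor enabled. The following is an added example written for this page, not code from the article or from WordPress: it checks a wp-config.php for a boolean define and inserts `define('DISALLOW_FILE_EDIT', true);` above the "That's all, stop editing!" comment if it is missing, or flips an existing `false` to `true`. The wp-config.php text is a constructed stand-in with placeholder credentials; the regular expressions assume the define uses a bare `true`/`false` literal, which is how WordPress documents it.

```python
import re

# Constructed stand-in for a client wp-config.php (placeholder credentials; not a real file).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# The comment WordPress ships in wp-config.php; custom defines must sit above it so they
# are set before wp-settings.php is loaded.
STOP_MARKER_RE = re.compile(r"^[ \t]*/\*\s*That's all, stop editing!", re.MULTILINE)


def _define_re(name):
    """Match define('NAME', true|false); in the spacing styles WordPress itself uses."""
    return re.compile(
        r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*(true|false)\s*\)\s*;",
        re.IGNORECASE,
    )


def constant_value(config, name):
    """'true', 'false', or None when the constant is not defined with a boolean literal."""
    m = _define_re(name).search(config)
    return m.group(1).lower() if m else None


def ensure_bool_constant(config, name, value=True):
    """Return the config text with define('NAME', true|false); in place: an existing
    boolean define is rewritten, otherwise a new line is inserted above the marker."""
    literal = "true" if value else "false"
    line = f"define('{name}', {literal});"
    pat = _define_re(name)
    if pat.search(config):
        return pat.sub(line, config, count=1)
    marker = STOP_MARKER_RE.search(config)
    if marker is None:
        raise ValueError("stop-editing marker not found; add the define by hand above wp-settings.php")
    return config[: marker.start()] + line + "\n" + config[marker.start():]


def disallow_file_edit(config):
    """Step 9 from the article: turn off the dashboard theme and plugin editors."""
    return ensure_bool_constant(config, "DISALLOW_FILE_EDIT", True)


if __name__ == "__main__":
    print("before:", constant_value(SAMPLE_CONFIG, "DISALLOW_FILE_EDIT"))
    hardened = disallow_file_edit(SAMPLE_CONFIG)
    print("after: ", constant_value(hardened, "DISALLOW_FILE_EDIT"))
    print(hardened)
```

The function refuses to guess when the marker comment is absent (some hosts ship a customised wp-config.php), because a define placed after `require_once ABSPATH . 'wp-settings.php';` is silently too late to take effect. Back the file up before writing the result over it, as with any change to wp-config.php.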

10. Choose a Secure Host

Even the best WordPress hardening can't save you from a bad host. Cheap shared hosting often means shared vulnerabilities — if one site on the server gets hacked, yours can be next.

How to do it:

  • Use a managed WordPress host (Kinsta, WP Engine, SiteGround, Cloudways) or a quality VPS
  • Confirm your host runs daily server-level backups in addition to your WordPress backups
  • Make sure PHP and MySQL versions are current — PHP versions past end-of-life no longer receive security patches
  • Look for a host that offers free SSL, automatic core updates, and malware scanning
  • Avoid the cheapest shared hosting plans — security and isolation matter more than $5/month savings

The Plugins We Trust on Every Client Site

When you keep plugins to a minimum, the ones you do install have to earn their place. After years of building WordPress sites, this is the shortlist we reach for every time.

Security

Wordfence

Best for: Firewall, malware scanning, login protection

The most trusted WordPress security plugin. Free version covers small business needs, premium adds real-time firewall rules and country blocking. Active install base of 4M+ means problems get spotted and patched fast.

Page Builder

Elementor

Best for: Building and editing custom pages without code

The page builder we recommend for almost every WordPress client. Massive active user base means it's well-maintained, well-documented, and constantly patched. Lets clients update their own pages safely without touching theme files.

Forms

Gravity Forms

Best for: Contact forms, quotes, surveys, conditional logic

The gold standard for WordPress forms. Premium-only, but worth every dollar — secure, fast, with bulletproof spam protection, conditional logic, and integrations for every major email/CRM service. We use it on every client site that needs forms.

SEO

Yoast SEO or Rank Math

Best for: Title tags, meta descriptions, sitemaps, schema

Both are excellent — Yoast is the long-standing standard, Rank Math is a newer competitor with more features in the free tier. Stick with one and use it consistently. Never run both at the same time.

Backups

UpdraftPlus or BlogVault

Best for: Automated off-site backups and restore

UpdraftPlus is free and gets the job done. BlogVault is paid but adds incremental backups (lighter on your server), one-click staging, and faster restores. Either is far better than no backup plan.

Caching

WP Rocket or your host's built-in cache

Best for: Page caching, lazy loading, file optimization

WP Rocket is the easiest premium caching plugin to configure — flip it on and it works. If your host (Kinsta, WP Engine, SiteGround) has a built-in cache, use that instead and skip the third-party plugin.

How to Vet a Plugin Before You Install It

WordPress has 60,000+ plugins in the official directory and thousands more sold privately. Most are fine. Some are abandoned. A few are actively malicious. Run every new plugin through this checklist before you install it.

If a plugin fails on more than one of these checks, find an alternative. There's almost always a better-maintained option that does the same thing.

Plugin Vetting Checklist:

  • Updated within the last 6 months
  • At least 10,000 active installs
  • 4-star or higher average rating with detailed reviews
  • Compatible with the current major WordPress version
  • Active support — developer responds to forum questions
  • Reasonable number of negative reviews (some is normal — silence is suspicious)
  • Lists a real company or named developer, not anonymous
  • Doesn't duplicate functionality you already have

The 6 Mistakes That Get WordPress Sites Hacked

When we get a call about a hacked WordPress site, almost every time the root cause is one of these six things. Avoid them and you're ahead of 95% of WordPress site owners.

Running too many plugins

Every plugin is more code that can break, more attack surface for hackers, and more weight slowing your site. If you haven't used a plugin in 6 months, delete it.

Installing plugins from random websites

Only install from the official WordPress.org directory or from established premium developers. "Free" copies of premium plugins from sketchy sites are nearly always laced with malware.

Using "admin" as the username

Bots try the username "admin" first on every WordPress site they target. Combine that with a weak password and you're an easy hack. Always use a unique admin username.

Ignoring update notifications

That little number on your dashboard isn't a suggestion. Every update you skip is a known vulnerability you're leaving open for as long as you wait.

No backups (or backups only on the same server)

If your site gets hacked, on-server backups are usually compromised too. Always store backups off-site so you have a clean copy to restore from.

Giving everyone Administrator access

Editors, authors, and contractors don't need full admin privileges. Use the lowest role that lets each person do their job — it dramatically reduces what an attacker can do if any single account gets compromised.

Frequently Asked Questions

The questions we hear most often from WordPress site owners about security.

Wordfence is the most widely-used and trusted WordPress security plugin. It bundles a firewall, malware scanner, login protection, and 2FA in one plugin. The free version covers most small business needs; the premium adds real-time firewall rules and country blocking. Alternatives like Sucuri, iThemes Security (now Solid Security), and All-In-One WP Security are also reputable.

There's no hard number, but most healthy business sites run 15 – 20 active plugins. Above 30, you should start auditing. The risk isn't the count itself — it's that each plugin is code from a different developer, and the more you stack, the higher the odds one is abandoned, buggy, or vulnerable.

Plugin updates almost always include security patches. When a developer discovers a vulnerability, they release a patch — but until you install the update, your site is wide open. Outdated plugins are the #1 cause of WordPress hacks, by a large margin. Update at least weekly, with a backup taken first.

Check four things on the plugin's WordPress.org page: the last updated date (within 6 months), active installs (10,000+ is a good floor), the average rating (4 stars or higher), and whether the developer is responding to support questions in the forum. Skip anything that looks abandoned, no matter how good the description sounds.

Elementor is our top recommendation. It has a massive active user base, which means it's well-maintained, well-documented, and constantly patched. It also lets clients safely update their own pages without touching theme files. Other solid options: Bricks Builder for performance-focused builds, and Beaver Builder for clean code.

Contact Form 7 is free but its spam protection is weak by default and the user experience is dated. WPForms is fine but limited unless you pay for the premium tier. Gravity Forms is premium-only but in our experience it's the most reliable: bulletproof spam protection, conditional logic, payment integration, and integrations with every major CRM and email service. For business sites, it's worth the cost.

WordPress core is secure — Automattic and the WordPress security team patch vulnerabilities quickly. The risk almost always comes from outdated plugins, weak passwords, or bad hosting. A well-maintained WordPress site with a security plugin, 2FA, daily backups, and current plugins is as secure as any platform.

Common signs: unexpected redirects, strange content or admin users you didn't create, sudden ranking drops on Google, browser warnings about your site, security plugin alerts, or a sudden flood of traffic from countries where you don't do business. If you suspect a hack, scan with Wordfence immediately and restore from a clean backup if anything is found.

For a small business site, the free version of Wordfence is genuinely enough — firewall, scanning, 2FA, and login protection are all included. Premium adds real-time firewall rule updates (instead of waiting 30 days for them to filter into the free version) and country blocking, which matters more for ecommerce or high-traffic sites.

Three steps: 1) Run a backup so you have a recovery point. 2) Install Wordfence and run a full scan to identify any compromised files or weak settings. 3) Update every out-of-date plugin, theme, and WordPress core. If the scan finds anything serious or the site is already showing signs of compromise, get a professional involved before the damage spreads. We do emergency cleanups for clients regularly.

Want us to lock down your WordPress site?

We harden, monitor, and maintain WordPress sites for businesses across Ontario. Whether you need a one-off security audit or an ongoing plan, we'll make sure your site stays out of trouble.