WordPress powers 43% of the web. That makes it the single largest target for automated attacks. Bots don’t care if your site is a Fortune 500 company or a 10-person law firm — they probe every WordPress installation they find, looking for the same vulnerabilities.
The good news: most WordPress breaches are preventable. Not with magic plugins, but with consistent, specific actions. Here’s what actually works.
Why WordPress Gets Hacked (It’s Not What You Think)
The biggest misconception is that hackers target your site. Most don’t. Automated scripts scan millions of sites simultaneously, looking for known vulnerabilities in outdated plugins, weak passwords, and exposed login URLs.
The three most common entry points, in order:
- Outdated plugins — 56% of WordPress hacks exploit vulnerabilities in plugins that had patches available
- Weak or reused passwords — brute-force attacks on wp-admin still account for roughly 20% of breaches
- Nulled themes and plugins — pirated software with backdoors baked in, sometimes from day one
None of these require a sophisticated attacker. They require a site owner who delayed an update or bought a $15 “pro” plugin from a gray-market marketplace.
Keep Everything Updated — On a Schedule, Not When You Remember
WordPress core, themes, and plugins all receive security patches. Every day you run outdated software is a day you’re exposed to known exploits.
Set a weekly update schedule. Tuesday works — that’s when most vendors release patches. Update plugins first, then themes, then core. Always have a backup before updating production.
Don’t use the “auto-update everything” setting blindly. Automatic updates can break sites when plugin versions conflict. A controlled weekly review takes 15 minutes and gives you control over what changes when.
The Plugin Audit Nobody Does
Most WordPress sites accumulate plugins over time. An e-commerce site might have 30+ active plugins — and 12 that nobody remembers installing. Each inactive plugin is a potential attack surface, even if it’s deactivated.
Quarterly, do a full plugin audit: list every plugin, ask whether you actually use it, delete anything you don’t. Deactivated plugins still exist on the server and can still be exploited.
Lock Down wp-admin Before Someone Else Does
The WordPress admin login page sits at /wp-admin or /wp-login.php by default. Every bot on the internet knows this. A few changes meaningfully reduce automated attack traffic:
Change the login URL. Plugins like WPS Hide Login move your login page to a custom URL. This doesn’t stop a determined attacker, but it eliminates 99% of automated brute-force attempts against your default login path.
Enable two-factor authentication. Any admin or editor account should require a second factor. Use Google Authenticator, Authy, or a hardware key. The Wordfence plugin includes 2FA. So does WP 2FA. Pick one and enforce it for every account with write access.
Limit login attempts. Three failed logins should lock an IP address for 20 minutes. Wordfence handles this. So does Limit Login Attempts Reloaded. This alone stops most brute-force scripts.
Disable XML-RPC if you don’t use it. WordPress’s XML-RPC endpoint is a common attack vector for credential stuffing and DDoS amplification. If you’re not using a mobile app or Jetpack to publish posts remotely, disable it entirely.
Use a Web Application Firewall
A WAF sits between the internet and your site and blocks malicious requests before they reach WordPress. For most small businesses, two options make sense:
Cloudflare (free tier) handles DNS-level filtering, rate limiting, and blocks known malicious IPs. It also gives you DDoS protection as a byproduct. Setup takes about 30 minutes.
Wordfence Premium operates at the WordPress level and blocks requests based on a continuously updated threat feed. The free version has a 30-day delay on firewall rules — the paid version gets rules in real time.
For businesses handling payments or sensitive client data, running both layers isn’t overkill.
SSL Is Table Stakes — But Check Your Configuration
Every business website needs HTTPS. In 2025, browsers flag HTTP sites as “Not Secure” in the address bar. Google uses HTTPS as a ranking signal. Your SSL certificate is non-negotiable.
What most people miss: SSL configuration problems that undermine the certificate’s value. Mixed content (images or scripts loading over HTTP on an HTTPS page), expired certificates, and weak cipher suites all create vulnerabilities or browser warnings.
Run your domain through SSL Labs’ free scanner (ssllabs.com/ssltest). An A grade is the baseline. If you get a C or below, your hosting provider or developer needs to fix the TLS configuration.
Backups Are Security Infrastructure
If your site gets hacked tomorrow, how quickly can you restore a clean version? If the answer is “not sure” or “never tested this,” your backup strategy isn’t a backup strategy.
A working backup plan has three parts:
- Automated daily backups — UpdraftPlus, BlogVault, or managed hosting backup tools
- Off-site storage — backups stored on the same server as your site are useless if the server is compromised; use S3, Google Drive, or Dropbox
- Tested restoration — run a restore to a staging environment every 90 days to confirm backups actually work
Most businesses have automated backups but have never run a restore. That’s not a backup plan — that’s an untested assumption.
Database and File Permission Hardening
WordPress stores all content and user data in a MySQL database. A few configuration changes meaningfully reduce exposure:
Use a custom database prefix. WordPress installs with wp_ as the default table prefix. SQL injection attacks often target this default. Changing it to something like site47_ during installation breaks a large class of injection attempts.
Set correct file permissions. WordPress files should be 644. Directories should be 755. The wp-config.php file, which contains your database credentials, should be 600. Many shared hosting environments are more permissive than this by default.
Restrict direct file access. The .htaccess file can block direct access to wp-config.php, the wp-includes directory, and XML-RPC. If your host runs Apache, this is a 10-line addition that meaningfully hardens your surface area.
Choose Managed Hosting for the Security Layer
Shared hosting places hundreds of sites on the same server. A vulnerability in any one of them can compromise the others. This is called “cross-site contamination” and it’s more common than most hosting providers admit.
Managed WordPress hosts — WP Engine, Kinsta, Cloudways — include server-level security: malware scanning, automatic isolation, WAF, and faster patch deployment. The cost difference ($25–$50/month vs. $5/month shared hosting) is usually less than one hour of cleanup time after a breach.
If your business generates revenue through its website, managed hosting is not a luxury. It’s a risk management decision.
What a Hacked WordPress Site Actually Costs
Business owners underestimate breach costs because they measure in downtime, not total impact. Factor in:
- Developer cleanup time: $500–$2,500 depending on infection severity
- SEO damage from Google’s “This site may be hacked” warning, which can persist for weeks even after cleanup
- Customer data exposure liability if your site handles forms, payments, or logins
- Time lost to communication with customers, hosts, and stakeholders
The security measures above cost a few hundred dollars in tools and a few hours per quarter in maintenance. The cleanup cost for an average WordPress breach costs more than that before the developer’s first coffee.
FAQ
How do I know if my WordPress site has already been hacked? Check Google Search Console for security alerts. Run your URL through Sucuri’s free SiteCheck scanner. Look for unexpected admin users in WordPress settings. Signs of infection include strange redirects, new user accounts, modified file timestamps, and your site appearing in Google results for unrelated topics.
Do I need a security plugin if my hosting provides malware scanning? Yes. Hosting-level scanning and plugin-level scanning look at different things. Hosting scans file changes. Security plugins like Wordfence monitor login attempts, file integrity, and block malicious IPs in real time. Run both.
Is WordPress less secure than other CMS platforms? WordPress isn’t inherently less secure — it’s more targeted because it’s more popular. A well-maintained WordPress site with strong passwords, updated software, and a WAF is significantly more secure than a neglected site on any platform.
How often should I change WordPress admin passwords? Use a strong, unique password (generated by a password manager) and two-factor authentication. If you do that, forced password rotation is less critical. Change passwords immediately if you have any reason to suspect a breach or if an admin user leaves your organization.
What should I do if my WordPress site gets hacked? First, take the site offline to prevent further spread. Contact your hosting provider — many managed hosts include cleanup assistance. Hire a developer to clean the infection (not just remove visible symptoms). Restore from a pre-infection backup if possible. Then audit how the attacker got in.
Can a cheap shared hosting plan get me hacked? Yes, through cross-site contamination. Your site can be compromised through a vulnerability on another site sharing your server, even if your own code is clean. This is one of the primary arguments for managed WordPress hosting.
Do page builders create additional security risks? They add surface area. More code, more third-party integrations, and more plugin dependencies mean more potential vulnerabilities. A hand-coded site with minimal plugins has a smaller attack surface by design.
WordPress security isn’t a one-time setup — it’s ongoing maintenance. If you’re building a new site or inheriting one that’s overdue for a security review, we build sites with security hardening as part of the architecture, not bolted on afterward. Our custom WordPress development includes proper file permissions, database configuration, and a minimal-plugin approach that reduces your attack surface from day one. Get started with a project review.