Why WordPress Security Matters
WordPress powers over 43% of all websites on the internet, making it the most popular — and most targeted — CMS in the world. According to Sucuri's annual report, over 90,000 WordPress sites are attacked every day.
The good news: most attacks exploit known vulnerabilities that are easily preventable. Follow this checklist and you'll be better protected than 90% of WordPress sites.
Step 1: Keep WordPress Core Updated
Outdated WordPress versions contain known vulnerabilities that are publicly listed. Enable automatic background updates for minor releases by adding this to your wp-config.php:
define('WP_AUTO_UPDATE_CORE', 'minor'); // 'minor' = security and maintenance releases only; true would also auto-apply major releases
Check for major updates manually and apply them promptly.
Step 2: Update All Plugins and Themes
Plugins are the #1 source of WordPress hacks — not WordPress core. Enable automatic plugin updates in Dashboard → Updates → Auto-updates, or use a managed hosting plan that handles updates for you.
Delete inactive plugins and themes — even deactivated ones can be exploited.
Step 3: Use a Strong Admin Password
Never use "admin", "password", or your domain name as your username or password. Use WordPress's built-in password generator to create a strong, unique password and store it in a password manager like Bitwarden or 1Password.
Step 4: Change the Default Admin Username
If your admin username is "admin", attackers already know half of your login credentials. Create a new administrator account with a unique username and delete the "admin" account.
Step 5: Enable Two-Factor Authentication (2FA)
2FA adds a second layer of login security. Even if someone guesses your password, they can't log in without your phone. Install the WP 2FA or Google Authenticator plugin to set this up.
Step 6: Limit Login Attempts
Brute force attacks try thousands of password combinations per minute. Install Limit Login Attempts Reloaded to lock out IP addresses after a set number of failed login attempts.
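The plugin does this lockout for you, but it helps to see what the detection behind Step 6 looks like and to be able to run the same check over your own web server logs. The following is an added example, not code from the post or from Limit Login Attempts Reloaded: it counts failed POSTs to /wp-login.php per client IP inside a sliding window and flags IPs that exceed a threshold. It assumes the Apache/Nginx combined log format, chronologically ordered lines, and that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302; the log lines are constructed sample data.

```python
"""Flag IPs hammering /wp-login.php (added example; sample log is constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 fails six times in ten seconds,
# 198.51.100.2 loads the form then logs in (302), 192.0.2.9 fails twice, minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2026:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.2 - - [10/Mar/2026:08:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3502
203.0.113.7 - - [10/Mar/2026:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2026:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.2 - - [10/Mar/2026:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2026:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2026:08:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.9 - - [10/Mar/2026:08:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.9 - - [10/Mar/2026:08:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]  # drop query string
    return (m["ip"], datetime.strptime(m["time"], TIME_FMT), m["method"], path, int(m["status"]))


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Return {ip: peak} for IPs whose failed login POSTs in any window of
    window_seconds reached `threshold`. Lines must be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failed logins inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # A successful login answers 302; anything else from a POST is a failed attempt.
        if method != "POST" or not path.endswith("/wp-login.php") or status == 302:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins inside 60s window")
```

If you have renamed the login URL (Step 7), change the path check accordingly, and remember that an attacker rotating source addresses will stay under a per-IP threshold; that is why 2FA (Step 5) remains the stronger control.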
Step 7: Change the Default Login URL
The default WordPress login page is /wp-admin or /wp-login.php — every attacker knows this. Change it to something unique like /site-login-2026 using a plugin like WPS Hide Login. This mostly cuts automated noise rather than stopping a determined attacker, so treat it as a complement to Steps 5 and 6, not a replacement.
Step 8: Install a Security Plugin
A dedicated security plugin provides a firewall, malware scanner, and login protection in one. Top options:
- Wordfence Security — most popular, excellent free version
- Sucuri Security — great malware scanning and site integrity monitoring
- iThemes Security — user-friendly with comprehensive protection
Step 9: Install an SSL Certificate
SSL (TLS) encrypts data transmitted between your site and visitors, including the admin password you type on the login page. It also shows the padlock icon in browsers and improves your Google rankings. Most quality hosts, including Flyhost, provide free Let's Encrypt SSL — activate it from cPanel in one click, then redirect all HTTP traffic to HTTPS so logins never travel in the clear.
Step 10: Set Up Daily Backups
No security is 100% perfect. A recent backup means you can recover from any attack within minutes. Use:
- UpdraftPlus — backs up to Google Drive, Dropbox, or S3
- Your host's automated backup — Flyhost takes daily automatic backups
Test your backups by restoring to a staging environment at least once per quarter.
Step 11: Protect wp-config.php
The wp-config.php file contains your database credentials and authentication salts. Normally a request for it just executes the PHP and returns an empty page, but if PHP handling ever breaks on the server, the raw file would be served to anyone who asks for it. Block direct access by adding this to your .htaccess file:
<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order allow,deny
Deny from all
</Files>
Step 12: Disable XML-RPC if Not Needed
XML-RPC is a legacy API that's frequently exploited for brute force attacks. If you don't use mobile apps or Jetpack's advanced features, disable it by adding to .htaccess:
<Files xmlrpc.php>
# Same pattern as for wp-config.php above
Order allow,deny
Deny from all
</Files>
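After editing .htaccess it is worth confirming that Steps 11 and 12 actually took effect, because a typo or a host that ignores .htaccess leaves the files reachable with no visible error. The script below is an added example, not code from the post or from Flyhost: it requests wp-config.php and xmlrpc.php and reports whether the web server denied them. The site URL is a placeholder, and the `fetch` parameter is injectable so the verdict logic can be exercised offline.

```python
"""Check that wp-config.php and xmlrpc.php are blocked (added example; site URL is a placeholder)."""
import sys
import urllib.error
import urllib.request

SENSITIVE_PATHS = ("/wp-config.php", "/xmlrpc.php")


def http_status(url, timeout=10):
    """Return the HTTP status of a GET; urllib raises HTTPError for 4xx/5xx, so unwrap it."""
    req = urllib.request.Request(url, headers={"User-Agent": "hardening-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify(status):
    """Interpret a status code for a path that should be blocked.

    403  -> the web server refused the request before PHP ran: this is the goal.
    404  -> file not present (e.g. xmlrpc.php removed by the host).
    else -> reachable. A 200 on wp-config.php usually means PHP executed it and
            returned an empty page: nothing leaks today, but the rule is not in
            place. xmlrpc.php answers GETs with 405 when the endpoint is live.
    """
    if status == 403:
        return "blocked"
    if status == 404:
        return "absent"
    return "reachable"


def check_site(base_url, fetch=http_status):
    """Return {path: verdict} for every sensitive path under base_url."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in SENSITIVE_PATHS}


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # placeholder
    for path, verdict in check_site(site).items():
        print(f"{path}: {verdict}")
```

Run it against your own site as `python check.py https://your-site.example`; anything other than "blocked" (or "absent") on either path means the .htaccess rule is not being applied and the hosting control panel or server configuration needs a look.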
Bonus: Choose Secure Hosting
Your hosting provider is your first line of defence. Flyhost includes a Web Application Firewall (WAF), DDoS protection, and malware scanning at the server level — before threats even reach your WordPress installation.
Conclusion
WordPress security doesn't require an expert — just consistent habits. Work through this checklist once and set up automatic updates, 2FA, and daily backups. These twelve steps will protect your site from the vast majority of threats targeting WordPress in 2026.