Guide · 8 min read · 2026-05-01

WordPress Security: Hardening Your Site Against Attacks

WordPress is the most attacked CMS on the web — not because it's inherently insecure, but because its popularity makes it a high-value target.


WordPress powers a massive share of the web, which makes it the most targeted CMS by attackers. The overwhelming majority of WordPress compromises aren't caused by vulnerabilities in WordPress core — they're caused by outdated plugins, weak credentials, and misconfigured servers. This guide covers the practical hardening steps that reduce your attack surface.

Keep Everything Updated

The most effective WordPress security measure is also the most straightforward: keep WordPress core, themes, and plugins updated. The WordPress security team patches vulnerabilities quickly, but those patches only protect sites that apply them.

Enable automatic updates for minor WordPress releases in wp-config.php:

define('WP_AUTO_UPDATE_CORE', true); // true enables all core auto-updates (dev, minor, major); use 'minor' to restrict to minor/security releases only, which is WordPress's default behaviour

For plugins and themes, review the WordPress 6.x automatic background update settings in your admin dashboard. Enabling auto-updates for plugins removes the window of exposure between a patch release and your manual update.

The exception: plugins with complex integrations (payment gateways, CRM connectors) should be tested in staging before auto-updating in production.

Use Strong Credentials and Limit Login Attempts

Brute-force attacks against the WordPress login page are constant background noise on any publicly accessible WordPress site. Two countermeasures address this:

Strong, unique passwords — WordPress admin accounts should use randomly generated passwords of at least 20 characters. Use a password manager. Never reuse credentials across services.

Login attempt limiting — Plugins like Limit Login Attempts Reloaded or WP Cerber block IP addresses after a configurable number of failed login attempts. This stops credential-stuffing and brute-force attacks.

Two-factor authentication — Add TOTP-based 2FA to all admin accounts using plugins like WP 2FA or Google Authenticator. A stolen password doesn't grant access without the second factor.
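The lockout behaviour described for login-limiting plugins is a sliding-window failure counter with a temporary per-IP block. The following Python model is an added example written for this guide, not code from any of the plugins named above; the limits (5 failures in 15 minutes, 1 hour lockout) and the sample event timeline are assumed values constructed for illustration. It shows the edge cases a correct implementation has to get right: the decision is made before the password is checked, a correct password during a lockout is still refused, failures outside the window age out, and an expired lockout resets the count.

```python
from collections import deque
from dataclasses import dataclass, field

# Policy values assumed for this example; limit-login plugins expose
# equivalents as settings.
MAX_FAILURES = 5             # failures tolerated inside the window
WINDOW_SECONDS = 15 * 60     # sliding window in which failures are counted
LOCKOUT_SECONDS = 60 * 60    # how long a source IP stays blocked


@dataclass
class LoginGuard:
    """Per-source-IP failed-login limiter: sliding window plus temporary lockout."""
    max_failures: int = MAX_FAILURES
    window: int = WINDOW_SECONDS
    lockout: int = LOCKOUT_SECONDS
    failures: dict = field(default_factory=dict)      # ip -> deque of failure timestamps
    locked_until: dict = field(default_factory=dict)  # ip -> unix time the lockout ends

    def is_locked(self, ip, now):
        """True while a lockout is in force; an expired lockout is forgotten."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)   # start counting from zero again
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login. Returns True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        q = self.failures.setdefault(ip, deque())
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip, now):
        """A successful login from an unlocked IP clears its failure history."""
        if not self.is_locked(ip, now):
            self.failures.pop(ip, None)

    def decide(self, ip, now):
        """What the login handler should do before even checking the password."""
        return "block" if self.is_locked(ip, now) else "allow"


def replay(events, guard=None):
    """Replay (timestamp, ip, outcome) login events; return the decision for each.

    outcome is "fail" or "ok". The decision is taken *before* the event is
    recorded, mirroring a plugin that short-circuits the form for locked IPs.
    """
    guard = guard or LoginGuard()
    decisions = []
    for ts, ip, outcome in events:
        decisions.append(guard.decide(ip, ts))
        if outcome == "fail":
            guard.record_failure(ip, ts)
        else:
            guard.record_success(ip, ts)
    return decisions


# Constructed sample: one source hammers the login form, another logs in normally.
SAMPLE_EVENTS = [
    (1000, "203.0.113.5", "fail"),
    (1001, "203.0.113.5", "fail"),
    (1002, "198.51.100.7", "ok"),
    (1003, "203.0.113.5", "fail"),
    (1004, "203.0.113.5", "fail"),
    (1005, "203.0.113.5", "fail"),                  # fifth failure -> lockout
    (1006, "203.0.113.5", "ok"),                    # right password, but the IP is blocked
    (1005 + LOCKOUT_SECONDS, "203.0.113.5", "ok"),  # lockout has expired
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{event[0]:>6} {event[1]:<14} {event[2]:<4} -> {decision}")
```

In a real WordPress plugin the same logic hangs off the `wp_login_failed` action (to record failures) and the `authenticate` filter (to refuse locked IPs before the password is verified). Note that per-IP blocking only covers attacks from a small number of sources; distributed credential stuffing rotates addresses, which is why the 2FA step above is not optional.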

Change the Default Login URL

The default WordPress login page at /wp-login.php is known to every bot. Moving it to a custom URL (e.g., /site-admin) filters out automated attacks that don't bother enumerating custom paths.

Use plugins like WPS Hide Login to relocate the login URL. This is security through obscurity — not a primary defense — but it meaningfully reduces log noise and automated attack volume.

Disable XML-RPC

WordPress's XML-RPC endpoint (/xmlrpc.php) was originally designed for remote publishing tools. In 2026, it's rarely needed and is a common attack vector for brute-force credential stuffing and DDoS amplification.

Disable it in .htaccess (Apache). The Order/Deny directives below are Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, otherwise use the 2.4 Require form:

<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
</Files>

Or via Nginx configuration:

location = /xmlrpc.php {
  deny all;
}

If you use the Jetpack plugin, which requires XML-RPC, configure a whitelist rather than a blanket block.

Audit and Minimize Plugins

Every plugin is an extension of your attack surface. A plugin with a remote code execution vulnerability gives an attacker a foothold in your WordPress installation regardless of how well you've hardened everything else.

Audit your plugin list periodically:

  • Remove plugins you no longer use.
  • Check plugin update frequency — abandoned plugins accumulate unpatched vulnerabilities.
  • Prefer plugins with large install bases and active development.
  • Check the WordPress plugin directory for security advisories on installed plugins.

The fewer plugins running, the smaller the attack surface.

Harden File Permissions

WordPress file permissions should prevent web-accessible files from being written by the web server process except where explicitly needed.

Recommended permissions:

  • Directories: 755
  • Files: 644
  • wp-config.php: 600 (readable only by owner; this assumes PHP runs as the file's owner, as it does on most hosts)

Avoid 777 permissions on any directory. If a plugin or theme installer requires 777 to write files, this is a red flag.
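The permission policy above (directories 755, files 644, wp-config.php 600, nothing world-writable) is easy to state and easy to drift from after a plugin install or a careless chmod. The following audit script is an added example written for this guide, not code from WordPress or from any host; it builds a constructed miniature install in a temporary directory with a few deliberate mistakes and reports every entry that deviates from the policy, flagging world-writable entries separately because those are the dangerous case.

```python
import os
import stat
import tempfile
from pathlib import Path

# Policy from the guide: directories 755, regular files 644, wp-config.php 600.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o600


def expected_mode(path, st):
    if stat.S_ISDIR(st.st_mode):
        return DIR_MODE
    if path.name == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE


def audit_permissions(root):
    """Return {relative_path: (actual, expected, reason)} for every entry under
    root whose mode bits deviate from the policy."""
    root = Path(root)
    findings = {}
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue                      # a symlink's own mode bits are irrelevant
        actual = stat.S_IMODE(st.st_mode)
        expected = expected_mode(path, st)
        if actual == expected:
            continue
        reason = "world-writable" if actual & stat.S_IWOTH else "differs from policy"
        findings[path.relative_to(root).as_posix()] = (oct(actual), oct(expected), reason)
    return findings


def build_sample_tree(base):
    """Create a constructed mini WordPress layout with deliberate mistakes."""
    base = Path(base)
    layout = {
        ".": (None, 0o755),
        "index.php": ("<?php // front controller", 0o644),
        "wp-config.php": ("<?php // secrets", 0o644),                        # should be 600
        "wp-includes": (None, 0o755),
        "wp-includes/version.php": ("<?php $wp_version = 'x';", 0o664),     # group-writable
        "wp-content": (None, 0o755),
        "wp-content/plugins": (None, 0o755),
        "wp-content/plugins/hello.php": ("<?php // plugin", 0o644),
        "wp-content/uploads": (None, 0o777),                                 # the classic red flag
    }
    for rel, (content, mode) in layout.items():
        path = base / rel
        if content is None:
            path.mkdir(exist_ok=True)
        else:
            path.write_text(content)
        os.chmod(path, mode)              # chmod after creation so umask cannot interfere
    return base


def run_demo():
    """Audit the constructed tree and return the findings."""
    return audit_permissions(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rel, (actual, expected, reason) in sorted(run_demo().items()):
        print(f"{rel:<32} {actual} (expected {expected}) {reason}")
```

Point `audit_permissions()` at a real document root to get the same report; the script only reads, so fixing is a deliberate second step. Directories that genuinely need to be written by PHP (typically wp-content/uploads) should be owned by the PHP user rather than opened to everyone.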

Add this to wp-config.php to disable the built-in theme and plugin file editor in the WordPress admin. With the editor enabled, anyone who obtains admin credentials (for example through phishing) can write arbitrary PHP to the site from the dashboard:

define('DISALLOW_FILE_EDIT', true);

Use HTTPS Everywhere

All WordPress traffic should be encrypted in transit. Unencrypted admin sessions expose session cookies to network-level interception.

Force HTTPS in wp-config.php:

define('FORCE_SSL_ADMIN', true);

On managed hosting platforms like PandaStack, SSL is provisioned automatically — your site is served over HTTPS from day one without manual certificate management.

Implement a Web Application Firewall

A Web Application Firewall (WAF) inspects incoming HTTP requests and blocks known malicious patterns before they reach WordPress. Cloudflare's WAF (available on paid plans) is a popular option for sites already using Cloudflare for DNS and CDN. Wordfence and Sucuri offer WordPress-native WAF plugins.

A WAF provides meaningful protection against SQL injection, cross-site scripting, and known exploit patterns targeting WordPress-specific vulnerabilities.

Monitor for Indicators of Compromise

Set up monitoring to detect anomalies:

  • File integrity monitoring — Alert when core WordPress files are modified unexpectedly.
  • Login monitoring — Alert on admin logins from new IP addresses or countries.
  • Outbound traffic monitoring — Compromised WordPress sites often make outbound connections to command-and-control (C2) servers.

Wordfence and iThemes Security both include file integrity monitoring and alerting.
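File integrity monitoring comes down to a hash baseline and a periodic diff. The script below is an added example written for this guide, not code from Wordfence, iThemes Security or WordPress itself; it takes a SHA-256 snapshot of a constructed miniature install, stores the baseline outside the web root, then simulates the three things you want to be told about (a modified core file, an unexpected new PHP file, a missing plugin file) while ignoring a changed upload. The excluded prefixes (uploads and cache) are assumptions for the example, chosen because those paths change legitimately.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Paths whose contents change legitimately (assumed exclusions for this example);
# everything else under the install is treated as "must not change on its own".
EXCLUDE_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (minus exclusions) to its SHA-256."""
    root = Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(EXCLUDE_PREFIXES):
            continue
        snap[rel] = sha256_of(path)
    return snap


def diff_snapshots(baseline, current):
    """Classify changes since the baseline; any non-empty list is an alert."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def save_baseline(snap, path):
    # Keep the baseline *outside* the web root (ideally off-host): a baseline the
    # attacker can rewrite after tampering is no baseline at all.
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def run_demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    root = Path(tempfile.mkdtemp())
    files = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-includes/version.php": "<?php $wp_version = '6.x';",
        "wp-content/plugins/hello.php": "<?php // hello dolly",
        "wp-content/uploads/2026/05/photo.jpg": "not really a jpeg",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    baseline_file = Path(tempfile.mkdtemp()) / "baseline.json"   # outside the web root
    save_baseline(snapshot(root), baseline_file)

    # Simulated compromise: a core file is altered, an unexpected PHP file appears,
    # a plugin file disappears, and an upload changes (which must *not* alert).
    with open(root / "wp-includes/version.php", "a") as fh:
        fh.write("\n// unexpected addition")
    (root / "wp-content/plugins/unexpected.php").write_text("<?php // not installed by us")
    (root / "wp-content/plugins/hello.php").unlink()
    (root / "wp-content/uploads/2026/05/photo.jpg").write_text("new upload")

    return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Re-take the baseline immediately after every legitimate update, otherwise the first scan after a core or plugin upgrade drowns real changes in expected ones. For core files specifically, WP-CLI's `wp core verify-checksums` compares the install against the checksums WordPress publishes, which removes the need to trust a locally stored baseline for that part of the tree.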

Leverage Platform-Level Security

For managed WordPress on platforms like PandaStack, the infrastructure layer provides a security baseline: the OS and server software are maintained by the platform, network-level protections are applied, and daily backups mean a compromise can be responded to with a clean restore.

Platform-managed infrastructure removes a category of vulnerability from your responsibility — operating system and web server CVEs are patched by the platform, not by you.

Security Hardening Checklist

  • ✅ WordPress core, plugins, themes up to date
  • ✅ Strong unique passwords and 2FA on admin accounts
  • ✅ Login attempt limiting enabled
  • ✅ XML-RPC disabled (or restricted)
  • ✅ Unused plugins removed
  • ✅ File permissions correctly set
  • ✅ HTTPS enforced
  • ✅ WAF enabled
  • ✅ File integrity monitoring active
  • ✅ Daily backups verified

Implement these measures systematically and you'll have significantly reduced your exposure. Explore PandaStack's managed WordPress at [dashboard.pandastack.io](https://dashboard.pandastack.io) or read the documentation at [docs.pandastack.io](https://docs.pandastack.io).
