July 22, 2025/Wordpress/2 min read

WordPress Security in 2025: 7 Critical Steps Every Site Owner Must Take

WordPress runs 40% of the web — making it the biggest attack target. Here's the security baseline every site needs.

Written by Danish Sohail

WordPress powers about 40% of the web, which means it's also the biggest target. The good news: most successful attacks exploit basic mistakes that take an hour to fix. Here's the security baseline I recommend for every WordPress site I touch.

1. Use strong, unique credentials, never "admin"

Username "admin" + a six-character password is the equivalent of leaving your front door unlocked. Use a unique admin username, a 16+ character password from a password manager, and enable two-factor authentication. Wordfence, Two Factor Authentication, and miniOrange all offer solid 2FA plugins.

2. Keep WordPress, themes, and plugins updated

About 90% of compromised WordPress sites had outdated software. Enable auto-updates for security releases at minimum. For major version updates, use a staging environment first, but don't let "I'll update it next month" turn into a year-old vulnerability.

3. Limit and audit plugins ruthlessly

Each plugin is potential attack surface. Quarterly: list all active plugins, remove any you're not actively using, and check the last update date for the rest. Anything not updated in 12+ months is a red flag — find an actively-maintained alternative.

4. Disable file editing in the admin

Add this to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

If an attacker compromises an admin account, they can no longer edit theme or plugin code through the dashboard, which closes one of the most common escalation paths.

5. Restrict admin access by IP (where practical)

If your team's IPs are stable, restrict /wp-admin to those addresses via your server config. Even an IP allowlist of "office + a couple of VPN IPs" closes a huge attack surface.
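One way to do this on nginx, as an added example that is not part of the original post. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders for the office and VPN ranges, and the PHP-FPM socket path is assumed; adjust both to your server.

```nginx
# Added example: allowlist the WordPress admin area by source IP.
# 203.0.113.10 / 198.51.100.0/24 are placeholder office and VPN addresses.

# Keep admin-ajax.php reachable for everyone: front-end plugins and themes
# call it for logged-out visitors, so blocking it breaks public features.
location = /wp-admin/admin-ajax.php {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
}

# Everything else under /wp-admin/, plus the login page, is restricted.
# Unlisted addresses receive a 403 before WordPress ever runs.
location ~ ^/(wp-admin/|wp-login\.php) {
    allow 203.0.113.10;       # office egress
    allow 198.51.100.0/24;    # VPN egress range
    deny  all;

    # Allowed addresses still need PHP files handed to PHP-FPM.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

If traffic arrives through a proxy such as Cloudflare, nginx sees the proxy's address, so configure ngx_http_realip_module (set_real_ip_from plus real_ip_header) before relying on this allowlist. Reload with `nginx -t && nginx -s reload` and confirm that a request from an unlisted address gets a 403 while the public site still loads.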

6. Use a web application firewall

Cloudflare's free WAF, Wordfence Premium, or Sucuri all block known attack patterns before they reach WordPress. They're not a substitute for the steps above, but they catch a lot of automated noise.

7. Back up off-server, automatically, and test the restore

Run daily automatic backups stored off-server (S3, Google Drive, your own remote box). And, critically, test the restore process at least once. A backup you've never restored is a backup that probably doesn't work when you need it.

Bonus: monitoring

Tools like Wordfence Live Traffic or Sucuri's monitoring will alert you to brute-force attempts, file changes, or suspicious admin activity. The earlier you know about an attack, the easier it is to respond.

If you've already been hacked

  • Change every admin password.
  • Restore from a backup taken before the compromise (this is why off-server backups matter).
  • Update everything.
  • Have a professional run a deep scan — hidden backdoors are common.

Need a WordPress security audit and hardening? Drop me a line.