WordPress is the world's most popular CMS, which also makes it the most common target for automated attacks. The good news: a handful of straightforward steps block the vast majority of attempts. Work through this checklist once on every WordPress install and you'll be in much better shape than most sites on the internet.

Already in place on CanSpace: server-level intrusion detection (Imunify360), WAF rules on our Professional plan, daily backups, and AutoSSL. This article focuses on what you control inside WordPress itself.

The essentials

1. Use strong, unique passwords for every admin user

The single most common way WordPress sites get compromised is through a weak or reused admin password. A password manager (1Password, Bitwarden, LastPass) makes this painless — generate a random 20+ character password for each admin user, and never reuse it anywhere else.

Inside WordPress: Users → All Users, click a user, and look for the Set New Password section.

2. Enable two-factor authentication (2FA) on wp-admin

Even a strong password can leak. 2FA stops anyone who has your password from logging in without also having your phone or authenticator app.

Plugins that add 2FA:

  • Two-Factor (by the WordPress contributors team) — simple, official, free
  • Wordfence — includes 2FA plus a firewall and login security
  • Solid Security (formerly iThemes Security)

3. Limit login attempts

By default, WordPress will accept unlimited password guesses at wp-login.php. Install a plugin that locks out an IP after a few failed attempts:

  • Limit Login Attempts Reloaded (free, lightweight)
  • Wordfence (already mentioned — it does this too)

4. Keep WordPress core, plugins, and themes up to date

Most real-world compromises exploit known vulnerabilities in outdated plugins. Enable auto-updates for minor WordPress releases, and check every week or two for plugin/theme updates.

Enable auto-updates on a per-plugin basis under Plugins → Installed Plugins — there's an "Enable auto-updates" link beside each one.

Heads up: If you have a complex site with premium themes or page builders, test major WordPress updates on a staging copy before applying them to production. Auto-updates for major versions are off by default for this reason.

5. Remove plugins and themes you don't use

Every installed plugin and theme is code that can be exploited — even if it's deactivated. Delete anything you're not actively using.

6. Only install plugins and themes from trusted sources

Stick to the official WordPress plugin directory, the theme directory, or reputable premium marketplaces (Envato, StudioPress, directly from the developer). "Nulled" (pirated) plugins are a leading cause of hacked WordPress sites — they're often bundled with backdoors.

Additional hardening

Use a unique admin username

Attackers try admin first on every site. If you already have an admin user, create a new admin account with a different username, log in as the new account, and delete admin (assigning their posts to the new account).

Hide the WordPress version

Not a silver bullet, but it avoids broadcasting exactly which bugs might apply to your install. Plugins like Solid Security or Sucuri Security do this automatically.

Use a security plugin for ongoing monitoring

One of these running at all times catches suspicious changes early:

  • Wordfence — firewall + malware scan + 2FA, very popular, free tier is solid
  • Sucuri Security — integrity monitoring and hardening
  • Solid Security — broad hardening toolkit

Don't run more than one — they'll conflict.

Lock down wp-admin and xmlrpc.php if you can

If you always log in from the same location (a home office, a specific country), restrict /wp-admin/ to those IPs via .htaccess. If you don't use the XML-RPC API (most sites don't, unless you post via the mobile app or Jetpack), block xmlrpc.php — it's a frequent brute-force target.
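The two rules above in Apache 2.4 .htaccess syntax, as an added example that is not part of the original article or of CanSpace's server configuration. The IP addresses are placeholders from the documentation ranges and must be replaced with your own; admin-ajax.php is left open because many themes and plugins call it from the public front end.

```apache
# ---- File 1: wp-content's sibling directory wp-admin/.htaccess ----
# Allow the dashboard only from trusted addresses (Apache 2.4 syntax).
# 203.0.113.10 and 198.51.100.0/24 are placeholders; substitute your own
# home-office IP or your provider's range.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# Many themes and plugins load admin-ajax.php for logged-out visitors.
# This <Files> block replaces the directory rule for that one file only,
# so the front end keeps working while the rest of wp-admin stays locked.
<Files admin-ajax.php>
    Require all granted
</Files>

# ---- File 2: .htaccess in the site root (the one WordPress writes) ----
# Block XML-RPC entirely if nothing (mobile app, Jetpack) uses it.
# Place this above the "# BEGIN WordPress" marker so WordPress does not
# overwrite it when it rewrites its own section.
<Files xmlrpc.php>
    Require all denied
</Files>
```

To confirm the rules took effect, request /xmlrpc.php and /wp-admin/ from an address outside the list: both should answer with HTTP 403, while /wp-admin/admin-ajax.php still answers normally.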

Don't use FTP — use SFTP or cPanel File Manager

FTP transmits passwords in plain text. On CanSpace, use the File Manager in cPanel, or SFTP (on our Medium and Professional plans, with SSH enabled on request).

If you think your site has been compromised

Signs of compromise: strange admin users you didn't create, files in wp-content/uploads/ that aren't images, unexpected redirects, or a notice from Google Search Console. If you suspect something is wrong:

  1. Change your WordPress admin password immediately.
  2. Change your cPanel password (Client Area → Services → Manage → Change Password).
  3. Update all plugins, themes, and WordPress core.
  4. Open a ticket and we'll restore from a backup, scan for malware, and help you investigate what got in.

Tip: We take server-side backups daily and keep them on a separate backup server. If your site ever needs to be rolled back, just open a ticket — no self-serve needed.

Not sure where to start, or want us to take a look at your install? Open a support ticket.