WordPress Security Checklist: 15 Ways to Protect in 2026

Arshad Shah

April 11, 2026

WordPress powers over 40% of all websites on the internet — and that popularity makes it the single biggest target for cybercriminals in 2026. Security researchers at Patchstack reported that more high-severity WordPress vulnerabilities were discovered in 2025 than in the previous two years combined, and that number is rising in 2026. New threats are being weaponised within hours of discovery, not days.

The uncomfortable truth is that most WordPress sites don’t get hacked because someone personally targeted them. They get hacked because automated bots scan millions of sites every single day looking for known vulnerabilities left unpatched. If your site has a weakness, a bot will find it — whether you run a small portfolio, a WooCommerce store, or a high-traffic blog.

This checklist covers 15 practical, actionable steps every WordPress site owner and developer should implement in 2026. Work through it from top to bottom and you will eliminate the vast majority of attack vectors that hackers rely on.

1. Keep WordPress Core, Plugins, and Themes Updated

This is the single most impactful security action you can take. When a vulnerability is discovered in WordPress core, the team typically releases a patch within days — but that patch only protects you if you install it. The same applies to every plugin and theme on your site.

The statistics make this critical: plugins account for roughly 90–97% of disclosed WordPress vulnerabilities, which makes outdated plugins the number one entry point for attackers in 2026. Abandoned plugins (those no longer maintained by their developers) are particularly dangerous, because vulnerabilities in them will never be patched.

  • Leave automatic updates for WordPress minor (security) releases switched on, as they are by default, and enable per-plugin auto-updates (available since WordPress 5.5) for the plugins you trust
  • For business-critical sites, test major core and plugin updates on a staging environment before pushing them to production
  • Audit your plugin list every 90 days: remove any plugin that has not been updated in over 12 months, and any plugin you are no longer using, active or not
  • Check the WordPress Plugin Directory for “last updated” dates, the "tested up to" version and active installation counts before installing anything new
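The 90-day audit is easier to keep up with if it is a script rather than a dashboard walk-through. The following is an added example, not code from the article: it reads the CSV that WP-CLI prints for wp plugin list and turns it into an action list (plugins with a pending update, plugins installed but inactive). The sample CSV embedded below is constructed; the plugin names and versions are invented.

```shell
#!/bin/sh
# Added example, not code from the original article: turn WP-CLI's plugin
# list into an action list for the 90-day plugin audit. It reads the CSV that
#   wp plugin list --fields=name,status,update,version,update_version --format=csv
# prints, so it can be run offline against the constructed sample below and
# against a live site by piping wp-cli into it.

# audit_plugins < plugins.csv
# Prints one line per finding and returns the number of findings (max 255),
# so a cron job can alert on a non-zero exit status:
#   UPDATE   <name> <installed> -> <available>   patch it
#   INACTIVE <name>                              installed but disabled: remove it
audit_plugins() {
    awk -F',' '
        NR == 1 { next }                            # CSV header
        {
            name = $1; status = $2; update = $3; ver = $4; newver = $5
            if (update == "available") { printf "UPDATE   %s %s -> %s\n", name, ver, newver; n++ }
            if (status == "inactive")  { printf "INACTIVE %s\n", name; n++ }
        }
        END { exit (n > 255 ? 255 : n) }
    '
}

# Constructed sample in the shape wp-cli emits (plugin names/versions invented).
SAMPLE_PLUGIN_CSV='name,status,update,version,update_version
akismet,active,none,5.3.1,
contact-form-7,active,available,5.8.4,5.9.2
hello,inactive,none,1.7.2,
old-gallery,inactive,available,2.0.0,2.1.0'

# Run the audit over the sample and return the finding count as text.
sample_finding_count() {
    rc=0
    printf '%s\n' "$SAMPLE_PLUGIN_CSV" | audit_plugins >/dev/null || rc=$?
    echo "$rc"
}
```

wp plugin list does not report when a plugin was last updated on WordPress.org, so the "no release in 12 months" check in the bullet list still needs a look at the directory page (or the plugin_information endpoint of api.wordpress.org, which returns a last_updated field) for each slug the script lists.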

2. Use Strong, Unique Passwords for Every Account

Weak and reused passwords remain one of the most common causes of WordPress breaches in 2026. Credential attacks have evolved: attackers feed leaked credential databases, personal information and common patterns into automated tools that guess the most likely passwords first, and credential stuffing simply replays passwords stolen from other sites. A password like admin123 or your domain name will be cracked in seconds.

Every account connected to your WordPress site needs a strong, unique password — your WordPress admin, your hosting control panel, your database, your FTP, and your email account linked to WordPress.

  • Use a password of at least 16 characters combining uppercase, lowercase, numbers, and symbols
  • Never reuse passwords across different accounts
  • Use a password manager like Bitwarden (free) or 1Password to generate and store credentials securely
  • Change all passwords immediately on any site that has been compromised or where you suspect unauthorised access

3. Enable Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step to your login process, typically a time-sensitive code from an app on your phone. Even if an attacker steals your password through a data breach or phishing attack, they cannot log in without that second factor. It is one of the most effective security measures available and takes under five minutes to set up. One caveat: plugin-based 2FA protects the interactive login form. Application passwords (WordPress 5.6 and later) and XML-RPC authenticate with a password alone, so disable or restrict those paths if you do not use them (see step 14).

  • Install a plugin like WP 2FA, Wordfence Login Security, or Solid Security to add 2FA to your WordPress login
  • Use an authenticator app like Google Authenticator or Authy rather than SMS codes, which can be intercepted
  • Enforce 2FA for all admin and editor-level users, not just yourself
  • Store backup codes in a secure location in case you lose access to your authenticator device

4. Change the Default WordPress Login URL

By default, every WordPress site’s login page is accessible at /wp-admin or /wp-login.php. Every automated bot and hacker knows this. Changing your login URL to something non-standard cuts a large volume of automated attack traffic before it ever reaches your login form. It is obscurity, not a silver bullet: the new URL leaks easily (any plugin or theme that prints a login link reveals it), and it does nothing for the xmlrpc.php and REST API authentication paths. It does meaningfully reduce noise from unsophisticated bots.

  • Use a plugin like WPS Hide Login to change your login URL to something custom (e.g., /site-access-2026)
  • Important: Bookmark your new login URL immediately — if you forget it, you will be locked out of your own site
  • Combine this with login attempt limiting for maximum effectiveness

5. Limit Login Attempts

By default, WordPress allows unlimited login attempts. This means an attacker can try thousands of username-password combinations against your login page without being blocked, a classic brute force attack. Limiting login attempts locks out an IP address after a defined number of failed tries, which stops single-source brute force cold. It does much less against distributed attacks that spread a handful of attempts across thousands of IPs; against those, rate limiting at the WAF or host level plus strong passwords and 2FA are the real defence.

  • Install Limit Login Attempts Reloaded or use the login protection built into security plugins like Wordfence or Solid Security
  • Set a lockout after 3–5 failed attempts and gradually increase the lockout duration for repeat offenders
  • Whitelist your own IP address to prevent accidentally locking yourself out
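It helps to see what a lockout plugin is reacting to. The following is an added example, not code from the article: it reads an Apache/Nginx combined-format access log, counts POST requests to wp-login.php and to xmlrpc.php per client IP, and reports the IPs over a threshold. The log lines it contains are constructed for the demonstration, and the threshold is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original article: the server-side view of a
# login brute force. Counts POST requests to wp-login.php and xmlrpc.php per
# client IP in an Apache/Nginx combined-format access log and reports the IPs
# over a threshold. The log lines in sample_access_log are constructed; the
# threshold and file names are assumptions.

# login_abusers <threshold> < access.log
# Output: "<count> <ip>" for every IP with more than <threshold> credential POSTs,
# highest first. wp-login.php and xmlrpc.php are counted together on purpose:
# lockout plugins that only watch the login form miss the XML-RPC path.
login_abusers() {
    awk -v t="$1" '
        # combined log: ip - user [date zone] "METHOD path proto" status bytes "ref" "ua"
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > t) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Constructed sample: one noisy IP on the login form, one on XML-RPC, one
# legitimate user who logged in once, and an ordinary page view.
sample_access_log() {
    i=0
    while [ $i -lt 6 ]; do
        echo "192.0.2.10 - - [11/Apr/2026:03:14:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 4312 \"-\" \"Mozilla/5.0\""
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 3 ]; do
        echo "198.51.100.23 - - [11/Apr/2026:03:15:0$i +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 370 \"-\" \"curl/8.5.0\""
        i=$((i + 1))
    done
    echo "203.0.113.5 - - [11/Apr/2026:09:00:00 +0000] \"GET /wp-login.php HTTP/1.1\" 200 2900 \"-\" \"Mozilla/5.0\""
    echo "203.0.113.5 - - [11/Apr/2026:09:00:07 +0000] \"POST /wp-login.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\""
    echo "203.0.113.9 - - [11/Apr/2026:09:05:00 +0000] \"GET /?p=42 HTTP/1.1\" 200 18000 \"-\" \"Mozilla/5.0\""
}

# Abusers in the constructed sample above a given threshold (used by the checks).
sample_abusers() { sample_access_log | login_abusers "$1"; }
```

On a real server the call is login_abusers 20 < /var/log/apache2/access.log (path and threshold depend on the host). The output is the list a host-level block or a fail2ban-style jail would act on; note that a distributed attack shows up as many IPs each sitting just under the threshold, which is why the total volume of login POSTs is worth watching as well.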

6. Install a WordPress Security Plugin

A dedicated WordPress security plugin provides a firewall, malware scanner, login protection, and real-time threat monitoring in a single package. Think of it as a security operations centre for your website running 24 hours a day.

The three most trusted options in 2026 are:

  • Wordfence Security — includes a Web Application Firewall (WAF), malware scanner, real-time threat intelligence, and login security. The free tier is excellent for most sites
  • Solid Security (formerly iThemes Security) — strong hardening features, two-factor authentication, and integration with Patchstack’s vulnerability database
  • Patchstack — the best choice for agencies managing multiple client sites. Provides virtual patching that protects against known vulnerabilities even before you update the plugin

7. Install an SSL Certificate and Force HTTPS

TLS (what an “SSL certificate” enables) encrypts all data transmitted between your website and its visitors, including login credentials, form submissions, and payment information. In 2026, HTTPS is not optional. Browsers actively mark HTTP sites as “Not Secure,” which destroys user trust, and HTTPS is a Google ranking signal.

  • Most quality hosting providers offer free SSL certificates via Let’s Encrypt — enable it with one click in your hosting control panel
  • After installing SSL, update your WordPress URLs under Settings → General to use https://
  • Install the Really Simple SSL plugin to automatically redirect all HTTP traffic to HTTPS and fix mixed content warnings
  • Check your SSL configuration is working correctly using SSL Labs’ free SSL Server Test

8. Choose a Secure, Reputable Hosting Provider

Your hosting environment is the foundation of your site’s security. Cheap shared hosting plans often mean shared security risks — if another website on the same server is compromised, your site can be affected too. In 2026, your hosting provider should be doing a significant portion of the security heavy lifting for you.

  • Choose a managed WordPress host that includes built-in server-level firewalls, daily malware scanning, and automatic backups — providers like Kinsta, WP Engine, or Cloudways
  • Ensure your host runs a currently supported PHP release (8.2 or newer in 2026; check php.net for which branches still receive security fixes, since each branch is supported for a fixed number of years). Outdated PHP versions no longer receive security patches, so a flaw in the runtime stays exploitable for as long as you run it
  • Look for hosts that offer DDoS protection and Web Application Firewall (WAF) at the server level
  • Confirm your host provides one-click staging environments so you can test updates safely before deploying to your live site

9. Set Correct File Permissions

Incorrect file permissions are a silent but serious vulnerability. If your WordPress files or directories have permissions that are too permissive, attackers who gain any level of access to your server can overwrite or inject malicious code directly into your site’s files.

  • WordPress directories should be set to 755 (owner can read, write, execute; others can read and execute)
  • WordPress files should be set to 644 (owner can read and write; others can only read)
  • The wp-config.php file should be set to 400 (readable only by the owner) or 440 (owner and the owner's group) when PHP runs as a separate user that belongs to that group; this is your most sensitive file
  • These values assume PHP runs as the user who owns the files, which is how per-user PHP-FPM and suPHP hosting works. If uploads or updates stop working after tightening, PHP is running as a different user and you need your host's recommended values instead
  • You can check and correct file permissions via your hosting file manager, an FTP client, or over SSH
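Over SSH the whole baseline is two find commands, plus a check for what attackers actually look for. The following is an added example, not code from the article: it applies 755/644, locks down wp-config.php, and reports anything still world-writable. It assumes a Linux host with GNU find and stat, that you run it as the user who owns the files, and that PHP runs as that user; paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: apply the 755/644
# baseline and lock down wp-config.php, then look for anything still
# world-writable. Assumes a Linux host with GNU find/stat and that you run it
# as the user who owns the files. Paths are placeholders.

# harden_wp_perms <wp-root> [wp-config-mode]
# wp-config-mode defaults to 400 (owner read only). Pass 440 when PHP runs as
# a different user that shares the owner's group; otherwise PHP cannot read the
# file and the site goes down.
harden_wp_perms() {
    root="$1"; cfg_mode="${2:-400}"
    if [ ! -d "$root/wp-includes" ]; then
        echo "harden_wp_perms: $root does not look like a WordPress root" >&2
        return 1
    fi
    find "$root" -type d -exec chmod 755 '{}' +
    find "$root" -type f -exec chmod 644 '{}' +
    if [ -f "$root/wp-config.php" ]; then
        chmod "$cfg_mode" "$root/wp-config.php"
    fi
    # wp-content/uploads keeps 755/644: that is writable by the owner, which is
    # the PHP user on the per-user PHP-FPM/suPHP setups this assumes.
}

# world_writable <path>
# Prints every file or directory writable by "other" (mode bit 002) and
# returns 1 if any exist; prints nothing and returns 0 on a clean tree.
world_writable() {
    found=$(find "$1" -perm -002 \( -type f -o -type d \) -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Octal mode of one path (e.g. 644), used for spot checks after hardening.
mode_of() { stat -c '%a' "$1"; }
```

Run harden_wp_perms /var/www/example.com once after install and world_writable /var/www/example.com from a cron job: a 777 file or directory appearing in wp-content is usually either a plugin installer that "fixed" an upload problem the wrong way, or a sign that someone has already been in.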

10. Disable the Built-In Theme and Plugin File Editor

WordPress includes a built-in file editor under Appearance → Theme File Editor and Plugins → Plugin File Editor. While convenient, this is a serious security liability — if an attacker gains admin access to your dashboard, they can use this editor to inject malicious PHP code directly into your theme or plugin files without needing server access.

Disabling it takes one line of code. Add this to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );
  • This prevents file editing via the dashboard without affecting your ability to edit files via FTP or your hosting file manager
  • Also consider adding define( 'DISALLOW_FILE_MODS', true ); on fully locked-down production sites. This also blocks plugin and theme installation and every update (including automatic updates) from the dashboard, so use it only where updates are applied some other way, such as WP-CLI or a deployment pipeline

11. Implement Regular Automated Backups

Backups are not a security measure in the traditional sense — they will not prevent an attack. But they are your most important recovery tool. If your site is compromised, infected with malware, or corrupted by a bad update, a recent clean backup means recovery takes hours rather than weeks. Without a backup, a serious attack can mean permanent loss of your site, content, and customer data.

  • Use a plugin like UpdraftPlus or BlogVault to automate daily backups, or your host's backup feature if it includes the database
  • Store backups off-site, on Amazon S3, Google Drive, or Dropbox. Never store your only backup on the same server as your website, and never inside the web root, where the archive can be downloaded by anyone who guesses its name
  • Backups contain wp-config.php and your database (database credentials, user password hashes, customer data), so restrict access to the storage location and encrypt it where the tool supports it
  • Test your backups regularly by restoring to a staging site. A backup you have never tested is a backup you cannot trust
  • For WooCommerce stores, increase backup frequency to multiple times per day to avoid losing order data
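The "test your backups" step is the one most often skipped, so it is worth automating alongside the backup itself. The following is an added example, not code from the article: a file-level backup with a checksum, a restore test that unpacks the archive into a scratch directory and checks it, and retention pruning. The database dump (wp db export) and the off-site copy (for example aws s3 cp) need the live site and network, so they appear only as comments; the paths, names and the retention period are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: a file-level backup with
# an integrity checksum, a restore test, and retention pruning. The database
# dump (wp db export) and the off-site copy (for example aws s3 cp) are the
# live-site steps and appear only as comments; paths, names and the retention
# period are assumptions. Needs tar, sha256sum and GNU find.

# backup_files <wp-root> <backup-dir>
# Writes wp-files-<UTC stamp>.tar.gz plus a .sha256 file and prints the archive
# path. <backup-dir> must be outside the web root (and not inside <wp-root>),
# or the archive is both backed up recursively and downloadable by anyone.
backup_files() {
    root="$1"; dest="$2"
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name="wp-files-$stamp.tar.gz"
    # Live site, before this: wp db export "$dest/db-$stamp.sql" --path="$root"
    tar -C "$root" -czf "$dest/$name" .
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
    # Live site, after this: aws s3 cp "$dest/$name" "s3://YOUR-BUCKET/$name"
    # (and the .sha256 and the .sql dump alongside it)
    echo "$dest/$name"
}

# restore_test <archive>
# Returns 0 when the checksum matches and the archive unpacks into a scratch
# directory containing wp-config.php and wp-content/; 1 otherwise.
restore_test() {
    archive="$1"; dir=$(dirname "$archive"); name=$(basename "$archive")
    ( cd "$dir" && sha256sum -c --status "$name.sha256" ) || return 1
    scratch=$(mktemp -d)
    rc=1
    if tar -C "$scratch" -xzf "$archive" 2>/dev/null \
       && [ -f "$scratch/wp-config.php" ] && [ -d "$scratch/wp-content" ]; then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# prune_backups <backup-dir> <keep-days>
# Deletes archives, checksums and dumps older than <keep-days>.
prune_backups() {
    find "$1" -maxdepth 1 \( -name 'wp-files-*.tar.gz' -o -name 'wp-files-*.tar.gz.sha256' -o -name 'db-*.sql' \) -mtime +"$2" -delete
}
```

A nightly cron entry would call backup_files, then restore_test on the archive it printed, and alert on a non-zero exit before pruning; a backup that fails its own restore test should never be the one that replaces last night's good copy.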

12. Never Use Nulled or Pirated Themes and Plugins

Nulled plugins and themes — pirated premium products distributed for free — are one of the most common ways malware ends up on WordPress sites in 2026. The person distributing the “free” premium plugin is not being generous. They have modified the files to include a backdoor, a hidden script that gives them access to your server, allows them to redirect your visitors, or turns your site into part of a spam network.

  • Only ever install plugins and themes from the official WordPress.org repository, the developer’s own website, or reputable marketplaces like ThemeForest or CodeCanyon
  • If a premium plugin is being offered for free anywhere other than the official source, treat it as malware — because it almost certainly is
  • Regularly audit your installed plugins and themes and remove any you are not actively using

13. Protect Your wp-config.php and .htaccess Files

The wp-config.php file contains your database credentials, security keys, and core WordPress configuration. It is the most sensitive file on your entire WordPress installation. The .htaccess file controls server-level behaviour for Apache-based hosts. Both need to be explicitly protected.

Add the following to your .htaccess file to block direct requests for wp-config.php. Normally the file is executed as PHP and returns nothing, but if the PHP handler is ever misconfigured the server would hand out the raw file, database password included. The Require form is the Apache 2.4 syntax, which every current host runs; the Order/Deny form is Apache 2.2 syntax and is kept only for hosts that still load mod_access_compat. Nginx ignores .htaccess entirely, so there the equivalent deny rule belongs in the server configuration.

<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
  • Move wp-config.php one directory level above your WordPress root if your hosting setup allows it — WordPress will still find it automatically
  • Disable directory browsing in .htaccess by adding Options -Indexes to prevent attackers from viewing your file structure
  • Use strong, unique values for your WordPress security keys and salts in wp-config.php. Regenerate them from https://api.wordpress.org/secret-key/1.1/salt/ or with WP-CLI (wp config shuffle-salts). Changing the salts invalidates every existing login cookie, which is exactly what you want after a suspected compromise
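Steps 10 and 13 both end with editing wp-config.php by hand, which is where a typo takes the site down. The following is an added example, not code from the article: it regenerates the eight keys and salts locally with openssl, adds DISALLOW_FILE_EDIT above the wp-settings.php line (constants defined below it have no effect), keeps a backup copy outside the web root, and runs php -l when PHP is available. It assumes a Linux host with GNU sed and stat; the sample wp-config.php it writes is constructed for the demonstration. On a live site the WP-CLI commands wp config shuffle-salts and wp config set DISALLOW_FILE_EDIT true --raw do the same two jobs.

```shell
#!/bin/sh
# Added example, not code from the original article: regenerate the eight
# WordPress keys and salts locally and add DISALLOW_FILE_EDIT to a
# wp-config.php, with a backup copy and a syntax check. Needs openssl and GNU
# sed/stat (Linux). Paths and the sample config are constructed. On a live
# site, `wp config shuffle-salts` and `wp config set DISALLOW_FILE_EDIT true --raw`
# (WP-CLI) do the same two jobs.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 characters of base64: safe inside single quotes and as a sed replacement
# (the alphabet has no quote, backslash, & or |).
random_salt() { openssl rand -base64 48 | tr -d '\n'; }

# insert_before_settings <wp-config.php> <php line>
# Constants only take effect if they are defined before wp-settings.php is
# loaded, so new defines go just above that require_once line.
insert_before_settings() {
    awk -v ins="$2" '
        !done && /wp-settings\.php/ { print ins; done = 1 }
        { print }
        END { if (!done) print ins }    # no require line found: append
    ' "$1" > "$1.tmp"
    cat "$1.tmp" > "$1"      # write through the existing inode to keep owner/mode
    rm -f "$1.tmp"
}

# harden_wp_config <wp-config.php> <backup-dir>
harden_wp_config() {
    cfg="$1"; bak_dir="$2"
    # Keep the copy OUTSIDE the web root: a wp-config.php.bak next to the
    # original is served as plain text by Apache and leaks the DB password.
    cp -p "$cfg" "$bak_dir/wp-config.php.$(date -u +%Y%m%d%H%M%S).bak"
    orig_mode=$(stat -c '%a' "$cfg")
    chmod u+w "$cfg"                     # the file may already be 400/440
    for name in $WP_SALT_NAMES; do
        salt=$(random_salt)
        if grep -q "define( *'$name'" "$cfg"; then
            sed -i "s|^define( *'$name'.*|define( '$name', '$salt' );|" "$cfg"
        else
            insert_before_settings "$cfg" "define( '$name', '$salt' );"
        fi
    done
    if ! grep -q "'DISALLOW_FILE_EDIT'" "$cfg"; then
        insert_before_settings "$cfg" "define( 'DISALLOW_FILE_EDIT', true );"
    fi
    chmod "$orig_mode" "$cfg"
    if command -v php >/dev/null 2>&1; then
        php -l "$cfg" >/dev/null         # non-zero exit on a syntax error
    fi
}

# Constructed stand-in for a real wp-config.php: the shipped sample has
# placeholder salts, which the hardening above must replace.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wp_example' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Number of lines in <file> matching <pattern> (prints 0 instead of grep's exit 1).
count_matches() { grep -c "$1" "$2" || true; }
```

Run it as harden_wp_config /var/www/example.com/wp-config.php /home/deploy/backups (both paths are placeholders). Because regenerating the salts logs every user out, schedule it for a quiet period, or run it deliberately as the first containment step after a suspected compromise.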

14. Disable XML-RPC If You Don’t Need It

XML-RPC is a WordPress API (xmlrpc.php) that lets remote clients publish and manage content. It was designed for mobile apps and third-party publishing tools, and in 2026 most sites don’t need it, but it remains enabled by default. Attackers abuse it in two ways. Its system.multicall method lets a single HTTP request carry hundreds of login guesses, bypassing lockout plugins that only watch wp-login.php (WordPress has curtailed this since 4.4 by failing the remaining calls once one authentication fails, but it is still a cheap way to probe credentials). Its pingback.ping method can be abused to make your server send requests at a third party, turning your site into a DDoS reflector.

  • If you don’t use the WordPress mobile app, Jetpack, or any tool that requires XML-RPC, disable it completely
  • Add this to your .htaccess to block all XML-RPC access (Apache 2.4 syntax, with the 2.2 form kept only for hosts that still load mod_access_compat; Nginx ignores .htaccess, so there the deny rule goes in the server configuration):
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
  • Alternatively, use the Disable XML-RPC plugin for a no-code solution
  • If you need XML-RPC for a specific integration, use a security plugin to whitelist only the specific IP addresses that need access

15. Conduct Regular WordPress Security Audits

Security is not a one-time setup — it is an ongoing process. The threat landscape changes every week. New vulnerabilities are discovered in popular plugins daily, attack techniques evolve, and your site changes over time as you add new plugins, users, and content. A regular security audit catches problems before attackers do.

  • Monthly: Review all installed plugins and themes, remove unused ones, and ensure all active ones are up to date. Check user accounts and remove any you don’t recognise
  • Quarterly: Run a full malware scan using Wordfence or Solid Security. Review file permissions. Test your backup restoration process on a staging environment
  • Annually: Full security audit including penetration testing, a review of user roles and permissions, and a review of the hosting environment. Certificate validity is not an annual item: Let’s Encrypt certificates last 90 days, so confirm that auto-renewal is working and set up an expiry alert instead
  • Subscribe to Patchstack or WPScan vulnerability alerts to receive notifications when a plugin you use is found to have a security issue

Quick Reference: WordPress Security Checklist 2026

Here is a summary of all 15 steps for easy reference:

  1. Keep WordPress core, plugins, and themes updated
  2. Use strong, unique passwords for all accounts
  3. Enable two-factor authentication (2FA)
  4. Change the default WordPress login URL
  5. Limit login attempts
  6. Install a WordPress security plugin (Wordfence, Solid Security, or Patchstack)
  7. Install SSL and force HTTPS sitewide
  8. Choose secure, managed WordPress hosting
  9. Set correct file permissions (755/644)
  10. Disable the built-in theme/plugin file editor
  11. Set up automated off-site backups
  12. Never use nulled or pirated plugins/themes
  13. Protect wp-config.php and .htaccess
  14. Disable XML-RPC if not needed
  15. Conduct regular security audits

Need Help Securing Your WordPress Site?

Working through this checklist yourself takes time — and if security is not your primary expertise, it is easy to miss things. A single unpatched plugin or misconfigured permission can undo everything else you have done correctly.

At ArshadWebStudio, WordPress security hardening is part of every site we build and maintain. Whether you need a one-time security audit, ongoing monthly maintenance, or a full site lockdown after a breach, we can help. Get in touch today and let’s make sure your WordPress site is properly protected in 2026.

About the Author

Arshad Shah is a freelance WordPress and Shopify developer at arshadwebstudio.com, specialising in custom WordPress development, plugin development, performance optimisation, and website security. He helps businesses and agencies build fast, secure, and scalable WordPress websites.
