WordPress Security

WordPress security hardening, backup strategies, and malware removal guides - practical steps you can apply today.

6 articles

WordPress security is mostly about reducing attack surface and catching problems early — not about making a site impenetrable. Most WordPress compromises happen through three vectors: outdated plugins with known vulnerabilities, brute-forced or leaked wp-admin credentials, and compromised hosting environments where one infected site on shared hosting affects others.

The security guides here are written from the perspective of an agency that has dealt with actual compromised client sites. Not theoretical threats — real malware injections, SEO spam attacks, credential stuffing on admin login pages, and supply chain compromises via abandoned plugins. The guidance is practical: what to do first, what tools are worth running, and how to structure a security setup that doesn't add meaningful maintenance overhead.

The non-negotiables for every WordPress site: automatic plugin and theme updates (or, at minimum, monitored updates, since known vulnerabilities in outdated plugins are the most common attack vector), two-factor authentication on every administrator account, a daily off-site backup with a tested restore procedure, and rate limiting on the login endpoint. Everything beyond this is hardening that reduces risk further, but these four items alone stop the vast majority of real-world attacks.
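As an added example (not code from this site or from any plugin it mentions), the must-use plugin below implements two of the four items above using only core WordPress APIs: it forces plugin and theme auto-updates, and it rate-limits wp-login.php per client IP by counting failed attempts in a transient. The file name, the bh_ prefix, and the threshold of five failures per fifteen minutes are assumptions; adjust them to your own risk tolerance.

```php
<?php
/**
 * Plugin Name: Baseline Hardening (added example)
 * Description: Forces plugin/theme auto-updates and rate-limits login attempts per IP.
 *
 * Drop this file into wp-content/mu-plugins/ (create the directory if needed);
 * must-use plugins load automatically and cannot be deactivated from wp-admin.
 * Example code, not from the original page or any named plugin.
 */

// 1. Automatic plugin and theme updates. Core minor/security releases are
//    already auto-applied by default; these filters extend that to plugins and themes.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. Login rate limiting. After BH_MAX_FAILURES failed logins from one IP,
//    further attempts from that IP are rejected until BH_WINDOW seconds pass
//    without another failure (assumed values).
const BH_MAX_FAILURES = 5;
const BH_WINDOW       = 900; // 15 minutes

/**
 * Client IP used as the rate-limit key. Only REMOTE_ADDR is trusted here:
 * X-Forwarded-For is attacker-controlled unless the web server or CDN
 * rewrites REMOTE_ADDR itself, so do that at the server layer, not in PHP.
 */
function bh_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function bh_transient_key() {
    return 'bh_login_fail_' . md5( bh_client_ip() );
}

// Count failures. 'wp_login_failed' fires for both wrong passwords and
// unknown usernames, so username enumeration attempts are counted too.
add_action( 'wp_login_failed', function () {
    $key   = bh_transient_key();
    $count = (int) get_transient( $key );
    // Re-setting the transient refreshes its TTL, giving a sliding window.
    set_transient( $key, $count + 1, BH_WINDOW );
} );

// Reject authentication once the threshold is reached. Priority 30 runs
// AFTER WordPress's own username/password checks (priority 20), so a
// correct password cannot override the lockout; returning WP_Error makes
// wp_authenticate() fail and fire 'wp_login_failed' again.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( bh_transient_key() ) >= BH_MAX_FAILURES ) {
        return new WP_Error(
            'bh_rate_limited',
            __( 'Too many failed login attempts from your address. Try again later.' )
        );
    }
    return $user;
}, 30, 1 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( bh_transient_key() );
} );
```

Two caveats worth knowing before relying on this. First, it only limits the interactive login form; XML-RPC (`xmlrpc.php`) and the REST API's application-password endpoint authenticate through the same `authenticate` filter, so the lockout applies there too, but you may still want to disable XML-RPC outright if nothing uses it. Second, the counter lives in WordPress transients, which means it is per-site and reset by a cache flush; a distributed credential-stuffing run that spreads attempts across many IPs will stay under the per-IP threshold, which is why two-factor authentication on admin accounts remains the control that actually stops leaked or guessed passwords.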

On security plugins: Wordfence and Solid Security (formerly iThemes Security) are the most common. Both are useful for login protection and file change monitoring. Neither makes a poorly maintained site secure. The backup strategy matters more than any security plugin — when (not if) something goes wrong, the backup is what gets you back online.