Securing your WordPress site
The key security settings every WordPress site owner should check — from keeping software up to date to limiting login attempts.
WordPress powers a huge portion of the web, which also makes it a common target for automated attacks. The good news: most WordPress hacks happen because of preventable issues — outdated software, weak passwords, or unnecessary access. A few simple steps put you in a much stronger position.
Quick summary
Keep WordPress, themes, and plugins up to date. Use strong, unique passwords for every admin account. Turn on two-factor authentication. Remove user accounts that are no longer needed. Install a reputable security plugin. And make sure your hosting includes backups.
Keep everything up to date
Outdated software is the number-one cause of WordPress hacks. Attackers scan for sites running known vulnerable versions and exploit them automatically.
What to keep updated:
- WordPress core — the main WordPress software
- Themes — even ones you're not actively using
- Plugins — every single one
Check for updates regularly, or ask us to include updates in your care plan. See WordPress updates explained for how to do this safely.
Deactivate, don't just leave unused
Deactivate and delete themes and plugins you no longer use. Inactive plugins still contain code that can be exploited. See Deactivating vs deleting plugins.
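As an added example (not part of this guide), the Python script below reads the JSON that WP-CLI prints for `wp plugin list --format=json` and `wp theme list --format=json` and turns the two rules above into a checklist: anything with an update available needs updating, and anything inactive is a candidate for deletion rather than being left installed. The sample data is constructed and the plugin and theme names are invented; the field names (`name`, `status`, `update`, `version`) follow WP-CLI's output. It assumes a theme reported with status `parent` is kept, because the active child theme depends on it.

```python
import json

# Constructed sample in the shape of `wp plugin list --format=json` output
# (plugin names and versions are invented for this example).
SAMPLE_PLUGINS_JSON = json.dumps([
    {"name": "wordfence", "status": "active", "update": "none", "version": "7.11.0"},
    {"name": "contact-form", "status": "active", "update": "available", "version": "1.4.2"},
    {"name": "old-slider", "status": "inactive", "update": "available", "version": "2.0.0"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
])

# Constructed sample in the shape of `wp theme list --format=json` output.
SAMPLE_THEMES_JSON = json.dumps([
    {"name": "company-child", "status": "active", "update": "none", "version": "1.0"},
    {"name": "company-parent", "status": "parent", "update": "available", "version": "3.2"},
    {"name": "twentytwenty", "status": "inactive", "update": "none", "version": "2.5"},
])


def audit_extensions(plugins_json, themes_json):
    """Return {'update': [...], 'delete': [...]} of 'kind:name' labels.

    Rules from the guide: inactive plugins and themes are deleted (so they are
    not also listed for updating), and everything else with an update
    available gets updated. Assumption: a theme with status 'parent' stays
    installed because the active child theme needs it.
    """
    report = {"update": [], "delete": []}
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            label = f"{kind}:{item['name']}"
            if item.get("status") == "inactive":
                report["delete"].append(label)
            elif item.get("update") == "available":
                report["update"].append(label)
    return report


def format_checklist(report):
    """Render the report as plain text for a care-plan ticket."""
    lines = ["Update now:"] + [f"  - {x}" for x in report["update"]]
    lines += ["Delete (inactive):"] + [f"  - {x}" for x in report["delete"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_checklist(audit_extensions(SAMPLE_PLUGINS_JSON, SAMPLE_THEMES_JSON)))
```

Run it against real output by piping the two WP-CLI commands into files and loading them in place of the constructed samples; the delete list is what to deactivate and remove, and the update list is what to update after taking a backup.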
Use strong passwords for all admin accounts
Every administrator account on your WordPress site should have a strong, unique password. Use your password manager to generate one.
Don't share the admin password between multiple people. Instead, create a separate account for each person who needs access, and give them only the permissions they need. See WordPress user roles explained.
Turn on two-factor authentication
WordPress doesn't include 2FA out of the box. We recommend installing the WP 2FA plugin or using the 2FA feature included in Wordfence (if you already use Wordfence).
Once installed, require 2FA for all administrator accounts at minimum. See Two-factor on WordPress for the setup steps.
Install a security plugin
A good security plugin adds several layers of protection:
- Firewall — blocks malicious traffic before it reaches WordPress
- Malware scanning — checks your files for known malicious code
- Login protection — limits failed login attempts, blocks suspicious IPs
- File change monitoring — alerts you when core files change unexpectedly
We recommend Wordfence or Solid Security (formerly iThemes Security). Your hosting provider may also include security scanning at the server level.
Limit login attempts
By default, WordPress allows unlimited login attempts — which means attackers can try millions of password combinations automatically. This is called a brute-force attack.
Most security plugins include login attempt limiting. You can also configure it separately with the Limit Login Attempts Reloaded plugin. Set it to lock out an IP after three to five failed attempts.
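The plugins above enforce the lock-out inside WordPress; the script below, an added example rather than anything from this guide or those plugins, applies the same "N failures within a window" rule to your web server's access log so you can see how much brute-force traffic a site receives and confirm the lock-out is actually working. The log lines are constructed (Apache/Nginx combined format, with documentation IP addresses). It assumes that a failed login to /wp-login.php re-renders the form with HTTP 200 while a successful one answers with a 302 redirect into wp-admin, which is how stock WordPress behaves.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.20 - - [10/May/2024:09:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:09:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:09:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "https://example.test/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def failed_logins(lines):
    """Yield (ip, timestamp) for requests that look like failed login attempts.

    Assumption: a failed POST to /wp-login.php returns 200 (the form again);
    a successful one returns 302 and is therefore not counted.
    """
    for line in lines:
        r = parse_line(line)
        if r and r["method"] == "POST" and r["path"] == "/wp-login.php" and r["status"] == 200:
            yield r["ip"], r["ts"]


def find_brute_force(lines, threshold=5, window=timedelta(minutes=15)):
    """Return {ip: time the threshold was crossed} using a sliding window.

    threshold=5 matches the upper end of the guide's three-to-five rule.
    """
    attempts = defaultdict(list)
    for ip, ts in failed_logins(lines):
        attempts[ip].append(ts)
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = ts
                break
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure threshold at {when.isoformat()}")
```

If an IP keeps appearing with fresh failures after the time it was flagged, the lock-out is not taking effect for that traffic and the plugin settings need a second look.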
Change the default admin username
When WordPress is first installed, it often suggests "admin" as the username. This is one of the first things attackers try. If your main admin account is still called "admin," create a new administrator account with a different username, log in with the new account, and delete the old "admin" account.
Keep your admin URL harder to find
By default, your WordPress login page is at /wp-admin or /wp-login.php. You can change this URL using a security plugin. This doesn't stop a determined attacker, but it eliminates a huge amount of automated scanning traffic.
Many security plugins include this feature. Look for "login URL" or "hide login" in your security plugin's settings.
Check your user accounts
Review who has admin access to your WordPress site regularly:
- Log into your WordPress dashboard.
- Go to Users → All Users.
- Review the list. Remove any accounts that belong to former staff, old contractors, or anyone who no longer needs access.
- Ensure no one has more permissions than they need. An author doesn't need administrator access.
See also Security steps when someone leaves.
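For sites with more than a handful of users, the dashboard review above is easier to do from an export. The Python script below is an added example, not part of this guide, that reads the JSON printed by `wp user list --format=json` and produces the two findings this section and "Change the default admin username" call for: an account still called "admin", and administrators who are not on your current list of people who need that access. The accounts, names and addresses are constructed; the field names (`ID`, `user_login`, `display_name`, `user_email`, `user_registered`, `roles`) are WP-CLI's, and the script assumes `roles` arrives as a comma-separated string, accepting a list as well.

```python
import json

# Constructed sample in the shape of `wp user list --format=json` output.
# Field names are WP-CLI's; the accounts, names and addresses are invented.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "display_name": "Site Owner",
     "user_email": "owner@example.test", "user_registered": "2019-03-01 10:00:00",
     "roles": "administrator"},
    {"ID": 2, "user_login": "jane", "display_name": "Jane Doe",
     "user_email": "jane@example.test", "user_registered": "2021-06-14 09:30:00",
     "roles": "administrator"},
    {"ID": 3, "user_login": "oldcontractor", "display_name": "Former Contractor",
     "user_email": "dev@agency.example", "user_registered": "2020-01-20 14:00:00",
     "roles": "administrator"},
    {"ID": 4, "user_login": "sam", "display_name": "Sam Writer",
     "user_email": "sam@example.test", "user_registered": "2023-02-02 08:00:00",
     "roles": "author"},
])

# Constructed: the people who currently need administrator access.
APPROVED_ADMINS = {"jane"}


def user_roles(user):
    """Normalise the roles field: WP-CLI prints a comma-separated string."""
    roles = user.get("roles", "")
    if isinstance(roles, str):
        roles = [r.strip() for r in roles.split(",")]
    return [r for r in roles if r]


def audit_users(users_json, approved_admins=APPROVED_ADMINS):
    """Return a list of {'login', 'reason'} findings for the access review."""
    findings = []
    for user in json.loads(users_json):
        login = user["user_login"]
        is_admin = "administrator" in user_roles(user)
        if login.lower() == "admin":
            findings.append({
                "login": login,
                "reason": "default 'admin' username: create a new administrator, "
                          "log in with it, then delete this account",
            })
        elif is_admin and login not in approved_admins:
            findings.append({
                "login": login,
                "reason": "administrator not on the approved list: remove the account, "
                          "or reduce it to the role the person actually needs",
            })
    return findings


def administrators(users_json):
    """Logins of every administrator, as a headcount sanity check."""
    return [u["user_login"] for u in json.loads(users_json)
            if "administrator" in user_roles(u)]


if __name__ == "__main__":
    print("Administrators:", ", ".join(administrators(SAMPLE_USERS_JSON)))
    for f in audit_users(SAMPLE_USERS_JSON):
        print(f"{f['login']}: {f['reason']}")
```

Keep the approved list with whoever owns the site's access, and rerun the script each time someone joins or leaves; a growing administrator headcount with no matching change in the approved list is the signal to act on.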
Make sure backups are running
A recent backup is your ultimate safety net. If your site is hacked and you can't clean it, a clean backup means you can restore the whole site quickly.
Check with your hosting provider that automatic backups are configured. Most managed WordPress hosts (Flywheel, WP Engine, Kinsta) include daily backups. See Why backups are your safety net.
Use a reputable hosting provider
Good hosting includes:
- Server-level firewall and malware scanning
- Automatic WordPress updates (or at least notifications)
- Daily backups with easy restore
- SSL certificate (HTTPS)
- Security monitoring and incident response
Cheap, shared hosting often lacks these features. See our hosting guides for recommended providers.
Related guides
- WordPress updates explained
- WordPress user roles explained
- Two-factor on WordPress
- What to do if your site is hacked
- Why backups are your safety net