A hacked WordPress site does more than lose data — it tanks Google rankings, gets your domain flagged in Meta Ads, and loses paid traffic to spammy redirects. This is the security baseline that protects your marketing investment.
Who this is for
WordPress site owners with no formal security plugin installed, or sites that have been hacked before. Especially relevant if you run paid ads: a hacked site mid-campaign can burn through budget on a malicious redirect before you notice.
What you'll need
Step 1
Tools → Site Health → Status. Users → All Users. Document active admin accounts and any "Critical" Site Health warnings.
WordPress Admin → Tools → Site Health → Status.
Note any Critical issues (red). Common ones: outdated PHP version (under 8.1), debug mode enabled in production, file editing enabled.
WordPress Admin → Users → All Users. Filter by Administrator role.
For every Administrator account, verify: (1) you recognize the person, (2) the email is real and current, (3) they still need admin access.
Delete or downgrade any abandoned admin accounts. Former agencies, ex-employees, test accounts — all are attack vectors.
Look for usernames "admin," "administrator," "root," or your domain name; these are the first guesses in brute-force attacks. If yours is one of these, plan to change it (next step). Note that WordPress reveals usernames anyway through author archives (/?author=1) and the REST API users endpoint (/wp-json/wp/v2/users), so a non-obvious username only slows automated guessing; the strong password and the 2FA in the later steps are what actually stop it.
Step 2
WordPress does not let you rename users via UI. Create a new admin user with a non-guessable username, reassign content, delete the old one. Force password reset on all users.
WordPress Admin → Users → Add New. Create a new account with role Administrator and a username that is NOT "admin," "yourname," or your domain.
Set a strong password (use a password manager — 1Password, Bitwarden, Dashlane). Minimum 20 characters mixed.
Confirm the email address on the new account, then log out and log back in as the new admin before touching the old one, so you never end up without a working Administrator login.
Users → All Users → hover over the old "admin" account → Delete → "Attribute all content to: [new admin user]." Choosing "Delete all content" instead removes every post and page that user authored.
For all remaining users, edit each → "Send Password Reset" — forces them to set a new strong password on next login.
Consider enforcing strong passwords for everyone: Wordfence → All Options → Brute Force Protection → "Enforce strong passwords," or a dedicated plugin such as Password Policy Manager.
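The same audit and replacement done with WP-CLI instead of the dashboard, as an added example that is not part of the original tutorial. It assumes WP-CLI ("wp") is installed on the host and that you run it from the WordPress root; "example.com" and the account names are placeholders, and the CSV shown in the usage comment is constructed, not real site data. The audit function reads the CSV that wp user list prints and flags the usernames Step 1 warns about; replace_admin performs Step 2 in one go.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the Step 1/2 admin audit and
# replacement done with WP-CLI. Assumes WP-CLI ("wp") is installed and the
# script runs from the WordPress root. "example.com" and all account names are
# placeholders; the sample CSV in the usage comment is constructed.

# flag_risky_admins DOMAIN
# Reads on stdin the CSV (header line first) that
#   wp user list --role=administrator --fields=user_login,user_email --format=csv
# prints, and writes one line per account: RISKY when the username is a
# first guess for brute-force bots (admin, administrator, root, test,
# wordpress, the domain, or the domain without its TLD), ok otherwise.
flag_risky_admins() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    bare="${domain%%.*}"                      # "example" from "example.com"
    tail -n +2 | while IFS=, read -r login email; do
        lc=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
        case "$lc" in
            admin|administrator|root|test|wordpress|"$domain"|"$bare")
                printf 'RISKY\t%s\t%s\n' "$login" "$email" ;;
            *)
                printf 'ok\t%s\t%s\n' "$login" "$email" ;;
        esac
    done
}

# replace_admin OLD_LOGIN NEW_LOGIN NEW_EMAIL
# Creates the new Administrator, moves the old account's content to it, deletes
# the old account, then sends a password reset to every remaining user. Keep a
# logged-in browser session open while this runs in case something fails.
replace_admin() {
    old="$1"; new="$2"; email="$3"
    # Prints the generated password once; store it in the password manager.
    wp user create "$new" "$email" --role=administrator || return 1
    newid=$(wp user get "$new" --field=ID) || return 1
    wp user delete "$old" --reassign="$newid" --yes || return 1
    # --exclude is a WP_User_Query argument passed through by wp user list;
    # -r (GNU xargs) skips the run when the list is empty.
    wp user list --field=ID --exclude="$newid" | xargs -r wp user reset-password
}

# Usage on the host (constructed sample output shown after the command):
#   wp user list --role=administrator --fields=user_login,user_email --format=csv \
#       | flag_risky_admins example.com
#   RISKY   admin        owner@example.com
#   ok      j-ops-2026   ops@example.com
#   replace_admin admin j-ops-2026 owner@example.com
```

Run the audit first and only call replace_admin once you have confirmed the new username is not on the RISKY list; the reset at the end logs everyone else out of their current password, so warn editors before running it.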
Step 3
Wordfence (free) for self-managed monitoring and malware scanning. Sucuri (paid, $200+/yr) for hands-off managed security. One only.
Wordfence — free version is enough for most sites. Plugins → Add New → search Wordfence Security. Install Now → Activate.
Wordfence → Dashboard → walks through initial setup. Add email for alerts (use a secondary email, not the WP admin email).
Wordfence → All Options → enable: Brute Force Protection, Login Attempts limit (5 fails = 30 min lockout), Live Traffic.
Wordfence → Scan → Start New Scan. Initial scan takes 10-30 minutes. Review findings.
Alternative: Sucuri Security ($200+/yr) — fully managed monitoring, cleanup if hacked, CDN + WAF. Better for sites where you do not want to monitor yourself.
Avoid running Wordfence and Sucuri together. Two scanners and two firewall layers double the server work and the alert volume, and when both have rules for the same request it becomes hard to tell which one blocked it.
Step 4
Hosting control panel → install Let's Encrypt SSL (free, 90-day auto-renewing). WordPress Settings → General → set both URLs to https://. Force redirect via .htaccess or plugin.
Most modern hosts (Bluehost, SiteGround, Cloudways, Kinsta, WP Engine) include free Let's Encrypt SSL. Activate it from the host control panel — usually one click.
WordPress Admin → Settings → General → set both WordPress Address and Site Address to https://yoursite.com.
Force HTTPS redirect. Easiest: install Really Simple SSL plugin → enable. Verifies SSL cert and adds the redirect rule.
Manual alternative: add the redirect to .htaccess, above the "# BEGIN WordPress" block so it runs before the WordPress rewrite rules:

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Two caveats: if a CDN or proxy terminates TLS in front of the site (Cloudflare, a load balancer), Apache sees plain HTTP on every request and this rule loops forever; use the proxy's own "always use HTTPS" setting, or test the X-Forwarded-Proto header instead of %{HTTPS}. And hosts running nginx ignore .htaccess entirely, so use their control panel setting.
Visit yoursite.com (without https://). Should redirect to https://yoursite.com — green padlock in browser.
Test mixed-content warnings: Chrome DevTools → Console. Any 'Mixed Content: ... was loaded over HTTP' errors mean some assets still load over HTTP. Fix the source (image src, embedded video src).
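Both verifications above can be scripted so they run before every campaign launch rather than by eye in the browser. The following is an added example, not from the original tutorial: two shell functions that read a captured HTTP response (headers for the redirect check, the HTML body for the mixed-content check) from stdin. "yoursite.com" is a placeholder and the sample responses in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: offline checks for the two
# verifications in Step 4. Feed them real responses with curl on the host
# ("yoursite.com" is a placeholder); the responses in the usage comment are
# constructed samples.
#   curl -sI http://yoursite.com/   | check_https_redirect
#   curl -sL https://yoursite.com/  | find_mixed_content

# check_https_redirect: reads raw HTTP response headers on stdin. Returns 0 only
# for a permanent redirect (301 or 308) whose Location is an https:// URL, which
# is what search engines need to consolidate the http and https versions.
check_https_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)
    case "$status" in
        301|308) ;;
        302|307) echo "WARN: temporary redirect ($status); make it a 301"; return 1 ;;
        *)       echo "FAIL: http:// served status ${status:-none} with no redirect"; return 1 ;;
    esac
    case "$location" in
        https://*) echo "OK: $status -> $location"; return 0 ;;
        *)         echo "FAIL: redirect target is not https: '$location'"; return 1 ;;
    esac
}

# find_mixed_content: reads an HTML document on stdin and prints every http://
# subresource reference (src= on img/script/iframe, href= on <link>), the kind
# that produces "Mixed Content" console errors. Plain <a href="http://"> links
# are not mixed content and are ignored; CSS url() references and srcset are
# not covered. Returns 0 when nothing is found, 1 otherwise.
find_mixed_content() {
    found=$(grep -oE 'src="http://[^"]*"|<link[^>]*href="http://[^"]*"' | sort -u)
    if [ -z "$found" ]; then
        echo "OK: no http:// subresources referenced"
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Constructed sample (what a correctly configured site answers on http://):
#   HTTP/1.1 301 Moved Permanently
#   Location: https://yoursite.com/
# piped into check_https_redirect prints: OK: 301 -> https://yoursite.com/
```

Run the redirect check against both http://yoursite.com/ and http://www.yoursite.com/ (whichever is not your canonical host should also end up on the https canonical URL), and run the mixed-content check on a few templated pages (home, a post, a product page), since each template pulls in different assets.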
Step 5
Install a 2FA plugin (Wordfence 2FA, or Two-Factor by core contributors). Enforce 2FA for Administrator and Editor roles.
Wordfence includes 2FA in the free version. Wordfence → Login Security → Two-Factor Authentication → Activate 2FA.
Each admin user opens the same screen, scans a QR code with an authenticator app (Authy, 1Password, Google Authenticator), enters the verification code.
Wordfence → Login Security → 2FA → "Require 2FA for these roles" → tick Administrator and Editor.
Test: log out, log back in. After entering correct password, expect a 2FA prompt.
Save recovery codes in your password manager. Without them, losing your phone locks you out of admin.
Standalone alternative: 'Two Factor' plugin by Plugin Contributors — lightweight, no Wordfence overhead.
Step 6
Host backups are not always recoverable when you need them. Add UpdraftPlus, BlogVault, or BackupBuddy — store backups off-host (Google Drive, S3, Dropbox).
Check your host's backup policy. Most include daily backups, but recovery can take 24+ hours and may cost extra.
Install UpdraftPlus (free for basic, $70/yr for premium add-ons). Plugins → Add New → search UpdraftPlus → Install → Activate.
UpdraftPlus → Settings → Configure backup schedule. Daily for active sites, weekly for low-update sites.
Remote storage: connect Google Drive, Dropbox, or Amazon S3. Backups stored ONLY on the host are at risk if the host gets compromised.
Run a manual backup to verify the schedule works. Backup → Backup Now → Include database, plugins, themes, uploads, other.
Test the restore flow at least once. A backup you cannot restore is not a backup. UpdraftPlus → Existing backups → Restore.
Step 7
Disable file editing via wp-config.php constant. Move wp-config.php one directory up if possible. Disable XML-RPC if you do not use it.
SFTP into the site root. Open wp-config.php.
Add the following lines above the "That's all, stop editing!" comment:

```php
// Removes Appearance → Theme File Editor and Plugins → Plugin File Editor,
// so an attacker who gets an admin session cannot write PHP through the UI.
define('DISALLOW_FILE_EDIT', true);

// Forces wp-admin and wp-login.php onto HTTPS.
define('FORCE_SSL_ADMIN', true);
```

Most sites do not need XML-RPC. Wordfence → Login Security → Settings → "Disable XML-RPC authentication" stops password logins through it while leaving the endpoint in place. Or block the endpoint outright in .htaccess (Apache 2.4 syntax; on Apache 2.2 the body is Order Allow,Deny followed by Deny from all):

```apache
<Files xmlrpc.php>
    Require all denied
</Files>
```

Test that Jetpack and the WordPress mobile app still work if you use them; both need XML-RPC.
Some hosts disable file editing by default — confirm in Tools → Site Health.
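A quick way to confirm Step 7 actually landed, and to re-check it after a host migration or a plugin that rewrites wp-config.php: the audit below is an added example, not part of the original tutorial. It assumes shell access to the site root; the file paths in the usage comment are placeholders and the config fragments used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verifies the Step 7 hardening
# on disk. Assumes shell (SFTP/SSH) access to the site root; the paths in the
# usage comment are placeholders and the config fragments used in testing are
# constructed.

# audit_wp_config PATH
# Prints one line per hardening constant and returns the number of problems
# found (0 means hardened). Matches define('NAME', true) with any spacing or
# quote style.
audit_wp_config() {
    cfg="$1"; problems=0
    for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        if grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]$c['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
            echo "OK       $c is true"
        else
            echo "MISSING  $c is absent or false; add: define('$c', true);"
            problems=$((problems + 1))
        fi
    done
    # Site Health flags this one too: debug output leaks paths and queries.
    if grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "PROBLEM  WP_DEBUG is true in production; set it to false"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# xmlrpc_blocked PATH_TO_HTACCESS
# Returns 0 when a <Files xmlrpc.php> block denies access (Apache 2.4
# "Require all denied" or Apache 2.2 "Deny from all"), 1 otherwise.
xmlrpc_blocked() {
    awk 'tolower($0) ~ /<files[[:space:]]+"?xmlrpc\.php"?[[:space:]]*>/ {inblock=1}
         inblock && tolower($0) ~ /require all denied|deny from all/ {found=1}
         tolower($0) ~ /<\/files>/ {inblock=0}
         END {exit found ? 0 : 1}' "$1"
}

# Usage on the host (paths are placeholders):
#   audit_wp_config /var/www/html/wp-config.php
#   xmlrpc_blocked /var/www/html/.htaccess && echo "xmlrpc.php blocked in .htaccess"
# Then confirm from outside that the block is live (expect 403):
#   curl -s -o /dev/null -w '%{http_code}\n' -X POST https://yoursite.com/xmlrpc.php
```

The .htaccess check only proves the rule is written, not that Apache honours it (nginx hosts ignore the file), which is why the final curl against the live site is the check that counts.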
Common mistakes
Using "admin" as the admin username
What goes wrong: Brute-force bots try 'admin' as the username on every WordPress site they hit. Combined with a weak password, this gives them admin access in under an hour of attempts. From there: malware injection, redirect installs, SEO spam injection.
How to avoid: Create a new admin user with a non-guessable username, reassign content, delete the 'admin' user. Use a password manager for strong passwords.
No 2FA on admin accounts
What goes wrong: Without 2FA, a stolen, reused, or guessed password is enough to take over the site. A large share of WordPress takeovers start with credentials rather than a software exploit, and 2FA stops almost all of those.
How to avoid: Wordfence or Two Factor plugin → enforce 2FA for Administrator and Editor roles.
Running outdated plugins or themes
What goes wrong: Automated bots scan for plugins with published CVEs (Common Vulnerabilities and Exposures). A site still running an old version of a popular plugin with a critical CVE (caching plugins such as LiteSpeed Cache have had several) is typically exploited within hours or days of the disclosure, because the fix tells attackers exactly where to look.
How to avoid: Plugins → Installed Plugins → Update available (auto-checks). Enable auto-updates for plugins from trusted sources. Tools → Site Health flags outdated PHP/WordPress core.
No 301 redirect to HTTPS
What goes wrong: Site loads on both http:// and https://. Google sees two versions, splits ranking authority. Chrome shows 'Not Secure' on the http version. Conversion rate drops 5-15%. Some browsers warn users away from the site entirely.
How to avoid: Install Really Simple SSL (handles the redirect automatically) or add the 301 rule to .htaccess. Verify by visiting http://yoursite.com — should redirect.
Storing backups only on the host
What goes wrong: Host gets compromised or fails — backups are gone with the site. Even hosts with "daily backups" sometimes lose them in catastrophic failures.
How to avoid: UpdraftPlus or similar → store backups off-host on Google Drive, S3, or Dropbox. Test restore at least once.
Ignoring Wordfence/Sucuri alerts
What goes wrong: Wordfence emails about blocked attacks, file changes, plugin vulnerabilities. Owners ignore them as noise. Real intrusion alerts get missed in the inbox.
How to avoid: Route Wordfence alerts to a dedicated mailbox or folder and review it at least weekly. Triage: repeated blocked login attempts are background noise; "file changed," "file contains malware," or "plugin has a known vulnerability" alerts need action the day they arrive, not at the weekly review.
Hand it off
WordPress security is a one-time install + ongoing watchfulness. A vetted WordPress specialist sets the baseline (2FA, security plugin, backups, SSL, hardening) in 3-4 hours and produces a monitoring runbook. Typically $80-160 total at $14-16/hr. Compare against the cost of a single hack ($500-5,000+ in recovery).
Wordfence or Sucuri?
Wordfence free for self-managed sites with technical owners. Sucuri ($200+/yr) for sites where security is hands-off: they monitor, alert, and clean up hacks. Larger e-commerce sites benefit from Sucuri's managed CDN+WAF; smaller content sites are fine on Wordfence.
Which roles need 2FA?
Required for Administrator and Editor (anyone who can edit content or settings). Recommended for Author. Optional for Contributor and Subscriber. Force via Wordfence → Login Security → 2FA → Require for these roles.
How often should plugins be updated?
Weekly review at minimum. Enable auto-updates for trusted plugins (Yoast, RankMath, Wordfence, WooCommerce). Manual updates for plugins where breaking changes are common (cache plugins, page builders); test on a staging site first.
What do I do if the site is already hacked?
(1) Take the site offline temporarily (host control panel → maintenance mode). (2) Restore from a clean backup if you have one from before the hack date. (3) If no clean backup: hire a specialist (Sucuri offers cleanup services $200-500 per incident). (4) Change all passwords, revoke API keys, and regenerate the WordPress secret keys and salts in wp-config.php (wp config shuffle-salts with WP-CLI, or paste fresh values from https://api.wordpress.org/secret-key/1.1/salt/); this invalidates every existing login cookie, including any the attacker holds. (5) Re-scan after cleanup.
Does Wordfence slow the site down?
Wordfence's scanner and its PHP-level firewall run on your own server, so there is some overhead, mostly while a scan is running; schedule scans for low-traffic hours. Sucuri's WAF runs in its cloud in front of the site, so it adds no on-server load. Either cost is small compared with the security gain.
Do I need my own backups if the host already makes them?
Yes. Host backups have failed often enough that no security professional relies on them alone. UpdraftPlus to Google Drive is free and takes 30 minutes to set up. Cheap insurance.