WordPress powers a huge share of the web, which makes it a favourite target for automated attacks. The good news is that a handful of sensible measures block the overwhelming majority of them. Here’s what genuinely moves the needle.
Lock down the login
Most attacks are automated guesses at your login. Defend it three ways: never use “admin” as a username, use a long unique password, and enable two-factor authentication. Adding a limit on failed login attempts stops brute-force bots cold — after a few wrong guesses, the attacker is locked out.
Keep everything updated
Outdated plugins and themes are the number one way WordPress sites get hacked. Enable automatic updates for minor core releases and keep plugins and themes current. Delete anything you’re not using — an inactive plugin is still a potential entry point.
Use SSL everywhere
Serve the whole site over HTTPS so logins and form submissions are encrypted. Free SSL via AutoSSL means there’s no excuse not to. Force HTTPS with a redirect so nobody lands on the insecure version.
Set correct file permissions
Folders should be 755 and files 644. Never use 777 — it lets anyone write to that file. Your wp-config.php, which holds your database credentials, can be tightened to 640 or even 440.
Protect wp-config and disable file editing
Add this to wp-config.php to stop attackers editing theme and plugin files from the dashboard if they get in:
define('DISALLOW_FILE_EDIT', true);
Add a security plugin and a firewall
A reputable security plugin gives you malware scanning, a firewall and login protection in one place. At the server level, our accounts run CSF/LFD and mod_security, which block many attacks before they ever reach WordPress.
Back up, so a breach isn’t a catastrophe
Even with everything locked down, keep off-site backups. If the worst happens, a clean recent backup means you recover in minutes instead of rebuilding from scratch.
Do these and you’ve closed the doors that automated attacks rely on. For high-value sites we can add extra server-side hardening — just ask.