
WordPress security 2026 — 10 steps to protect your site from hackers

How to secure a WordPress site in 2026: updates, 2FA, backups, WAF, hardening, and monitoring. A practical guide without technical jargon.


Why WordPress sites get hacked most often

WordPress powers around 43% of all websites on the internet — which is exactly why it is the most popular target of automated attacks. Good news: 90% of hacks happen because of outdated plugins, weak passwords, or poorly configured hosting — and all of this is preventable without technical knowledge.

Updates are number one. An outdated plugin or theme with a known vulnerability is an entry point for a bot that scans thousands of sites per hour. Enable automatic updates for the WordPress core, and update plugins manually on a regular basis; once a week is enough. Delete plugins you do not use rather than just deactivating them.
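The weekly plugin check described above can be scripted. This is an added example, not part of the original guide: it assumes WP-CLI is installed on the server, and the plugin names in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example: flag plugins to update and plugins to delete.
# Input is CSV in the shape WP-CLI prints for:
#   wp plugin list --fields=name,status,update --format=csv

# Constructed sample inventory (plugin names are made up).
SAMPLE_CSV='name,status,update
example-forms,active,available
example-seo,active,none
example-slider,inactive,available
example-cache,must-use,none'

# Reads the CSV on stdin and prints one action per line.
# An inactive plugin is reported for deletion even when an update
# exists, because the guide says to remove unused plugins outright.
audit_plugins() {
    awk -F, 'NR > 1 && NF >= 3 {
        if ($2 == "inactive")       print "DELETE " $1
        else if ($3 == "available") print "UPDATE " $1
    }'
}

# Uses the live site when WP-CLI can see one, else the sample above.
plugin_inventory() {
    if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
        wp plugin list --fields=name,status,update --format=csv
    else
        printf '%s\n' "$SAMPLE_CSV"
    fi
}

plugin_inventory | audit_plugins
```

Run it from the WordPress directory; an empty result means every installed plugin is active and current.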

Updates: the one step that cannot be skipped

Passwords: every account (admin, editor, FTP, hosting, database) needs a unique, complex password. Use a password manager (Bitwarden is free). Two-factor authentication (2FA) is mandatory for all admin accounts — the Wordfence or WP 2FA plugin resolves this in 5 minutes. Change the default 'admin' username if you still have it.

Backup 3-2-1: 3 copies of data, on 2 different media, with 1 offsite (cloud). UpdraftPlus (free) sends backups directly to Google Drive or Dropbox. Test restores once a month — a backup you have not tested does not exist.

Passwords, 2FA, and user management

A WAF (Web Application Firewall) blocks malicious requests before they reach WordPress. Cloudflare's free plan offers basic WAF and DDoS protection. The Wordfence Security plugin adds an application-level firewall. If you suspect your site has been hacked: Sucuri SiteCheck (free scan), then contact a professional — do not delete files on your own. Feather Studio offers WordPress security audits and ongoing maintenance — contact us.
