WordPress Security
18 Ways to Secure Your WordPress Site
WordPress powers over 43% of the world's websites, including the majority of Pakistani business sites built by agencies in Karachi, Lahore, and Islamabad. That dominance makes it the single most-targeted CMS on the internet. According to Sucuri's 2025 Website Threat Research Report, over 70% of all hacked CMS sites were running WordPress. The average cost of a website breach in Pakistan (including downtime, data recovery, and lost sales) is estimated at PKR 180,000 to PKR 1.2 million, depending on the site's revenue dependency.
The good news: the overwhelming majority of WordPress attacks are opportunistic, automated, and entirely preventable. A hardened WordPress installation stops 95% of common attack vectors before they even touch your database. These 18 security practices are ranked from foundational to advanced; apply them in order.
1. Keep WordPress Core, Themes, and Plugins Updated
Outdated software is the number-one cause of WordPress compromise. Every unpatched vulnerability is a known exploit that attackers actively scan for. Enable automatic minor updates in wp-config.php:
```php
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```
For major updates, test on a staging environment first. Pakish (/managed-wordpress-hosting) includes automatic update management.
Action: Audit your installed plugins today. Remove any plugin not updated within the last 12 months.
2. Use Strong, Unique Passwords for Every Account
WordPress stores passwords as MD5 hashes by default in older versions. Modern brute-force rigs can crack an 8-character password in under 2 hours. Use passwords of at least 20 characters mixing letters, numbers, and symbols, and use a password manager.
The WordPress admin, cPanel/Plesk, FTP, and database accounts must each have a distinct password. A single shared password means a phishing compromise of one credential exposes everything.
3. Install a Reputable Security Plugin
A good WordPress security plugin provides a firewall, malware scanner, login protection, and audit log in a single install. The three most trusted options:
| Plugin | Free Tier | Key Strength | Monthly Cost (Pro) |
|---|---|---|---|
| Wordfence | Yes | Real-time firewall + scanner | ~PKR 5,500/mo |
| Sucuri | Limited | CDN-level WAF + CDN | ~PKR 8,200/mo |
| iThemes Security Pro | No | Brute-force lockouts, 2FA | ~PKR 4,800/mo |
For most Pakistani SME sites, Wordfence Free is sufficient. Upgrade to Sucuri if you run a WooCommerce store processing transactions.
4. Enable Two-Factor Authentication (2FA) on All Admin Accounts
A stolen password alone is worthless against 2FA. Use the WP 2FA or Google Authenticator plugin to add an OTP requirement to your admin and editor logins. This single step blocks 99.9% of credential-stuffing attacks.
Require 2FA for every user with the editor role or above, not just the administrator.
5. Change the Default WordPress Login URL
The default wp-admin and wp-login.php paths are publicly known and receive thousands of automated brute-force attempts daily. The WPS Hide Login plugin lets you rename the login path to anything you choose (e.g., /staff-access-2026).
6. Limit Login Attempts
Even with a custom login URL, brute-force bots cycle through IP ranges. Limit failed login attempts to 3 to 5 before a temporary lockout. Wordfence and Login LockDown both handle this.
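To see what a lockout threshold is actually reacting to, here is an added example (not code from the article, Wordfence, or Login LockDown) that reads a standard combined-format Apache/nginx access log, counts POST requests to the login path per client IP, and flags every IP above a threshold. The log lines are constructed sample data using RFC 5737 documentation addresses; the function names and the default login path are this example's own assumptions, so if you renamed the login path in step 5, pass that path as the third argument.

```shell
#!/bin/sh
# Added example: flag client IPs hammering the WordPress login form.
# Reads an Apache/nginx "combined" format access log ("-" means stdin) and
# counts POST requests to the login path per source IP.
# Usage: wp_login_bruteforce <logfile|-> [threshold] [login-path]
wp_login_bruteforce() {
  log="$1"; max="${2:-5}"; path="${3:-/wp-login.php}"
  awk -v max="$max" -v path="$path" '
    # combined log fields: $1 = client IP, $6 = "\"METHOD", $7 = request path
    # index()==1 is a prefix match, so /wp-login.php?action=... also counts
    $6 == "\"POST" && index($7, path) == 1 { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > max) print hits[ip], ip }
  ' "$log" | sort -rn
}

# Constructed sample log (RFC 5737 documentation addresses, not real clients):
# one IP makes 7 login POSTs, a legitimate editor makes 2, a crawler only GETs.
sample_access_log() {
  cat <<'EOF'
203.0.113.10 - - [01/Mar/2026:02:14:01 +0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [01/Mar/2026:02:14:02 +0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [01/Mar/2026:02:14:03 +0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [01/Mar/2026:02:14:04 +0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [01/Mar/2026:02:14:05 +0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [01/Mar/2026:02:14:06 +0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [01/Mar/2026:02:14:07 +0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.7 - - [01/Mar/2026:08:55:10 +0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:08:55:20 +0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2026:08:55:21 +0500] "GET /wp-admin/ HTTP/1.1" 200 18822 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Mar/2026:09:00:00 +0500] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (compatible; bot)"
192.0.2.44 - - [01/Mar/2026:09:00:01 +0500] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (compatible; bot)"
EOF
}

# Demo: with threshold 5 only the scripted client is flagged.
sample_access_log | wp_login_bruteforce - 5   # prints: 7 203.0.113.10
```

Run it against the live log with `wp_login_bruteforce /var/log/apache2/access.log 5` (path as on your host). The editor at 198.51.100.7 who mistyped a password once stays below the threshold, which is the point of a 3 to 5 attempt window: it catches scripted guessing without locking out real users.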
7. Force SSL/HTTPS Across the Entire Site
All traffic between your visitors and your server should be encrypted. An unprotected HTTP connection allows any man-in-the-middle (common on public WiFi in Pakistan) to intercept login cookies and session tokens.
Obtain a free Let's Encrypt SSL certificate via your host's control panel. Then force HTTPS by adding this to .htaccess:
```apache
RewriteEngine On
# Redirect only requests that did not arrive over TLS. Behind a CDN or proxy
# that terminates TLS for you (see step 14), %{HTTPS} can always be "off";
# test the X-Forwarded-Proto header there instead, or this rule loops.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
On Pakish (/shared-hosting), SSL activates in one click from the dashboard.
8. Automate Daily Off-Site Backups
Backups are your last line of defence. A backup stored only on your web server is useless when the server is compromised. Use UpdraftPlus to schedule daily automated backups to Google Drive, Dropbox, or Amazon S3.
Backup schedule recommendation:
- Daily: Full database + uploads folder
- Weekly: Full site snapshot
- Remote: Google Drive / S3 (separate credentials from site)
- Test restore: Monthly
9. Disable File Editing From the WordPress Dashboard
The WordPress dashboard's built-in PHP editor lets an attacker with admin access inject malicious code directly through the browser. Disable it entirely:
```php
// Add to wp-config.php, above the "That's all, stop editing!" line.
define( 'DISALLOW_FILE_EDIT', true );
// Also blocks dashboard plugin/theme installs and updates AND WordPress's
// own automatic updates (including step 1's minor auto-updates); only set
// it if updates are applied another way, such as by your host or WP-CLI.
define( 'DISALLOW_FILE_MODS', true );
```
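Steps 1 and 9 both add define() lines to wp-config.php. Doing that by hand on several sites invites a duplicate define (PHP warns and keeps the first one) or a line placed below the "stop editing" marker, after which wp-settings.php has already loaded and the setting no longer takes effect. The following added example, which is not code from the article or from WordPress, sets a constant idempotently: it rewrites an existing define() for that name, or inserts a new one just above the marker. The function names are this example's own, and it assumes the marker text "stop editing" that the stock wp-config.php ships with.

```shell
#!/bin/sh
# Added example: set a define() in wp-config.php without duplicating it.
# If the constant already has a define() line it is rewritten in place;
# otherwise the line is inserted just above the "stop editing" marker that
# wp-config.php ships with (or appended if the marker is absent).
# Usage: wp_set_constant <wp-config.php> <NAME> <php-value>
wp_set_constant() {
  file="$1"; name="$2"; value="$3"
  line="define( '${name}', ${value} );"
  tmp="${file}.tmp.$$"
  awk -v name="$name" -v line="$line" '
    BEGIN { re = "^[ \t]*define *\\( *\047" name "\047" }   # \047 = single quote
    $0 ~ re                 { print line; done = 1; next } # rewrite existing line
    /stop editing/ && !done { print line; done = 1 }       # insert above the marker
    { print }
    END { if (!done) print line }                          # no marker: append
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read back the value of a constant (prints nothing if it is not defined).
# Usage: wp_get_constant <wp-config.php> <NAME>
wp_get_constant() {
  awk -v name="$2" '
    BEGIN { re = "^[ \t]*define *\\( *\047" name "\047" }
    $0 ~ re { sub(/^[^,]*,[ \t]*/, ""); sub(/[ \t]*\);.*$/, ""); print; exit }
  ' "$1"
}

# Demo on a constructed minimal wp-config.php in a temp directory.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/wp-config.php"
printf '%s\n' "<?php" "define( 'DB_NAME', 'wordpress' );" \
  "/* That's all, stop editing! Happy publishing. */" \
  "require_once ABSPATH . 'wp-settings.php';" > "$demo_cfg"
wp_set_constant "$demo_cfg" WP_AUTO_UPDATE_CORE "'minor'"   # step 1
wp_set_constant "$demo_cfg" DISALLOW_FILE_EDIT true         # step 9
wp_set_constant "$demo_cfg" DISALLOW_FILE_EDIT true         # second run changes nothing
cat "$demo_cfg"
```

The PHP value is passed verbatim, so quote string values as PHP would (`"'minor'"`), while booleans go through bare (`true`). Run it under the account that owns the site so the rewritten file keeps its owner.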
10. Harden File and Folder Permissions
Incorrect file permissions are among the most common server-side vulnerabilities. The correct permission structure for WordPress:
| Path | Correct Permission |
|---|---|
| WordPress root directory | 755 |
| wp-config.php | 440 |
| .htaccess | 444 |
| wp-content/ | 755 |
| wp-content/uploads/ | 755 |
Set via SSH (644 for files, 755 for directories):
```sh
find /path/to/wordpress -type f -exec chmod 644 {} \;
find /path/to/wordpress -type d -exec chmod 755 {} \;
```
Then tighten wp-config.php to 440 and .htaccess to 444 as in the table, because the bulk pass resets both to 644. Note that 440 only works when PHP runs as the file's owner or group, which is the usual setup on cPanel/Plesk shared hosting; if PHP runs as a different user, the site can no longer read its own configuration.
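The two find commands and the table above are easy to apply in the wrong order (tightening wp-config.php first and then running the bulk chmod silently undoes it). The following added example, which is not code from the article, applies the table in the right order and then lists anything in the tree that is still world-writable or setuid/setgid, which should never appear under a WordPress root. The function names and the constructed demo tree are this example's own.

```shell
#!/bin/sh
# Added example: apply the section 10 permission table to a WordPress tree
# and report anything still too loose. Function names are this example's own.
# Usage: wp_harden_perms <wordpress-root>
wp_harden_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} \;     # every directory: 755
  find "$root" -type f -exec chmod 644 {} \;     # every file: 644
  # The bulk pass also resets the two sensitive files to 644, so tighten
  # them afterwards, never before.
  if [ -f "$root/wp-config.php" ]; then chmod 440 "$root/wp-config.php"; fi
  if [ -f "$root/.htaccess" ]; then chmod 444 "$root/.htaccess"; fi
}

# List entries that are world-writable or setuid/setgid; a hardened tree
# produces no output. Usage: wp_find_loose_perms <wordpress-root>
wp_find_loose_perms() {
  find "$1" \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print
}

# Demo on a constructed tree: a wide-open uploads file and config file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php\n' > "$demo_root/wp-config.php"
printf 'RewriteEngine On\n' > "$demo_root/.htaccess"
printf 'JFIF\n' > "$demo_root/wp-content/uploads/photo.jpg"
chmod 777 "$demo_root/wp-content/uploads/photo.jpg" "$demo_root/wp-config.php"
echo "before:"; wp_find_loose_perms "$demo_root"
wp_harden_perms "$demo_root"
echo "after (no output means clean):"; wp_find_loose_perms "$demo_root"
```

Run `wp_find_loose_perms` on its own as a periodic check; a plugin that "needed 777 on uploads" or a stray setuid binary shows up immediately. The 440 on wp-config.php keeps the caveat from the table: it assumes PHP runs as the file's owner or group.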
11. Remove Unused Themes and Plugins
Inactive plugins and themes are not automatically patched. Vulnerabilities in unused code still exist. Delete (do not just deactivate) any theme or plugin you are not actively using.
12. Protect wp-config.php
Your wp-config.php contains database credentials and secret keys. Restrict HTTP access via .htaccess:
```apache
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
```
The IfModule pair covers both Apache 2.4 (`Require all denied`) and the older 2.2 syntax (`Order`/`Deny`), which fails with an invalid-command error on 2.4 unless mod_access_compat is loaded.
13. Block PHP Execution in the Uploads Directory
Attackers who upload a malicious PHP file can then execute server-side code. Block PHP execution inside /wp-content/uploads/ with a .htaccess file in that directory (these rules apply to Apache and LiteSpeed; on nginx the equivalent goes in the server block):
```apache
<FilesMatch "\.(php|phtml|php[3-8])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>
```
The pattern also covers the .phtml and versioned .phpN extensions that some hosts map to the PHP handler, so a renamed upload cannot slip past a rule that only matches .php.
This is one of the highest-impact, lowest-effort hardening steps and is often missed even by experienced developers.
14. Implement a Web Application Firewall (WAF)
A WAF inspects incoming HTTP requests and blocks known attack patterns. Options:
- DNS-level WAF: Cloudflare Free or Sucuri WAF, which route traffic through their CDN before it reaches your server
- Plugin-level WAF: Wordfence, which operates at the PHP level
DNS-level WAFs are more effective because they block traffic before consuming your server's resources.
15. Use a Separate Database User With Minimal Privileges
Create a dedicated WordPress database user with only the permissions it actually needs: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER. Remove global privileges (SUPER, GRANT OPTION, etc.).
16. Monitor With Uptime and Security Alerting
You cannot protect what you cannot see. Set up:
- Uptime monitoring: UptimeRobot (free, 5-minute intervals), which alerts via WhatsApp or email when your site goes down
- Wordfence alerts: email notification for any blocked attack
- Google Search Console: alerts for manual actions or security issues
A site that goes down at 2am in Karachi and isn't noticed until 9am has already lost 7 hours of sales and SEO ranking signals.
17. Enforce a Content Security Policy (CSP) Header
A Content Security Policy header tells browsers which domains are allowed to load scripts and media. Add via .htaccess in report-only mode first:
```apache
<IfModule mod_headers.c>
  Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com; img-src 'self' data: https:;"
</IfModule>
```
Switch to Content-Security-Policy once you confirm no legitimate resources are blocked. In report-only mode without a report-uri or report-to directive, violations are visible only in the browser's developer console, so check the console on your key pages (home, checkout, admin) before switching. Note that 'unsafe-inline' in script-src gives up most of CSP's protection against injected scripts; it is a pragmatic starting point because WordPress themes and plugins emit inline scripts, and nonces or hashes are the stricter replacement.
18. Audit User Accounts and Roles Quarterly
WordPress installations accumulate accounts belonging to former employees and test users. Quarterly, go to Users > All Users and:
- Remove any account that no longer needs access
- Confirm every user has the minimum role required
- Check for suspicious admin accounts
The WP Security Audit Log plugin logs all user activity and surfaces privilege escalation attempts.
Security Hardening in One Hour: Priority Checklist
If you have one hour today, complete these in order of impact:
- Update WordPress core, all plugins, all themes
- Enable Wordfence and run a full scan
- Activate SSL and force HTTPS
- Enable 2FA on the admin account
- Add `define( 'DISALLOW_FILE_EDIT', true );` to wp-config.php
- Set up UpdraftPlus with offsite backup to Google Drive
- Add the PHP execution block to /wp-content/uploads/
These seven steps cost nothing and protect against over 80% of common WordPress attack vectors.
For Pakistani businesses who want these protections managed automatically, Pakish (/managed-wordpress-hosting) includes daily malware scanning, automatic updates, off-site backups, and a CDN-level WAF as standard. No configuration required.
Have questions about your specific WordPress setup? Open a support ticket (https://my.pakish.net/submitticket.php?step=2&deptid=1); we provide free security audits for all Pakish hosting customers.
About the Author
Wasim Ullah
Mr. Wasim Ullah is a globally recognized IT & AI Consultant with 25+ years of experience in the IT and Web Hosting industry.