Most WordPress security advice you'll find online is two things at once: technically correct and operationally unrealistic. The "47-item checklist" approach treats every possible hardening step as equally important, which in practice means owners do none of it. The truth is that WordPress security comes down to a handful of disciplines done consistently; the rest is theater.

I'm David Campbell, founder of Nerd Stack. We maintain WordPress sites for clients in real production, including for high-trust verticals where security isn't optional. This checklist is the 80/20 version — what actually moves the needle, backed by current vulnerability data from Patchstack and Wordfence, with an honest take on what's theater and what's not.

The 80/20 of WordPress Security

The data on what actually compromises WordPress sites is unambiguous. Patchstack's State of WordPress Security report documented that 96% of WordPress vulnerabilities live in third-party plugins, not in core. Wordfence's 2024 Annual Report found that vulnerability disclosures rose 68% year over year, and that credential stuffing and brute-force login attempts are the #1 attack vector. Sucuri's 2023 data found that 49.21% of hacked sites had a backdoor planted by attackers, and that 55.2% of database-infected sites had at least one unauthorized administrator account.

If you do five things consistently — disciplined plugin management, real login hardening, working off-site backups, an active WAF + malware scanning, and clean user-role hygiene — you've addressed the categories that account for the vast majority of WordPress compromises. The rest is incremental.

1. The Plugin Discipline

This is the single most important thing in WordPress security, and the most commonly neglected. With 96% of vulnerabilities living in plugins, your plugin discipline is essentially your security posture.

What this looks like in practice:

  • Audit what you have. Open your plugin list. For each plugin: Do you still use it? Was it last updated more than a year ago? Has its developer disappeared? Plugins you don't actively need should be deactivated and deleted, not left "just in case": a deactivated plugin's files stay on disk and stay reachable over HTTP, so a vulnerable PHP file inside it can be requested directly without the plugin ever being activated.
  • Update on a defined cadence. Critical security patches within days of release, not the monthly maintenance window. Patchstack found that 33% of disclosed WordPress vulnerabilities weren't patched at disclosure — meaning the public knew about the vulnerability before a fix was available, and any site running that plugin was exposed.
  • Watch for abandonment. Patchstack reported 1,614 plugins and themes removed from the WordPress repository in 2024 for unpatched security issues. If a plugin is removed from wp.org, it generally means active development has stopped and the security gap is not getting fixed. Replace it.
  • Prefer the smaller plugin footprint. Every plugin is attack surface. The choice between one well-maintained plugin and three half-maintained ones is the well-maintained one, even if the result is slightly less functional. "More plugins" is not a feature.
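The audit above as a script, added here as an example for this post rather than code from Patchstack, Wordfence or wp-cli. It assumes the JSON shape of wp plugin list --format=json (name, status, update, version) and the last_updated field of the wordpress.org plugin-information API; the inventory, the repository records, the plugin names and the dates are all constructed, and the one-year and six-month thresholds are the ones this post uses. In practice you would feed it the real wp-cli output and the API responses for each slug.

```python
"""Plugin inventory triage: what to delete, update, replace or watch.

Added example written for this post, not code from Patchstack, Wordfence or
wp-cli itself. It assumes the JSON shape of `wp plugin list --format=json`
(fields name, status, update, version) and the `last_updated` field of the
wordpress.org plugin-information API; every record below is constructed for
the demo rather than fetched.
"""
from datetime import date, datetime

# Constructed stand-in for the output of: wp plugin list --format=json
WP_PLUGIN_LIST = [
    {"name": "akismet",         "status": "active",   "update": "none",      "version": "5.3"},
    {"name": "wordfence",       "status": "active",   "update": "available", "version": "7.11.0"},
    {"name": "old-gallery",     "status": "inactive", "update": "none",      "version": "1.4"},
    {"name": "contact-widget",  "status": "active",   "update": "none",      "version": "2.0"},
    {"name": "custom-importer", "status": "active",   "update": "none",      "version": "0.9"},
]

# Constructed stand-in for the plugin-information API, keyed by slug. A slug
# that is absent stands for a 404: removed from wp.org or never listed there.
# The date string mimics the API's "YYYY-MM-DD H:MMam GMT" formatting (assumed).
REPO_INFO = {
    "akismet":        {"last_updated": "2025-01-10 3:05pm GMT"},
    "wordfence":      {"last_updated": "2025-01-28 9:40am GMT"},
    "old-gallery":    {"last_updated": "2023-06-02 11:15am GMT"},
    "contact-widget": {"last_updated": "2024-07-19 4:00pm GMT"},
    # "custom-importer" deliberately missing
}

AUDIT_DATE = date(2025, 3, 1)   # fixed "today" so the demo is reproducible
ABANDONED_DAYS = 365            # the post's "last updated more than a year ago"
WATCH_DAYS = 180                # the post's six-month replacement threshold


def parse_last_updated(value):
    """Accept the wp.org style timestamp or a bare ISO date."""
    for fmt in ("%Y-%m-%d %I:%M%p GMT", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised last_updated value: {value!r}")


def audit_plugins(plugin_list, repo_info, today=AUDIT_DATE):
    """Return (slug, action, reason) triples, most urgent action first."""
    findings = []
    for plugin in plugin_list:
        slug = plugin["name"]
        if plugin["status"] == "inactive":
            # Deactivated code is still on disk and still web-reachable.
            findings.append((slug, "DELETE", "deactivated but still on disk"))
            continue
        if plugin.get("update") == "available":
            findings.append((slug, "UPDATE", f"{plugin['version']} is behind the current release"))
        info = repo_info.get(slug)
        if info is None:
            findings.append((slug, "REPLACE", "not in the wordpress.org directory (removed or never listed)"))
            continue
        age = (today - parse_last_updated(info["last_updated"])).days
        if age > ABANDONED_DAYS:
            findings.append((slug, "REPLACE", f"last release {age} days ago"))
        elif age > WATCH_DAYS:
            findings.append((slug, "WATCH", f"last release {age} days ago"))
    priority = {"REPLACE": 0, "UPDATE": 1, "DELETE": 2, "WATCH": 3}
    return sorted(findings, key=lambda f: priority[f[1]])


if __name__ == "__main__":
    for slug, action, reason in audit_plugins(WP_PLUGIN_LIST, REPO_INFO):
        print(f"{action:8} {slug:16} {reason}")
```

A plugin that is missing from the directory is ranked above one that merely needs an update because there is nothing to update to; the inactive one is ranked below the update because deleting it is a one-off, while the update is a live exposure window.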

2. Login Hardening

Credential stuffing and brute-force attacks are Wordfence's #1 attack vector against WordPress sites. Attackers run automated tools against millions of WordPress sites attempting common passwords, leaked credential dumps from breaches elsewhere, and dictionary attacks. Login hardening isn't optional.

The five things that matter:

  • Enable two-factor authentication on every admin account. Plugins like Wordfence Login Security, Two Factor Authentication, or Authy make this trivial, and 2FA defeats credential stuffing almost completely. One check: confirm the plugin you pick also blocks password-only authentication over xmlrpc.php, so a stolen password that fails at the login form does not simply work there instead.
  • Enforce strong-password requirements. WordPress core shows a strength meter but lets users confirm a weak password anyway; plugins such as Solid Security (formerly iThemes Security) add real policy enforcement. "Strong password" is not a suggestion.
  • Limit login attempts. Lock out IPs after a small number of failed attempts. Wordfence and similar security plugins do this out of the box.
  • Change the default login URL. Plugins can move wp-login.php and /wp-admin to a custom path. This doesn't defeat a targeted attacker, but it removes most of the untargeted bot traffic that only ever hits the default endpoint. It is not a substitute for limiting attempts: xmlrpc.php also accepts a username and password, and a rename does nothing about it.
  • Audit administrator accounts regularly. Remove old admin accounts for people who no longer need access. The fewer admin accounts exist, the smaller your attack surface.
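The "limit login attempts" rule, and the reason xmlrpc.php has to count, as an added example that is not Wordfence's code or any other plugin's: a detector that reads Apache/nginx combined-format access log lines and reports any IP with five or more failed credential submissions inside five minutes. The log lines, IP addresses and thresholds are constructed. It assumes WordPress's default behaviour of answering a failed form login with a 200 (the form is re-rendered) and a successful one with a 302 redirect, and it treats every POST to xmlrpc.php as a credential attempt because that endpoint returns 200 whether or not the password was right.

```python
"""Find login brute-force / credential-stuffing bursts in a web server access log.

Added example for this post, not code from Wordfence or any other plugin.
Assumes the Apache/nginx "combined" log format and WordPress's default
behaviour of answering a failed form login with 200 (re-rendered form) and a
successful one with a 302 redirect. The log lines are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
WINDOW_SECONDS = 300   # sliding window
MAX_FAILURES = 5       # the post's "small number of failed attempts"

# Constructed log excerpt: one form-login burst, one XML-RPC burst, and three
# benign sessions (a clean login, one typo then success, two tries far apart).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2025:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2025:10:05:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2025:10:05:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2025:10:05:06 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2025:10:05:08 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2025:10:05:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 371 "-" "python-requests/2.31"
192.0.2.44 - - [10/Feb/2025:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2025:10:10:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 51230 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Feb/2025:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Feb/2025:10:12:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.99 - - [10/Feb/2025:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
203.0.113.99 - - [10/Feb/2025:10:30:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4212 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """True for a credential submission that did not succeed."""
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?", 1)[0]
    if path == "/wp-login.php":
        return rec["status"] != 302        # success redirects into wp-admin
    if path == "/xmlrpc.php":
        return True                        # always 200; the fault lives in the XML body
    return False


def find_bruteforcers(lines, window=WINDOW_SECONDS, threshold=MAX_FAILURES):
    """Map IP -> peak number of failures seen inside any `window` seconds."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {n} failed logins in {WINDOW_SECONDS}s")
```

The sliding window is what separates a bot from a human who fat-fingers a password twice: the two attempts from 203.0.113.99 are thirty minutes apart and never trigger, while the XML-RPC burst is caught even though every one of its responses was a 200.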

3. Backups That Actually Work

A backup you've never restored is not a backup; it's a hope. Real backup discipline has four pieces:

  • Off-site storage. Backups stored on the same server as the site protect against nothing serious. A compromised host or hacked server takes the backups with it. Off-site means a different service entirely — S3, B2, Google Cloud Storage, etc.
  • Versioned retention. Multiple historical backups, not just yesterday's. If a compromise went undetected for two weeks, yesterday's backup is itself compromised. Keep daily backups for 30 days, weekly for 12 weeks, monthly for a year — adjust to budget.
  • Both files and database. Files alone or database alone restores nothing useful. You need both, and ideally backed up close in time so they match.
  • Tested restores. Once a quarter, restore a backup to a staging environment and verify it actually works. Most backup failures are discovered during the emergency when you need to restore — at the worst possible moment.
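The four pieces above as an added example, not code from UpdraftPlus, BlogVault or any host: a retention selector that applies the daily-30 / weekly-12 / monthly-12 policy to a run of backup timestamps, and a manifest check that flags a files archive with no database dump taken close to it (or the reverse) and any artefact stored on the web server rather than off-site. The manifest entries, bucket names and the 400-day backup history are constructed; the policy thresholds and the 30-minute pairing tolerance are assumptions you would tune to your own schedule.

```python
"""Backup retention (daily 30 / weekly 12 / monthly 12) plus a files-vs-database
pairing and off-site check over a backup manifest.

Added example for this post, not code from UpdraftPlus, BlogVault or any host.
Assumes a manifest that records each backup artefact's kind ("files" or "db"),
an ISO timestamp and a storage location; the manifest entries and the 400-day
run of backup timestamps are constructed for the demo.
"""
from datetime import datetime, timedelta

DAILY_DAYS = 30          # keep every daily backup this long
WEEKLY_WEEKS = 12        # then one per ISO week
MONTHLY_DAYS = 365       # then one per calendar month
NOW = datetime(2025, 3, 1, 12, 0)   # fixed clock so the demo is reproducible
OFFSITE_PREFIXES = ("s3://", "b2://", "gs://")


def select_retained(timestamps, now=NOW):
    """Return, sorted, the backup timestamps the policy keeps; the rest are prunable."""
    keep = set()
    newest_in_week, newest_in_month = {}, {}
    for ts in timestamps:
        age = now - ts
        if age <= timedelta(days=DAILY_DAYS):
            keep.add(ts)
        if age <= timedelta(weeks=WEEKLY_WEEKS):
            key = ts.isocalendar()[:2]              # (ISO year, ISO week)
            if key not in newest_in_week or ts > newest_in_week[key]:
                newest_in_week[key] = ts
        if age <= timedelta(days=MONTHLY_DAYS):
            key = (ts.year, ts.month)
            if key not in newest_in_month or ts > newest_in_month[key]:
                newest_in_month[key] = ts
    keep.update(newest_in_week.values())
    keep.update(newest_in_month.values())
    return sorted(keep)


def demo_timestamps(now=NOW, days=400):
    """One backup per day for `days` days, the newest at `now` (constructed)."""
    return [now - timedelta(days=i) for i in range(days)]


# Constructed manifest. The Feb 27 files archive has no DB dump near it and
# sits on the web server; the Feb 26 DB dump has no matching files archive.
MANIFEST = [
    {"kind": "files", "ts": "2025-02-28T02:00:00", "location": "s3://acme-wp-backups/files-20250228.tar.gz"},
    {"kind": "db",    "ts": "2025-02-28T02:03:00", "location": "s3://acme-wp-backups/db-20250228.sql.gz"},
    {"kind": "files", "ts": "2025-02-27T02:00:00", "location": "/var/www/backups/files-20250227.tar.gz"},
    {"kind": "db",    "ts": "2025-02-26T02:02:00", "location": "s3://acme-wp-backups/db-20250226.sql.gz"},
]


def manifest_problems(manifest, tolerance=timedelta(minutes=30)):
    """Flag artefacts with no partner (files<->db) within `tolerance`, and on-server storage."""
    entries = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in manifest]
    problems = []
    for e in entries:
        partner_kind = "db" if e["kind"] == "files" else "files"
        has_partner = any(
            o["kind"] == partner_kind and abs(o["ts"] - e["ts"]) <= tolerance for o in entries
        )
        day = e["ts"].date().isoformat()
        if not has_partner:
            problems.append((day, e["kind"], f"no {partner_kind} backup within {tolerance}"))
        if not e["location"].startswith(OFFSITE_PREFIXES):
            problems.append((day, e["kind"], "stored on the web server, not off-site"))
    return problems


if __name__ == "__main__":
    kept = select_retained(demo_timestamps())
    print(f"{len(kept)} of {len(demo_timestamps())} backups retained; oldest {kept[0].date()}")
    for problem in manifest_problems(MANIFEST):
        print(problem)
```

On the 400-day sample the policy keeps 49 backups and the oldest survivor is the end of March a year back, which is the point of versioned retention: a compromise found two weeks late still leaves you a month of dailies and a year of month-ends to fall back to.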

Plugins that handle this competently: UpdraftPlus, BlogVault, Solid Backups (formerly BackupBuddy), ManageWP. Managed hosts like Kinsta and WP Engine handle backups at the infrastructure level, which is generally more reliable than plugin-based approaches.

4. Web Application Firewall + Malware Scanning

A WAF (Web Application Firewall) blocks known-malicious traffic before it ever reaches WordPress. Malware scanning catches compromises that get through. You want both.

The three main options for SMB WordPress sites:

  • Wordfence — most popular, free tier is genuinely useful, premium adds real-time threat intel. WAF runs at the application level (inside WordPress). Strong on login protection.
  • Patchstack — vulnerability-focused, monitors specifically for known plugin vulnerabilities, patches them virtually until the plugin developer ships a fix. Best for plugin-heavy sites.
  • Sucuri — cloud-based WAF (sits in front of your site, blocks traffic before it hits your server). Generally more effective than application-level WAFs for blocking large-scale attacks. Strong on malware cleanup if you do get hit.

For most SMBs, Wordfence's free tier plus disciplined updates is enough. Sites in higher-risk categories or with higher uptime requirements benefit from a paid WAF/scanning service. Picking one and configuring it properly matters more than picking the "best" one.

5. User-Role Hygiene

Sucuri found that 55.2% of database-infected sites had at least one unauthorized administrator account — a backdoor planted by attackers so they can return even after the original entry point is patched. User-role hygiene is what catches this and prevents it from becoming a persistent compromise.

What to do:

  • Audit administrators regularly. Once a quarter, list every account with administrator role. Anyone who shouldn't have admin access — remove. Anyone you don't recognize — remove immediately and investigate how it got created.
  • Use the principle of least privilege. Most users don't need admin. Editor, Author, or Contributor roles cover most needs. Admin should be reserved for genuine site management.
  • Remove old accounts on departure. When someone leaves the team, their account is removed the same day. Sleeping accounts get compromised; active accounts don't (as easily).
  • Watch for unexpected new admin accounts. Security plugins can alert you when a new admin account is created. Don't ignore those alerts.

The "We Got Hacked" Playbook

If you find evidence of compromise — unauthorized admin accounts, spam pages, browser warnings, traffic anomalies — the first 60 minutes matter. The playbook:

  1. Don't panic and don't just delete things. Forensic evidence matters for figuring out what happened and what to harden afterward.
  2. Take the site offline if possible. A 503 set at the web server or hosting panel is preferable to a maintenance-mode plugin, which runs inside the WordPress install you no longer trust. At minimum, disable login. Stop the attacker from doing more damage while you assess.
  3. Reset every admin password and revoke active sessions. Rotating the salts in wp-config.php (wp-cli's "wp config shuffle-salts" does this) invalidates every existing login cookie at once, including the attacker's. Rotate the database, SFTP and hosting-panel credentials too; don't wait to find out which one was compromised.
  4. Pull a current backup of the compromised site, files and database, plus the server access logs, for forensics. You'll want to know what was changed and when.
  5. Identify the entry point: recent plugin updates, recently added plugins, file modification times, server logs. This usually points at a specific outdated plugin or compromised credential.
  6. Restore from a clean backup from before the compromise, then immediately patch whatever the entry point was — otherwise you're restoring directly back into the same vulnerability.
  7. Run a full malware scan on the restored site to confirm it's clean.
  8. Review and remove unauthorized accounts and any unfamiliar files. Don't trust that the restore caught everything.
  9. If you can't do all of this confidently, call a specialist. Sucuri and Wordfence both offer paid incident response. The cost is real but dramatically less than the cost of a compromise that lingers.
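Steps 5 and 8 of the playbook as an added example, not code from Sucuri, Wordfence or wp-cli: a triage script that diffs the administrator list against an approved set and flags any admin created inside the incident window, then walks a file listing for executable files modified after the suspected compromise start or PHP dropped into wp-content/uploads, oldest first so the first hit brackets the entry point. The user records, approved list, file paths, timestamps and the "old-gallery" plugin name are constructed; it assumes the JSON shape of wp user list --format=json and a listing produced by find with a -printf format, with all times read as UTC.

```python
"""Incident triage: unapproved administrator accounts and suspicious file changes.

Added example for this post, not code from Wordfence, Sucuri or wp-cli. It
assumes the JSON shape of `wp user list --role=administrator --format=json`
(ID, user_login, user_email, user_registered) and a file listing in the form
"YYYY-MM-DDTHH:MM /absolute/path" such as `find -printf` can produce; all
records below are constructed, and all times are treated as UTC.
"""
from datetime import datetime

SUSPECTED_START = datetime(2025, 2, 9, 22, 0)   # earliest moment you trust nothing after
WEBROOT = "/var/www/html"
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".phar", ".htaccess")

# Constructed: wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json
ADMIN_USERS = [
    {"ID": 1,  "user_login": "david",      "user_email": "david@example.com",   "user_registered": "2019-05-02 14:11:03"},
    {"ID": 7,  "user_login": "kate-ops",   "user_email": "kate@example.com",    "user_registered": "2023-08-14 09:02:41"},
    {"ID": 41, "user_login": "wp_support", "user_email": "support@example.net", "user_registered": "2025-02-10 03:16:27"},
]
APPROVED_ADMINS = {"david", "kate-ops"}   # the list you maintain outside WordPress

# Constructed: find /var/www/html -type f -printf '%TY-%Tm-%TdT%TH:%TM %p\n'
FILE_LISTING = """\
2024-11-12T08:26 /var/www/html/wp-config.php
2025-02-03T12:00 /var/www/html/wp-content/plugins/wordfence/wordfence.php
2025-02-10T03:14 /var/www/html/wp-content/uploads/2025/02/img_4102.jpg.php
2025-02-10T03:15 /var/www/html/wp-content/themes/twentytwentyfour/functions.php
2025-02-10T03:20 /var/www/html/wp-content/plugins/old-gallery/includes/upload.php
2025-02-11T09:00 /var/www/html/wp-content/uploads/2025/02/hero.jpg
"""


def unknown_admins(users, approved, since=SUSPECTED_START):
    """Admins not on the approved list, plus any admin created inside the incident window."""
    findings = []
    for u in users:
        registered = datetime.fromisoformat(u["user_registered"])
        if u["user_login"] not in approved:
            findings.append((u["user_login"], "not on the approved administrator list"))
        if registered >= since:
            findings.append((u["user_login"], f"registered {u['user_registered']}, inside the incident window"))
    return findings


def suspicious_files(listing, since=SUSPECTED_START, webroot=WEBROOT):
    """Executable files changed after `since`, or PHP where only uploads belong, oldest first."""
    findings = []
    for line in listing.splitlines():
        stamp, path = line.split(" ", 1)
        mtime = datetime.fromisoformat(stamp)
        rel = path[len(webroot):] if path.startswith(webroot) else path
        if not rel.endswith(EXECUTABLE_SUFFIXES):
            continue                       # media edited after the fact is noise here
        reasons = []
        if rel.startswith("/wp-content/uploads/"):
            reasons.append("PHP inside wp-content/uploads (classic webshell location)")
        if mtime >= since:
            reasons.append(f"modified {stamp}, after suspected compromise start")
        if reasons:
            findings.append((stamp, rel, reasons))
    findings.sort()                        # ISO stamps sort chronologically: first hit brackets the entry
    return findings


if __name__ == "__main__":
    for login, why in unknown_admins(ADMIN_USERS, APPROVED_ADMINS):
        print(f"ACCOUNT  {login}: {why}")
    for stamp, rel, reasons in suspicious_files(FILE_LISTING):
        print(f"FILE     {stamp} {rel}: {'; '.join(reasons)}")
```

Read the two outputs together: in the constructed data the PHP file lands in uploads at 03:14 and the unapproved "wp_support" admin appears at 03:16, which is the order the post describes, entry first and the persistence account second. If the earliest flagged file predates your guess, move SUSPECTED_START back and run it again.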

Once you're clean, hardening: 2FA on every admin, plugin audit, abandon any plugins that haven't been updated in the last six months, and ideally move to a managed maintenance plan so the next vulnerability gets patched before it gets exploited.

What This Checklist Doesn't Cover (Intentionally)

Plenty of WordPress security advice covers things that genuinely matter at scale but don't move the needle for typical SMB sites: hiding the WordPress version number, disabling XML-RPC, file integrity monitoring, custom .htaccess rules, server-level hardening. These aren't wrong, but they're 80% of the checklist for 5% of the security improvement. Get the five disciplines above right first; everything else is incremental.

Frequently Asked Questions

What is the most important WordPress security measure?

Disciplined plugin management — auditing plugins, removing unused ones, and updating quickly when security patches drop. 96% of WordPress vulnerabilities live in plugins (Patchstack), so your plugin discipline is essentially your security posture.

Do I need a security plugin like Wordfence or Sucuri?

Yes for almost every WordPress site. A WAF and malware scanner catch attacks that disciplined updates alone won't prevent — particularly credential stuffing, brute-force attempts, and known-malicious traffic patterns. For most SMBs, Wordfence's free tier is sufficient; sites with higher risk or uptime requirements benefit from paid options.

How often should I update WordPress plugins?

Critical security patches within days of release. Non-critical updates can be batched monthly. Watch for plugin abandonment (no updates in 6+ months) and replace abandoned plugins — Patchstack documented 1,614 plugins removed from the WordPress repo in 2024 for unpatched security issues.

What should I do if my WordPress site has been hacked?

Take the site offline if possible, reset admin passwords, identify the entry point, restore from a clean backup taken before the compromise, patch the entry point, run a malware scan, and audit for unauthorized accounts. If you can't do these confidently, call a paid incident response service — the cost is dramatically less than the cost of a lingering compromise.

Is two-factor authentication actually necessary?

Yes. Credential stuffing and brute-force login attempts are the #1 attack vector against WordPress (Wordfence), and 2FA defeats them almost completely. The mild inconvenience of 2FA versus the consequences of an admin account compromise is not a close decision.

How do I know if a plugin is safe to use?

Check that it's been updated in the last 90 days, has a substantial install base (10,000+ active installs is a reasonable floor for non-niche plugins), comes from a developer with a track record, and ideally is monitored by Patchstack or a similar vulnerability database. If a plugin doesn't meet those criteria, it's a higher-risk install — find an alternative if one exists.

When a Checklist Isn't Enough

A disciplined owner with technical comfort and an hour or two a week can do everything in this checklist. The realistic problem is consistency: the moment maintenance slips behind, the gap between "patched" and "vulnerable" opens. Vulnerabilities are disclosed daily; a site that's patched only when someone gets around to it is a site that's exposed during the gaps.

That’s why managed maintenance exists as a service. For a defined monthly cost, the discipline gets enforced regardless of how busy your team gets — updates applied on schedule, backups verified, scans run, response time defined when something does go wrong. We covered the criteria for evaluating maintenance plans in our companion post on whether you need a website maintenance plan and how to decide.

If you want to talk through your specific WordPress site — including whether you should be on a maintenance plan or whether the discipline is sustainable in-house — book a free call with us. We’ll give you a straight answer including, where applicable, the things you can absolutely do yourself.

Sources: Patchstack State of WordPress Security; Wordfence 2024 Annual WordPress Security Report; Sucuri 2023 Hacked Website & Malware Threat Report; WordPress.org Hardening Documentation.