You don't need to be a security expert to protect your website. Most successful attacks exploit basic oversights that are straightforward to fix.
Keep everything updated
Outdated software is the single most common cause of website hacks. This means:
- WordPress core: update as soon as new versions are released
- Plugins and themes: even ones you are not actively using
- PHP version: check your host's control panel; anything below PHP 8.0 is end-of-life
Set a reminder to check for updates at least once a week. Better still, enable automatic updates for minor WordPress releases.
Use strong, unique passwords
Every login that touches your site needs a strong password:
- WordPress admin
- Hosting control panel
- FTP/SFTP account
- Domain registrar
- Database (phpMyAdmin)
Use a password manager: Bitwarden is free and open source. Never reuse passwords across services. Enable two-factor authentication wherever it is offered, especially on your hosting control panel.
Limit login attempts
By default WordPress allows unlimited login attempts, which makes password-guessing (brute-force) attacks trivial. Install a plugin like Limit Login Attempts Reloaded, or, if you always connect from a fixed IP address, add this to your .htaccess to restrict wp-login.php to that address (with a dynamic IP you will lock yourself out):
```apache
# Apache 2.2-style access control; Apache 2.4 only honours these directives
# when mod_access_compat is loaded (its native form is "Require ip ...")
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from YOUR.IP.ADDRESS.HERE
</Files>
```
Set up automated backups
A backup you haven't tested is not a backup. You need:
- Daily automated backups stored somewhere other than your server (your host's own backups plus a separate copy in cloud storage such as Google Drive or Backblaze)
- Retention of at least 30 days: malware is sometimes dormant for weeks before it activates, so you need copies from before the infection
- A tested restore process: download your backup and actually restore it to a staging environment at least once
Most hosts include backups in their control panel. UpdraftPlus is a reliable free plugin for WordPress that can push backups to cloud storage automatically.
Install a security plugin
For WordPress, install Wordfence (the free tier is sufficient for most sites). It provides:
- Malware scanning
- Firewall rules
- Login protection
- File change detection
Run a full scan immediately after installing and schedule weekly scans.
Monitor for downtime
You need to know the moment your site goes down. UptimeRobot offers free monitoring with 5-minute checks and email/SMS alerts. Set it up and forget about it, until it emails you.
Check your site with Google Search Console regularly
Google will notify you if it detects malware or manual penalties on your site. Log in to Search Console at least monthly and check the Security & Manual Actions section.