
WordPress Security Best Practices: The 2026 Hardening Guide
By Sprout Sage Solutions · Published 2026-04-22
In this guide: 13 sections
- Start with Hosting, Not Plugins
- Lock Down the Login Page
- Keep Core, Plugins, and Themes Updated
- Plugin Hygiene in 2026
- User Management and Permissions
- Database and File Security
- Backup Strategy That Actually Works
- Web Application Firewall and DDoS Protection
- SSL, HTTPS, and Security Headers
- Monitoring and Incident Detection
- What to Do If You Get Hacked
- The Monthly Security Checklist
- Get Your WordPress Site Properly Hardened
These WordPress security best practices come from cleaning up dozens of compromised sites — casino spam, SEO injections, hidden admin users, the works. WordPress powers 43% of the web, which makes it the biggest attack surface in the CMS world. The attacks in 2026 are mostly automated: bots scan IP ranges, fingerprint WordPress installs, and exploit known plugin vulnerabilities within hours of disclosure. Good hygiene stops 95% of them. This guide is the hardening checklist we apply to every WordPress site we manage, from five-page brochure sites to high-traffic e-commerce stores.
Start with Hosting, Not Plugins
Most “WordPress security” advice jumps straight to plugins. That is backwards. Your host decides whether a compromise on one site spreads to every site on the server, whether you get automatic malware scanning, and whether backups are actually restorable.
What to demand from your host in 2026:
- Isolated containers per site (no shared user accounts)
- PHP 8.2 or newer with automatic security patching
- ModSecurity or equivalent WAF enabled by default
- Daily off-site backups with 30-day retention minimum
- Free SSL via Let’s Encrypt with auto-renewal
- Automatic malware scanning (Imunify360, Patchman, or equivalent)
Cheap shared hosting at $3/month is where 80% of compromises happen. Budget $15–$40/month minimum for a reputable managed WordPress host.
Lock Down the Login Page
wp-login.php and /wp-admin are the two most attacked URLs on your site. Brute force attempts run 24/7 from botnets rotating IPs. The easy wins:
- Change the login URL with WPS Hide Login or similar
- Enable 2FA on every admin account — TOTP apps, not SMS
- Limit login attempts with Wordfence or Limit Login Attempts Reloaded
- Add Cloudflare Turnstile or reCAPTCHA to the login form
- Block login from countries you do not operate in at the firewall
These five changes alone eliminate almost all brute-force credential stuffing. They take under 30 minutes to implement.
Keep Core, Plugins, and Themes Updated
Outdated plugins cause more compromises than any other single factor. Wordfence’s 2025 threat report attributed 67% of WordPress hacks to known plugin vulnerabilities with patches already available.
The update discipline:
- Enable automatic updates for minor WordPress core releases
- Review major core updates within 7 days of release
- Update plugins weekly, not “when we remember”
- Remove any plugin you are not actively using
- Replace any plugin that has not been updated in 12+ months
Before updating in production, test on a staging site. Managed hosts like WP Engine and Kinsta include staging environments for free.
Plugin Hygiene in 2026
The average WordPress site has 26 plugins. That is too many. Every plugin is a potential attack vector and a performance hit.
Plugin rules we enforce:
- Under 15 active plugins where possible
- Only install plugins with 10k+ active installs and a 4+ star rating
- Check the support forum — an active developer beats a popular abandoned one
- Avoid plugins from single developers with no team
- Never install nulled or cracked premium plugins (almost always backdoored)
For bespoke functionality, consider custom code inside the theme or a small mu-plugin instead of a third-party plugin. Our website design team writes client-specific logic into custom plugins so the site does not depend on third-party developers for core features.
User Management and Permissions
Compromised admin accounts account for a huge share of successful attacks. If a marketing intern has full admin access and their Gmail gets phished, your site is gone.
The user policy that works:
- Only assign the Administrator role to people who need it (usually 1–2 people)
- Editors for content teams, Authors for guest writers
- Remove or disable accounts the day someone leaves
- Audit the user list quarterly for unexpected accounts
- Use unique, strong passwords — Bitwarden or 1Password, not a shared spreadsheet
- Never use “admin” as a username
Check for hidden administrator accounts regularly. A common attack pattern injects a new admin user named something like “wpadmin” or “support” and leaves it dormant for weeks.
Database and File Security
Hardening steps most sites skip:
- Change the database table prefix from `wp_` to something custom (only on new installs)
- Disable file editing inside wp-admin with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php
- Move wp-config.php up one directory if the server allows
- Set correct file permissions: 644 for files, 755 for directories, 600 for wp-config.php
- Block PHP execution in /uploads/ via .htaccess or nginx config
These changes take an hour for a developer and eliminate several common privilege-escalation attack paths.
Backup Strategy That Actually Works
“We have backups” is not the same as “we have tested, restorable, offsite backups.” The difference becomes painful during a live incident.
The backup stack that works:
- Daily automated backups (hosting-level + application-level)
- Offsite storage (S3, Backblaze B2, or Google Cloud Storage)
- 30-day retention minimum, 90 days for compliance-sensitive sites
- Monthly restore test to a staging environment
- Separate credentials for backup storage (an attacker who compromises WordPress should not be able to reach the backups)
UpdraftPlus, Duplicator Pro, and Solid Backups are all solid choices for application-level backups. Host-level backups via managed hosts add a second layer.
For the design side of reliable sites see our UI/UX design principles for 2026 — a broken or restored site still needs a fast, clear UX when it comes back online.
Web Application Firewall and DDoS Protection
A WAF filters malicious traffic before it reaches WordPress. In 2026 every serious site should have one.
Options that work:
- Cloudflare — free tier is enough for most sites, paid tiers add rate limiting
- Sucuri Firewall — strong on WordPress-specific rules
- Wordfence — application-level WAF, good but slower than CDN-level
- Host-level WAFs — included with most managed WordPress hosts
Cloudflare in front of a managed WordPress host is the standard setup we deploy for clients. It also accelerates the site and provides DDoS mitigation for free.
SSL, HTTPS, and Security Headers
SSL is table stakes. What most sites miss are the security headers that go with it:
- `Strict-Transport-Security` (HSTS) — forces HTTPS
- `Content-Security-Policy` — restricts where scripts can load from
- `X-Frame-Options` — prevents clickjacking
- `X-Content-Type-Options: nosniff` — prevents MIME sniffing attacks
- `Referrer-Policy` — controls what gets leaked to third parties
- `Permissions-Policy` — restricts browser features
Test your headers at securityheaders.com. A good score is A or A+. Most WordPress sites score D or F out of the box because no one configured the headers.
For sites serving geographic markets these headers also affect performance budgets — see how we handle this for SEO services in New York, where we bake security headers into the CDN config during onboarding.
Monitoring and Incident Detection
Prevention is step one. Detection is step two. You want to know within an hour if something changes on your site, not a week later when Google flags you.
The monitoring stack:
- Wordfence or Sucuri for malware scanning and file integrity monitoring
- Uptime Robot or Better Uptime for availability pings every minute
- Google Search Console — alerts for manual actions and security issues
- Activity log plugin (WP Activity Log) — audit trail of admin changes
- Email alerts for admin account creation, plugin installation, and file changes
Configure these to email the real tech owner, not a generic “admin@” address that nobody reads.
What to Do If You Get Hacked
If your site gets compromised, speed matters. The longer malware sits, the more Google penalizes the domain.
The response playbook:
1. Take the site offline or restrict access to admin IPs only
2. Rotate all admin passwords and all API keys
3. Restore from the most recent clean backup (test in staging first)
4. Scan for backdoors — look in wp-content/uploads, mu-plugins, and theme functions.php
5. Update everything to the latest version
6. Submit a reconsideration request in Search Console if blacklisted
7. Identify the entry vector (which plugin, which user) and patch it
8. Do a full post-incident audit after 30 days
Do not just “clean the malware” and move on. Find out how they got in, or they will be back within a week.
Related reading on the audit side: our technical SEO audit template covers the search-side recovery checklist after a malware incident.
The Monthly Security Checklist
Run this every 30 days and most sites stay clean indefinitely:
- Core, theme, and plugin updates applied
- User list audited for unexpected accounts
- Backup restore test performed
- Wordfence/Sucuri scan reviewed for flagged files
- Activity log reviewed for unusual admin behavior
- Google Search Console security section checked
- SSL certificate and security headers validated
- Staging environment refreshed from production
30 minutes a month beats two weeks of incident response after a hack.
Get Your WordPress Site Properly Hardened
WordPress security is not a one-time fix — it is an ongoing operational discipline. If you are running a site that matters for revenue and you are not 100% sure it is hardened against the 2026 threat landscape, book a free consultation. We will run a security audit across hosting, plugins, users, backups, and response plans, then give you a prioritized remediation plan. Most sites we audit have three or four serious gaps they had no idea about. Fixing them before an attack is 100x cheaper than fixing them after.
2026-Specific Threats You Need to Know About
WordPress security in 2026 is not the same game it was in 2023. Three trends changed the threat landscape:
- AI-powered brute force: Attackers now use LLMs to generate credential-stuffing lists based on publicly leaked data. Traditional rate limiting catches some, but you need application passwords or 2FA as a hard requirement — not optional.
- Supply chain attacks via plugins: In 2025, est. 12 popular plugins were compromised when their developers sold the plugin to unknown buyers who injected malware in the next update. The fix: `DISALLOW_FILE_MODS` in wp-config plus manual update reviews.
- XML-RPC amplification: Still the #1 attack vector for DDoS on WordPress. If you are not using Jetpack or the WordPress mobile app, block it entirely at the server level with the following in your .htaccess (on Apache 2.4 the `Order`/`Deny` directives need mod_access_compat; the native equivalent is `Require all denied`):

```apache
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
```
wp-config.php Hardening — The 5 Constants Most Sites Miss
Your wp-config.php is the single most powerful security configuration file in WordPress. Here are 5 constants that est. 80% of sites leave at default (insecure) values:
```php
define('DISALLOW_FILE_EDIT', true);         // Blocks theme/plugin editor in wp-admin
define('DISALLOW_FILE_MODS', true);         // Blocks plugin/theme installs from admin
define('FORCE_SSL_ADMIN', true);            // Forces HTTPS on wp-admin
define('WP_AUTO_UPDATE_CORE', 'minor');     // Auto-updates security patches only
define('AUTOMATIC_UPDATER_DISABLED', false); // Allows security auto-updates
```
DISALLOW_FILE_MODS is the most impactful. It prevents anyone — even a compromised admin account — from uploading a malicious plugin through the WordPress admin panel. Updates must happen via SFTP or your deployment pipeline, which is exactly how production sites should work.
The 5-Minute Security Audit You Can Run Right Now
Open a terminal and check these 5 things. Takes est. 5 minutes. If any fail, fix them immediately:
- Visit `yoursite.com/xmlrpc.php` — should return 403 Forbidden, not an XML response
- Visit `yoursite.com/?author=1` — should NOT redirect to `/author/admin/` (exposes your admin username)
- View source of any page — search for `name="generator"` — should NOT show your WordPress version number
- Visit `yoursite.com/wp-json/wp/v2/users` — should return 403, not a list of all user accounts
- Check your scripts — search source for `?ver=` — WordPress version numbers in script URLs help attackers identify vulnerable plugin versions
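The five checks above, plus the security-header list from the SSL section, scripted as an added example (not the article's own tooling). Each check takes an already-fetched response, so the logic can be exercised against constructed sample pages offline; the `fetch` helper, the `Response` type and the check names are assumptions of this example, and `audit("https://your-site.example")` runs it against your own site.

```python
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable

# The six headers the guide lists; the audit checks only that each one is present.
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options",
                    "referrer-policy", "permissions-policy")


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; empty string when absent."""
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def fetch(url: str) -> Response:
    """GET without following redirects, so the ?author=1 check can see the 301."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError for the 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-self-audit"})
    try:
        with opener.open(req, timeout=15) as r:
            return Response(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx all land here with headers and body
        return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


def audit(site: str, get: Callable[[str], Response] = fetch) -> dict[str, str]:
    """Run the checks; returns {check_name: finding} containing failures only."""
    base = site.rstrip("/")
    findings: dict[str, str] = {}

    r = get(f"{base}/xmlrpc.php")
    if r.status != 403:
        findings["xmlrpc"] = f"xmlrpc.php answered {r.status}; expected 403"

    r = get(f"{base}/?author=1")
    m = re.search(r"/author/([^/?#]+)", r.header("Location"))
    if r.status in (301, 302) and m:
        findings["author_enum"] = f"?author=1 redirects to /author/{m.group(1)}/ (username exposed)"

    home = get(base + "/")
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', home.body, re.I)
    if m:
        findings["generator"] = f"generator meta tag shows WordPress {m.group(1) or '(no version)'}"

    vers = sorted(set(re.findall(r"<(?:script|link)[^>]+\?ver=([\w.]+)", home.body, re.I)))
    if vers:
        findings["ver_params"] = "version strings in asset URLs: " + ", ".join(vers)

    missing = [h for h in REQUIRED_HEADERS if not home.header(h)]
    if missing:
        findings["headers"] = "missing security headers: " + ", ".join(missing)

    r = get(f"{base}/wp-json/wp/v2/users")
    if r.status == 200 and '"slug"' in r.body:
        findings["users_api"] = "REST users endpoint lists accounts; expected 403"
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # your own site
    results = audit(target)
    for name, msg in results.items():
        print(f"FAIL {name}: {msg}")
    print("all checks passed" if not results else f"{len(results)} finding(s)")
```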
Need help locking these down? I offer a free 30-minute security review for WordPress sites.
WordPress Security Threats in 2026: What Changed
The threat landscape shifted significantly since 2024. Here’s what I’m seeing across client sites in 2026:
- AI-powered brute force: Attackers now use AI to generate credential lists based on public data about your business (team names, locations, founding dates). Generic “admin/password123” attacks are being replaced by targeted guesses.
- Supply chain plugin attacks: Two major WordPress plugins were compromised in late 2025 — attackers injected malicious code into legitimate plugin updates. est. 300,000+ sites affected before patches were issued.
- Formjacking: Injecting invisible JavaScript into contact forms, payment forms, and login pages. Data exfiltrated to attacker-controlled servers. Particularly targeting WooCommerce and CFDB7 forms.
- LiteSpeed Cache exploits: Multiple CVEs disclosed for LiteSpeed Cache plugin in 2025-2026. If you’re running LiteSpeed (common on Hostinger, A2, Cloudways), keep this plugin updated aggressively.
wp-config.php Hardening: The 7 Lines Every Site Needs
Most WordPress security guides tell you to install a plugin. I’m telling you to add 7 lines to wp-config.php first — before any plugin matters:
| Constant | What It Does | Risk It Blocks |
|---|---|---|
| `DISALLOW_FILE_EDIT` | Removes theme/plugin editor from wp-admin | Attacker with admin access can’t inject PHP |
| `DISALLOW_FILE_MODS` | Blocks plugin/theme installs from dashboard | Compromised admin can’t install backdoor plugin |
| `FORCE_SSL_ADMIN` | Forces HTTPS on wp-admin and wp-login | Prevents credential sniffing on open WiFi |
| `WP_AUTO_UPDATE_CORE` | Auto-applies minor security releases | Zero-day patches apply without waiting for you |
| `WP_DEBUG = false` | Hides error messages from public | Stops information leakage (paths, versions) |
| Fresh auth salts | Invalidates all sessions | Forces re-login after suspected breach |
| DB table prefix ≠ `wp_` | Custom prefix for new installs | Blocks SQL injection targeting default tables |
These take 5 minutes to implement and block est. 60-70% of common WordPress attacks. No plugin required.
Post-Hack Recovery Checklist (If You’re Already Compromised)
I’ve cleaned est. 40+ hacked WordPress sites. Here’s the exact sequence I follow:
- Quarantine first: Don’t delete malware files immediately. Move them to a `.forensics/` directory with 403 .htaccess protection. You need evidence to understand the attack vector.
- Scan all PHP files: Search for `eval(base64_decode`, `gzinflate`, `str_rot13`, and obfuscated string concatenation like `'base64_'.'decode'`. Check `/wp-content/uploads/` — that’s where attackers hide PHP backdoors because it’s writable.
- Audit users: Check wp_users for unknown administrator accounts. Check wp_usermeta for users with `a:1:{s:13:"administrator";b:1;}` capabilities who shouldn’t have them.
- Rotate everything: WP auth salts (forces all sessions to expire), database password, FTP/SFTP password, all admin passwords. In that order.
- Block execution in uploads: Add `.htaccess` to `/wp-content/uploads/` with `php_flag engine off`. This prevents uploaded PHP files from executing even if an attacker manages to upload them. (`php_flag` only takes effect when PHP runs as an Apache module; under PHP-FPM or nginx, deny requests for `.php` under uploads in the server config instead.)
- Verify core files: Run `wp core verify-checksums` to detect modified core files. Replace any that don’t match.
- Monitor for 30 days: Attackers often leave multiple backdoors. If you only find one, the other activates days later. Keep the forensics directory and check `find -mtime -7 -name "*.php"` weekly.
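The file scan, uploads check and wp_usermeta capability audit from the list above (and the hidden-admin check from the user management section), as an added example rather than the author's own tooling. It walks a docroot with the checklist's patterns, reassembles split string literals, flags PHP under uploads and recent `.php` modifications, and parses the serialized `wp_capabilities` format; the function names and the constructed sample tree are this example's assumptions.

```python
from __future__ import annotations

import os
import re
import tempfile
import time
from pathlib import Path

# Patterns the checklist names. Split-literal obfuscation such as 'base64_'.'decode'
# is reassembled and compared against the same function names.
SUSPICIOUS = [(name, re.compile(rx, re.I)) for name, rx in (
    ("eval(base64_decode", r"eval\s*\(\s*base64_decode"),
    ("gzinflate", r"\bgzinflate\s*\("),
    ("str_rot13", r"\bstr_rot13\s*\("),
)]
CONCAT = re.compile(r"'(\w+)'\s*\.\s*'(\w+)'")
OBFUSCATED_TARGETS = {"base64_decode", "gzinflate", "str_rot13"}
# One entry of a PHP-serialized wp_capabilities array: s:<len>:"<role>";b:<0|1>;
CAP_ENTRY = re.compile(r's:\d+:"([^"]+)";b:([01]);')


def suspicious_lines(source: str) -> list[tuple[int, str]]:
    """(line_no, reason) for each line that matches a checklist pattern."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(source.splitlines(), 1):
        for name, pat in SUSPICIOUS:
            if pat.search(line):
                hits.append((n, name))
                break
        else:  # no direct hit: look for a split string literal naming one of them
            for a, b in CONCAT.findall(line):
                if (a + b).lower() in OBFUSCATED_TARGETS:
                    hits.append((n, f"split string literal builds {a + b}"))
                    break
    return hits


def scan_tree(root: Path, recent_days: int = 7) -> dict[str, list]:
    """Walk a docroot: PHP under uploads, suspicious code, recently modified .php files."""
    cutoff = time.time() - recent_days * 86400
    report: dict[str, list] = {"php_in_uploads": [], "suspicious": [], "recently_modified": []}
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel.startswith("wp-content/uploads/"):
            report["php_in_uploads"].append(rel)  # uploads should never hold PHP at all
        for line_no, reason in suspicious_lines(path.read_text(errors="replace")):
            report["suspicious"].append((rel, line_no, reason))
        if path.stat().st_mtime >= cutoff:
            report["recently_modified"].append(rel)
    return report


def roles_from_capabilities(serialized: str) -> set[str]:
    """Roles flagged true in a wp_capabilities value, e.g. a:1:{s:13:"administrator";b:1;}."""
    return {name for name, flag in CAP_ENTRY.findall(serialized) if flag == "1"}


def unexpected_admins(rows, expected_logins) -> list[str]:
    """rows: (user_login, wp_capabilities) pairs from wp_users joined to wp_usermeta."""
    return sorted(login for login, caps in rows
                  if "administrator" in roles_from_capabilities(caps)
                  and login not in expected_logins)


def write_sample_tree(root: Path | None = None) -> Path:
    """Constructed docroot for the demo: a dropper-style file in uploads, an obfuscated
    theme file, and a clean core file aged 30 days. Not real malware samples."""
    root = root or Path(tempfile.mkdtemp())
    uploads, theme, core = (root / p for p in
                            ("wp-content/uploads/2026/04", "wp-content/themes/demo", "wp-includes"))
    for d in (uploads, theme, core):
        d.mkdir(parents=True, exist_ok=True)
    (uploads / "cache.php").write_text("<?php\neval(base64_decode($payload));\n")
    (theme / "functions.php").write_text("<?php\n$fn = 'base64_' . 'decode';\necho 'ok';\n")
    (core / "clean.php").write_text("<?php\nfunction add($a, $b) { return $a + $b; }\n")
    old = time.time() - 30 * 86400
    os.utime(core / "clean.php", (old, old))
    return root


if __name__ == "__main__":
    for key, items in scan_tree(write_sample_tree()).items():
        print(f"{key}:", *items, sep="\n  ")
```

Point `scan_tree` at a real docroot (and `unexpected_admins` at the rows of a `wp_users`/`wp_usermeta` join) to triage a live incident.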
If your WordPress site shows signs of compromise — casino links, redirects, unknown admin accounts — reach out for emergency cleanup. I can typically identify and quarantine the threat within 2-4 hours.


