Harden Your WordPress Site Against Common Threats

WordPress powers a huge share of the web, which also makes it a frequent target for attacks. This article covers practical steps to harden your WordPress site against the most common threats, using both WordPress settings and your Exact Hosting tools.

Why WordPress needs hardening

Most WordPress compromises come from a handful of avoidable weaknesses: outdated core, plugins, or themes; weak admin passwords; and abandoned extensions. Hardening means closing those gaps before an attacker finds them. None of the steps below require advanced technical skills.

For broader server-level protection, see Securing Your Site with cPanel Tools. If your site is already compromised, see My Website Was Hacked: Cleanup & Recovery first.

Before you begin

• Admin access to your WordPress dashboard.
• cPanel access, for file and security tasks.
• A current backup, so you can recover if a change causes an issue.

Step 1: Keep everything updated

Outdated software is the number one cause of WordPress compromises.

1. In your WordPress dashboard, go to Dashboard > Updates.
2. Update WordPress core, then all plugins and themes.
3. Turn on automatic updates for core and for trusted plugins where available.

Tip: Update from a backup point. On the rare occasion an update conflicts with a plugin, you can roll back quickly.

Step 2: Remove what you don't use

Every installed plugin and theme is a potential entry point, even when deactivated.

1. Go to Plugins and delete any you are not actively using.
2. Go to Appearance > Themes and delete unused themes, keeping one default theme for troubleshooting.

Step 3: Strengthen logins

1. Make sure no account uses the username admin. Create a new administrator with a unique name and remove the old one.
2. Use a strong, unique password for every administrator account.
3. Add two-factor authentication with a reputable security plugin.
4. Consider limiting login attempts to slow down brute-force attacks.

Step 4: Use only trusted plugins and themes

• Install from the official WordPress directory or reputable commercial developers.
• Check that an extension is actively maintained and compatible with your WordPress version.
• Avoid "nulled" or pirated premium plugins — they frequently contain malicious code.

Step 5: Lock down sensitive files

• Protect wp-config.php and your admin area using your security plugin or server rules.
• Disable file editing in the dashboard by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php, so an attacker who gains access cannot edit your theme and plugin code from the browser.

Warning: Always back up wp-config.php before editing it. A mistake in this file can take your site offline with a database connection error or a 500 error.

Step 6: Add a security plugin

A reputable WordPress security plugin can combine several of the above protections — malware scanning, a firewall, login protection, and file-integrity monitoring — in one place. [SME CONFIRM: whether Exact Hosting recommends or bundles a specific security plugin.]

Next steps

• Add server-level protection. See Securing Your Site with cPanel Tools.
• Confirm your SSL is active. See Your Free SSL Certificate (AutoSSL).
• Keep good backups. See Restoring Your Site from a Backup.

Questions? Contact Exact Hosting Support.