
A hacked website costs more than the time it takes to fix. There's the downtime, the Google warning that scares customers off, and — if you run an online store — the very real risk of stolen customer data. The good news is that almost every WordPress security incident we see traces back to a handful of avoidable gaps, not some unstoppable attack. Here's what actually protects a WordPress site in practice.
Keep everything updated, always
The single biggest cause of WordPress compromises is outdated software — an old plugin, an unpatched theme, or a version of WordPress core that's fallen behind. Security researchers publish vulnerabilities for older versions, and automated bots scan the web looking for exactly those weaknesses. An unpatched site is a standing invitation.
- Update WordPress core as soon as a release is available.
- Update every plugin and theme regularly, not just when something breaks.
- Remove plugins and themes you're not actually using — even inactive ones are a risk if left installed.
- Check that your hosting runs a currently supported PHP version.
This is exactly why a routine matters more than a one-off fix — see our full WordPress maintenance checklist for a schedule you can actually stick to, and our guide on when to update WordPress if you're unsure how aggressive to be about it.
Use strong, unique logins — and limit who has them
Weak or reused passwords are behind a huge share of successful attacks, particularly brute-force attempts against the login page. A Toowoomba accounting firm sharing one "admin" login with a simple password is far more exposed than a business where every staff member has their own strong, unique credentials.
- Use long, random passwords — a password manager makes this painless.
- Turn on two-factor authentication for every admin account.
- Give each user their own account with only the access level they need.
- Remove accounts for staff who've left immediately.
- Rename or restrict the default "admin" username, which is the first thing attackers try.
Choose hosting that takes security seriously
Not all hosting is equal, and cheap, generic hosting is a common weak point. A host built specifically for WordPress typically includes a hardened server configuration, malware scanning, automatic backups and a support team that actually understands WordPress when something goes wrong.
Shared, unmanaged hosting can mean your site sits on the same server as thousands of others, and a vulnerability in one can sometimes expose neighbours. Managed WordPress hosting isolates and hardens sites properly, which is worth paying a little more for once your business depends on the site staying online.
Install a reputable security plugin
A good security plugin covers ground that's hard to manage manually: firewall rules that block malicious traffic before it reaches WordPress, malware scanning, login attempt limiting, and file change monitoring that flags if something's been tampered with. Popular, well-maintained options like Wordfence or Sucuri cover most of this well.
The key word is well-maintained — an abandoned security plugin is itself a risk. Check that whatever you install is actively updated and has a solid track record.
Back up automatically, and check the backups work
Security and backups go hand in hand. If the worst happens, a recent, working backup is the difference between a five-minute restore and rebuilding a site from scratch. Automated daily backups, stored off the server itself, are the standard for any business site.
Just as important: actually test a restore occasionally. A backup nobody has verified is a false sense of security. We cover this properly in our WordPress backup guide.
Lock down the technical basics
A handful of technical settings meaningfully reduce your attack surface without any ongoing effort once they're set up:
- Force HTTPS across the entire site with a valid SSL certificate.
- Disable file editing from within the WordPress dashboard.
- Limit login attempts to stop brute-force guessing.
- Hide or restrict access to sensitive files like
wp-config.php. - Set correct file and folder permissions on the server.
Most of these are one-off changes a developer or host can implement in under an hour, and they close off entire categories of common attacks.
Monitor and respond, don't just set and forget
Security isn't purely preventative — knowing quickly when something's wrong matters just as much. Uptime monitoring alerts you the moment your site goes down. Security plugin scans flag suspicious file changes. Google Search Console will warn you directly if Google detects malware on your site.
A Geelong plumber's site that goes down at 2am is far better caught by an automated alert than discovered by a customer trying to book a job the next morning.
Security essentials at a glance
| Area | What to have in place |
|---|---|
| Updates | WordPress core, plugins and themes updated regularly |
| Access | Unique logins, two-factor authentication, minimal admin accounts |
| Hosting | Reputable WordPress-specific hosting with hardened servers |
| Plugins | One well-maintained, actively updated security plugin |
| Backups | Automated, off-server, and periodically tested |
| Technical | HTTPS enforced, file editing disabled, login attempts limited |
| Monitoring | Uptime alerts and regular security scans |
Getting the full picture right doesn't require a security specialist on staff — it requires a sensible checklist followed consistently, which is exactly what a good website security guide or ongoing maintenance plan provides.
Key Takeaways
- Outdated software is the leading cause of WordPress hacks — updates matter more than almost anything else.
- Strong, unique logins with two-factor authentication stop most brute-force attacks cold.
- Quality WordPress-specific hosting hardens the server layer you can't control yourself.
- Automated, tested backups turn a disaster into a minor inconvenience.
- Ongoing monitoring catches problems fast, before they become expensive.
Frequently Asked Questions
Is WordPress secure by default?
WordPress core itself is regularly audited and reasonably secure out of the box. Most real-world vulnerabilities come from outdated plugins, weak passwords, poor hosting or neglected maintenance rather than a flaw in WordPress itself, which is why ongoing care matters so much.
How often should I update WordPress for security reasons?
Core, plugin and theme updates should be applied as soon as practical, ideally within a few days of release, especially if the update addresses a security fix. Waiting weeks or months to update is one of the most common ways sites get compromised.
What's the most common way WordPress sites get hacked?
Outdated plugins and themes with known vulnerabilities are the most common entry point, followed closely by weak or reused passwords on admin accounts. Both are entirely preventable with a consistent maintenance routine.
Do I need a security plugin if my host already offers security features?
It's still worth having one, since host-level security and a plugin like Wordfence or Sucuri cover different layers — server hardening versus application-level monitoring, login protection and file scanning. Together they give more complete coverage than either alone.
How do I know if my WordPress site has been hacked?
Warning signs include unexpected pop-ups, unfamiliar admin users, a Google "site may be hacked" warning in search results, sudden traffic or ranking drops, or your host flagging malware. Security scans and uptime monitoring catch most of this before customers ever notice.
Is shared hosting safe for a WordPress business site?
Basic shared hosting can be safe for a low-stakes site, but it generally offers weaker isolation and fewer security features than WordPress-specific managed hosting. For any business relying on its website for enquiries or sales, the extra cost of managed hosting is usually well justified.
Do I need an SSL certificate even for a simple brochure site?
Yes. HTTPS is now a baseline expectation — browsers actively warn visitors when a site isn't secure, and Google has confirmed it as a ranking signal. Most hosts now include a free SSL certificate, so there's rarely a reason to go without one.
What should I do immediately if I think my site has been hacked?
Take the site offline or put it in maintenance mode, restore from your most recent clean backup if available, change every password immediately, and get a developer or security specialist to investigate the cause before bringing it back online, so the same vulnerability doesn't let the attacker straight back in.
Get a website you can trust
Security isn't a one-off task — it's an ongoing habit that protects your reputation, your customers and your revenue. If you'd like a WordPress site that's built and maintained with security taken seriously from day one, have a chat with Pixel and Pine.


