I’ve been maintaining WordPress sites since 2008. In that time, I’ve seen security advice range from reasonable to paranoid overkill.
Here’s what I tell my clients: most WordPress hacks aren’t sophisticated attacks. They’re automated scripts exploiting known vulnerabilities in outdated software. Prevent that, and you’ve eliminated 90% of your risk.
But the threat landscape has changed. Automated crawlers are smarter now; they can navigate past CAPTCHA, mimic human behavior, and probe vulnerabilities faster than ever. The bots hitting your site in 2026 aren’t the same ones from five years ago. Basic security measures that used to be enough are now just the starting line.
The Non-Negotiables
1. Keep WordPress Core Updated
This is the single most important thing you can do. WordPress releases security patches regularly, and outdated installations are easy targets.
Minor and security releases auto-update by default; check that nobody has switched that off (a host setting or a WP_AUTO_UPDATE_CORE constant in wp-config.php can disable it). For major releases, I recommend updating within a week of release, after confirming plugin compatibility on a staging copy.
2. Keep Plugins and Themes Updated
Outdated plugins are the #1 attack vector for WordPress sites. Every plugin is a potential attack surface.
My rule: if you're not using it, delete it, don't just deactivate it. A deactivated plugin's files stay on disk, and a vulnerable file that can be requested directly is exploitable whether or not WordPress ever loads the plugin.
3. Use Strong, Unique Passwords
This seems obvious, but I still see “admin/password123” on sites. Use a password manager. Every login should have a unique, complex password.
4. Limit Login Attempts
Brute-force attacks try thousands of password combinations against wp-login.php. A plugin like Limit Login Attempts Reloaded locks an IP out after a few failures, which turns thousands of guesses into a handful. Make sure whatever you use also covers XML-RPC (xmlrpc.php accepts logins too, and bots know it), and remember that per-IP lockouts slow a distributed attack rather than stop it, which is why the strong passwords in the previous point still matter.
5. Regular Backups
Security isn’t just prevention; it’s recovery. Daily off-site backups mean you can recover from almost anything.
Here’s what most people miss: if your backups live on the same server as your site and that server fails or is compromised, your backups go with it, and an attacker who has the server can delete or encrypt them along with everything else. Tools like UpdraftPlus are fine for DIY site owners backing up to cloud storage, but for business-critical sites, I set up dedicated backup systems tailored to each client: off-site, redundant, and tested by actually restoring them on a schedule, not just on the day they were configured.
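As an added example (not the author's tooling and not tied to any plugin), here is a small POSIX shell script that does what the paragraph asks for: dump the database, archive the files, verify both against a recorded checksum, test a restore, and push the result off-site. The install path, staging directory and rsync destination are assumptions; the database dump goes through wp-cli's wp db export so the credentials stay in wp-config.php instead of in the script or the crontab.

```shell
#!/bin/sh
# Added example: WordPress backup with off-site copy and restore check.
# Assumed arguments (none of these come from the original article):
#   WP_ROOT    WordPress install directory (contains wp-config.php)
#   BACKUP_DIR local staging directory for archives
#   REMOTE     rsync destination, e.g. backup@offsite.example:/srv/wp-backups/
# Needs tar, gzip, rsync, a SHA-256 tool and wp-cli (for the database dump).
set -u

checksum() {
  # SHA-256 of a file with whatever tool the host has; cksum is the POSIX fallback.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else cksum "$1" | cut -d' ' -f1
  fi
}

backup_files() {
  # backup_files SRC_DIR DEST_DIR -> prints the archive path.
  # Records a checksum next to the archive so later checks can prove it is intact.
  src=$1; dest=$2; stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/files-$stamp.tar.gz"
  mkdir -p "$dest" || return 1
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
  checksum "$archive" > "$archive.sha256"
  printf '%s\n' "$archive"
}

backup_db() {
  # backup_db WP_ROOT DEST_DIR -> prints the dump path. wp-cli reads the DB
  # credentials from wp-config.php, so none are stored in this script or cron.
  dest=$2; stamp=$(date -u +%Y%m%dT%H%M%SZ)
  sqlfile="$dest/db-$stamp.sql"
  mkdir -p "$dest" || return 1
  wp --path="$1" db export "$sqlfile" >/dev/null || return 1
  gzip -f "$sqlfile" || return 1
  checksum "$sqlfile.gz" > "$sqlfile.gz.sha256"
  printf '%s\n' "$sqlfile.gz"
}

verify_archive() {
  # verify_archive PATH -> 0 only if the recorded checksum matches and the
  # compressed data is readable. A backup that fails this is not a backup.
  [ -f "$1" ] && [ -f "$1.sha256" ] || return 1
  [ "$(checksum "$1")" = "$(cat "$1.sha256")" ] || return 1
  case $1 in
    *.tar.gz) tar -tzf "$1" >/dev/null 2>&1 ;;
    *.gz)     gzip -t "$1" 2>/dev/null ;;
  esac
}

restore_test() {
  # restore_test ARCHIVE SCRATCH_DIR -> 0 if the archive unpacks and contains a
  # wp-config.php, the least a real restore needs. Run this against the copy
  # that lives off-site, on a schedule, not only on the day you set it up.
  mkdir -p "$2" || return 1
  tar -xzf "$1" -C "$2" || return 1
  find "$2" -name wp-config.php | grep -q .
}

push_offsite() {
  # push_offsite LOCAL_DIR REMOTE. --ignore-existing stops this server from
  # overwriting archives already on the remote, so a compromised web server
  # cannot quietly replace history; retention and deletion protection belong
  # on the remote side, where this server's credentials cannot reach them.
  rsync -a --ignore-existing "$1/" "$2"
}

main() {
  wp_root=$1; out=$2; remote=$3
  db=$(backup_db "$wp_root" "$out")       || { echo "database dump failed" >&2; return 1; }
  files=$(backup_files "$wp_root" "$out") || { echo "file archive failed" >&2; return 1; }
  verify_archive "$db" && verify_archive "$files" || { echo "verification failed" >&2; return 1; }
  scratch=$(mktemp -d) && restore_test "$files" "$scratch" || { echo "restore test failed" >&2; return 1; }
  rm -rf "$scratch"
  push_offsite "$out" "$remote"
}

# Run only when called with the three arguments, e.g. from daily cron:
#   0 3 * * * /usr/local/bin/wp-backup.sh /var/www/site /var/backups/wp backup@offsite.example:/srv/wp-backups/
if [ "$#" -eq 3 ]; then main "$@"; fi
```

The script refuses to push anything it could not verify and restore, which is the property the paragraph is really after: a backup nobody has restored is a hope, not a plan. Retention and delete-protection are deliberately left to the remote side, because a backup account that the web server can fully control is exactly what an attacker on that server will reach for first.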
What Actually Matters Less Than You’d Think
Security plugins with dozens of features. Most of these features duplicate what you can accomplish with simpler solutions. I prefer targeted tools over all-in-one security suites.
Changing your login URL. This is security through obscurity. It doesn’t stop determined attackers and can cause issues with some plugins.
Hiding that you use WordPress. Same problem. If someone wants to know, they’ll find out. Focus on actual security instead.
When to Worry More
Some sites need security beyond the basics:
E-commerce sites that handle payment data should implement additional monitoring and PCI compliance measures. But here’s what I’m seeing right now: quick-pay buttons like Apple Pay and Google Pay, as well as express checkout integrations, widen the attack surface by bypassing the traditional checkout flow. There’s no human checkpoint. The button hands the gateway a token and the transaction fires, so if anything in that chain is compromised, nothing slows it down. And once a bot finds that endpoint, it doesn’t stop. You’ll see failed payment attempts every hour or more often (automated card testing, where bots run stolen card numbers through a live checkout to see which ones work, looks exactly like this), hammering your checkout until something breaks or a card goes through. If you’re running any form of express payment, your security posture needs to account for that: rate-limit the checkout endpoint, turn on your gateway’s velocity and fraud checks, and alert on spikes in declined transactions.
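The login-limiting point above and this checkout paragraph describe the same thing from the defender's side: one source hammering one endpoint. As an added example (not the author's tooling), here is a shell script that finds those sources in a standard web-server access log, first for wp-login.php and then for an express-checkout endpoint. The log lines are constructed, and the checkout path is WooCommerce's AJAX checkout URL used as an assumption; substitute whatever path your payment integration posts to.

```shell
#!/bin/sh
# Added example: spot one IP hammering a single endpoint in a web-server
# access log. Covers both cases from the text: password guessing against
# wp-login.php and automated payment attempts against an express-checkout
# endpoint. Assumes the "combined" log format Apache and nginx write by default:
#   <ip> - - [time] "<method> <path> HTTP/x" <status> <bytes> "<referer>" "<agent>"

# hammering_ips LOGFILE METHOD PATH_REGEX [STATUS_REGEX] [THRESHOLD]
# Prints "<hits> <ip>" for every IP with more than THRESHOLD matching requests,
# busiest first. Feed it a recent slice (tail -n 20000 access.log, or a log
# rotated every few minutes) so the count is a rate, not a day's total.
hammering_ips() {
  awk -v method="$2" -v path="$3" -v status="${4:-.}" -v limit="${5:-10}" '
    {
      m = substr($6, 2)                         # $6 is "\"POST"; drop the quote
      if (m == method && $7 ~ path && $9 ~ status) hits[$1]++
    }
    END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
  ' "$1" | sort -rn
}

# Failed logins: WordPress answers a bad password on POST /wp-login.php with
# 200 (the form is re-rendered with an error) and a good one with 302, so the
# status code separates guessing from real logins without any plugin.
login_bruteforce() {
  hammering_ips "$1" POST '^/wp-login[.]php' '^200$' "${2:-5}"
}

# Express checkout: the endpoint below is WooCommerce's AJAX checkout path,
# used here as an assumption; substitute the path your payment integration
# posts to. Status is not filtered because gateways report declines in the
# response body, so the signal is volume from one source, not the code.
checkout_hammering() {
  hammering_ips "$1" POST '^/[?]wc-ajax=checkout' '' "${2:-10}"
}

# Turn the list into nginx deny rules for an include file (one possible
# response; a WAF rule or the gateway's own velocity check is the better
# long-term home, since bots rotate IPs).
deny_rules() {
  awk '{ print "deny " $2 ";" }'
}

# Constructed sample log (not real traffic): one password guesser, one real
# login, one bot cycling cards through express checkout, one real customer.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2026:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:08:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:08:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:08:02:00 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:08:02:01 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:08:02:02 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:08:02:03 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2026:08:03:00 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 980 "-" "Mozilla/5.0"
EOF

echo "login guessing (more than 3 failures):"; login_bruteforce "$SAMPLE_LOG" 3
echo "checkout hammering (more than 3 attempts):"; checkout_hammering "$SAMPLE_LOG" 3
echo "nginx rules:"; checkout_hammering "$SAMPLE_LOG" 3 | deny_rules
```

Two things the code makes concrete that the prose only implies. First, the real customer's successful login (a 302) and the guesser's five failures (all 200) are told apart by status code alone, which is the same signal a login-limiting plugin counts, just read from the server's own log. Second, the checkout bot is identified purely by volume from one address, because a declined card and an accepted one usually get the same HTTP status; that is why the gateway's velocity checks, which see the decline itself, belong in the picture too.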
Sites with memberships, intake forms, or any other feature that collects sensitive user data require additional attention to data protection. This isn’t just about encryption. It’s about who has access, how long data is stored, and what happens when a plugin that touches that data hasn’t been updated in six months.
High-traffic sites are bigger targets and may need WAF protection and DDoS mitigation. The more visible you are, the more automated attacks you attract.
The Real Security Problem
The biggest security risk isn’t technical; it’s neglect. Sites that get hacked are usually sites that haven’t been updated in months or years.
But neglect isn’t always obvious. The issue I see most often is what happens when teams change. A new developer joins and installs their preferred security plugin without removing the existing one. The next person does the same. Before long, you’ve got three or four plugins doing roughly the same thing, each with slightly different vulnerabilities, none of them fully configured.
Stack those together, and you don’t have layered security; you have layered risk. More attack surface, more conflicts, more things no one is monitoring. The fix isn’t adding another plugin. It’s an audit: strip it back, pick the right tools, and maintain them.
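The audit this paragraph calls for, and the update and delete-what-you-don't-use rules from the non-negotiables, all start from the same data: the plugin list. As an added example (not the author's tooling), here is a shell script that reads the CSV wp-cli produces for that list, reports inactive plugins still on disk, plugins with updates waiting, and more than one security plugin doing the same job, and shows the wp-cli commands that fix each finding. The list of overlapping security-plugin slugs is a starter set I am assuming, and the sample CSV is constructed rather than taken from a real site.

```shell
#!/bin/sh
# Added example: audit the plugin list the way the text describes, from the CSV
# that `wp plugin list --format=csv --fields=name,status,update,version` emits.
# Nothing here is the author's tooling; the security-plugin list is a starter
# set of well-known slugs and the sample CSV is constructed, not from a real site.

# Plugins that overlap in purpose: more than one of these on a site is the
# "layered risk" stack the text describes. Extend for whatever your stack uses.
SECURITY_PLUGINS="wordfence sucuri-scanner all-in-one-wp-security-and-firewall better-wp-security limit-login-attempts-reloaded wp-cerber"

# Each function reads the CSV (header: name,status,update,version) and prints
# one plugin slug per line so the results can be piped straight into wp-cli.
inactive_plugins() { awk -F, 'NR > 1 && $2 == "inactive" { print $1 }' "$1"; }
outdated_plugins() { awk -F, 'NR > 1 && $3 == "available" { print $1 }' "$1"; }
security_plugins() {
  awk -F, -v known="$SECURITY_PLUGINS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) is_sec[k[i]] = 1 }
    NR > 1 && ($1 in is_sec) { print $1 }' "$1"
}

# audit_report CSV -> human-readable summary; returns 1 when anything needs action.
audit_report() {
  rc=0
  inactive=$(inactive_plugins "$1" | xargs)
  outdated=$(outdated_plugins "$1" | xargs)
  security=$(security_plugins "$1" | xargs)
  nsec=$(security_plugins "$1" | wc -l | tr -d ' ')
  [ -n "$inactive" ] && { echo "delete (inactive, still on disk): $inactive"; rc=1; }
  [ -n "$outdated" ] && { echo "update available: $outdated"; rc=1; }
  [ "$nsec" -gt 1 ] && { echo "overlapping security plugins ($nsec), keep one: $security"; rc=1; }
  return $rc
}

# remediate WP_ROOT -> applies the non-negotiables with wp-cli. Not run here;
# run it on a staging copy first, and only after reading audit_report, because
# "delete every inactive plugin" is only right once you know why each is inactive.
remediate() {
  wp_root=$1
  csv=$(mktemp)
  wp --path="$wp_root" plugin list --format=csv --fields=name,status,update,version > "$csv"
  inactive=$(inactive_plugins "$csv")
  [ -n "$inactive" ] && wp --path="$wp_root" plugin delete $inactive
  wp --path="$wp_root" plugin update --all
  wp --path="$wp_root" plugin auto-updates enable --all
  wp --path="$wp_root" theme update --all
  # Keep minor/security core releases automatic (the default); majors stay manual.
  wp --path="$wp_root" config set WP_AUTO_UPDATE_CORE minor
  rm -f "$csv"
}

# Constructed sample: three security plugins from three different developers,
# one of them deactivated, plus two plugins with updates waiting.
SAMPLE_CSV=$(mktemp)
cat > "$SAMPLE_CSV" <<'EOF'
name,status,update,version
akismet,active,none,5.3.2
wordfence,active,none,7.11.0
sucuri-scanner,inactive,none,1.9.0
limit-login-attempts-reloaded,active,none,2.26.0
hello-dolly,inactive,available,1.7.2
woocommerce,active,available,8.6.0
EOF

audit_report "$SAMPLE_CSV" || echo "action needed"
```

The report is split from the remediation on purpose. The audit is safe to run from a monthly cron and fail loudly; the fixes touch a live site and want a human deciding which of the three overlapping security plugins stays, since deleting the wrong one can remove the only login limiting the site has.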
If you don’t have time to maintain your site, hire someone who does. Monthly maintenance is far cheaper than recovering from a hack.
One More Thing
If your site does get compromised, don’t panic. With good backups, you can restore to a clean state, but restore from a copy taken before the intrusion: a backup that already contains the backdoor just puts it back. Clean up anything the restore didn’t cover, update everything, change all passwords (the database, hosting and SFTP accounts included, and rotate the authentication salts in wp-config.php so any stolen login cookies stop working), and investigate how it happened.
Most hacks are opportunistic, not personal. Fix the vulnerability they exploited, and you’re unlikely to see them again.
Mary Lee Weir has been building and maintaining WordPress sites since 2008. She provides ongoing maintenance and security services for clients across multiple industries.
Need a plan? Book a one-hour strategy session and walk away with a clear direction for your website, marketing, or AI visibility. All sessions are recorded with full transcription, so you have everything we discussed.
Want to get to know me first? Book a free 15-minute intro call. No pitch, just a conversation.