Dashboard > Updates<\/strong> and apply everything. If a plugin hasn’t been updated by its developer in over 12 months and has known CVEs, consider replacing it.<\/p>\n\ud83d\udcdd Note: Premium themes and plugins sometimes need manual updates if they’re not connected to an active license. Check those separately.<\/p>\n
Step 2: Use a Strong Admin Username and Password<\/h3>\n The default admin username is literally “admin” \u2014 and attackers know this. If your account is still named that, create a new administrator account with a different username, log in as the new user, then delete the old “admin” account and reassign its content.<\/p>\n
Use a generated password of at least 20 characters. WordPress’s built-in password generator is fine. Store it in a password manager, not a sticky note or your browser’s saved passwords on a shared machine.<\/p>\n
Step 3: Enable Two-Factor Authentication<\/h3>\n A strong password alone isn’t enough if it leaks in a breach. Add two-factor authentication (2FA) to all administrator accounts.<\/p>\n
Install the WP 2FA<\/strong> plugin (free, actively maintained as of 2026). Once installed, go to Users > Your Profile<\/strong> and follow the 2FA setup wizard. Force 2FA for admin roles under WP 2FA > Policies<\/strong>.<\/p>\nStep 4: Limit and Protect wp-login.php<\/h3>\n Brute-force attacks against wp-login.php<\/code> are relentless. There are two things you should do here: rate-limit login attempts and optionally add an extra layer of HTTP authentication.<\/p>\nInstall Limit Login Attempts Reloaded<\/strong> and configure it to lock out an IP after 5 failed attempts for at least 20 minutes. This alone stops the vast majority of automated attacks.<\/p>\nFor higher-security sites, you can add HTTP Basic Auth in front of the login page. In cPanel, go to Security > Password Protect Directories<\/strong>, select your WordPress root, and enable protection. This adds a browser-level username\/password prompt before WordPress even loads.<\/p>\n\u26a0 Warning: If you use XMLRPC for a mobile app or Jetpack, HTTP Basic Auth on the root directory will break those connections. Protect \/wp-login.php<\/code> specifically instead of the whole directory.<\/p>\nStep 5: Disable XML-RPC If You Don’t Need It<\/h3>\n XML-RPC is a remote access protocol that WordPress enables by default. Most sites don’t need it. When it’s enabled, it becomes another attack vector \u2014 it allows credential stuffing and, in older setups, amplification attacks using the system.multicall<\/code> method.<\/p>\nAdd this to your .htaccess<\/code> file (Apache) to block it entirely:<\/p>\n<\/button>Copied to clipboard<\/span><\/p>\n# Block XML-RPC\n<Files xmlrpc.php>\n Order Deny,Allow\n Deny from all\n<\/Files><\/code><\/pre>\n<\/div>\nFor Nginx, add this inside your server block:<\/p>\n
<\/button>Copied to clipboard<\/span><\/p>\nlocation = \/xmlrpc.php {\n deny all;\n access_log off;\n log_not_found off;\n}<\/code><\/pre>\n<\/div>\n\ud83d\udcdd Note: If you use Jetpack, it requires XML-RPC. In that case, restrict access to Automattic’s IP range rather than blocking it completely.<\/p>\n
Step 6: Set Correct File Permissions<\/h3>\n Incorrect file permissions are one of the most overlooked issues I see on compromised sites. World-writable files let malicious scripts modify your site’s core files.<\/p>\n
The correct permissions for most WordPress installations are:<\/p>\n
\nDirectories: 755<\/code><\/li>\nFiles: 644<\/code><\/li>\nwp-config.php<\/code>: 640<\/code> or 600<\/code><\/li>\n<\/ul>\nFrom SSH, you can fix permissions across your entire install with:<\/p>\n
<\/button>Copied to clipboard<\/span><\/p>\n# Fix directory permissions\nfind \/home\/yourusername\/public_html -type d -exec chmod 755 {} ;\n\n# Fix file permissions\nfind \/home\/yourusername\/public_html -type f -exec chmod 644 {} ;\n\n# Lock down wp-config.php\nchmod 640 \/home\/yourusername\/public_html\/wp-config.php<\/code><\/pre>\n<\/div>\nReplace \/home\/yourusername\/public_html<\/code> with your actual document root.<\/p>\nStep 7: Harden wp-config.php<\/h3>\n Your wp-config.php<\/code> file contains your database credentials. There are two quick wins here.<\/p>\nFirst, move it one directory above your document root if your host allows it. WordPress will find it automatically. This means it’s outside the web-accessible folder entirely.<\/p>\n
Second, make sure your security keys and salts are set. If yours still have placeholder text like put your unique phrase here<\/code>, generate new ones at https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/<\/code> and replace the corresponding lines in wp-config.php<\/code>.<\/p>\nAlso add this line to block direct PHP execution in config:<\/p>\n
<\/button>Copied to clipboard<\/span><\/p>\ndefine('DISALLOW_FILE_EDIT', true);<\/code><\/pre>\n<\/div>\nThis disables the theme and plugin editor inside the WordPress dashboard, which is a common post-compromise persistence method attackers use.<\/p>\n
Step 8: Install a Security Plugin<\/h3>\n A dedicated security plugin handles malware scanning, file integrity monitoring, and firewall rules. Wordfence Security<\/strong> (free tier) or Solid Security<\/strong> (formerly iThemes Security) are both solid options in 2026.<\/p>\nAfter installing Wordfence, run an initial scan under Wordfence > Scan<\/strong>. Pay attention to modified core files \u2014 if wp-includes\/functions.php<\/code> or similar shows as modified when you haven’t touched it, that’s a red flag.<\/p>\nStep 9: Keep Backups Offsite<\/h3>\n This isn’t a hardening step exactly, but it’s your recovery plan when hardening fails. Don’t rely solely on your hosting provider’s snapshots. Use a plugin like UpdraftPlus<\/strong> to push daily backups to an external destination (S3, Google Drive, Dropbox). If your site is compromised, you want a clean copy you can restore from independently.<\/p>\nCommon Issues and Troubleshooting<\/h2>\nLocked out of wp-admin after enabling 2FA<\/h3>\n This happens when the 2FA app isn’t synced correctly or the backup codes weren’t saved. Connect via SFTP or File Manager, navigate to \/wp-content\/plugins\/<\/code>, and rename the WP 2FA plugin folder (e.g. from wp-2fa<\/code> to wp-2fa-disabled<\/code>). This deactivates the plugin without needing dashboard access. Log in, then re-enable and reconfigure 2FA properly.<\/p>\nHTTP 403 after modifying .htaccess<\/h3>\n A syntax error in .htaccess<\/code> causes Apache to return 403 or 500 errors sitewide. Access your file via File Manager in cPanel, check the file for mismatched tags or typos, and compare against a known-good template. The WordPress default .htaccess<\/code> for pretty permalinks starts with # BEGIN WordPress<\/code> \u2014 anything you add should go above or below that block, not inside it.<\/p>\nWordfence scan shows modified core files after a WordPress update<\/h3>\n This is usually a false positive immediately after a core update \u2014 Wordfence’s signature database sometimes lags by a few hours. Run the scan again after 24 hours. If files still show as modified, compare them manually against the official WordPress source at https:\/\/core.svn.wordpress.org\/<\/code>. Unexpected modifications to wp-includes<\/code> or wp-admin<\/code> files that you didn’t make warrant a full malware investigation.<\/p>\nXML-RPC block breaking WooCommerce mobile app or Jetpack<\/h3>\n If you’ve blocked XML-RPC globally and a plugin stops working, you need to whitelist specific IPs rather than block everything. For Jetpack, Automattic publishes their IP ranges. Update your .htaccess<\/code> rule to use Allow from <IP><\/code> exceptions inside the <Files xmlrpc.php><\/code> block.<\/p>\nLogin page still accessible after Password Protect Directories in cPanel<\/h3>\n cPanel’s directory protection creates an .htpasswd<\/code> file and adds an AuthType Basic<\/code> directive. If it’s not working, check that the .htaccess<\/code> file in your WordPress root actually contains the auth block and isn’t being overridden by a parent directory’s config. Also confirm the path in the AuthUserFile<\/code> directive is absolute, not relative.<\/p>\nFAQ<\/h2>\n\n
Frequently Asked Questions<\/h2>\n\n
What is the most common way WordPress sites get hacked?<\/h3>\n\n
Outdated plugins are the leading cause by a wide margin. Attackers scan for sites running vulnerable plugin versions and exploit them automatically. Keep everything updated, remove plugins you’re not using, and check for plugins that haven’t had a security release in over a year.<\/p>\n<\/div>\n<\/div>\n
\n
Do I need a security plugin or is WordPress secure by default?<\/h3>\n\n
WordPress core is reasonably secure when kept updated, but it doesn’t include login rate limiting, file integrity monitoring, or a web application firewall out of the box. A security plugin like Wordfence fills those gaps. It’s not optional for any production site.<\/p>\n<\/div>\n<\/div>\n
\n
How do I know if my WordPress site has already been hacked?<\/h3>\n\n
Common signs include unexpected admin accounts, strange files in wp-content, your site redirecting to spam pages, or Google Search Console flagging malware. Run a Wordfence scan and check your wp-admin user list under Users > All Users for accounts you don’t recognise.<\/p>\n<\/div>\n<\/div>\n
\n
Should I hide the WordPress login URL?<\/h3>\n\n
Renaming wp-login.php is a common recommendation, but I’d consider it a secondary measure rather than a real security control. Bots will find it eventually, and it creates its own problems if you forget the URL or lock yourself out. Rate limiting and 2FA on the default URL are more reliable.<\/p>\n<\/div>\n<\/div>\n
\n
Does Host & Tech's managed WordPress hosting include security features?<\/h3>\n\n
Yes. Our Managed WordPress Hosting includes server-level hardening, automatic core and plugin updates, malware scanning, and daily backups. It’s a good option if you want the security baseline handled for you without manual configuration.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Most WordPress hacks aren’t sophisticated \u2014 they exploit weak passwords, outdated plugins, and default configurations that take 10 minutes to fix. This guide covers the security steps that actually matter, in the order you should do them.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[91],"tags":[507,504,335,502,505,339,506,503],"class_list":["post-202","post","type-post","status-publish","format-standard","hentry","category-wordpress","tag-how-to-secure-your-wordpress-site-a-practical-hardening-guide","tag-malware-prevention","tag-two-factor-authentication","tag-wordpress-hardening","tag-wordpress-permissions","tag-wordpress-security","tag-wordpress-security-hardening","tag-wp-login-protection"],"yoast_head":"\n
How to Secure Your WordPress Site: A Practical Hardening Guide<\/title>\n<meta name=\"description\" content=\"Step-by-step WordPress security hardening guide covering file permissions, login protection, plugins, and server-level fixes. Updated for 2026.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Secure Your WordPress Site: A Practical Hardening Guide\" \/>\n<meta property=\"og:description\" content=\"Step-by-step WordPress security hardening guide covering file permissions, login protection, plugins, and server-level fixes. Updated for 2026.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/\" \/>\n<meta property=\"og:site_name\" content=\"Host And Tech knowledge base\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/stshostandtech\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-02T06:08:53+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@stshostandtech\" \/>\n<meta name=\"twitter:site\" content=\"@stshostandtech\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#\\\/schema\\\/person\\\/b6fa79c48ddaba71af32e395c5b017ee\"},\"headline\":\"How to Secure Your WordPress Site: A Practical Hardening Guide\",\"datePublished\":\"2026-06-02T06:08:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/\"},\"wordCount\":1521,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#organization\"},\"keywords\":[\"How to Secure Your WordPress Site: A Practical Hardening Guide\",\"malware prevention\",\"two-factor authentication\",\"wordpress hardening\",\"wordpress permissions\",\"WordPress security\",\"WordPress security hardening\",\"wp-login protection\"],\"articleSection\":[\"WordPress Hosting\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/\",\"url\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/\",\"name\":\"How to Secure Your WordPress Site: A Practical Hardening Guide\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#website\"},\"datePublished\":\"2026-06-02T06:08:53+00:00\",\"description\":\"Step-by-step WordPress security hardening guide covering file permissions, login protection, plugins, and server-level fixes. Updated for 2026.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wordpress\\\/how-to-secure-wordpress-site\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Secure Your WordPress Site: A Practical Hardening Guide\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#website\",\"url\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/\",\"name\":\"Host And Tech knowledge base\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#organization\",\"name\":\"Host And Tech knowledge base\",\"url\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/logo-dark.png\",\"contentUrl\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/logo-dark.png\",\"width\":1134,\"height\":395,\"caption\":\"Host And Tech knowledge base\"},\"image\":{\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/stshostandtech\",\"https:\\\/\\\/x.com\\\/stshostandtech\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/#\\\/schema\\\/person\\\/b6fa79c48ddaba71af32e395c5b017ee\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\\\/\\\/hostandtech.com\\\/kb\"],\"url\":\"https:\\\/\\\/hostandtech.com\\\/kb\\\/author\\\/admin_fjj7qydm\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Secure Your WordPress Site: A Practical Hardening Guide","description":"Step-by-step WordPress security hardening guide covering file permissions, login protection, plugins, and server-level fixes. Updated for 2026.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/","og_locale":"en_US","og_type":"article","og_title":"How to Secure Your WordPress Site: A Practical Hardening Guide","og_description":"Step-by-step WordPress security hardening guide covering file permissions, login protection, plugins, and server-level fixes. Updated for 2026.","og_url":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/","og_site_name":"Host And Tech knowledge base","article_publisher":"https:\/\/www.facebook.com\/stshostandtech","article_published_time":"2026-06-02T06:08:53+00:00","author":"admin","twitter_card":"summary_large_image","twitter_creator":"@stshostandtech","twitter_site":"@stshostandtech","twitter_misc":{"Written by":"admin","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/#article","isPartOf":{"@id":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/"},"author":{"name":"admin","@id":"https:\/\/hostandtech.com\/kb\/#\/schema\/person\/b6fa79c48ddaba71af32e395c5b017ee"},"headline":"How to Secure Your WordPress Site: A Practical Hardening Guide","datePublished":"2026-06-02T06:08:53+00:00","mainEntityOfPage":{"@id":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/"},"wordCount":1521,"commentCount":0,"publisher":{"@id":"https:\/\/hostandtech.com\/kb\/#organization"},"keywords":["How to Secure Your WordPress Site: A Practical Hardening Guide","malware prevention","two-factor authentication","wordpress hardening","wordpress permissions","WordPress security","WordPress security hardening","wp-login protection"],"articleSection":["WordPress Hosting"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/","url":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/","name":"How to Secure Your WordPress Site: A Practical Hardening Guide","isPartOf":{"@id":"https:\/\/hostandtech.com\/kb\/#website"},"datePublished":"2026-06-02T06:08:53+00:00","description":"Step-by-step WordPress security hardening guide covering file permissions, login protection, plugins, and server-level fixes. Updated for 2026.","breadcrumb":{"@id":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hostandtech.com\/kb\/wordpress\/how-to-secure-wordpress-site\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hostandtech.com\/kb\/"},{"@type":"ListItem","position":2,"name":"How to Secure Your WordPress Site: A Practical Hardening Guide"}]},{"@type":"WebSite","@id":"https:\/\/hostandtech.com\/kb\/#website","url":"https:\/\/hostandtech.com\/kb\/","name":"Host And Tech knowledge base","description":"","publisher":{"@id":"https:\/\/hostandtech.com\/kb\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hostandtech.com\/kb\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/hostandtech.com\/kb\/#organization","name":"Host And Tech knowledge base","url":"https:\/\/hostandtech.com\/kb\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hostandtech.com\/kb\/#\/schema\/logo\/image\/","url":"https:\/\/hostandtech.com\/kb\/wp-content\/uploads\/2026\/05\/logo-dark.png","contentUrl":"https:\/\/hostandtech.com\/kb\/wp-content\/uploads\/2026\/05\/logo-dark.png","width":1134,"height":395,"caption":"Host And Tech knowledge base"},"image":{"@id":"https:\/\/hostandtech.com\/kb\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/stshostandtech","https:\/\/x.com\/stshostandtech"]},{"@type":"Person","@id":"https:\/\/hostandtech.com\/kb\/#\/schema\/person\/b6fa79c48ddaba71af32e395c5b017ee","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/aa1edac8bbadb442e059a5b65ad45a3b2e3ce689202373b96e3e567517ae4b39?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/hostandtech.com\/kb"],"url":"https:\/\/hostandtech.com\/kb\/author\/admin_fjj7qydm\/"}]}},"_links":{"self":[{"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/posts\/202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/comments?post=202"}],"version-history":[{"count":0,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/posts\/202\/revisions"}],"wp:attachment":[{"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/media?parent=202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/categories?post=202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hostandtech.com\/kb\/wp-json\/wp\/v2\/tags?post=202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}