WordPress Security: The Complete Guide (2026)
WordPress powers roughly 42% of all websites on the internet. That reach makes it the single most-targeted CMS for attackers. According to Patchstack’s State of WordPress Security in 2026 report, 11,334 new vulnerabilities were discovered in the WordPress ecosystem in 2025 — a 42% increase year-over-year. Of those, 1,966 (17%) carried a high severity score indicating they were likely to be exploited in automated mass attacks.
The good news: most WordPress compromises are preventable. The attack surface — plugins, themes, weak passwords, outdated core — is well understood, and the countermeasures are concrete. This guide walks through the current threat landscape, the hardening steps that matter most, which security plugins are worth using, and how to keep a clean backup you can actually recover from.
The Current WordPress Threat Landscape
Where Vulnerabilities Come From
91% of new WordPress vulnerabilities in 2025 were found in plugins. Themes accounted for 9%. WordPress core had only 6 reported vulnerabilities, all low priority. This is a consistent pattern — the core team has robust security processes; third-party plugins vary enormously.
Premium plugins present a hidden risk. Because their source code is harder for security researchers to access, they receive less scrutiny than free plugins in the WordPress.org repository. In 2025, Patchstack found that 76% of vulnerabilities in premium WordPress components were exploitable in real attacks, and premium components had three times more Known Exploited Vulnerabilities (KEVs) than free components.
Speed of Exploitation
A patched vulnerability is only safer if site owners apply the update. The window is narrow. For the most heavily targeted vulnerabilities disclosed in 2025, the weighted median time to first exploit was 5 hours after public disclosure. Roughly half of high-impact vulnerabilities saw active exploitation within 24 hours.
Waiting to apply updates until your maintenance window is no longer a viable strategy for serious vulnerabilities. Automation matters here.
46% of Vulnerabilities Had No Patch at Disclosure
Nearly half of all vulnerabilities disclosed in 2025 had no fix from the developer by the time they were made public. This is why keeping plugins updated — while necessary — is not sufficient. You also need layered defences to catch what updates can’t.
WordPress Security Best Practices: The Hardening Checklist
1. Keep Everything Updated
WordPress core has supported automatic background updates since version 3.7. Enable them. For plugins and themes, use the automatic update option in Dashboard → Updates or a management tool that does it for you.
Delete plugins and themes you are not actively using. Inactive code that receives no updates is still exploitable.
2. Use Strong, Unique Passwords and 2FA
Brute-force attacks against /wp-login.php remain one of the most common attack vectors. A strong password (mixed case, numbers, symbols, 16+ characters) significantly raises the cost of a brute-force attempt. A password manager removes the friction of using unique credentials across every site.
Two-factor authentication (2FA) is the single most effective credential defence. Even if a password is compromised, 2FA blocks login without the second factor. WordPress.org’s own Multi-Factor Authentication documentation covers how to enable it. Plugins like Two Factor, WP 2FA, or Google Authenticator for WordPress make setup straightforward.
Never use “admin” as a username. Automated attacks specifically target this username. Rename it.
3. Harden Your File Permissions
WordPress has a recommended file permission structure. Deviating from it — especially making files world-writable — creates unnecessary exposure.
| Location | Recommended permissions |
|---|---|
| All directories | 755 |
| All files | 644 |
| wp-config.php | 400 or 440 |
| /wp-admin/ | 755 (owned by your user) |
| /wp-content/ | 755 (writable by web server) |
Set these via shell:
```bash
find /path/to/wordpress/ -type d -exec chmod 755 {} \;
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
```
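The two find commands set directory and file modes but leave wp-config.php at 644, not the 400 or 440 the table calls for. The script below is an added example, not code from the original page: it applies the full scheme including wp-config.php and then checks for anything still world-writable. The install path and the choice between 400 and 440 (which depends on whether the web server runs as the file owner or as another user in the owner's group) are assumptions.

```bash
#!/bin/sh
# Apply the recommended WordPress permission scheme (directories 755, files 644,
# wp-config.php tightened separately) and audit for world-writable leftovers.
# Added example, not from the original page; assumes a POSIX shell, a standard
# find/chmod, and a local install path such as /var/www/html.
#
# Usage: harden_wp_perms /var/www/html 440 && audit_world_writable /var/www/html

harden_wp_perms() {
  root="$1"
  # 440 if the web server runs as another user in your group, 400 if it runs as the owner.
  cfg_mode="${2:-440}"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} \;
  find "$root" -type f -exec chmod 644 {} \;
  # The blanket 644 above would leave wp-config.php (DB credentials, salts)
  # readable by every local account, so tighten it after the find runs.
  if [ -f "$root/wp-config.php" ]; then
    chmod "$cfg_mode" "$root/wp-config.php"
  fi
}

# Print every entry writable by "other" (mode bit 002); returns 1 if any exist,
# so it can gate a deploy step. Empty output with exit status 0 is the goal.
audit_world_writable() {
  found=$(find "$1" -perm -002)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}
```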
4. Disable the File Editor in wp-admin
WordPress ships with a built-in theme and plugin editor accessible from the Dashboard. If an attacker gains admin access, this is the first tool they reach for — it allows arbitrary PHP code execution with one click. Disable it by adding this line to wp-config.php:
```php
define( 'DISALLOW_FILE_EDIT', true );
```
5. Secure wp-config.php
wp-config.php contains your database credentials, security keys, and salts. Protect it with two measures:
- Move the file one directory level above the WordPress root (WordPress will find it automatically).
- Block direct HTTP access via .htaccess:
```apache
<Files "wp-config.php">
    Require all denied
</Files>
```
6. Change the Default Database Table Prefix
WordPress defaults to the wp_ table prefix. Many SQL injection attack scripts hardcode this prefix. Changing it to something random at installation time (e.g., xk8f_) blocks these automated probes. If your site is already live, plugins like Better Search Replace or a direct MySQL edit can rename the tables — take a full backup first.
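Renaming the tables is only half of the job on a live site: WordPress also stores the prefix inside data, in the option_name of the wp_user_roles row of the options table and in the usermeta meta_key values wp_capabilities and wp_user_level, and rows left with the old prefix strip every user of their role. The function below is an added example, not code from the original page; it emits the MySQL/MariaDB statements for both steps from a table list you pass in (the list in the block is constructed for a typical install) and assumes backtick identifier quoting.

```bash
#!/bin/sh
# Emit the MySQL statements that move a WordPress install from one table
# prefix to another. Added example, not from the original page; assumes
# MySQL/MariaDB. Renaming tables alone is not enough: the prefix also lives
# in options.option_name (wp_user_roles) and usermeta.meta_key
# (wp_capabilities, wp_user_level). Take a full backup before running the output.
#
# Usage: wp_prefix_migration_sql wp_ xk8f_ $(mysql -N -e 'SHOW TABLES' mydb) > migrate.sql

wp_prefix_migration_sql() {
  old="$1"; new="$2"; shift 2
  # In a LIKE pattern "_" matches any single character, so escape the
  # underscores in the old prefix to match it literally.
  like=$(printf '%s' "$old" | sed 's/_/\\_/g')
  for t in "$@"; do
    rest=${t#"$old"}
    # Skip tables that do not carry the old prefix (other apps sharing the DB).
    [ "$rest" = "$t" ] && continue
    printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "$rest"
  done
  printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, LENGTH('%s') + 1)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$old" "$like"
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, LENGTH('%s') + 1)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$old" "$like"
  printf '%s\n' "-- finally set \$table_prefix = '$new'; in wp-config.php"
}

# Constructed example: three tables from a typical install, moving wp_ to xk8f_.
wp_prefix_migration_sql wp_ xk8f_ wp_options wp_usermeta wp_posts
```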
7. Limit Login Attempts and Restrict wp-admin
WordPress does not natively limit failed login attempts. A dedicated plugin or your firewall should handle this. Restricting /wp-admin/ to known IP addresses via .htaccess or your host’s control panel is an effective second layer for sites managed by a small team.
For HTTPS-only admin access, add this to wp-config.php:
```php
define( 'FORCE_SSL_ADMIN', true );
```
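Because WordPress itself keeps no count of failed logins, the web server's access log is the quickest place to see whether a password-guessing run is under way, and a useful check alongside a limiting plugin or firewall rule. The script below is an added example, not code from the original page: it counts login POSTs per client IP in combined-format (Apache/Nginx default) log lines and, going slightly beyond the text, also counts POSTs to xmlrpc.php, which automated credential guessing uses as well. The log lines in the block are constructed so it runs offline.

```bash
#!/bin/sh
# Report client IPs with an unusual number of login POSTs in a combined-format
# access log. Added example, not from the original page. Reads log lines on
# stdin; the only argument is the threshold (default 10).
#
# Usage: wp_login_bursts 20 < /var/log/apache2/access.log

wp_login_bursts() {
  threshold="${1:-10}"
  awk -v max="$threshold" '
    # Combined log format, whitespace-split: $1 is the client IP, $6 is the
    # method with its leading quote ("POST), $7 is the request path.
    # xmlrpc.php is included because automated credential guessing also uses
    # its authenticated methods, not only the login form.
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
    END {
      for (ip in hits)
        if (hits[ip] >= max) printf "%s %d\n", ip, hits[ip]
    }' | sort -k2,2nr
}

# Constructed sample lines (not a real log) so the block runs offline:
# 203.0.113.7 posts three times, 198.51.100.9 loads the form and posts once.
SAMPLE_LOG='203.0.113.7 - - [01/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2026:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2026:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# With a threshold of 3, only 203.0.113.7 is reported.
printf '%s\n' "$SAMPLE_LOG" | wp_login_bursts 3
```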
8. Use a Web Application Firewall (WAF)
A WAF filters malicious traffic before it reaches WordPress. Three approaches exist:
- Plugin-level WAF — Wordfence, Solid Security (formerly iThemes Security), Sucuri Security. These run inside WordPress and inspect requests as they arrive.
- DNS-level WAF — Cloudflare WAF, Sucuri Website Firewall. Traffic routes through the service before reaching your server. More effective because malicious traffic is dropped before it hits your server at all.
- Server-level WAF — ModSecurity on Apache/Nginx. Requires server access but is very effective.
Note: Patchstack’s 2025 pentesting found that traditional WAFs blocked only 12% of WordPress-specific vulnerability attacks. This is not an argument against WAFs — it is an argument for layering defences, including dedicated WordPress-aware tools.
9. Run Regular Backups Off-Site
A backup strategy that lives only on the same server as your site is not a backup strategy — one server compromise wipes both. A sound backup setup has:
- Full site snapshots (database + files) on a regular schedule — daily for active sites, weekly minimum for others.
- Off-site storage — a remote location (AWS S3, Backblaze B2, Google Drive, etc.) separate from your host.
- Tested restores — a backup you have never tested restoring is of unknown value.
Plugins like UpdraftPlus, BlogVault, or JetBackup (available from some hosts) handle automated off-site backups. Many managed WordPress hosts (Kinsta, WP Engine, Cloudways) include daily off-site backups.
10. Choose Hosting That Takes Security Seriously
Shared hosting means your site shares a server with other sites. A compromise on a neighbour’s site can affect yours through server-level access. Qualities to look for in a host:
- Current, actively maintained server software (PHP, MySQL/MariaDB, nginx/Apache)
- Server-level firewall and DDoS mitigation
- Reliable backup and recovery options
- Isolation between hosted accounts (container or VM-level separation)
Managed WordPress hosts — Kinsta, WP Engine, Pressable, Cloudways — are built specifically for WordPress and typically include server hardening, automatic core updates, and integrated backup.
Recommended WordPress Security Plugins
| Plugin | Primary function | Free tier |
|---|---|---|
| Wordfence Security | WAF, malware scanner, login protection, 2FA | Yes |
| Solid Security (iThemes) | Hardening rules, brute-force protection, 2FA | Yes |
| Sucuri Security | Audit log, malware scanner, post-hack tools | Yes (scanner only) |
| All In One WP Security | Hardening checklist, firewall, login lockdown | Yes |
| WP 2FA | Two-factor authentication | Yes |
| UpdraftPlus | Automated backups with off-site storage | Yes |
Only install the plugins you will actively maintain. A security plugin on an outdated version is itself a vulnerability.
Using AI to Audit Your WordPress Site
Easy MCP AI is not a security plugin — it does not run a WAF, scan for malware, or harden file permissions. However, if you are already using Easy MCP AI to connect Claude (or another AI client) to your WordPress site, its 96 core WordPress tools include user and site management tools that are genuinely useful for security hygiene audits.
A few things you can ask Claude once connected:
- “List all admin users on this site and when each account was last active.”
- “Show me all users with editor or higher roles.”
- “List all inactive users who have not logged in for more than 6 months.”
Stale admin accounts are a persistent security risk. An attacker who obtains old credentials to a forgotten admin account gets full access. Having an AI enumerate your current user list and flag accounts you don’t recognize is a fast, low-friction audit step.
Easy MCP AI’s security architecture is worth noting for context. Credentials are encrypted with AES-256-GCM using per-provider HKDF-derived keys and stay on your own server. The plugin uses OAuth 2.1 for AI client authentication, per-tool permission scoping, and WordPress capability checks — so connecting an AI client to your site does not open new attack surface beyond what the permission model already controls.
For a deeper overview of MCP and what it enables on WordPress, see What Is MCP?
Key Facts
- 11,334 new vulnerabilities were discovered in the WordPress ecosystem in 2025, a 42% increase year-over-year (Patchstack, 2026)
- 91% of vulnerabilities were found in plugins; only 6 were found in WordPress core
- The weighted median time to mass exploitation for heavily targeted vulnerabilities is 5 hours after disclosure
- 46% of vulnerabilities disclosed in 2025 had no patch available at the time of public disclosure
- Traditional WAFs and hosting defences blocked only 12% of WordPress-specific vulnerability attacks in Patchstack’s 2025 pentesting study
- WordPress core has had automatic background security updates since version 3.7
- The most impactful single step for credential security is enabling two-factor authentication
- DISALLOW_FILE_EDIT in wp-config.php removes the built-in PHP code editor that attackers use after gaining admin access
Conclusion
WordPress security in 2026 is not about finding a single plugin and calling it done. The threat landscape — 11,000+ new vulnerabilities a year, exploitation windows measured in hours — requires layered, ongoing practice: updates applied promptly, strong credentials with 2FA, hardened file permissions, a WAF, and off-site backups you have actually tested.
The WordPress security fundamentals have not changed dramatically, but the pace of exploitation has. Automation on both sides — attackers and defenders — makes manual, infrequent maintenance increasingly risky.
→ Get Easy MCP AI from the WordPress plugin directory
Official Sources
- Hardening WordPress — WordPress Advanced Administration Handbook (last updated January 7, 2026)
- State of WordPress Security in 2026 — Patchstack (data updated February 25, 2026)
- WordPress Security Whitepaper — WordPress.org
- Multi-Factor Authentication — WordPress Advanced Administration Handbook
- Brute Force Attacks — WordPress Advanced Administration Handbook
- Easy MCP AI — WordPress Plugin Directory