WordPress Security Checklist 2026: 15 Must-Do Steps to Protect Your Site

In 2026, a WordPress site is hacked somewhere on the internet every 39 seconds. India is among the top 10 countries targeted by automated WordPress scanning bots, and Indian businesses are particularly vulnerable because local hosting infrastructure is often older and because many site owners do not know that their website requires active security maintenance after launch.

The good news is that the vast majority of WordPress hacks are entirely preventable. Research consistently shows that over 95% of successful WordPress attacks exploit known vulnerabilities (outdated plugins, weak passwords, unprotected admin pages) that could have been fixed in minutes. This checklist covers the 15 most effective security measures you can implement, roughly in order of priority.

Before You Start

Take a full backup of your site before making any security changes. This ensures you have a safe restore point if anything goes wrong during implementation. If you do not currently have a reliable backup, start there.

Hosting and Server Security (Steps 1–3)

Not all web hosting is equal from a security standpoint. Quality hosting providers run server-level malware scanning, maintain automatic firewalls, keep their server software patched, and isolate your account from other accounts on the same server (so one hacked site cannot infect yours). Look for hosts that explicitly advertise “Imunify360”, “ModSecurity”, or “SiteLock” protection.

For Indian businesses, reliable options include: SiteGround (Singapore data centre), Cloudways, or any VPS with cPanel + Imunify360. Avoid the very cheapest Indian shared hosting: security infrastructure is often the first thing cut to keep prices low.

Older PHP versions (7.4 and below) no longer receive security patches from the PHP development team. Running end-of-life PHP means server-level security vulnerabilities go unpatched regardless of what WordPress or plugin updates you apply. Log into cPanel and switch to PHP 8.1 or 8.2.

By default, some web servers will show a list of all files in a directory if no index file exists, exposing your file structure to anyone who knows to look. Add the following line to your .htaccess file to prevent this:

    Options -Indexes

WordPress Core and Plugin Security (Steps 4–7)

WordPress core updates patch security vulnerabilities as they are discovered. For minor updates (e.g., 6.5.1 to 6.5.2), automatic updates are safe and strongly recommended. In wp-config.php, add the following line (with straight quotes, not the curly quotes a web page may show), or enable this via your hosting control panel:

    define('WP_AUTO_UPDATE_CORE', true);

Major version updates (6.5 to 6.6) should be tested manually.
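The three configuration items above (PHP version, directory listing, core auto-updates) can be checked with a small script. The following is an added example, not code from the article; it assumes you can supply the PHP version string from php -v or your host's panel, the text of .htaccess and the text of wp-config.php, and that your host honours Options directives in .htaccess.

```python
"""Added example (not from the article): verify three checklist items from
local inputs: the PHP version string (from `php -v` or the host panel), the
text of .htaccess, and the text of wp-config.php."""
import re

MIN_PHP = (8, 1)   # the article's minimum; 7.4 and below are end-of-life

def php_is_supported(version, minimum=MIN_PHP):
    """True when a version string such as "8.2.14" meets the minimum."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:2]]
    return tuple(nums + [0, 0])[:2] >= minimum

def directory_listing_disabled(htaccess_text):
    """True when an uncommented 'Options ... -Indexes' directive is present
    (it only takes effect if the host allows Options overrides in .htaccess)."""
    for line in htaccess_text.splitlines():
        code = line.split("#", 1)[0].strip()        # drop Apache comments
        if re.match(r"Options\s+(?:\S+\s+)*-Indexes\b", code, re.I):
            return True
    return False

def core_auto_update_enabled(wp_config_text):
    """True when wp-config.php defines WP_AUTO_UPDATE_CORE as true or 'minor'.
    Curly quotes copied from a web page do not match (PHP would not parse
    them either), so only straight quotes count."""
    define = re.compile(r"""define\(\s*['"]WP_AUTO_UPDATE_CORE['"]\s*,\s*"""
                        r"""(?:true|['"]minor['"])\s*\)""", re.I)
    for line in wp_config_text.splitlines():
        code = re.split(r"//|#", line, maxsplit=1)[0]   # drop PHP line comments
        if define.search(code):
            return True
    return False

def audit(php_version, htaccess_text, wp_config_text):
    """Map each check to True (pass) or False (fail) for a report."""
    return {"php_8_1_or_higher": php_is_supported(php_version),
            "directory_listing_disabled": directory_listing_disabled(htaccess_text),
            "core_auto_updates_enabled": core_auto_update_enabled(wp_config_text)}

if __name__ == "__main__":
    # Constructed sample inputs for a site that passes all three checks.
    htaccess = "# BEGIN hardening\nOptions -Indexes\n"
    wp_config = ("<?php\n// define('WP_AUTO_UPDATE_CORE', false);\n"
                 "define('WP_AUTO_UPDATE_CORE', true);\n")
    for check, ok in audit("8.2.14", htaccess, wp_config).items():
        print("PASS" if ok else "FAIL", check)
```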

The number one cause of WordPress hacks is outdated plugins with known vulnerabilities. The WordPress vulnerability database is publicly accessible: hackers scan for sites running old versions and exploit them automatically within hours of a vulnerability being published. Check for plugin updates at least weekly, and consider a managed WordPress maintenance plan if you cannot commit to this.

Delete (do not just deactivate) any plugins you are not actively using. Inactive plugins can still be exploited, because their files stay on the server and remain reachable.

Only install plugins from the official WordPress plugin repository or from reputable premium marketplaces (CodeCanyon, the developer's official website). Never install nulled (pirated) plugins or themes; they almost universally contain backdoor code that gives attackers admin access to your site.

WordPress installs three default themes (Twenty Twenty-One, Twenty Twenty-Two, etc.) that most sites never use. Even inactive themes can contain vulnerabilities. Delete every theme you do not actively use; keep only your active theme and, if it is a child theme, its parent theme.

Login and Access Security (Steps 8–11)

Never use “admin” as your WordPress username. This is the first username every brute-force attack tries. If your username is still “admin”, create a new administrator account with a different username, transfer all content to the new account, and delete the “admin” account.

Your WordPress admin password should be at least 16 characters, include uppercase, lowercase, numbers, and symbols, and be unique, never reused from any other service. Use a password manager (Bitwarden is free and excellent) to generate and store it. Require all contributor and editor accounts to use strong passwords as well.

Two-factor authentication (2FA) means that even if an attacker obtains your password, they cannot log in without also having your phone. Install the “WP 2FA” plugin (free) and require 2FA for all users with administrator or editor roles. Use an authenticator app (Google Authenticator or Authy) rather than SMS-based 2FA, which is easier to intercept.

By default, WordPress allows unlimited login attempts, making it vulnerable to brute-force attacks. Install “Limit Login Attempts Reloaded” (free) to block IP addresses after 3–5 failed attempts. Optionally, change your login URL from the default /wp-admin/ to a custom path using a plugin like “WPS Hide Login”; this eliminates automated targeting of your login page entirely.

Backup and Recovery (Steps 12–13)

A backup stored on the same server as your site is useless if the server is compromised. Your backups must be stored in a different location: Google Drive, Amazon S3, Dropbox, or a dedicated backup service. Use UpdraftPlus (free) to schedule automatic daily database backups and weekly full-site backups to your chosen cloud storage.

Test your backup restoration process at least once every quarter. A backup you have never tested is a backup you cannot trust.

Keep at least 30 days of backup history. Security incidents are often discovered days or weeks after they occur, so a 7-day backup window may not give you a clean restore point. For eCommerce sites where order data changes daily, daily backups with 30-day retention are the minimum acceptable standard.

Firewall and Monitoring (Steps 14–15)

A WAF sits between your website and incoming traffic, blocking malicious requests before they reach WordPress. The two most accessible options for Indian WordPress sites are: Cloudflare (free plan provides basic WAF protection at the DNS level) and Wordfence Security (free plugin with WordPress-level firewall rules). For maximum protection, use both: Cloudflare blocks attacks at the network level, and Wordfence blocks anything that gets through at the application level.

You cannot protect what you cannot see. Set up active monitoring so you are immediately alerted to suspicious activity. Wordfence sends email alerts for failed login attempts, file changes, and known malware signatures. Combine this with uptime monitoring (UptimeRobot, free) so you are notified immediately if your site goes down, which is often the first visible sign of a serious security incident.
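To see what a file-change alert is based on, here is an added example (not code from the article or from Wordfence) that takes a SHA-256 baseline of a directory such as wp-content/plugins and reports files added, modified or removed since. It assumes the baseline is stored somewhere the web server cannot overwrite, for the same reason backups are kept off-site.

```python
"""Added example (not from the article): a file-change monitor of the kind behind
Wordfence's "file changed" alerts. Baseline a directory (e.g. wp-content/plugins)
with SHA-256 digests, keep the baseline off the server, and diff against it later."""
import hashlib
import json
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifests(baseline, current):
    """List files added, modified or removed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p]),
            "removed": sorted(baseline.keys() - current.keys())}

def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, sort_keys=True, indent=2))

def load_manifest(path):
    return json.loads(Path(path).read_text())

def demo():
    """Constructed scenario: baseline a fake plugin directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"
        plugin.mkdir()
        (plugin / "example-plugin.php").write_text("<?php // original\n")
        (plugin / "readme.txt").write_text("Example plugin\n")
        baseline = build_manifest(tmp)          # in practice: save_manifest() off-site
        # Simulated tampering: one file edited, one unexpected file added, one deleted.
        (plugin / "example-plugin.php").write_text("<?php // modified\n")
        (plugin / "wp-cache.php").write_text("<?php // not part of the plugin\n")
        (plugin / "readme.txt").unlink()
        return diff_manifests(baseline, build_manifest(tmp))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any entry in the modified or added lists that does not correspond to an update you performed yourself is the cue to restore from a known-good backup and investigate.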

WordPress Security Audit: Quick Self-Assessment

Security Check | Done | To Do
--- | --- | ---
PHP version 8.1 or higher | ☐ | ☐
WordPress core auto-updates enabled | ☐ | ☐
All plugins updated this week | ☐ | ☐
Unused themes and plugins deleted | ☐ | ☐
Admin username is not “admin” | ☐ | ☐
Admin password is 16+ characters, unique | ☐ | ☐
2FA enabled for all admin accounts | ☐ | ☐
Login attempts limited to 5 or fewer | ☐ | ☐
Automated daily backup to off-site storage | ☐ | ☐
30+ days backup retention | ☐ | ☐
Cloudflare or server-level WAF active | ☐ | ☐
Wordfence or similar security plugin installed | ☐ | ☐
Directory listing disabled in .htaccess | ☐ | ☐
Google Search Console monitoring active | ☐ | ☐
Uptime monitoring configured | ☐ | ☐

Not sure if your WordPress site is secure? Xylus Info offers a free WordPress security audit covering all 15 points above. We will identify every vulnerability on your current site and give you a prioritised remediation plan, even if you choose to fix the issues yourself.
