WordPress security is something many website owners only think about after they have been hacked. A compromised WordPress site can be taken offline, have its content replaced with spam, be used to distribute malware to your visitors, or lose years of search engine rankings overnight. The consequences for a South African business — lost revenue, damaged reputation, recovery costs — can be severe. The good news is that most WordPress security incidents are entirely preventable. This checklist covers the most important steps to protect your WordPress website before a problem occurs.

Why WordPress Sites Get Targeted

WordPress is the world's most popular content management system, which makes it the most targeted. Attackers do not always target specific sites — they use automated bots to scan the internet for sites running vulnerable versions of WordPress, themes, or plugins. If your site is running outdated software with known security vulnerabilities, it will likely be found and exploited eventually, regardless of how small or obscure your website is. The solution is to remove as many of these vulnerabilities as possible through consistent maintenance and proactive WordPress security measures.

The most common attack vectors for WordPress sites include brute-force login attempts (automated bots trying thousands of username and password combinations), exploitation of known vulnerabilities in outdated plugins or themes, and injection attacks through poorly coded forms or comment sections. Most of these attacks are entirely automated and opportunistic — they are not targeted at you personally, but they are effective if your defences are weak.

Your WordPress Security Action Plan

Keep everything updated. The single most important WordPress security action you can take is keeping WordPress core, all plugins, and your theme updated. Software updates frequently include security patches for known vulnerabilities. Enable automatic updates for minor WordPress releases. Check for plugin and theme updates at least once a week. Delete plugins and themes you are not actively using — inactive plugins with security vulnerabilities are just as dangerous as active ones.

Use strong, unique passwords everywhere. Use a strong, unique password for your WordPress admin account, your hosting control panel, your FTP account, and your database. A strong password is at least 16 characters and combines uppercase and lowercase letters, numbers, and symbols. Use a password manager like Bitwarden (free) or 1Password to generate and store strong passwords — you do not need to memorise them.

Change the default admin username. WordPress historically used "admin" as the default username, and many sites still use it. Attackers assume "admin" is the username and target it with brute-force attacks. If your username is "admin," create a new administrator account with a different username, log in with the new account, and delete the old admin account.

Enable two-factor authentication. Two-factor authentication (2FA) adds a second verification step to your login process — typically a time-based code from an authenticator app on your phone. Even if an attacker has your password, they cannot log in without the second factor. The Wordfence or WP 2FA plugins make it straightforward to enable two-factor authentication on your WordPress site.

Install a security plugin. A dedicated WordPress security plugin provides a web application firewall, malware scanning, login protection, and real-time monitoring. Wordfence Security and Sucuri Security are the two most widely used options. Both offer free versions that are sufficient for most South African business websites. Configure the firewall, run regular malware scans, and act on any alerts the plugin sends you.

Limit login attempts. By default, WordPress allows unlimited login attempts, making it easy for bots to run brute-force attacks. Install a plugin that limits failed login attempts and temporarily blocks IP addresses that repeatedly fail. Wordfence includes this functionality, or you can use a dedicated plugin like Login LockDown.

Implement regular backups. Backups are your last line of defence. If your site is ever compromised, a recent clean backup means you can restore it quickly and completely. Use UpdraftPlus to schedule automatic backups to a remote location — Google Drive or Dropbox work well. Keep at least the last 30 days of daily backups. Test your restore process periodically to confirm that backups are working and complete.

Use HTTPS. If your site is still running on HTTP rather than HTTPS, fix this immediately. An SSL certificate encrypts data between your site and your visitors' browsers. Most South African hosting providers offer free SSL certificates through Let's Encrypt. HTTPS is also a ranking factor in Google Search, so moving to HTTPS improves both your WordPress security and your SEO simultaneously.

Disable file editing in the WordPress dashboard. WordPress includes a built-in code editor that allows you to edit theme and plugin files directly from the admin dashboard. If an attacker gains access to your admin panel, they can use this editor to inject malicious code. Disable it by adding define('DISALLOW_FILE_EDIT', true); to your wp-config.php file.

WordPress security is not a one-time task — it is an ongoing practice. Schedule monthly security reviews, keep your software updated, and monitor your site for unusual activity. A few hours spent on proactive WordPress security will save you from days of stressful recovery work later.