WordPress Security 2026: 12 Steps That Actually Work

WordPress security 2026 relies on three pillars: updates, access control, and backups. Everything else is advanced configuration.

Antoni Seba · 24 March 2026 · 5 min read

TL;DR

  • WordPress security 2026 relies on three pillars: updates, access control, and backups. Everything else is advanced configuration.
  • 60% of WordPress breaches result from outdated plugins, not zero-day attacks.
  • 12 concrete steps with plugins and commands. No generic advice like "use strong passwords".
  • Implementation time for all 12 steps: 4-6 hours. Plugin costs: $0-100/year.
  • Security audit and GDPR compliance from $1,380 net (6,000 PLN) for businesses requiring full verification.

Why don't standard WordPress security tips work?

Most articles about WordPress security end with a list: "install Wordfence, use strong passwords, make backups". That's true, but lacks specifics: which Wordfence configuration, what kind of passwords, how often to backup and where to store them.

Below are 12 steps with concrete tools, commands, and settings. No theory.

What changed in WordPress security in 2026?

Three trends reshaped the landscape over the past 12 months. First: automated plugin scanning by bots. Attackers no longer manually search for vulnerable installations. They mass-scan all public WordPress installations looking for known CVEs. The time between vulnerability disclosure and first attacks has shrunk to hours.

Second: supply chain attacks. Several popular plugins with millions of installations were compromised by malicious code injected in updates. Verifying the plugin publisher is now as important as verifying the plugin itself.

Third: automated penetration testing tools are freely available. Anyone can run WPScan and find a vulnerability in your installation in 5 minutes.

12 steps to secure WordPress in 2026

Step 1: Enable automatic updates for core, themes, and plugins

WordPress security statistics show that most exploited vulnerabilities are known and patched. The problem: admins don't update.

Enable automatic minor updates in wp-config.php:

define('WP_AUTO_UPDATE_CORE', 'minor');

For plugins: in the WordPress dashboard, for each plugin, click the "auto-updates" icon and select "Enable auto-updates". For themes: same process in Appearance > Themes.

Exception: custom-built or heavily modified plugins. Auto-updates there might break customizations. Test on staging before enabling auto-update.

Step 2: Remove unused plugins and themes

Every installed plugin (even a deactivated one) is a potential attack vector. The Patchstack vulnerability database shows dozens of new vulnerabilities in popular plugins every month.

Rule: if you haven't used a plugin in 3+ months, delete it. Default WordPress themes (Twenty Twenty-X): delete all except the one currently active.

Step 3: Change database table prefix

The default wp_ prefix is known to every attacker. Change it during installation or via a plugin like Brozzme DB Prefix. New prefix: random string (e.g., k7q3_).

Warning: changing after installation requires backup before and verification after. Don't execute without staging tests.

Step 4: Secure wp-config.php file

wp-config.php contains database credentials. Move it one directory above public_html (WordPress will automatically find it). Add to .htaccess:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Step 5: Restrict access to wp-admin

If you administer from one IP (fixed office connection): restrict access to /wp-admin/ and wp-login.php via .htaccess:

<Files wp-login.php>
order deny,allow
deny from all
allow from YOUR_IP
</Files>

Without fixed IP: use a plugin like Loginizer or Login LockDown. Block IPs after 3-5 failed login attempts.

Step 6: Change default admin login

An account with the username admin is the first brute-force target. Create a new account with a different username and full administrator rights. Delete the old admin account, assigning all its posts to the new account when prompted during deletion.

Step 7: Enable two-factor authentication (2FA)

Even with strong passwords: 2FA blocks most brute-force and phishing attacks. Plugin: Two Factor Authentication (WP 2FA). Configuration: TOTP via Google Authenticator or Authy. Mandatory for all accounts with Editor role and above.

Step 8: Install and configure a WAF

Two options:

Wordfence Free: WAF blocks known attacks, scans files, monitors logins. Configuration: Extended Protection (requires adding rule to .htaccess), daily scanning, email notifications for suspicious activity.

Cloudflare WAF ($20/month): Filters traffic before it reaches your server. Faster than Wordfence because it doesn't load PHP. Additional benefits: CDN, DDoS protection, SSL.

Wordfence threat intelligence updates rules in real time.

Step 9: HTTPS and SSL certificate with auto-renewal

HTTPS is fundamental in 2026. Let's Encrypt certificate: free, automatically renewed every 90 days. Check if your hosting offers auto-renewal in the control panel.

After SSL installation: force HTTPS via .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Remove mixed content: HTTP resources loaded on HTTPS pages. Use Better Search Replace plugin to change URLs in the database.

Step 10: 3-2-1 backup rule

3-2-1 rule: 3 copies, 2 different media, 1 off-site.

UpdraftPlus plugin (Free): Automatic daily backup, storage in Google Drive or Dropbox (off-server). Retention: 7 versions. Configuration takes 15 minutes.

Test backup: once a month, run restore on staging environment and verify the site works.

Step 11: Disable XML-RPC if not using it

XML-RPC is an old WordPress API interface used by some mobile apps and remote publishing tools. In 2026, most integrations use REST API. XML-RPC is often used for brute-force attacks and DDoS through amplification.

Disable via .htaccess:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Or via Disable XML-RPC plugin (one-click configuration).

Step 12: Monitor logs and alerts

Install WP Activity Log or Simple History. Log: logins, plugin installations, file changes, user changes. Set email alerts for: new user registration, plugin installation, failed login (5+ times from one IP).

Minimum: check logs once weekly. For suspicious activity: review immediately.
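
As an added example (not part of the original article), a standalone Python script that applies Step 12's failed-login threshold to Apache combined-format access logs and also reports POSTs to xmlrpc.php, which Step 11 expects to be blocked. The log lines are constructed; the heuristic that a POST to wp-login.php answered with HTTP 200 is a rejected login (a successful login redirects with 302) is an assumption about default WordPress behaviour.

```python
import re
from collections import Counter

# Apache "combined" log format, as written by a default Apache/WordPress host.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not from a real server): one IP hammering the login
# form, one IP posting to xmlrpc.php, one admin who mistypes once, then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Mar/2026:10:01:00 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.9 - - [24/Mar/2026:10:01:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [24/Mar/2026:10:02:00 +0100] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Mar/2026:10:02:20 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text, login_threshold=5):  # the article's "5+ times from one IP"
    """Return {'login_bruteforce': {ip: n}, 'xmlrpc_post': {ip: n}}.

    Assumption: a POST to wp-login.php answered with 200 means WordPress
    re-rendered the form (credentials rejected); a successful login answers 302.
    """
    failed, xmlrpc = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query strings like ?action=lostpassword
        if path == "/wp-login.php" and rec["status"] == "200":
            failed[rec["ip"]] += 1
        elif path == "/xmlrpc.php":
            xmlrpc[rec["ip"]] += 1
    return {"login_bruteforce": {ip: n for ip, n in failed.items() if n >= login_threshold},
            "xmlrpc_post": dict(xmlrpc)}

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for ip, n in hits.items():
            print(f"ALERT {kind}: {ip} ({n} requests)")
```

Feed it the real access log (for example `analyse(open("/var/log/apache2/access.log").read())`) from a cron job and route the alerts to the same mailbox as the plugin notifications.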

When is self-configuration not enough?

The 12 steps above protect against 90% of common attacks. But there are scenarios requiring deeper audits.

E-commerce stores (customer payment data), companies processing sensitive personal data, public organization websites: these need full security audits and GDPR verification.

Soft Synergy conducts security audits from $1,380 (6,000 PLN). Scope: code audit, server configuration verification, penetration testing, report with recommendations. Timeline: 2-4 weeks.

Additional notes for WooCommerce stores

WooCommerce adds another attack vector: payment APIs, customer card data (via payment gateways), order history. Several additional steps specifically for e-commerce:

  • PCI DSS compliance for card-accepting stores: ensure your payment gateway (Stripe, local processors) is certified and your site doesn't store card data
  • Webhook verification: validate Stripe/payment processor signatures on every webhook
  • Separate role for store manager: don't give full administrator permissions to someone managing products
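
The webhook check from the second bullet, as an added Python example that is not the store's own code (in WooCommerce the check lives in the PHP webhook handler, and Stripe's official libraries implement it for you). It follows Stripe's published Stripe-Signature scheme: the header carries t=<unix timestamp> and one or more v1=<hex> values, and each v1 is HMAC-SHA256 over "<t>.<raw body>". The secret, event body and timestamp below are constructed placeholders.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # Stripe's default replay window: reject events older than 5 minutes

def sign_payload(secret, raw_body, timestamp):
    """v1 signature as Stripe computes it: HMAC-SHA256(secret, "<t>.<raw body>")."""
    signed = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()

def verify_webhook(raw_body, signature_header, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only if one v1 signature matches and the timestamp is fresh.

    raw_body must be the exact bytes received: re-serialising the JSON changes
    the HMAC input. Several v1 values may be present while a secret is rotated.
    """
    now = int(time.time()) if now is None else now
    timestamp, candidates = None, []
    for item in signature_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False  # malformed or missing header
    if abs(now - int(timestamp)) > tolerance:
        return False  # stale or replayed event
    expected = sign_payload(secret, raw_body, timestamp)
    # compare_digest keeps the comparison constant-time
    return any(hmac.compare_digest(expected, c) for c in candidates)

# Constructed demo values (placeholder secret, fake event); not real Stripe data.
DEMO_SECRET = "whsec_PLACEHOLDER_constructed"
DEMO_BODY = b'{"id":"evt_constructed","type":"checkout.session.completed"}'
DEMO_TS = 1774342800

if __name__ == "__main__":
    header = f"t={DEMO_TS},v1={sign_payload(DEMO_SECRET, DEMO_BODY, DEMO_TS)}"
    print(verify_webhook(DEMO_BODY, header, DEMO_SECRET, now=DEMO_TS + 10))         # True
    print(verify_webhook(DEMO_BODY, header, DEMO_SECRET, now=DEMO_TS + 1000))       # False: too old
    print(verify_webhook(DEMO_BODY + b" ", header, DEMO_SECRET, now=DEMO_TS + 10))  # False: body altered
```

Only after verify_webhook returns True should the order status be changed; an unsigned or stale webhook is simply discarded with a 4xx response.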

More about secure e-commerce in our knowledge center.
