How to Secure WordPress


WordPress is the most targeted CMS on the internet. These steps significantly reduce the risk of your site being hacked.

1. Keep everything updated

Always run the latest version of WordPress core, all plugins, and your theme. Outdated software with known vulnerabilities is the number one way sites get hacked. See the update guide in this knowledge base.

2. Use strong passwords and change the admin username

  • Never use the username admin — it is the first one attackers try
  • Create a new administrator account with a unique username, then delete the old admin account
  • Use a password of at least 16 characters with mixed case, numbers, and symbols

3. Install a security plugin

A security plugin monitors your site and blocks attacks. Good free options:

  • Wordfence Security — firewall, malware scanner, login protection
  • Sucuri Security — security hardening, activity auditing

4. Limit login attempts

By default, WordPress allows unlimited login attempts. Brute-force bots exploit this. Install Limit Login Attempts Reloaded or use the feature built into Wordfence to block IPs after a set number of failed attempts.

5. Enable two-factor authentication

Add a second layer of login security. The WP 2FA plugin is easy to set up and supports authenticator apps.

6. Disable XML-RPC if not needed

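XML-RPC is a legacy remote publishing feature that is frequently abused for brute-force attacks. If you do not use apps like Jetpack that require it, disable it by adding this to your .htaccess:

# Deny all requests to xmlrpc.php. This is Apache 2.2 syntax; on Apache 2.4
# without mod_access_compat, use "Require all denied" in place of the two lines below.
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>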

7. Set correct file permissions

Correct permissions prevent unauthorized file access:

  • Folders: 755
  • Files: 644
  • wp-config.php: 600

You can set permissions in cPanel File Manager by right-clicking a file or folder and selecting Change Permissions.
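
If you have SSH access, the same check can be run from the shell. This is an added example, not part of the original article: it lists every path whose mode differs from the values above and can reset them. The function names and the install path passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit and reset permissions on a WordPress tree.
# Target modes are the ones listed in step 7: folders 755, files 644,
# wp-config.php 600. The install path is supplied by the caller.

# Print every path whose mode differs from its target.
# Returns 0 when the tree is clean, 1 when anything was printed.
wp_perm_audit() {
    root=${1%/}
    bad=$(
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" -type f ! -perm 600
        fi
    ) || true
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Apply the target modes. Symlinks are left alone: -type d / -type f
# do not match them, so chmod never follows a link out of the tree.
wp_perm_fix() {
    root=${1%/}
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 \
        -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
    return 0
}

# Usage: sh wp-perms.sh /path/to/wordpress [--fix]
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then wp_perm_fix "$1"; fi
    wp_perm_audit "$1"
fi
```

Run the audit first and read the list before using `--fix`: a folder showing up as 777 is worth investigating, not just resetting.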

8. Take regular backups

Even with all precautions, have a backup plan. Use cPanel Backup to download weekly backups, or install a plugin like UpdraftPlus to automate backups to cloud storage.

