WordPress security: a no-nonsense checklist
Ten security steps that account for 95% of real WordPress attacks. Skip the security-plugin theater and do the basics properly.
The boring stuff that matters most
Almost every WordPress site that gets hacked falls to one of three things: a known plugin vulnerability with a patch the owner didn't install, a weak admin password, or a compromised hosting account on a poorly-isolated shared server.
Fix those three and you've eliminated the vast majority of real-world risk.
The actual checklist
Use a password manager and a 16+ character random admin password. Enable two-factor authentication for all admin accounts. Disable the 'admin' username — create a new admin and delete the old one.
Set core, themes, and plugins to auto-update. Remove every plugin and theme you're not using. Check the plugin's last-updated date before installing anything — abandoned plugins are landmines.
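The two checklist paragraphs above, as an added WP-CLI script (example code, not from the original post). It assumes WP-CLI (`wp`) is installed and is run from the WordPress root, that `curl` can reach the wordpress.org plugin-info endpoint, and that `NEW_ADMIN`, `NEW_EMAIL` and `STALE_CUTOFF` are placeholders you replace with your own values. Two-factor authentication is configured per account in the dashboard, so it is not scripted here.

```shell
#!/bin/sh
# Added example: the "actual checklist" as WP-CLI steps. Not the post's own code.
# Assumes: wp-cli installed, run from the site root; NEW_ADMIN/NEW_EMAIL are placeholders.
set -eu

NEW_ADMIN="${NEW_ADMIN:-siteowner}"          # placeholder login for the replacement admin
NEW_EMAIL="${NEW_EMAIL:-owner@example.com}"  # placeholder e-mail address
PASS_LEN=24                                  # comfortably above the 16-character floor

# 24 random alphanumerics from the kernel CSPRNG; paste the result into your password manager.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$PASS_LEN"
    echo
}

# Compare a plugin's "last_updated" stamp (wordpress.org API format, e.g. "2022-05-10 3:21pm GMT")
# against a YYYY-MM-DD cutoff. The date prefix sorts lexically, so expr's string "<" is enough.
plugin_staleness() {
    day="${1%% *}"
    if expr "$day" \< "$2" >/dev/null; then echo stale; else echo ok; fi
}

# Ask wordpress.org when a plugin was last updated and judge it against the cutoff.
check_plugin_age() {
    stamp=$(curl -fsS "https://api.wordpress.org/plugins/info/1.0/$1.json" \
        | sed -n 's/.*"last_updated":"\([^"]*\)".*/\1/p')
    if [ -z "$stamp" ]; then
        echo "$1: not on wordpress.org, check the vendor's changelog by hand"
    else
        echo "$1: last updated $stamp -> $(plugin_staleness "$stamp" "$2")"
    fi
}

# Retire the well-known "admin" login: create the replacement, hand over its content, delete it.
rotate_admin_user() {
    pass=$(gen_password)
    new_id=$(wp user create "$NEW_ADMIN" "$NEW_EMAIL" --role=administrator \
        --user_pass="$pass" --porcelain)
    echo "created $NEW_ADMIN (ID $new_id); password: $pass"
    if wp user get admin --field=ID >/dev/null 2>&1; then
        wp user delete admin --reassign="$new_id" --yes
    fi
}

# Auto-updates for core (wp-config constant), every plugin and every theme.
enable_auto_updates() {
    wp config set WP_AUTO_UPDATE_CORE true --raw
    wp plugin auto-updates enable --all
    wp theme auto-updates enable --all
}

# Inactive code is still reachable code: delete every plugin and theme that is not in use.
prune_inactive() {
    wp plugin list --status=inactive --field=name | xargs -r -n1 wp plugin delete
    wp theme list --status=inactive --field=name | xargs -r -n1 wp theme delete
}

# Nothing runs until you opt in, so the file can be sourced or dry-read safely.
if [ "${1:-}" = "--apply" ]; then
    rotate_admin_user
    enable_auto_updates
    prune_inactive
    # Flag what is left: anything untouched for two years is a removal candidate.
    STALE_CUTOFF="${STALE_CUTOFF:-$(date -d '2 years ago' +%F)}"   # GNU date; set explicitly elsewhere
    for slug in $(wp plugin list --field=name); do
        check_plugin_age "$slug" "$STALE_CUTOFF"
    done
fi
```

Run it as `sh harden.sh --apply` after a backup; the plugin-age report at the end is what you consult before installing anything new as well, by calling `check_plugin_age <slug> <cutoff>` on its own.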
What security plugins actually do
Wordfence, Sucuri, and iThemes Security mostly do: brute-force login protection, malware scanning, and notifications. Useful, but they're not magic.
If you've handled the basics above, a security plugin is incremental insurance. If you haven't, no security plugin will save you.