WordPress security hardening: the no-fluff 2026 guide

Two-factor authentication on every administrator and editor account. Not optional in 2026.

A real web application firewall in front of WordPress (Cloudflare WAF, Wordfence Premium, or Sucuri).

Strict file permissions: 644 on files, 755 on folders, wp-config.php at 600, no writable theme files in production.

Automatic security updates for WordPress core, and a tested process for plugin updates.

Offsite, encrypted, restored-and-tested backups. Daily for content sites, hourly for ecommerce.

Strict-Transport-Security with a long max-age and includeSubDomains.

Content-Security-Policy at least in report-only to learn what your site loads, then enforce.

Referrer-Policy strict-origin-when-cross-origin.

X-Frame-Options DENY or a frame-ancestors CSP directive to block clickjacking.

Hiding the WP-version in the head. Attackers fingerprint by behaviour, not by meta tags.

Renaming wp-login.php. Helpful against the dumbest bots, useless against a targeted attack.

Changing the database table prefix on an existing site. Risky for marginal benefit.

Take a forensic snapshot first so we know what changed.

Rotate every credential: WordPress admins, database, hosting, SFTP, API keys.

Reinstall core, themes, and plugins from clean sources. Never trust a file already on the server.

Scan for backdoors in uploads, mu-plugins, and outside the WordPress install.

Request reconsideration in Google Search Console if the site was flagged.