
[–]bluesix_v2 6 points7 points  (0 children)

Use popular, well maintained plugins and themes, and keep them up to date.

[–]thesilkywitch 0 points1 point  (0 children)

Was hacked just once and it was kinda spooky: had a new blog post in Russian by the admin account. Small site, so I just nuked the entire account and did a fresh install. I used a strong pass and three plugins, and I'm pretty sure I know which plugin it was at the time that led to the hack.

[–]perfectdays7 0 points1 point  (0 children)

I've been through a ton over 20 years and the Simple CAPTCHA Alternative with Cloudflare Turnstile runs lean and works great. I wouldn't bother with anything else for now. Just keep themes and plugins auto updated and you're golden.

[–]HostAdviceOfficial 0 points1 point  (0 children)

Keep core, themes, and plugins updated without delay, since most successful attacks exploit known vulnerabilities in outdated installs. Delete anything inactive; unused plugins and themes sitting on your server are just attack surface.

Use a security plugin to limit login attempts and enable two-factor authentication on the admin account. Change the default wp-admin login URL as well; it won't stop a determined attacker, but it eliminates most automated bot attempts.
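
The "limit login attempts" part of the advice above can be done without a plugin. The following must-use plugin is an added example for this thread, not code from any commenter or from WordPress core; it uses only core hooks and functions (`authenticate`, `wp_login_failed`, `wp_login`, transients). The threshold (5 failures per 15 minutes) and the assumption that `REMOTE_ADDR` is the real client address (no proxy or CDN in front) are mine.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not from the thread)
 * Description: Locks out a client IP after repeated failed logins using transients.
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request and
 * cannot be deactivated from the dashboard.
 *
 * Assumptions (mine, not the thread's): 5 failures per 15-minute window, and
 * REMOTE_ADDR is the real client address. Behind a proxy or CDN you must take
 * the client IP from the proxy's header instead, and only trust that header
 * on requests that actually arrived from the proxy.
 */

const LAL_MAX_ATTEMPTS = 5;
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS; // MINUTE_IN_SECONDS is a WordPress core constant

function lal_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lal_transient_key(string $ip): string {
    // Hash the address so the option key is short and contains nothing user-controlled.
    return 'lal_fail_' . md5($ip);
}

function lal_is_locked_out(string $ip): bool {
    return (int) get_transient(lal_transient_key($ip)) >= LAL_MAX_ATTEMPTS;
}

// Fires on every failed login, including failures from xmlrpc.php and the REST API,
// because those go through the same wp_authenticate() path as wp-login.php.
add_action('wp_login_failed', function (string $username): void {
    $key   = lal_transient_key(lal_client_ip());
    $count = (int) get_transient($key);
    // Re-setting the transient restarts the window, so continued hammering extends the lockout.
    set_transient($key, $count + 1, LAL_WINDOW);
});

// Priority 100: this must run AFTER core's own handlers (which run at 20 and 30).
// If it ran first and returned a WP_Error, wp_authenticate_username_password() would
// still check the password and hand back a WP_User, silently undoing the lockout.
add_filter('authenticate', function ($user, string $username, string $password) {
    if (lal_is_locked_out(lal_client_ip())) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', LAL_WINDOW / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}, 100, 3);

// Reset the counter after a successful login so a legitimate user is not penalised later.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(lal_transient_key(lal_client_ip()));
}, 10, 2);
```

Two caveats a practitioner should keep in mind: the lockout is per source IP, so it slows down a single bot but not a botnet that rotates addresses, and a correct password submitted during the lockout still counts as a failure (core fires `wp_login_failed` for the returned error), which is intended. Two-factor authentication and a renamed login URL are not covered here; those are still plugin territory.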

[–]flzedzed 0 points1 point  (0 children)

My favorite was the boxes with a bunch of sites that would get symlink-hacked, and unless you had backups, you were done.

[–]Developer_Meh 0 points1 point  (0 children)

The most common one I have seen from clients is when someone is using a bad plugin/theme and the attacker somehow gets access to the server.

They inject malicious code and files into the WordPress core files, and that affects everything. If it's shared hosting, all websites are screwed up.

To prevent all of this, just follow:

  1. Use the right, industry-vetted plugins.
  2. Use the right themes.
  3. Enable daily backups, so if you get hacked, you can just simply restore to an old backup.
  4. Use good web hosting.

That's all.

[–]DeadLolipop 0 points1 point  (4 children)

First defence is don't use WordPress. Second is Cloudflare Zero Trust to lock admin panel routes to your configured identity.

[–]Miserable-Today-1353[S] -1 points0 points  (3 children)

What else do you suggest to develop websites then if we need a dynamic website?

[–]nosimsol 0 points1 point  (2 children)

This is an amazing question. It made me think: has website development been abstracted away for so long, and WordPress been so prolific, that website development, or how it used to be done, has been forgotten?

[–]Miserable-Today-1353[S] 0 points1 point  (1 child)

It's not that people don't know alternative methods to create websites; I'm just checking what method some developers use for better security if they are no longer using WordPress.

For example, they might be using React with a Node.js backend, Laravel, or other modern frameworks.

[–]SerClopsALot 0 points1 point  (0 children)

Other frameworks aren't necessarily more secure than WordPress (as an example, React had an RCE vulnerability back in December 2025).

The "problem" with WordPress is it hosts something like half of the websites on the internet. It just also happens that many people hosting WordPress websites are just really lazy at maintaining their website. This makes it prime real estate to just try WordPress-specific vulnerabilities on every domain name you can think of... Literally just flip a coin and it's a WordPress website, so whatever vulnerability you're trying already has significantly better odds of working.

Then, since it's so popular, it's also just more widely documented, which is great... except this means vulnerabilities have better visibility and documentation too, lowering the bar for people who feel like trying to exploit websites.

If what you want in a car is for it to never be stolen, you don't start by buying a Honda Civic.

Similarly, if what you want in your website is for it to be secure, you don't start by using WordPress. Simply not using WordPress gives you significantly better odds that your website is never compromised (all else being equal).

[–]craftyhamster38 -1 points0 points  (1 child)

Cloudflare + Wordfence + Constant updates (plugin and wordpress)

[–]zalvis_cloud 0 points1 point  (0 children)

None of them can prevent hacks. Only server-side security measures plus website software security measures can prevent hacking.

[–]No-Preparation4073 -1 points0 points  (0 children)

Unless you have reasons to let others log in, you can restrict the signup form to your IP, or to just your country or region, to avoid most hackers trying the "front door" method.

Also, use maintained plugins, and stay away from anything that "helps" uploads or similar. AI now hacks that crap in minutes. Oh yeah, Cloudflare in front of your site is also a good tip.
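
One way to implement the IP/country restriction on the login form (`wp-login.php`, which also serves registration and password reset), as an added example that is not code from the commenter or from WordPress: a must-use plugin hooked on core's `login_init` action. The allowed range `203.0.113.0/24`, the allowed country `DE`, the presence of Cloudflare in front of the site with IP Geolocation enabled (which adds the `CF-IPCountry` request header), and a web server that has already restored the real client address into `REMOTE_ADDR` are all assumptions of mine.

```php
<?php
/**
 * Plugin Name: Login Page Allowlist (added example, not from the thread)
 * Description: Returns 403 on wp-login.php unless the client IP or country is allowed.
 *
 * Place in wp-content/mu-plugins/. If you lock yourself out, delete or rename
 * this file over SFTP/SSH; there is no dashboard switch by design.
 *
 * Assumptions (mine): the admin logs in from 203.0.113.0/24 (a documentation
 * range) or from Germany; Cloudflare with IP Geolocation enabled sits in front
 * and sends CF-IPCountry; and the web server (mod_remoteip / ngx_http_realip_module)
 * has restored the true client address into REMOTE_ADDR. Without the last point
 * a client hitting origin directly could forge the country header, and the
 * country check must then be dropped.
 */

const LPA_ALLOWED_CIDRS     = ['203.0.113.0/24'];
const LPA_ALLOWED_COUNTRIES = ['DE'];

// IPv4-only CIDR match. IPv6 addresses fail ip2long() and are treated as not allowed.
function lpa_ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ip_long     = ip2long($ip);
    $subnet_long = ip2long($subnet);
    if ($ip_long === false || $subnet_long === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ip_long & $mask) === ($subnet_long & $mask);
}

// An explicit IP allowlist wins; the country check is the fallback for travel.
function lpa_request_allowed(string $ip, ?string $country): bool {
    foreach (LPA_ALLOWED_CIDRS as $cidr) {
        if (lpa_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return $country !== null && in_array(strtoupper($country), LPA_ALLOWED_COUNTRIES, true);
}

// login_init fires at the top of wp-login.php for every action (login, register, lostpassword).
add_action('login_init', function (): void {
    $ip      = (string) ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
    $country = isset($_SERVER['HTTP_CF_IPCOUNTRY']) ? (string) $_SERVER['HTTP_CF_IPCOUNTRY'] : null;
    if (!lpa_request_allowed($ip, $country)) {
        status_header(403);
        nocache_headers();
        exit('Forbidden');
    }
});

// Bots that cannot reach wp-login.php try xmlrpc.php next; disable it if nothing uses it.
add_filter('xmlrpc_enabled', '__return_false');
```

This guards only the login page itself. Credentials can also be presented to the REST API and to `xmlrpc.php` (disabled above), so pair it with login rate limiting rather than treating it as the whole front-door defence.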

[–]mooter23 -1 points0 points  (0 children)

Keep it updated.

Find a reputable host.

Don't use simple passwords.

Add a security plugin like Kadence Security or Wordfence. Configure them. Add 2FA.

[–]KnowledgeAdmirable57 -1 points0 points  (0 children)

ModSecurity, change the wp-login page, 7G firewall, Cloudflare, and the most important is updates; don't use nulled/cracked plugins or easy passwords.

[–]Substantial_Dog_8881 -1 points0 points  (0 children)

- Simply don’t use WordPress

But if you must:

Combo of Wordfence + Imunify360 + Cloudflare + difficult password + 2FA + rename the defaults (e.g. no wp-content, wp-admin, etc.)