Development

How to stop hackers from compromising your WordPress: 8 critical settings

10 May 2026 · 6 min read

WordPress powers 43% of all websites in the world. That makes it the favorite target of automated attackers. The good news is that most successful attacks take advantage of default settings that can be fixed in under an hour. Here are the 8 most important ones.

Important fact: 90% of compromised WordPress sites are due to outdated plugins or weak passwords, not vulnerabilities in the WordPress core. The configuration you are about to read mitigates exactly that.

01

Change the database table prefix

By default, WordPress uses the wp_ prefix for all its tables. Automated SQL injection attempts assume this prefix and test for it directly. Changing the prefix during installation removes a trivial attack vector.

How to do it: During installation, change "wp_" to something like "nx7k_" or any random combination. If you already have the site installed, use the Brozzme DB Prefix & Tools Add-on plugin.

02

Delete the default "admin" user

The username "admin" is the first one brute-force attacks try. If you keep it, the attacker already has half the work done — they just need the password.

How to do it: Create a new admin user with a non-obvious name, transfer content to the new user, and delete the original "admin" user.

03

Use strong and unique passwords

A password like "company2026" can be cracked in seconds with dictionary attacks. WordPress generates secure passwords automatically — use them, or use a password manager.

How to do it: Minimum 16 characters, with uppercase, numbers, and symbols. Never reuse passwords across services. Enable 2FA for all administrators.

04

Enable Two-Factor Authentication (2FA)

Even if someone gets your password, 2FA prevents access without the second factor (your phone). It is the highest-impact, lowest-effort measure on any WordPress site.

How to do it: Recommended plugins: WP 2FA or Google Authenticator. Enforce it for all users with the Editor role or higher.

05

Limit failed login attempts

By default, WordPress allows unlimited login attempts. A brute-force attack can test thousands of passwords per hour. Limiting attempts makes this unviable.

How to do it: Recommended plugin: Limit Login Attempts Reloaded. Configure it to block IPs after 5 failed attempts for 20 minutes.

06

Keep WordPress, themes, and plugins updated

60% of known vulnerabilities in WordPress have a patch available — the problem is nobody installs it. Every pending update is a vulnerability with a public exploit.

How to do it: Enable automatic updates for the WordPress core (at least security ones). Manually review plugins and themes at least once a month.

07

Disable file editing from the dashboard

The WordPress file editor allows modifying PHP directly from the browser. If someone compromises an admin account, they can inject malicious code without touching the server.

How to do it: Add this line to your wp-config.php: define('DISALLOW_FILE_EDIT', true);

08

Configure external daily automatic backups

A backup is worthless if it is on the same server as the compromised website. Backups must be automatic, daily, and stored on an external service.

How to do it: Recommended plugin: UpdraftPlus. Configure a daily database backup and weekly file backup, to an external destination. Verify that restoration works.

What if I already have the website published?

It's not too late. You can apply most of these changes on a live website without affecting its operation. The recommended order if none of these measures are in place yet:

  1. Update WordPress, plugins, and themes to their latest versions.
  2. Change passwords for all admin users.
  3. Enable 2FA for administrators.
  4. Install and configure Limit Login Attempts Reloaded.
  5. Add DISALLOW_FILE_EDIT to wp-config.php.
  6. Configure external automatic backups with UpdraftPlus.
  7. Verify your HTTP security headers.
  8. If you have doubts about existing vulnerabilities, hire an audit.
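Three of the settings above live in wp-config.php (the table prefix from item 01, automatic core updates from item 06 and DISALLOW_FILE_EDIT from item 07), so they can be checked from a copy of the file before and after hardening. The script below is an added example, not code from the original post or any plugin; the wp-config.php fragment it reads is constructed for the example, and the comment handling is a line-level heuristic rather than a PHP parser.

```python
import re

# Constructed wp-config.php fragment (not from any real site): it keeps the
# WordPress defaults that items 01, 06 and 07 of the checklist say to change.
SAMPLE_WP_CONFIG = """<?php
$table_prefix = 'wp_';
define( 'WP_AUTO_UPDATE_CORE', false );
// define('DISALLOW_FILE_EDIT', true);   // commented out, so not in effect
"""

DEFINE_RE = re.compile(r"""\s*define\(\s*['"]([A-Z_]+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)


def parse_defines(text):
    """Return {CONSTANT: value} for define() lines that are not commented out."""
    out = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue  # heuristic: skips line comments, does not track block comments
        m = DEFINE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip("'\"")
    return out


def audit_wp_config(text):
    """Return [(item, 'PASS' or 'FAIL', reason)] for checklist items 01, 06 and 07."""
    defines = parse_defines(text)
    findings = []

    m = PREFIX_RE.search(text)
    prefix = m.group(1) if m else "wp_"  # WordPress falls back to wp_ when unset
    findings.append(("01", "FAIL" if prefix == "wp_" else "PASS",
                     f"table prefix is '{prefix}'"))

    # Unset means WordPress applies minor (security) releases automatically;
    # an explicit false switches that off.
    core = defines.get("WP_AUTO_UPDATE_CORE")
    core_off = core is not None and core.lower() == "false"
    findings.append(("06", "FAIL" if core_off else "PASS",
                     f"WP_AUTO_UPDATE_CORE is {core if core is not None else 'unset (default: minor)'}"))

    edit_blocked = defines.get("DISALLOW_FILE_EDIT", "").lower() == "true"
    findings.append(("07", "PASS" if edit_blocked else "FAIL",
                     "DISALLOW_FILE_EDIT is true" if edit_blocked
                     else "DISALLOW_FILE_EDIT missing or not true: dashboard file editor stays enabled"))
    return findings


if __name__ == "__main__":
    for item, status, reason in audit_wp_config(SAMPLE_WP_CONFIG):
        print(f"[{status}] item {item}: {reason}")
```

Run it against the sample and all three items fail; apply the three changes from the checklist (a random prefix, WP_AUTO_UPDATE_CORE left unset or set to 'minor', the DISALLOW_FILE_EDIT line uncommented) and all three pass.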

Want us to review your WordPress?

We audit your installation with WordPress-specific tools: WPScan, plugin analysis, exposed settings, and manual testing.
