WordPress Security
Reference articles for the WordPress security work that actually matters: keeping the core, plugins, and themes patched, locking down the login paths bots target, making sure SSL is real and end-to-end, and recognising a compromised site before it starts redirecting visitors.
Each article starts from the attacker's angle so you understand what a given hardening step is actually protecting against, and ends with a verification step so you can tell whether it worked.
Articles
- WordPress security hardening: the checklist that actually matters (4444 words)
  An opinionated, vendor-neutral hardening checklist for self-hosted WordPress. It covers what actually reduces your risk in 2026, what is security theatre, and a concrete configuration reference you can apply in an afternoon.
- WordPress SSL certificate: what it is and how to install one (3286 words)
  An SSL certificate is how your WordPress site proves its identity and encrypts traffic between visitor and server. This article explains what the certificate actually does, which type you need, how Let's Encrypt and managed hosts issue and renew it, and how to verify yours is working.
- WordPress file permissions explained (644, 755, and wp-config.php) (2775 words)
  A plain-language explanation of WordPress file permissions, why the FTP credentials prompt appears when you try to install a plugin, and a reference table with the exact values for every path including wp-config.php.
- Brute force protection in WordPress: block wp-login.php and xmlrpc.php attacks (3612 words)
  A layered defence for the two URLs that take almost all the brute-force traffic on a WordPress site. Rate limit at the edge, harden authentication in WordPress, and keep Jetpack, mobile apps and Application Passwords working while you do it.
- Two-factor authentication (2FA) for WordPress: the setup that actually holds (3948 words)
  A practical guide to adding two-factor authentication to a WordPress site without locking out yourself or your team. Picking a method, picking a plugin, enforcing it by role, and recovering when a phone is lost or a backup code goes missing.
- WordPress hacked: detecting and cleaning a malware redirect (4618 words)
  Visitors get redirected to a spam page, but you see nothing when you check. This article explains how modern WordPress redirect malware hides from admins, where it actually lives, and how to clean a site so it stays clean.
- Disallowed WordPress plugins on managed hosting (2484 words)
  Managed WordPress hosts block specific plugins because they conflict with server-level infrastructure the host already provides. This reference covers which plugins are blocked on which hosts, why each category is restricted, and what to use instead.
- WordPress REST API security: hiding endpoints and preventing user enumeration (2338 words)
  A security scan flagged /wp-json/wp/v2/users as exposed. This article explains what the endpoint actually reveals to unauthenticated visitors, which data is the real risk (login slugs, not emails), and three ways to lock it down without breaking the block editor or Application Passwords.
- WordPress comment spam: blocking it without Akismet (3569 words)
  A layered, Akismet-free approach to WordPress comment spam. Tighten the built-in Discussion settings first, add a JavaScript honeypot, then a heuristic filter, and drop a developer hook on top only if you need one.
Want fewer security surprises?
Staying safe is routine work: patching, monitoring, backups and defense-in-depth—done consistently.
