The 2026 WordPress hardening checklist for UK businesses.
Ten practical steps to close the gaps attackers exploit most — without turning your website into a fragile collection of security plugins.
Most WordPress compromises do not begin with a sophisticated zero-day. They start with an overlooked update, an old administrator account, or a backup nobody has tried to restore. Hardening is the disciplined work of closing those ordinary gaps.
Your baseline should be boring — and complete.
The goal is not to install every security product you can find. It is to reduce the number of ways an attacker can get in, limit what they can do if they do, and make recovery predictable.
The five controls to put in place first
- Keep WordPress core, themes, and plugins patched on a defined schedule.
- Remove inactive plugins and themes instead of simply deactivating them.
- Require unique passwords and multi-factor authentication for every administrator.
- Keep an off-site backup that you can restore and test regularly.
- Review administrator accounts, file permissions, and hosting access at least quarterly.
Updates are a security control, not housekeeping.
Create a simple patching rhythm: review critical updates promptly, test material changes on a staging copy where possible, and document who owns the decision. Unused plugins deserve no place in production — deactivate and delete them.
Treat every administrator account as a key to your business.
Use named accounts, strong unique passwords, and multi-factor authentication. Remove access the moment a contractor or employee no longer needs it. Avoid shared logins: they make incident investigation almost impossible.
A backup is only real if it restores. Keep a separate, off-site copy and rehearse a restore before you need one. Ransomware and accidental deletion both become manageable when recovery is proven.
Give the site less to defend.
Review file permissions, disable features you do not use, and keep production separate from testing tools. Your host, CDN, forms, analytics scripts, and third-party integrations all belong on the same security inventory.
Monitoring catches the small changes.
File-integrity checks, malware monitoring, and a regular vulnerability scan are practical early-warning systems. Pair them with a clear incident contact and an escalation plan your team can actually follow.
What to do next
Start with the areas you can verify today: current updates, named administrator accounts, and a tested backup. Then ask for an independent view of the gaps your team may not be equipped to see.
Keep reading
Security should feel manageable.
Explore practical guidance for your team, or let us identify the gaps in a free 30-minute assessment.