WordPress powers over 43% of the internet, which makes it the single most-attacked CMS in the world. Automated scripts scan millions of sites daily for outdated plugins, weak passwords and misconfigured servers. A compromised WordPress site can be used to distribute malware, send spam, steal customer data or redirect visitors to phishing pages — damaging your reputation and potentially breaching UK GDPR. The good news: WordPress itself is well-maintained, and smartxhosting.uk's server-level defences plus sensible WordPress-level practices reduce risk dramatically. This guide covers every layer, from infrastructure to daily habits, with UK-specific notes on NCSC guidance, Cyber Essentials and ICO expectations.
A compromised WordPress site can:
Prevention costs hours. Recovery from a serious breach can cost weeks, damage the brand permanently, and trigger regulatory reporting.
Security works best in layers.
Every smartxhosting.uk server runs Imunify360:
These defences operate before PHP executes — stopping attacks at the server level rather than inside WordPress.
Plesk WordPress Toolkit includes 18 built-in security hardening measures:
One click applies them all.
Strong passwords, 2FA, updates, reputable plugins, correct file permissions. The sections below cover each.
Outdated software is the single most common cause of WordPress security breaches. When a vulnerability is discovered, developers release a patch. If you do not apply it, the site remains exposed to a publicly documented attack vector.
Plesk WordPress Toolkit can auto-update core, plugins and themes. Smart Updates takes visual screenshots before and after each update and auto-rolls back if it detects breakage. Enable via Plesk > WordPress > site > Updates.
Deactivated plugins still contain PHP files on your server and can be exploited if a vulnerability emerges. Delete unused plugins via Plugins > Installed Plugins > Delete. Same for inactive themes — keep only your active theme plus one default theme as a fallback.
Brute-force attacks try thousands of combinations per minute. Defence:
The default admin username is the first one brute-forcers try. If your installation uses it:
The Plesk WordPress Toolkit's security scanner flags this and can guide the rename.
Even strong passwords can be compromised via phishing, data breaches on other services, or keyloggers. 2FA adds a second verification step — typically a 6-digit code from an authenticator app.
Install from Plugins > Add New Plugin, activate it, and follow the setup wizard.
Enforced 2FA for admins is a Cyber Essentials requirement and ICO best practice.
WordPress by default allows unlimited login attempts — vulnerable to brute force. Limiting attempts with auto-lockout is a simple and effective countermeasure.
Imunify360 detects and blocks brute-force login attempts before they reach WordPress. More efficient than a PHP-based solution because the attack is stopped before any WordPress code runs.
Limit Login Attempts Reloaded plugin provides granular WordPress-level control: max retries, lockout duration, notification settings. Useful defence in depth.
Plugins like WPS Hide Login move /wp-login.php to a custom URL. Brute-force scripts hitting /wp-login.php get 404s and move on. Not a substitute for strong passwords and 2FA, but removes much of the bot noise.
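The detection side of limiting login attempts, as an added example that is not code from Imunify360 or any plugin: it counts POST requests to /wp-login.php per client IP in a web-server access log and reports the IPs above a threshold. The log lines and IP addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from Imunify360 or any plugin: count POST requests
# to /wp-login.php per client IP in a web-server access log and report the
# IPs above a threshold. This is the detection side of limiting login
# attempts, a quick after-the-fact check of how much brute-force traffic
# actually reached WordPress. The log lines and IP addresses are constructed.

# Constructed access-log lines in common log format, one request per line.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/May/2024:10:00:01 +0100] "GET /wp-login.php HTTP/1.1" 200 2741
203.0.113.7 - - [10/May/2024:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 2741
203.0.113.7 - - [10/May/2024:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 2741
203.0.113.7 - - [10/May/2024:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2741
203.0.113.7 - - [10/May/2024:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2741
203.0.113.7 - - [10/May/2024:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 2741
203.0.113.7 - - [10/May/2024:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 2741
198.51.100.23 - - [10/May/2024:10:05:10 +0100] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.23 - - [10/May/2024:10:05:14 +0100] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2741
192.0.2.5 - - [10/May/2024:10:06:00 +0100] "GET /about/ HTTP/1.1" 200 9876
EOF
}

# Usage: flag_login_floods THRESHOLD < access.log
# Prints "ip count" for each IP with more than THRESHOLD login POSTs.
flag_login_floods() {
    awk -v max="$1" '
        # Field 6 is the method (with its opening quote), field 7 the path.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > max) print ip, hits[ip] }
    ' | sort
}

# Stand-alone run: anything over 5 login POSTs in this sample is suspicious.
sample_log | flag_login_floods 5
```

Pick the threshold to suit the site: a real user who mistypes a password two or three times should not appear, while a script posting dozens of times a minute will. Requests that Imunify360 blocks at the server level never reach the site's access log, so compare this output with the Imunify360 incident list to see both what was stopped and what got through.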
File permissions control who can read, write and execute files on the server. Incorrect permissions let attackers modify code or read sensitive data.
The Plesk WordPress Toolkit sets these correctly on install. Check via File Manager in Plesk if you suspect permissions have been changed.
777 permissions grant everyone full control. Occasionally tutorials suggest 777 "to fix upload issues" — this is terrible advice. The real fix is setting correct 755/644 permissions with the correct file ownership.
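A quick way to audit and reset permissions from a shell, as an added example that is not smartxhosting.uk's or Plesk's tooling (the document root path and the demo tree are assumptions; Plesk's File Manager does the same job from the panel):

```shell
#!/bin/sh
# Added example: find world-writable entries under a WordPress document root
# and reset everything to the recommended 755 (directories) / 644 (files).
# Ownership is not touched here; files must also belong to the site's own
# system user, which chmod alone does not fix.

# Print every file or directory writable by "other" (777, 666 and the like).
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \)
}

# Number of world-writable entries; 0 means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to 755 for directories and 644 for files.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree with the classic "777 to fix uploads" mistake in it.
demo_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\n' > "$root/wp-config.php"
    printf '<?php\n' > "$root/wp-content/uploads/x.php"
    chmod 777 "$root/wp-content/uploads"
    chmod 666 "$root/wp-content/uploads/x.php"
    echo "$root"
}

# Stand-alone run: audit, fix, audit again.
site=$(demo_tree)
echo "world-writable before: $(count_world_writable "$site")"
fix_permissions "$site"
echo "world-writable after: $(count_world_writable "$site")"
rm -rf "$site"
```

Run the audit function on its own first; a non-empty list on a site you did not just install is worth investigating before resetting, because a world-writable file under wp-content/uploads may be something an attacker dropped rather than a permissions slip.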
WordPress by default allows administrators to edit theme and plugin files from the dashboard (Appearance > Theme File Editor, Plugins > Plugin File Editor). Convenient, but a compromised admin account can directly inject malicious code through these editors.
Disable the editors:
define( 'DISALLOW_FILE_EDIT', true );
Add to wp-config.php above "That's all, stop editing!".
For complete file lockdown (prevent all file modifications from WordPress, including plugin/theme updates):
define( 'DISALLOW_FILE_MODS', true );
More restrictive — breaks plugin and theme updates from the dashboard. Use only on tightly-managed sites.
Plesk WordPress Toolkit's security scanner can apply DISALLOW_FILE_EDIT in one click.
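For sites managed from a shell rather than the Plesk panel, the same constants can be added with a small script. This is an added example, not Plesk's or WordPress's own code; it inserts DISALLOW_FILE_EDIT from this section and FORCE_SSL_ADMIN from the SSL section below, and the sample wp-config.php is constructed with placeholder values.

```shell
#!/bin/sh
# Added example (not Plesk's or WordPress's own code): add hardening constants
# to wp-config.php above the "That's all, stop editing!" marker, skipping any
# that are already defined so the script is safe to re-run. It applies
# DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN; DISALLOW_FILE_MODS is deliberately
# left out because it also blocks dashboard updates.

# True if wp-config.php already defines the named constant (with any value).
has_constant() {
    grep -Eq "define\([[:space:]]*'$2'" "$1"
}

# Insert define( 'NAME', true ); just above the stop-editing marker.
add_constant() {
    config="$1"; name="$2"
    if has_constant "$config" "$name"; then
        return 0
    fi
    if ! grep -q "stop editing!" "$config"; then
        echo "no stop-editing marker in $config; add $name by hand" >&2
        return 1
    fi
    tmp="$config.tmp"
    awk -v line="define( '$name', true );" '
        /That.s all, stop editing!/ && !done { print line; done = 1 }
        { print }
    ' "$config" > "$tmp" && mv "$tmp" "$config"
}

# Apply the two constants this guide recommends for every site.
harden_config() {
    for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        add_constant "$1" "$c"
    done
}

# How many of the recommended constants are present (0 to 2), for checking.
count_hardening() {
    n=0
    for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        if has_constant "$1" "$c"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed minimal wp-config.php for the demo (credentials are placeholders).
demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_PASSWORD', 'placeholder' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    echo "$f"
}

# Stand-alone run on the constructed file.
cfg=$(demo_config)
harden_config "$cfg"
echo "hardening constants present: $(count_hardening "$cfg")"
cat "$cfg"
rm -f "$cfg"
```

The script refuses to guess where to put a constant if the marker comment is missing, because a define placed after the require of wp-settings.php comes too late to take effect; in that case add the line by hand near the other define calls.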
Already covered in detail in the SSL guide. Summary:
Add define( 'FORCE_SSL_ADMIN', true ); to wp-config.php to force HTTPS for all dashboard traffic.
On top of Imunify360 at the server level, a WordPress-level security plugin adds defence in depth. Choose one.
Wordfence: most popular. Endpoint firewall, malware scanner, login security, 2FA, live traffic monitoring. Free tier covers essentials; Premium (GBP 99/year) adds real-time firewall rules.
Solid Security: lighter weight, easier UI. Previously known as iThemes Security.
Free, comprehensive, less resource-intensive than Wordfence.
Paid but cloud-based — scanning happens off-server, less load on your site.
Install, activate, run the initial scan, fix any flagged issues. Set up login alerts for admin account activity.
The Plesk WordPress Toolkit's security panel shows the current state of 18 hardening measures.
wp_ to random.
Review the scanner regularly. Green ticks across the board indicate all hardening is active. Amber or red entries are one click away from being fixed.
Every security practice above reduces risk. Backups make you recoverable when something goes wrong anyway.
Every plan includes daily server backups retained for 30 days. Plesk makes restoration one click.
Follow the 3-2-1 rule: three copies, two different media types, one off-site. smartxhosting.uk server backup is copy 1 + 2; UpdraftPlus storing to Google Drive, Dropbox or S3 is copy 3 off-site.
Before major plugin updates, theme changes, WordPress core upgrades or a migration, trigger an on-demand backup from the Plesk WordPress Toolkit. It takes a minute and saves hours if something breaks.
A backup you have never restored is not a backup — it is a hope. Every 6 months, restore a backup to a staging site and verify it works. Better to find out now than during an actual incident.
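What a restore test looks like in practice, as an added example that is not smartxhosting.uk's backup tooling: archive a document root, extract the archive into scratch space and compare every file's checksum with the live tree. The paths and the demo site are assumptions; on a real site you would point it at the document root and ship the archive to the off-site destination that forms copy 3 of the 3-2-1 rule.

```shell
#!/bin/sh
# Added example, not smartxhosting.uk's backup tooling: archive a WordPress
# document root, then prove the archive restores by extracting it into a
# scratch directory and comparing every file's checksum with the live tree.
# Paths below are assumptions for the demo.

# Create a gzipped tarball with paths relative to the document root.
backup_site() {
    tar -czf "$2" -C "$1" .
}

# Checksum every regular file under a directory, in a stable order.
tree_checksums() {
    ( cd "$1" && find . -type f | sort | while read -r f; do cksum "$f"; done )
}

# Restore into scratch space and compare; prints "ok" or "mismatch".
verify_backup() {
    archive="$1"; docroot="$2"
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if [ "$(tree_checksums "$scratch")" = "$(tree_checksums "$docroot")" ]; then
        result=ok
    else
        result=mismatch
    fi
    rm -rf "$scratch"
    echo "$result"
}

# Constructed demo site with a few files in the usual places.
demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php // index\n' > "$d/index.php"
    printf 'define( "DB_NAME", "placeholder" );\n' > "$d/wp-config.php"
    printf 'sample upload\n' > "$d/wp-content/uploads/a.txt"
    echo "$d"
}

# Stand-alone run: back up, verify, then show what a changed file looks like.
site=$(demo_site)
archive="$(mktemp -d)/site-backup.tar.gz"
backup_site "$site" "$archive"
echo "restore test: $(verify_backup "$archive" "$site")"
printf 'unexpected change\n' >> "$site/index.php"
echo "after a file changed: $(verify_backup "$archive" "$site")"
```

A "mismatch" against a backup taken minutes ago means either the backup is incomplete or the site has changed since; the same comparison run against a known-good backup is also a cheap way to spot files that were altered on the server without your knowledge.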
Identified compromise recovery process:
Is WordPress really insecure?
WordPress core is not inherently insecure — it is extensively audited and rapidly patched. The weak points are usually outdated plugins, weak passwords and misconfigured servers. Keep these in check and WordPress is as secure as any major CMS.
Do I need a security plugin if I have Imunify360 at the server level?
Imunify360 covers much of the attack surface. A WordPress-level security plugin (Wordfence, Solid Security) adds defence in depth — 2FA, login alerts, file integrity monitoring, WordPress-specific rule sets. Worth having even with server-level protection.
What should I do if I suspect my site is hacked?
Do not log in through the normal URL (the login page may be compromised). Log in via Plesk SSO instead. Take the site offline, run Imunify360 scan, restore from pre-compromise backup, then harden before re-launching.
How often should I check security?
Monthly: review the Plesk WordPress Toolkit security scanner, update plugins and themes. Quarterly: review users list, audit admin accounts, confirm 2FA is enforced. Annually: full security audit including restore test, password rotation, access review.
Is 2FA really necessary?
For any site processing personal data or taking payments, yes. Under UK GDPR and Cyber Essentials, multi-factor authentication for admin access is a baseline expectation. For a simple brochure site, strong passwords are sometimes sufficient, but 2FA is minimal extra effort and materially improves security.
Should I pay for Wordfence Premium?
Free tier covers most needs. Premium (GBP 99/year) adds real-time firewall rule updates (non-premium rules lag by 30 days). For sites handling sensitive data or under active attack, the premium value is real.
Is my WooCommerce shop more at risk?
Yes. E-commerce sites are specifically targeted because they process payment data. Extra measures: PCI-DSS compliance where applicable, more aggressive security plugin settings, careful payment gateway choice (delegate to Stripe/GoCardless rather than storing card data yourself), enhanced logging.
What is the biggest WordPress security risk?
Outdated plugins. Year after year, every major security report identifies this as the top vector. Keep plugins current or remove them.
Does SSL by itself make my site secure?
No. SSL secures data in transit between visitors and server. It does nothing about weak passwords, outdated plugins or malware on the server. SSL is necessary but not sufficient.
What about Cyber Essentials for my UK business?
Cyber Essentials is a UK government-backed certification covering basic security controls. WordPress-relevant requirements include: patch management, access control, secure configuration, firewalls. Compliance is achievable with the practices in this guide plus documented procedures. Certification helps win public-sector contracts.
Launch your WordPress site on smartxhosting.uk
UK hosting with the Plesk WordPress Toolkit, LiteSpeed Cache, Redis object caching, free Let’s Encrypt SSL, free CDN and daily backups — from £2/month.