WordPress Security: The Minimum Baseline for 2026

WordPress runs about 43% of all websites. That makes it the most attacked CMS by a wide margin. Most of those attacks succeed not because the platform is fundamentally insecure, but because the default install gets forgotten and the security basics are skipped.
If you do nothing else to protect your WordPress site in 2026, do these five things. They take less than a day to set up and they stop the vast majority of automated attacks at the door.
1. Keep core, themes, and plugins up to date — automatically
The single biggest vector for WordPress compromise is the unpatched plugin. A vulnerability is reported, a fix is shipped, and you have a window — sometimes hours, often days — before automated scanners start hammering every site running the old version.
WordPress has offered per-plugin and per-theme automatic updates since 5.5, so on any current version this is a toggle on the Plugins and Themes screens, not something you need another plugin for. Enable automatic updates for core, themes, and the plugins you trust, and keep the admin email pointed at an inbox somebody actually reads: WordPress mails the result of each update run, including failures. If a plugin has been abandoned (no release in 18+ months, or it has been closed on wordpress.org), find a replacement or remove it. Deactivating is not enough; the files stay on disk and can still be requested directly.
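The policy above, as an added example that is not part of the original article or any plugin it names: a must-use plugin that opts core and themes into automatic updates, auto-updates an allowlist of plugins, and forces the result email on. The file location (wp-content/mu-plugins/), the kw_ prefix and the plugin slugs in the allowlist are assumptions for the example; every hook used is a core WordPress filter.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Automatic updates for core, themes and an allowlist of trusted plugins.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php (assumed location). Must-use
 * plugins cannot be deactivated from the dashboard, so the policy survives an admin
 * clicking "disable auto-updates" by accident.
 */

// Core: minor (security/maintenance) releases are automatic on a default install already.
// Opting in to major releases as well means no 6.x -> 7.x jump waits for a human.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes: install whatever update ships.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins you have decided to trust. The slugs are hypothetical; list your own.
function kw_trusted_plugin_slugs() {
    return array( 'wordfence', 'updraftplus', 'contact-form-7' );
}

// $item is the update object WordPress passes for each plugin; its ->slug is the
// directory name on wordpress.org. Plugins outside the allowlist keep whatever
// per-plugin choice was made on the Plugins screen ($update is that choice).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, kw_trusted_plugin_slugs(), true ) ) {
        return true;
    }
    return $update;
}, 10, 2 );

// Always email the admin address the outcome of a plugin or theme auto-update run.
// The mail lists failures as well as successes, which is the part you want to read.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```

The allowlist is deliberate: a plugin that auto-updates is a plugin whose maintainer can push code onto your site without you looking, so the list should be the plugins you would trust with that anyway. Everything else gets updated by you, promptly, after the failure-or-success email arrives.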
2. Strong admin username and 2FA
"admin" is the first username every bot tries. Never use it. Use a non-obvious username (not your business name, not your full real name) and pair it with a password manager-generated password (20+ characters, fully random). Treat the username as a small hurdle, not a secret: WordPress reveals login names through author archives (/?author=1) and the REST API (/wp-json/wp/v2/users), so the password and the second factor are what actually keep the account closed.
Then enable two-factor authentication. Any modern security plugin (Wordfence, Solid Security, which is the renamed iThemes Security) ships with TOTP-based 2FA. Set it up once, scan the QR code with Google Authenticator, Authy or any other authenticator app, put the recovery codes in your password manager, done. Even if your password leaks, the attacker cannot log in without your second factor. One caveat: a TOTP code can be phished by a fake login page that relays it in real time, so if your plugin offers passkeys or security keys (WebAuthn), prefer those.
3. Limit login attempts and hide the login URL
By default, WordPress allows unlimited login attempts at /wp-login.php (and /wp-admin, which simply redirects there). Brute-force bots know this. They try thousands of password combinations per hour against every WordPress site they can find, and the ones that know the platform go through xmlrpc.php instead, where the system.multicall method lets them test many passwords inside a single HTTP request.
Install a plugin that:
- Limits login attempts (lock the IP after 5 failed tries for an hour).
- Optionally renames the login URL to something only you know. This is obscurity, not a control: it cuts bot noise, but anything that links to wp-login.php (password-reset emails, some plugins) can still give it away, so it is no substitute for the lockout.
- Sends you an email when failed-login thresholds are hit.
Most security plugins do all three. Pick one, configure it, and actually read the lockout emails: a burst of attempts against your real username rather than "admin" means someone has done their homework on your site.
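What such a plugin does for the first and third bullets, as an added example written for this article rather than taken from it or from any plugin it names: a must-use plugin that locks an address out for an hour after five failures and emails the admin. The file location, the kw_ prefix and the thresholds are assumptions; the hooks, transients and wp_mail() are core WordPress.

```php
<?php
/**
 * Plugin Name: Login throttle (added example)
 * Description: Lock an address out for one hour after five failed logins; email the admin.
 *
 * Save as wp-content/mu-plugins/login-throttle.php (assumed location).
 */

const KW_LOGIN_MAX_FAILS = 5;               // failures before lockout
const KW_LOGIN_LOCKOUT   = HOUR_IN_SECONDS; // lockout and counter lifetime

// Client address. Behind Cloudflare or a load balancer REMOTE_ADDR is the proxy,
// and every visitor would share one counter; only switch to a forwarded header if
// your host guarantees the proxy sets it (otherwise an attacker can spoof it).
function kw_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

function kw_fail_key() { return 'kw_login_fails_' . md5( kw_client_ip() ); }
function kw_lock_key() { return 'kw_login_lock_' . md5( kw_client_ip() ); }

// Count a failure. WordPress fires this after it has rejected the credentials,
// for every path that goes through wp_authenticate(), xmlrpc.php included.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    // A request refused by the lockout itself must not extend the lockout.
    if ( $error instanceof WP_Error && 'kw_locked_out' === $error->get_error_code() ) {
        return;
    }
    $fails = (int) get_transient( kw_fail_key() ) + 1;
    set_transient( kw_fail_key(), $fails, KW_LOGIN_LOCKOUT );

    if ( $fails >= KW_LOGIN_MAX_FAILS ) {
        set_transient( kw_lock_key(), time(), KW_LOGIN_LOCKOUT );
        delete_transient( kw_fail_key() );
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Login lockout for %s', get_bloginfo( 'name' ), kw_client_ip() ),
            sprintf(
                "%d failed logins from %s (last username tried: %s). Locked for %d minutes.",
                $fails, kw_client_ip(), sanitize_user( (string) $username ), KW_LOGIN_LOCKOUT / 60
            )
        );
    }
}, 10, 2 );

// Refuse authentication while locked. Priority 30 runs after the core
// username/password check at priority 20, which would otherwise replace an
// earlier WP_Error with a WP_User when the guessed password happens to be right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( kw_lock_key() ) ) {
        return new WP_Error(
            'kw_locked_out',
            __( 'Too many failed logins from your address. Try again in an hour.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for this address.
add_action( 'wp_login', function () {
    delete_transient( kw_fail_key() );
} );
```

Note what the counter keys on: the address, not the username. Keying on the username would let an attacker lock you out of your own site by failing on purpose. The price is that a bot rotating through many addresses gets five tries from each, which is why the lockout email still matters.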
4. Real backups, off-site, automatic
If everything goes wrong tomorrow — ransomware, hacked plugin, a junior employee deleting the database — your backup is the only thing between you and starting your business website from scratch.
Requirements for a real backup:
- Off-site. Not on the same server as your site. If the server is compromised, an on-server backup goes with it. Better still, let the site write new backups to the remote store without being able to delete old ones, so ransomware on the server cannot reach back and wipe them.
- Automatic. Daily for database, weekly for files at minimum. Manual backups get forgotten.
- Tested. Once a quarter, restore your backup to a staging environment and verify the site loads. Untested backups are not backups.
- Multiple retention windows. 7 daily + 4 weekly + 12 monthly is a standard mix. Sometimes you only notice a compromise weeks later.
kapaweb's shared hosting includes weekly off-site backups by default. For higher frequency or longer retention, premium plans cover it.
5. Secure host, HTTPS-only
Partly out of your hands — the host has to do its part. But:
- HTTPS only. Force-redirect HTTP to HTTPS at the server level. Free Let's Encrypt certificates are included with kapaweb hosting and auto-renew. There is no excuse for HTTP-only in 2026.
- HSTS header. Tell browsers to refuse any HTTP connection to your site for the next year. Set it once in your .htaccess or server config. Roll it out with a short max-age (a few minutes) first, and only add includeSubDomains once every subdomain serves HTTPS: browsers cache the policy, and a mistake locks visitors out until it expires.
- Server-level firewalls. Your host should run ModSecurity, fail2ban, or equivalent. Ask. If they do not, switch.
- PHP version. Run a supported PHP version (8.3 or newer in 2026; PHP 8.1 stopped receiving security fixes at the end of 2025). Check the minimum WordPress 7 requires at wordpress.org/about/requirements/ before a core upgrade. kapaweb's control panel lets you pick the version per site.
What is not on this list — and why
You may have read about other recommendations. Here is why they are not in the top 5:
- Changing the WordPress database table prefix. Marginal benefit. Skip on a new site, do not bother retroactively.
- Disabling XML-RPC. Worth doing if nothing you use needs it (Jetpack and the WordPress mobile apps do), because xmlrpc.php is the usual way around login throttling on wp-login.php. It is a one-line change rather than a project, which is why it is not one of the five.
- Web Application Firewall (Cloudflare-style). Useful at scale, and it can block exploitation of a plugin hole before the update lands; still overkill for most small business sites with the basics in place.
- Security plugins that scan for malware. Defence in depth, yes. But if you have done items 1–5 you have closed the doors the automated attacks actually come through; a scanner mostly tells you after the fact that one was left open.
The honest reality
Most compromised WordPress sites were not hit by sophisticated attackers. They were hit by automated scripts looking for sites that skipped one of the items above. If you do all five, your site is in the small minority that simply is not worth attacking — the bot moves on to easier targets.
If you are not sure whether your current setup covers these, kapaweb's IT support team can audit your site in an hour and tell you exactly what is exposed and what to fix first.


