WordPress Security 2026: 12 Practices That Move The Needle
Tim's Web Worx

WordPress security in 2026 looks nothing like it did three years ago. Automated attack bots now generate convincing phishing emails in your customer’s tone of voice, scan every public WordPress install for known plugin CVEs within hours of disclosure, and increasingly target the supply chain — the plugins and themes you trust — rather than your site directly. Generic checklists from 2022 will not keep you out of the breach reports.

If you run a business website on WordPress, the question is no longer whether someone will probe your login page this week. They already are. The question is whether your site shrugs it off or hands them the keys. Here are the twelve practices that actually move the needle for WordPress security 2026 — grouped by where they live in your stack, and aimed squarely at South African SMBs that cannot afford a breach.

WordPress security in 2026: the non-negotiables

1. Keep core, plugins, and themes updated — weekly, not eventually

The single biggest cause of WordPress compromises is still an outdated plugin with a known vulnerability. Attackers do not need a zero-day when thousands of sites are running a version with a published exploit. Set a weekly window, log in, run updates, then visit a few key pages to confirm nothing broke. If you cannot commit to that, enable auto-updates for plugins and keep a staging site so a bad release does not take down production. Auto-updates remain the right default even with the supply-chain risk described in item 11: an unpatched known vulnerability is exploited far more often than a hijacked release. (If a recurring weekly window is not realistic, that is exactly what our WordPress maintenance & support service handles for you.)

2. Use strong, unique passwords — and a password manager

Reusing the same password across your hosting account, your WordPress admin, and your email is the fastest route from a third-party leak to a full takeover. Every login should have its own long, random password stored in a manager like 1Password or Bitwarden. Stop typing passwords. Stop trying to remember them. The manager is the boring fix that prevents most credential-stuffing attacks.

3. Run daily off-site backups

Backups are not a security feature until they are stored somewhere the attacker cannot also delete. A backup sitting on the same server as the site is no backup at all; ransomware loves those. Use UpdraftPlus, BlogVault, or a host-managed solution that ships your nightly backups to S3, Google Drive, or a separate provider. Give the site only a credential that can write to that destination, not delete from it (object versioning or a retention lock on the bucket does the same job), so an attacker who owns the web server cannot reach back and wipe the copies. Test a restore at least once a quarter so you know it works before the day you need it. We cover off-site backups as part of our standard website care plans.

Lock down the front door

4. Enable two-factor authentication on every admin account

If 2FA is not on every account with publishing rights or higher, you are one phishing email away from a problem. Plugins like Wordfence Login Security or Two Factor make it a five-minute setup. Use an authenticator app rather than SMS — SIM-swap attacks are a real and rising threat in South Africa. For agency-managed sites, require 2FA on every staff account, no exceptions.

5. Move the login URL away from /wp-admin/

This is not deep security; it is friction. Bots scan /wp-login.php and /wp-admin/ on every WordPress install they find. Move the login URL to something only your team knows, using WPS Hide Login or similar, and the brute-force noise drops to near zero overnight. It only hides the form: anyone who learns the new path is back where they started, so combine it with rate limiting (next item) for a meaningful effect.

6. Limit login attempts and block repeat offenders

WordPress core does not limit how often someone can guess a password. Plugins like Limit Login Attempts Reloaded or Wordfence's lockout feature add this in. Set a low threshold, five failed attempts in 15 minutes, and a long lockout. Better still, block at the server or WAF so the request never reaches PHP: fail2ban watching the access log for repeated POSTs to the login endpoint, or a Cloudflare rate-limiting rule on that path, both do this.

7. Disable XML-RPC unless something specifically uses it

XML-RPC is a legacy interface most modern sites do not need. Attackers love it because its system.multicall method lets them pack hundreds of username and password guesses into a single HTTP request, which sidesteps any per-request login limit. If you do not use the WordPress mobile app, Jetpack's connection, or another integration that explicitly requires it, disable XML-RPC at the server level (return 403 for /xmlrpc.php) or with a small mu-plugin. Check first, so that if something stops working you know exactly why.
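Items 6 and 7 both come down to noticing the same pattern in the access log: many login misses from one address in a short window, or any POST at all to xmlrpc.php. The script below is an added example for this article, not code from it or from any of the plugins mentioned. It assumes the nginx/Apache "combined" log format and that the log records the real client IP (behind Cloudflare that means logging CF-Connecting-IP, otherwise every offender looks like the proxy). The log lines in SAMPLE_LOG are constructed for the demo.

```python
"""Spot brute-force pressure on wp-login.php and xmlrpc.php in a web-server
access log, using the article's threshold of five failures in 15 minutes.
Added example; assumes "combined" log format and real client IPs in the log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)

# combined format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_login_failure(method, path, status):
    # WordPress re-renders the login form with HTTP 200 after a failed attempt
    # and answers a successful one with a 302 to /wp-admin/, so POST+200 is a miss.
    return method == "POST" and path == "/wp-login.php" and status == 200


def find_offenders(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Map offending IP -> reason. Login failures are counted in a sliding
    window per IP; any POST to xmlrpc.php is reported outright, because one
    system.multicall request can carry hundreds of password guesses."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path == "/xmlrpc.php":
            offenders.setdefault(ip, "POST to xmlrpc.php")
            continue
        if not is_login_failure(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            offenders.setdefault(ip, f"{len(q)} login failures in {window}")
    return offenders


# Constructed sample: one attacker (203.0.113.7), one real user who mistypes
# once and then logs in (198.51.100.4), and one XML-RPC prober (192.0.2.9).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:14:02:11 +0200] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:14:02:13 +0200] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:14:03:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:14:03:20 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:14:04:40 +0200] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:14:05:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:14:09:57 +0200] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2026:14:10:30 +0200] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2026:14:30:00 +0200] "GET /wp-login.php HTTP/1.1" 200 3841 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, why in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip}: {why}")  # feed these to your firewall or WAF deny list
```

Run against a real log by reading the file into `find_offenders`. The only WordPress-specific knowledge in it is the 200-versus-302 distinction: a plugin or theme that customises the login flow may change that, so confirm it on your own site before trusting the counts.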

Strengthen the perimeter

8. Force HTTPS everywhere, with HSTS

HTTPS is table stakes, but a surprising number of sites still serve mixed content or redirect inconsistently. Use a free Let's Encrypt certificate via your host, force the redirect at the server level (not in PHP), and add an HSTS header so a browser that has seen it once will not try plain HTTP again. Start with a short max-age while you confirm every subdomain works over HTTPS, then raise it to a year. For sites handling customer logins, submit your domain to the HSTS preload list once you are confident in the setup; preloading is hard to undo, so treat it as permanent.
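A quick way to check the redirect and header the way the preload list does, as an added example for this article (not the article's own tooling): the two findings functions work offline on a status code and headers, and `check_live` wraps them with a standard-library fetch. The preload requirements encoded here are the published ones (max-age of at least one year, includeSubDomains, the preload token, and a same-host redirect from port 80).

```python
"""Evaluate an HTTP->HTTPS redirect and a Strict-Transport-Security header
against the HSTS preload list requirements. Added example, standard library only.
"""
import http.client
import ssl
from urllib.parse import urlparse

ONE_YEAR = 31536000  # preload requires max-age of at least one year


def parse_hsts(header):
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip().lower()] = value.strip().strip('"')
    return out


def hsts_findings(header, preload=False):
    """Return a list of problems with an HSTS header value; [] means acceptable."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not an integer"]
    problems = []
    if max_age <= 0:
        problems.append("max-age=0 disables HSTS")
    if preload:
        if max_age < ONE_YEAR:
            problems.append(f"max-age {max_age} below the {ONE_YEAR}s preload minimum")
        if "includesubdomains" not in d:
            problems.append("includeSubDomains required for preload")
        if "preload" not in d:
            problems.append("preload directive missing")
    return problems


def redirect_findings(host, status, location):
    """The plain-HTTP response must redirect straight to https on the same host."""
    if status not in (301, 302, 307, 308):
        return [f"http://{host}/ answered {status} instead of redirecting"]
    if not location:
        return ["redirect without Location header"]
    target = urlparse(location)
    if target.scheme != "https":
        return [f"redirect goes to {location}, not https"]
    if target.hostname != host:
        return [f"redirect changes host to {target.hostname}; preload wants same-host https first"]
    return []


def check_live(host, timeout=10):
    """Fetch http://host/ and https://host/ and evaluate both (needs network)."""
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", "/", headers={"Host": host})
    r = plain.getresponse()
    problems = redirect_findings(host, r.status, r.getheader("Location"))
    secure = http.client.HTTPSConnection(
        host, 443, timeout=timeout, context=ssl.create_default_context())
    secure.request("GET", "/", headers={"Host": host})
    s = secure.getresponse()
    problems += hsts_findings(s.getheader("Strict-Transport-Security"), preload=True)
    return problems


if __name__ == "__main__":
    # Offline demonstration on constructed responses; swap in check_live("your-domain")
    print(redirect_findings("example.com", 301, "https://www.example.com/"))
    print(hsts_findings("max-age=300", preload=True))
```

The www-redirect case is the one that trips most sites: `http://example.com/` must land on `https://example.com/` first, and only then may it hop to `www`.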

9. Put a WAF in front of WordPress

A Web Application Firewall sits between the visitor and your site, dropping malicious requests before they reach PHP. Cloudflare's free tier already gives you a baseline; the Pro plan adds the managed WAF rules that catch the bulk of automated WordPress attacks. Wordfence's premium firewall is an alternative that runs at the application layer, inside PHP. Pick one and configure it properly. If you do run Wordfence behind Cloudflare, set it to read the real visitor IP from Cloudflare's headers, otherwise its lockouts will see only the proxy's addresses and block the wrong thing.

10. Scan for malware on a schedule

If something does slip through, you want to know about it before your customers do. Wordfence, MalCare, and Sucuri all do scheduled scans of your file system and database for known malware signatures and suspicious modifications. Run them weekly, route the alerts to an email you actually read, and treat any flagged file as urgent. A few hours of investigation now beats a Google blacklist warning later.
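Signature scanning is the plugins' job, but the "suspicious modifications" half of it is something you can reason about yourself: record a hash of every file, compare later, and look hard at anything new or changed, especially PHP under the uploads tree, which should never hold executable code. The script below is an added example for this article, not code from Wordfence, MalCare or Sucuri. The directory layout, the uploads rule and the files created in `demo()` are constructed assumptions about a standard install.

```python
"""File-integrity baseline for a WordPress install: hash every file, report
added/changed/removed files on the next run, and flag PHP under uploads.
Added example; assumes the standard wp-content/uploads layout.
"""
import hashlib
import json
import os

UPLOAD_PREFIX = "wp-content/uploads/"   # PHP here is the classic web-shell drop
PHP_EXTS = (".php", ".phtml", ".php5", ".php7", ".phar")


def build_manifest(root):
    """Map relative path -> sha256 hex for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Return (added, modified, removed) lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def suspicious_paths(paths):
    """Any PHP-like file under uploads deserves an immediate look."""
    return sorted(p for p in paths
                  if p.startswith(UPLOAD_PREFIX) and p.lower().endswith(PHP_EXTS))


def scan(root, baseline_path):
    """Compare root against a saved baseline and return a report dict."""
    baseline = load_manifest(baseline_path)
    current = build_manifest(root)
    added, modified, removed = diff_manifests(baseline, current)
    return {"added": added, "modified": modified, "removed": removed,
            "suspicious": suspicious_paths(added + modified)}


def demo():
    """Constructed mini-install in a temp dir: baseline it, then simulate a
    compromise (core file edited, PHP dropped into uploads) and scan."""
    import tempfile
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "site")
    files = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/load.php": "<?php // constructed stand-in for a core file\n",
        "wp-content/uploads/2026/03/photo.jpg": "not really a jpeg\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    baseline_path = os.path.join(tmp, "baseline.json")  # outside the web root on purpose
    save_manifest(build_manifest(root), baseline_path)
    with open(os.path.join(root, "wp-includes/load.php"), "a") as fh:
        fh.write("// tampered\n")
    with open(os.path.join(root, "wp-content/uploads/2026/03/cache.php"), "w") as fh:
        fh.write("<?php // constructed web-shell lookalike, inert\n")
    return scan(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats: store the baseline somewhere the web server cannot write (an attacker who can drop a file can also rewrite a manifest sitting next to it), and re-baseline right after each update window from item 1 so routine changes do not bury the real ones.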

New realities for 2026

11. Audit your plugin supply chain before you install

The fastest-growing attack vector for WordPress security in 2026 is the supply chain itself: an attacker buys an abandoned but popular plugin, ships a malicious update, and reaches every site that has auto-updates on. Before you install anything, check three things: when it was last updated, how many active installs it has, and whether the developer answers support threads. If a plugin has not been updated in a year and has fewer than a thousand active installs, the convenience is not worth the risk. Install counts will not catch the popular-but-sold case, so for the plugins you already rely on, read the changelog before applying an update and be suspicious of a sudden change of author or a release that arrives after a long silence.
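Those three checks can be scripted against the plugin's public listing. The following is an added example for this article, not the article's own process or any wordpress.org tooling. The live lookup uses the public plugin-information API; the endpoint and the field names it relies on (`last_updated`, `active_installs`, `support_threads`, `support_threads_resolved`) are what that API returns at the time of writing and should be treated as an assumption to verify. The listings in `SAMPLES` are constructed, with made-up slugs.

```python
"""Score a plugin listing against the article's three checks: age of last
update, active installs, and maintainer responsiveness. Added example; API
endpoint and field names are assumptions about the wordpress.org API.
"""
import json
import urllib.request
from datetime import datetime, timezone

API = ("https://api.wordpress.org/plugins/info/1.2/"
       "?action=plugin_information&request[slug]={slug}")
MAX_AGE_DAYS = 365     # "not updated in a year"
MIN_INSTALLS = 1000    # "fewer than a thousand active installs"
MIN_RESOLVED = 0.5     # below this share of support threads resolved, be wary


def parse_last_updated(value):
    """The API reports e.g. '2025-11-03 4:12pm GMT'; fall back to the date part."""
    try:
        dt = datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")
    except ValueError:
        dt = datetime.strptime(value[:10], "%Y-%m-%d")
    return dt.replace(tzinfo=timezone.utc)


def evaluate(info, now=None):
    """Return a dict with the raw numbers, the flags raised, and a verdict:
    'reject' when both of the article's hard conditions hold, 'review' when
    anything looks off (the popular-but-stale case), else 'ok'."""
    now = now or datetime.now(timezone.utc)
    age_days = (now - parse_last_updated(info["last_updated"])).days
    installs = int(info.get("active_installs") or 0)
    threads = int(info.get("support_threads") or 0)
    resolved = int(info.get("support_threads_resolved") or 0)
    flags = []
    if age_days > MAX_AGE_DAYS:
        flags.append(f"last update {age_days} days ago")
    if installs < MIN_INSTALLS:
        flags.append(f"only {installs} active installs")
    if threads >= 5 and resolved / threads < MIN_RESOLVED:
        flags.append(f"{resolved} of {threads} support threads resolved")
    if age_days > MAX_AGE_DAYS and installs < MIN_INSTALLS:
        verdict = "reject"
    elif flags:
        verdict = "review"
    else:
        verdict = "ok"
    return {"slug": info.get("slug"), "age_days": age_days,
            "active_installs": installs, "flags": flags, "verdict": verdict}


def fetch_info(slug, timeout=10):
    """Live lookup of one plugin's listing (needs network)."""
    with urllib.request.urlopen(API.format(slug=slug), timeout=timeout) as resp:
        return json.load(resp)


# Constructed listings (fictitious slugs) and a fixed "today" for the demo.
DEMO_NOW = datetime(2026, 3, 10, tzinfo=timezone.utc)
SAMPLES = [
    {"slug": "example-forms", "last_updated": "2026-02-18 9:30am GMT",
     "active_installs": 500000, "support_threads": 12, "support_threads_resolved": 10},
    {"slug": "example-gallery", "last_updated": "2024-01-15 3:05pm GMT",
     "active_installs": 300, "support_threads": 2, "support_threads_resolved": 0},
    {"slug": "example-slider", "last_updated": "2024-06-01 11:00am GMT",
     "active_installs": 200000, "support_threads": 40, "support_threads_resolved": 3},
]


def demo():
    """Verdict per sample slug."""
    return {s["slug"]: evaluate(s, now=DEMO_NOW)["verdict"] for s in SAMPLES}


if __name__ == "__main__":
    for s in SAMPLES:
        print(json.dumps(evaluate(s, now=DEMO_NOW)))
    # For a real plugin: print(evaluate(fetch_info("akismet")))
```

The third sample is the case the article warns about: large install base, silent for well over a year, support threads going unanswered. It is not rejected by the hard rule, which is exactly why it needs a human look before it goes anywhere near auto-updates.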

12. Watch for AI-driven phishing aimed at your admins

The most convincing phishing emails in 2026 are written by language models fed your public LinkedIn profile and your published blog posts. They reference real projects, mimic colleagues' tone, and arrive at plausible times. The technical defences (2FA, a password manager, a hardware key on the most privileged accounts) matter even more now, because human pattern matching is no longer enough. Train your team to verify any unexpected request through a second channel before they click a link or hand over a credential.

A note on POPIA

If your site collects any personal information from visitors — contact forms, accounts, e-commerce — POPIA expects reasonable security measures. The list above is what reasonable WordPress security 2026 looks like in practice. A breach that exposes customer data is not just a clean-up exercise; it is a notifiable incident under the Information Regulator’s guidance. The cheapest way to handle that conversation is to have done the work in advance.

Where to start if you have an hour

Pick three: enable 2FA on every admin account, install a backup plugin that ships off-site, and put Cloudflare in front of your site. Those three alone will keep you ahead of most automated attacks. Then schedule a recurring monthly hour to work down the rest of the list. WordPress security 2026 is not a project you finish — it is a habit you keep. For more deep dives like this, browse our blog or read about Tim’s Web Worx.

Want a second pair of eyes on your current setup? Tim’s Web Worx runs WordPress security audits for South African businesses — we will walk through your site, identify the gaps that matter, and give you a prioritised plan you can either action yourself or hand to us.
