Most WordPress compromises are preventable: they come through unpatched plugins and themes, weak admin credentials and loose file permissions, not novel exploits. Use this checklist to reduce risk quickly.
Must-do checklist
- Enable automatic updates for core, plugins and themes (or schedule weekly patching), and delete plugins and themes you no longer use: inactive code is still patchable, and still exploitable.
- Use strong, unique passwords for every administrator account and require MFA for all of them.
- Limit login attempts and rate-limit wp-login.php and xmlrpc.php at the web server or WAF, not only in a plugin; a plugin still lets every guess reach PHP and the database.
- Disable XML-RPC unless something needs it (Jetpack and some remote-publishing tools do): its system.multicall method lets one HTTP request carry hundreds of password guesses, and its pingback feature is abused for DDoS.
- Lock file permissions: 755 for directories, 644 for files, 600 or 640 for wp-config.php, and never 777 anywhere. Set DISALLOW_FILE_EDIT so a stolen admin session cannot edit PHP from the dashboard.
- Take daily backups to a location the web server cannot write to, and test a restore monthly; a backup you have never restored is a guess.
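The on-disk items above (permissions, wp-config.php settings, and PHP dropped into the uploads directory) are easy to audit with a script. The following is an added example, not code from WordPress or from this checklist's author; it assumes a standard layout with wp-config.php in the document root and wp-content/uploads beneath it, and the constant names it greps for are the real WordPress ones.

```shell
#!/bin/sh
# Added example: audit a WordPress document root for the on-disk checklist
# items. Usage: sh wp_audit.sh /var/www/html
# Assumes the standard layout (wp-config.php in the root, wp-content/uploads
# below it). Not part of WordPress.

# Print one "FAIL: ..." line per problem found; return the number of problems
# (0 means clean), so it can gate a deploy or a cron job.
wp_audit() {
    root="$1"
    fails=0

    # 1. No file or directory may be world-writable (777, 666, ...).
    ww=$(find "$root" ! -type l -perm -o+w 2>/dev/null | wc -l | tr -d ' ')
    if [ "$ww" -gt 0 ]; then
        echo "FAIL: $ww world-writable path(s) under $root:"
        find "$root" ! -type l -perm -o+w 2>/dev/null | head -n 5
        fails=$((fails + 1))
    fi

    # 2. wp-config.php holds DB credentials and salts: no world read (600/640).
    cfg="$root/wp-config.php"
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found (wrong root?)"
        fails=$((fails + 1))
    else
        if [ -n "$(find "$cfg" -perm -o+r)" ]; then
            echo "FAIL: $cfg is world-readable"
            fails=$((fails + 1))
        fi
        # 3. The dashboard file editor turns an admin takeover into a PHP
        #    shell with one click; core auto-updates keep the base patched.
        if ! grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
            echo "FAIL: DISALLOW_FILE_EDIT is not set to true in wp-config.php"
            fails=$((fails + 1))
        fi
        if ! grep -Eq "define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
            echo "FAIL: WP_AUTO_UPDATE_CORE is not set to true in wp-config.php"
            fails=$((fails + 1))
        fi
    fi

    # 4. PHP under wp-content/uploads is almost always a dropped web shell;
    #    the uploads tree should hold media only.
    up="$root/wp-content/uploads"
    if [ -d "$up" ]; then
        php=$(find "$up" -type f -name '*.php' 2>/dev/null | wc -l | tr -d ' ')
        if [ "$php" -gt 0 ]; then
            echo "FAIL: $php PHP file(s) under $up (expected none)"
            fails=$((fails + 1))
        fi
    fi

    return "$fails"
}

if [ $# -eq 1 ]; then
    wp_audit "$1"
fi
```

Run it from cron and alert on a non-zero exit; pair check 4 with a web-server rule that refuses to execute PHP under wp-content/uploads at all, so a file that slips past the audit still cannot run.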
Server-level improvements
- A WAF in front of the site (Cloudflare, or ModSecurity with the OWASP Core Rule Set) to drop known exploit traffic before it reaches PHP
- Malware scanning of the whole document root, with special attention to PHP files outside the core, plugin and theme directories
- A least-privilege database user: grant the WordPress user privileges on its own database only, never global grants and never FILE or SUPER, so SQL injection in one plugin cannot read other databases or write to the filesystem
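Rate limiting and a WAF are only as good as what you tune them on, and "monitoring" in practice starts with the access log. The script below is an added example, not part of the original checklist: it pulls the clients hammering wp-login.php and xmlrpc.php out of a combined-format access log, which is the input you would hand to a fail2ban jail or a WAF block list. The log lines are constructed for the example, and the endpoint behaviour it relies on (a failed wp-login.php POST returns 200 with the form, a successful one redirects with 302) is standard WordPress.

```shell
#!/bin/sh
# Added example: find clients brute-forcing the WordPress login endpoints in
# an access log. Usage: sh wp_login_flood.sh /var/log/nginx/access.log [min]
# Assumes the common combined log format. Not part of WordPress.

# Print "count ip" for every client with at least $2 POSTs to wp-login.php or
# xmlrpc.php in log file $1, busiest first. A 302 from wp-login.php is a
# successful login, so those are not counted; everything else is a guess.
wp_login_flood() {
    awk -v min="$2" '
        # Combined format: $1 client IP, $6 "METHOD (leading quote kept),
        # $7 request path, $9 response status.
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) && $9 != "302" {
            hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min) print hits[ip], ip
        }' "$1" | sort -rn
}

# Constructed sample log: one client guessing passwords on wp-login.php, one
# driving xmlrpc.php, and a real editor who mistyped once and then logged in.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4125 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:02:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:02:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 61200 "-" "Mozilla/5.0"
EOF
}

if [ $# -ge 1 ]; then
    wp_login_flood "$1" "${2:-5}"
fi
```

With a threshold of 3 the sample yields 203.0.113.7 (6 guesses) and 198.51.100.23 (4 XML-RPC posts) and leaves the editor alone. Two caveats for real logs: each xmlrpc.php POST can carry many guesses via system.multicall, so the count understates that client, and the per-IP view misses a distributed attack that spreads guesses across many addresses, which is why the login limit itself belongs at the web server and not only in this report.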
Security is not one plugin. It is a habit: patch on a schedule, watch the logs, and keep access tightly controlled.