Why WordPress is targeted so frequently

WordPress is not inherently insecure — it is widely used and actively maintained. The reason it is such a common attack target is scale. When a security vulnerability is found in a popular WordPress plugin, there are potentially millions of sites worldwide running that same vulnerable version. Automated scanning tools can find and exploit them within hours of a vulnerability being made public.

The typical Canadian small business WordPress site is not being individually targeted by an attacker. It is being swept up in automated mass scanning operations looking for any site running vulnerable software. This means the defences that work are mostly the same ones regardless of what your business does or how prominent you are: keep things updated, secure your login, and have backups.

Keeping WordPress updated

The single most impactful security measure for a WordPress site is keeping the WordPress core, themes, and plugins updated. The majority of successful WordPress hacks exploit known vulnerabilities for which a patch already exists — meaning the attack would have been prevented by an update that was available but never applied.

WordPress core updates

WordPress automatically installs minor security and maintenance releases (e.g. from 6.5.1 to 6.5.2) by default. Major version updates (e.g. from 6.5 to 6.6) require either manual approval or explicit configuration to run automatically. Log into your WordPress dashboard and check Dashboard → Updates regularly. If you see a major version available and your site has been running without issues, updating is usually safe — but having a backup first is good practice.

Plugin and theme updates

Plugins are the most common attack vector. The same Dashboard → Updates screen shows pending plugin and theme updates. Make a habit of checking this at least monthly and applying available updates. If you have a plugin you installed for a specific project but no longer need, delete it rather than leaving it inactive — inactive plugins still present a vulnerability if they are outdated.

Be cautious about where plugins come from. Only install plugins from the official WordPress plugin repository or from reputable commercial developers with active support. Free plugins from random third-party sites may contain malicious code.

Passwords and login security

The WordPress login page at yourdomain.com/wp-admin is attacked constantly by automated bots running through lists of common passwords. This is called a brute force attack, and it succeeds when passwords are weak, short, or reused from other accounts.

What a strong password looks like

A strong WordPress admin password is long (16 characters or more), random, and unique to this account. WordPress generates a strong password automatically when you create a user — use it and store it in a password manager. Do not reuse a password from your email, banking, or any other service.

Change the default admin username

If your WordPress admin username is “admin,” change it. Brute force bots try “admin” first because it was the default for years. Create a new user with administrator privileges and a different username, log in as that user, and delete the original “admin” account.

Limit login attempts

By default, WordPress allows unlimited login attempts. A plugin like Limit Login Attempts Reloaded (free, in the WordPress plugin repository) temporarily blocks an IP address after a set number of failed attempts. This does not stop sophisticated distributed attacks but eliminates the most common bot behaviour.
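The brute-force pattern described above, and the failed-attempt counting a limit-login plugin performs, can also be spotted from the web server's access log. This is an added example, not code from the page or from any plugin it names; it assumes a standard combined-format access log and uses the heuristic that a failed POST to wp-login.php re-renders the form (HTTP 200) while a successful one redirects (HTTP 302). The log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined access-log format (Apache/Nginx); only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)          # returns None for lines that do not match
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev

def is_failed_login(ev):
    # Heuristic (assumption): a failed POST to wp-login.php re-renders the form (200);
    # a successful login answers with a 302 redirect into wp-admin.
    path = ev["path"].split("?")[0]
    return ev["method"] == "POST" and path.endswith("/wp-login.php") and ev["status"] == 200

def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Map each IP that reaches `threshold` failed logins inside a sliding `window` to the time it did."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged

# Constructed sample: one scripted client hammering the login; one real user who mistypes once, then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2024:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2024:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:09:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.4.0"
"""
```

Run it as `find_brute_force(SAMPLE_LOG.splitlines())`; only the scripted client is reported, because the legitimate user's single failure never reaches the threshold.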

Two-factor authentication

Two-factor authentication (2FA) means that logging into your WordPress admin requires both your password and a second factor — typically a time-based code from an app on your phone. Even if an attacker obtains your password, they cannot log in without the second factor.

For a WordPress site, 2FA is one of the highest-value security measures you can add. Plugins like WP 2FA or Two Factor (both free) add this capability. The setup takes about ten minutes and requires installing an authenticator app (Google Authenticator or Authy work well) on your phone.

Enable 2FA for all administrator accounts on the site, not just your own. If another user with admin access has a weak password, that is still an entry point.

Managing plugins safely

A lean plugin installation is a more secure one. Every plugin is potential attack surface — code running on your server, potentially connecting to external services, with its own update cadence and security history.

  • Audit your plugins periodically. Go to Plugins → Installed Plugins and look at every plugin listed. If you do not recognise it, research what it does. If you no longer need it, deactivate and delete it.
  • Check when a plugin was last updated. On the plugin’s page in the WordPress repository, you can see when it was last updated and whether it has been tested with the current WordPress version. A plugin that has not been updated in two or more years is a risk — it may contain vulnerabilities that will never be patched.
  • Read security disclosures before updating. Sites like WPScan and Patchstack publish WordPress vulnerability disclosures. If a security issue has been found in a plugin you use, update immediately rather than waiting for your monthly review.
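The three audit checks above (last update more than two years ago, not tested with the current WordPress version, still installed but inactive) can be applied to a plugin inventory automatically. This is an added example, not code from the page; the plugin records and dates are constructed, and the assumed input is the name, status, last-updated date and "tested up to" version you would read off each plugin's repository page.

```python
from datetime import date

STALE_AFTER_DAYS = 2 * 365  # the "two or more years" threshold the guide uses

def _major_minor(version):
    # "Tested up to" values look like "6.4" or "6.4.3"; only major.minor matters here.
    return tuple(int(p) for p in version.split(".")[:2])

def audit_plugins(plugins, wp_version, today):
    """Return {plugin name: [reasons]} for every plugin that needs attention.
    Each plugin is a dict with name, status ('active'/'inactive'),
    last_updated (datetime.date) and tested (WordPress version string)."""
    findings = {}
    for p in plugins:
        reasons = []
        if (today - p["last_updated"]).days >= STALE_AFTER_DAYS:
            reasons.append("not updated in two or more years")
        if _major_minor(p["tested"]) < _major_minor(wp_version):
            reasons.append(f"only tested up to WordPress {p['tested']}")
        if p["status"] == "inactive":
            reasons.append("inactive: delete it rather than leaving it installed")
        if reasons:
            findings[p["name"]] = reasons
    return findings

# Constructed sample inventory; names, dates and versions are made up for the example.
SAMPLE_WP_VERSION = "6.5.2"
SAMPLE_TODAY = date(2024, 3, 10)
SAMPLE_PLUGINS = [
    {"name": "contact-form", "status": "active", "last_updated": date(2024, 2, 20), "tested": "6.5"},
    {"name": "old-gallery", "status": "inactive", "last_updated": date(2021, 6, 1), "tested": "5.8"},
    {"name": "seo-helper", "status": "active", "last_updated": date(2023, 11, 10), "tested": "6.3"},
]

if __name__ == "__main__":
    for name, reasons in audit_plugins(SAMPLE_PLUGINS, SAMPLE_WP_VERSION, SAMPLE_TODAY).items():
        print(name, "->", "; ".join(reasons))
```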

How your hosting choice affects security

Your hosting environment is the foundation everything else sits on. Shared hosting — where many sites share the same server — introduces risks that more isolated hosting does not. If another site on the same server is compromised and the host’s account isolation is inadequate, that can affect your site.

Managed WordPress hosting providers typically offer stronger security defaults: automatic WordPress core updates, server-level malware scanning, web application firewalls, and stricter account isolation. These do not eliminate every risk but remove the most common attack vectors before you have to think about them. The managed vs shared hosting article covers this trade-off in more detail.

Regardless of your hosting type, make sure your hosting control panel uses a strong unique password and has two-factor authentication enabled where your host supports it. Hosting account access is as valuable to an attacker as WordPress admin access.

Monitoring and detection

The goal of monitoring is catching problems before they escalate into visible harm. A few basic measures:

  • Set up Google Search Console. Google will notify you if it detects security issues on your site. This is free and takes about fifteen minutes to set up. If you have not done this, it is one of the most useful things you can do for your site regardless of security concerns.
  • Install a security plugin. Wordfence (free tier) provides a firewall, malware scanner, and login security in one plugin. It also emails you about security events. It is not a substitute for the basics above but adds a useful layer of detection and protection.
  • Check your site regularly from incognito mode. Visit your own site from a private browser window occasionally. This bypasses caching and shows you what visitors actually see — including any injected content or redirects that your logged-in view might hide.