I've been doing this long enough to have gotten the dreaded "your site has been hacked" email. Not fun. Here's the thing though - most hacks aren't these sophisticated spy movie attacks. They're basic stuff that could have been prevented. This checklist covers the stuff that actually matters.

1. Update. Everything. Regularly.

Outdated plugins and themes cause the vast majority of WordPress hacks. I know, updates can be annoying - especially when something breaks afterwards. But an outdated site is an invitation. Turn on automatic updates for minor releases and use CrunchHub to manage updates across all your sites from one place.

2. Stop Using Weak Passwords

Please tell me you're not still using "admin123" or "password". Or worse - the same password for everything. Get a password manager. Turn on two-factor authentication. Guardian makes the 2FA part really simple. It takes an extra 10 seconds to log in and saves you days of cleanup if you get hacked.

3. Install a Firewall

Guardian's firewall blocks something like 99% of automated attacks before they even reach your site. SQL injection, XSS, brute force login attempts - it catches all of it. Think of it as a bouncer for your website. Nobody gets in without going through security first.

🔐 Real talk: Turn on Guardian's firewall before anything else. I've seen it block thousands of attack attempts in a single day on a relatively small site. It's worth it.

4. Change Your Login URL

Bots automatically target /wp-admin and /wp-login.php. Change your login URL and 90% of automated attacks stop immediately. Guardian has a one-click option for this. Easy win.

5. Limit Login Attempts

Brute force attacks try thousands of passwords per minute. Limit login attempts to 3-5 before a temporary lockout. The bot moves on to an easier target. Simple fix, huge impact.

6. Get SSL Set Up

If your site doesn't have SSL in 2026, we need to talk. SSL encrypts data between your server and visitors. Without it, passwords and form submissions are sent in plain text - anyone on the same network can read them. Most hosts include free SSL these days through Let's Encrypt.

7. Run Regular Malware Scans

Guardian can schedule automatic malware scans. If something shows up, quarantine it and figure out what happened. Better to catch it early than find out from Google when they flag your site as unsafe.

8. Disable File Editing

Add define('DISALLOW_FILE_EDIT', true); to your wp-config.php. If someone gets admin access, this stops them from editing theme and plugin files directly through the WordPress admin. Small change, big security win.

9. Backup Everything

Even with perfect security, stuff happens. Server crashes, botched updates, that one time you accidentally deleted the wrong table (we've all been there). SafeVault does automated daily backups with one-click restore. Store backups off-site so a server failure doesn't take your backups with it.

10. Review Who Has Access

Go through your user list right now. How many people have admin access? Do they all need it? Remove inactive accounts. Each extra admin is another potential entry point. I clean up user permissions every few months and I'm always surprised at who's still hanging around.

11. Hide Your WordPress Version

Attackers target specific version vulnerabilities. If they can't tell what version you're running, they can't target known exploits. It's not a complete solution, but it raises the bar.

12. Secure Your wp-config.php

This file has your database credentials. Keep it safe. Set proper file permissions (640 or 600). If you can, move it above the web root directory. And don't ever paste it into a forum asking for help - I've seen people do that.
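The two wp-config.php points above (DISALLOW_FILE_EDIT from item 8, the 600/640 permissions from item 12), as an added shell example that is not code from the original post: it audits whichever wp-config.php path you hand it and can apply both fixes, assuming a POSIX shell with find, grep -E and awk available.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a wp-config.php for the two
# hardening points above (owner-only permissions, DISALLOW_FILE_EDIT) and apply them.
# Assumes POSIX sh, find, grep -E and awk; the path is whatever you pass in.

# Symbolic mode string for reporting, e.g. -rw-r--r--.
mode_of() { ls -l "$1" | cut -c1-10; }

# 0 if the file is exactly 600 or 640 (find -perm with an octal mode is an exact match).
perms_ok() { [ -n "$(find "$1" \( -perm 600 -o -perm 640 \) -print)" ]; }

# 0 if DISALLOW_FILE_EDIT is defined true on an uncommented line; a commented-out
# or "false" define does not count.
file_edit_disabled() {
  pat="^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
  grep -Eq "$pat" "$1"
}

# Report each check; the return value is the number of failed checks.
audit_wp_config() {
  f=$1 fails=0
  if perms_ok "$f"; then echo "OK   mode $(mode_of "$f")"
  else echo "FAIL mode $(mode_of "$f"), want 600 or 640"; fails=$((fails + 1)); fi
  if file_edit_disabled "$f"; then echo "OK   DISALLOW_FILE_EDIT is set"
  else echo "FAIL DISALLOW_FILE_EDIT not set"; fails=$((fails + 1)); fi
  return $fails
}

# Apply both fixes. The define is inserted before the "That's all, stop editing!"
# marker (or before the wp-settings.php require), so it is in place before WordPress
# loads; it is appended only if neither line exists. Writing back with cat keeps the
# file's inode, owner and group.
harden_wp_config() {
  f=$1
  if ! file_edit_disabled "$f"; then
    awk -v line="define('DISALLOW_FILE_EDIT', true);" '
      /That.s all, stop editing|wp-settings\.php/ && !done { print line; done = 1 }
      { print }
      END { if (!done) print line }
    ' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
  fi
  chmod 640 "$f"
}

# Usage: sh wp-config-audit.sh /var/www/html/wp-config.php   (audit only)
#        then call harden_wp_config on the same path to apply the fixes.
if [ -n "${1:-}" ]; then audit_wp_config "$1"; fi
```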

13. Monitor Activity

Know what's happening on your site. Who logged in? What did they change? When? Guardian includes audit logging so you can spot suspicious activity early. That random login at 3 AM from a different country? Probably not your client in Australia checking their blog.

14. Keep Learning

Security threats evolve constantly. New vulnerabilities get discovered every week. Follow a few WordPress security blogs, subscribe to update notifications, and stay aware. The moment you stop paying attention is when something slips through.

Here's my honest advice - start with updates, strong passwords, and a firewall. That covers about 90% of common attacks. Add the rest over time. Security is a journey, not a destination. But the first steps are simple and they make a huge difference.
