WordPress powers 43% of all websites but accounts for 90% of all hacked CMS sites: here's how to secure yours
WordPress is the most popular content management system in Australia, running everything from small business websites to government portals. But its popularity makes it the biggest target: according to Sucuri's annual report, WordPress accounted for 90% of all hacked CMS platforms in 2025. That figure says more about market share than about core code quality: the weaknesses attackers actually exploit are almost always in plugins, themes, or misconfiguration, not in WordPress core itself.
The five most common WordPress attack vectors
1. Vulnerable plugins (52% of all WordPress vulnerabilities)
WordPress plugins are the primary attack surface. The official directory alone holds over 60,000 plugins with widely varying levels of security review, and a single vulnerable plugin can compromise the entire site, because plugin code runs with the same privileges as WordPress itself. Attackers fingerprint installed plugins and their versions automatically (the readme.txt and versioned asset URLs give them away) using tools like WPScan, then match the results against public advisories.
Action: Remove all unused plugins (delete them; a deactivated plugin's PHP files are still reachable on disk). Update remaining plugins within 48 hours of a security release. Only use plugins from developers with an active maintenance history, and treat a plugin that has not been updated in over a year, or that has been closed in the wordpress.org directory, as a liability.
2. Brute force attacks on wp-login.php
Automated tools attempt thousands of username/password combinations against wp-login.php (and, through the system.multicall method, against xmlrpc.php). Default admin usernames ("admin", "administrator") make this trivially easy, and WordPress leaks real usernames through author archives (/?author=1) and the REST API (/wp-json/wp/v2/users) unless those are restricted.
Action: Rename admin accounts. Implement login attempt limiting (3-5 attempts before lockout). Add MFA to all WordPress admin accounts. Changing the login URL (wp-login.php; /wp-admin only redirects to it) is obscurity that cuts scanner noise but does not stop a targeted attacker, so treat it as optional and never as a substitute for MFA.
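The login limiting and XML-RPC steps above, as an added example written for this article (it is not code from WordPress core or from any of the plugins named later). It is a must-use plugin that counts failures per source IP in a transient and refuses authentication once the limit is hit; the limit, the lockout window and the transient key prefix are assumptions chosen to match the checklist.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (article example)
 * Place in wp-content/mu-plugins/ so it loads before every plugin and cannot be deactivated.
 */

// Assumptions for this example: 5 failures, then a 15-minute lockout per source IP.
const LAL_MAX_ATTEMPTS    = 5;
const LAL_LOCKOUT_SECONDS = 900;

function lal_client_ip(): string {
    // REMOTE_ADDR is the one address the client cannot forge. Behind a reverse proxy
    // or CDN, have the proxy rewrite REMOTE_ADDR (mod_remoteip, nginx real_ip_header)
    // rather than trusting X-Forwarded-For here, which any client can set.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lal_key(): string {
    return 'lal_fail_' . md5(lal_client_ip());
}

function lal_is_locked_out(): bool {
    return (int) get_transient(lal_key()) >= LAL_MAX_ATTEMPTS;
}

// Count failures per source IP. The transient expires on its own, which is the lockout
// window; every further attempt during the lockout renews it.
add_action('wp_login_failed', function ($username): void {
    $attempts = (int) get_transient(lal_key());
    set_transient(lal_key(), $attempts + 1, LAL_LOCKOUT_SECONDS);
}, 10, 1);

// Refuse authentication while locked out. Priority 99 runs after WordPress's own
// username/password check (priority 20), so a correct password cannot override the
// verdict, and the same generic message is returned whether or not the password was
// right: a lockout must not become a password oracle.
add_filter('authenticate', function ($user, $username, $password) {
    if (lal_is_locked_out()) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.', 'lal')
        );
    }
    return $user;
}, 99, 3);

// Clear the counter on success so one typo earlier in the day does not lock a real user out later.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(lal_key());
}, 10, 2);

// XML-RPC bypasses wp-login.php entirely and its system.multicall method lets one request
// carry hundreds of password guesses; turn it off unless a client genuinely needs it.
add_filter('xmlrpc_enabled', '__return_false');
```

Two caveats a practitioner should keep in mind: per-IP limiting penalises everyone behind a shared NAT or corporate proxy, and a distributed attacker rotates source addresses faster than any counter fills, which is why the limiter reduces noise but MFA is what actually stops credential stuffing.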
3. Outdated WordPress core
Running an outdated WordPress version exposes your site to every vulnerability patched in newer releases. WordPress publishes security advisories publicly, and attackers use them as a roadmap to exploit unpatched sites.
Action: Enable automatic minor updates (security releases). Apply major updates within one week. Test updates on a staging environment first if your site has custom functionality.
4. Insecure file permissions
Incorrect file permissions let an attacker who already has limited access (a compromised neighbouring site on shared hosting, a low-privileged shell, a plugin with an arbitrary-file-write bug) escalate to full control by writing PHP into your document root. The most dangerous misconfiguration is world-writable files and directories (chmod 777).
Action: Set directories to 755, files to 644, and wp-config.php to 400 or 440 (400 only works when PHP runs as the file owner; otherwise use 440 with the web server's group). The only tree that legitimately needs write access from the PHP process is wp-content/uploads, plus any cache directory a plugin uses. Never use 777 permissions on any file or directory.
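A small audit script for the permission baseline above, added for this article (not part of WordPress; security plugins ship their own scanners). It walks the install, reports every entry whose mode differs from the baseline, flags world-writable ones, and applies the baseline when run with --fix. The baseline constants and the command-line flags are assumptions.

```php
<?php
// audit-perms.php: report (and optionally fix) WordPress file modes.
// Usage: php audit-perms.php /var/www/html [--fix]
// Assumption: the web server runs as a user other than the file owner; if PHP
// runs as the owner, 644 still lets a compromised PHP process write, and
// wp-content/uploads needs 775/664 with the web server's group before you --fix.

const DIR_MODE    = 0755;
const FILE_MODE   = 0644;
const CONFIG_MODE = 0440;   // wp-config.php: owner and group may read, nobody else

function expected_mode(SplFileInfo $f): int {
    if ($f->isDir()) {
        return DIR_MODE;
    }
    if ($f->getFilename() === 'wp-config.php') {
        return CONFIG_MODE;
    }
    return FILE_MODE;
}

/** Return [path => [actual, expected]] for every entry whose mode differs from the baseline. */
function audit(string $root): array {
    $bad = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $f) {
        $actual = $f->getPerms() & 0777;
        $want   = expected_mode($f);
        if ($actual !== $want) {
            $bad[$f->getPathname()] = [$actual, $want];
        }
    }
    return $bad;
}

/** Apply the expected mode to each flagged entry; returns how many were changed. */
function fix(array $bad): int {
    $fixed = 0;
    foreach ($bad as $path => [$actual, $want]) {
        if (chmod($path, $want)) {
            $fixed++;
        }
    }
    return $fixed;
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $root = $argv[1] ?? '.';
    $bad  = audit($root);
    foreach ($bad as $path => [$actual, $want]) {
        // Anything with the "other write" bit (o+w) set is the 777-style case the text warns about.
        $flag = ($actual & 0002) ? '  WORLD-WRITABLE' : '';
        printf("%s %04o -> %04o%s\n", $path, $actual, $want, $flag);
    }
    if (in_array('--fix', $argv, true)) {
        printf("fixed %d entries\n", fix($bad));
    }
    exit($bad === [] ? 0 : 1);   // non-zero exit makes it usable as a CI or cron check
}
```

Run it from cron and alert on a non-zero exit: a file that suddenly becomes world-writable, or a new .php file in uploads, is often the first visible sign of a compromised plugin.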
5. SQL injection through forms and parameters
Forms, search fields, and URL parameters whose values are concatenated into SQL without validation or parameterisation let attackers read, modify, or delete the entire database, including customer data and the password hashes in wp_users.
Action: Use parameterised queries in any custom code. In WordPress that means $wpdb->prepare() with %d and %s placeholders, never string concatenation into $wpdb->query() or $wpdb->get_results(); note that esc_sql() on its own does not protect an unquoted numeric context such as WHERE id = 1 OR 1=1. Review the database code of plugins before installing them, since string-built queries are the pattern behind most WordPress SQL injection advisories. Add a Web Application Firewall (WAF) as defence in depth, not as a substitute: signature-based WAF rules are routinely bypassed with encoding tricks.
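The vulnerable pattern next to its hardened forms, as an added example for this article (not code from WordPress core or any plugin). It assumes a custom plugin table named {$wpdb->prefix}orders with columns id, customer_email and status, and goes a little beyond the text by also covering LIKE searches, variable-length IN lists and identifiers, the three places where developers who already know about prepare() still get it wrong.

```php
<?php
// Assumed schema for this example: {$wpdb->prefix}orders (id INT, customer_email VARCHAR, status VARCHAR).

// VULNERABLE: untrusted input concatenated into SQL. With ?order=1 OR 1=1 every row
// comes back; with a UNION the attacker reads wp_users.user_pass hashes. Wrapping the
// value in esc_sql() does not help here: there is nothing to quote in "1 OR 1=1".
function get_order_vulnerable(string $order_id) {
    global $wpdb;
    return $wpdb->get_row("SELECT * FROM {$wpdb->prefix}orders WHERE id = " . $order_id);
}

// HARDENED: the value never touches the SQL string; %d coerces it to an integer.
function get_order(int $order_id) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}orders WHERE id = %d", $order_id)
    );
}

// Strings: %s is quoted and escaped by prepare(). For LIKE, escape the wildcards first,
// otherwise a search for "%" enumerates every customer.
function find_orders_by_email(string $fragment): array {
    global $wpdb;
    $like = '%' . $wpdb->esc_like($fragment) . '%';
    return $wpdb->get_results(
        $wpdb->prepare("SELECT id, status FROM {$wpdb->prefix}orders WHERE customer_email LIKE %s", $like)
    );
}

// Variable-length IN (...) lists: one placeholder per value, never implode() raw input.
function get_orders_by_ids(array $ids): array {
    global $wpdb;
    $ids = array_map('intval', $ids);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    return $wpdb->get_results(
        $wpdb->prepare("SELECT id, status FROM {$wpdb->prefix}orders WHERE id IN ($placeholders)", ...$ids)
    );
}

// Identifiers (table and column names) cannot be bound as values. Whitelist them, and on
// WordPress 6.2 or later also pass them through the %i identifier placeholder.
function get_orders_sorted(string $column): array {
    global $wpdb;
    $allowed = ['id', 'status', 'customer_email'];
    if (!in_array($column, $allowed, true)) {
        $column = 'id';
    }
    return $wpdb->get_results(
        $wpdb->prepare("SELECT id, status FROM {$wpdb->prefix}orders ORDER BY %i", $column)
    );
}

// Typical caller: check authorisation, validate the type at the boundary, then pass it through.
add_action('wp_ajax_get_order', function (): void {
    if (!current_user_can('manage_options')) {
        wp_send_json_error(null, 403);
    }
    wp_send_json(get_order(absint($_GET['order'] ?? 0)));
});
```

Two things prepare() will not do for you: it does not validate that the input makes sense for your application (absint() and the whitelist above do that), and it does not authorise the caller, which is why the AJAX handler checks a capability before touching the database at all.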
WordPress security hardening checklist
Authentication
- ☐ Admin username changed from "admin"
- ☐ Strong passwords enforced (minimum 12 characters)
- ☐ MFA enabled on all admin and editor accounts
- ☐ Login attempt limiting configured (max 5 attempts)
- ☐ XML-RPC disabled (unless a client such as the WordPress mobile app or Jetpack needs it; its system.multicall method lets one request carry hundreds of login attempts)
Updates and plugins
- ☐ WordPress core auto-updates enabled for minor releases
- ☐ All plugins updated to latest versions
- ☐ All themes updated to latest versions
- ☐ Unused plugins deleted (not just deactivated)
- ☐ Unused themes deleted (keep only active theme + one default theme)
Configuration
- ☐ File editing disabled in wp-config.php (define('DISALLOW_FILE_EDIT', true);)
- ☐ Debug mode disabled in production (define('WP_DEBUG', false);)
- ☐ Database table prefix changed from the default wp_ (low value on its own: an attacker with SQL injection can read the real prefix from information_schema, so this only deflects the laziest scripted attacks)
- ☐ Directory browsing disabled
- ☐ wp-config.php moved one directory above the web root (WordPress looks there automatically) or access to it blocked in the web server configuration
Hosting and server
- ☐ PHP version still within its security-support window (8.1 or higher at the time of writing; check php.net/supported-versions)
- ☐ Security headers configured (HSTS, CSP, X-Frame-Options)
- ☐ SSL/TLS certificate installed and HTTPS enforced
- ☐ Web Application Firewall (WAF) enabled
- ☐ Regular automated backups with offsite storage, and a restore tested at least once (a backup stored only on the same server is lost with it)
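Where the Configuration and Hosting items above actually live, as an added example for this article (not WordPress core's own defaults). Two files are shown in one block: the wp-config.php constants, then a must-use plugin that sends the security headers. The header values, the CSP policy and the plugin filename are assumptions for a typical production site.

```php
<?php
// 1) wp-config.php: add above the "That's all, stop editing!" line.
define('DISALLOW_FILE_EDIT', true);      // removes the theme/plugin editor, a favourite post-login web-shell drop
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);       // never print stack traces or queries to visitors
define('WP_AUTO_UPDATE_CORE', 'minor');  // security and minor releases apply automatically, majors stay manual
define('FORCE_SSL_ADMIN', true);         // login and wp-admin over HTTPS only

// 2) wp-content/mu-plugins/security-headers.php (assumed filename).
// send_headers fires for front-end requests only; wp-admin, wp-login.php and static
// assets are not covered, so set the same headers at the web server or CDN as well.
add_action('send_headers', function (): void {
    if (headers_sent()) {
        return;
    }
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // Start CSP in report-only mode: themes and plugins that inject inline scripts will
    // break under an enforcing policy until they are fixed, and report-only shows you which.
    header("Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; frame-ancestors 'self'");
});
```

Avoid DISALLOW_FILE_MODS here if you rely on automatic updates: it blocks installs and updates from wp-admin, but it also disables the automatic updater, so it only belongs on sites where every update is applied through WP-CLI or a deployment pipeline.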
Recommended security plugins
If you must use a security plugin, choose one, not three. Multiple security plugins conflict with each other, duplicate scans, and add their own code (and therefore their own vulnerabilities) to the site:
- Wordfence: endpoint firewall, malware scanning, login security (most popular, free tier available)
- Sucuri Security: cloud-based WAF, malware scanning, DDoS protection
- iThemes Security (now Solid Security): file change detection, login hardening, database backups
Use one security plugin maximum. The rest of your security should come from proper configuration, the hosting environment, and regular updates, not from plugin stacking.
When to consider moving away from WordPress
WordPress is a powerful platform, but it's not the right choice for every situation. Consider alternatives if:
- Your site is primarily a brochure/informational site with infrequent content changes: a static site generator (Next.js, Hugo, Astro) removes the server-side CMS attack surface entirely, since there is no PHP, no login page and no database in production; what remains to protect is the build pipeline and the host
- You have no technical staff to maintain updates: a managed platform (Squarespace, Webflow) patches the platform for you, although account security (MFA) and the content are still your responsibility
- Your site handles sensitive data (health, financial, legal): a custom application with purpose-built security controls may be more appropriate
Is your WordPress site secure?
RabbiiCo Studio's free Attack Surface Scan checks your WordPress site for vulnerable plugins, misconfigurations, and exposed files. We also offer full WordPress VAPT for businesses that need thorough testing.