3 Simple Ways to Protect Your WordPress Website

12 December 2025

Sean Horton

In Brief

  • Strong passwords combined with two-factor authentication prevent most unauthorised access
  • A security plugin provides firewall protection and malware scanning with minimal setup
  • Login lockdown features block hackers trying to guess your password automatically
  • All three methods are free and take around 30 minutes total to implement
  • These basics stop most WordPress attacks before they succeed

Your WordPress website is under constant attack, and that’s not an exaggeration.

Security researchers report that the average WordPress site faces around 43 login attempts from hackers every single day. Most of these come from automated bots trying to guess passwords using lists of common credentials.

Fortunately you don’t need to be a security expert to protect yourself.

Most successful WordPress hacks happen because of weak passwords or unprotected login pages. These are problems you can fix today, without spending any money or learning to code.

This guide covers three straightforward security measures that will dramatically reduce your risk.

Each one takes about 10 minutes to set up, and they all use free plugins from the WordPress repository. By the time you finish reading, you’ll know exactly how to protect your site.

Why Your WordPress Site Needs Protection

You might think your small business website isn’t worth hacking. After all, you’re not a bank or a government department.

Hackers don’t manually pick targets.

They use automated tools that scan thousands of WordPress sites looking for easy entry points. Your site is just as likely to be targeted as any other.

Once inside, attackers can steal customer data, install malware, send spam emails from your server, or redirect your visitors to dangerous websites.

For UK businesses, there’s also the GDPR to consider.

If customer data is compromised because you didn’t take reasonable security steps, you could face significant fines. The Information Commissioner’s Office takes data protection seriously.

The consequences of a hack include lost revenue, damaged reputation, and the cost of cleaning up the mess. Prevention is far easier than recovery.

Method 1: Use Strong Passwords and Enable Two-Factor Authentication

Your password is the first barrier between hackers and your WordPress admin area.

Unfortunately, it’s often the weakest link. Research suggests that compromised passwords play a role in around 80% of data breaches.

A strong password should be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and symbols. Avoid anything obvious like your business name, “password123”, or keyboard patterns like “qwerty”.

You should also change your username if it’s still set to “admin”, as this is the first thing attackers try.

The easiest way to manage strong passwords is with a password manager. Tools like Bitwarden (free) or 1Password create and store complex passwords so you don’t have to remember them. You only need one master password to unlock all your stored credentials.

A strong password helps, but it’s not enough on its own. If someone does manage to steal or guess your password, you need a second layer of protection.

How to Set Up Two-Factor Authentication

Two-factor authentication (2FA) adds an extra verification step when you log in.

After entering your password, you also need to provide a unique code from your phone. Even if a hacker has your password, they can’t access your account without that code.

Setting up 2FA takes about five minutes:

  1. Install a 2FA plugin from your WordPress dashboard. Wordfence Login Security is a popular free option.
  2. Download an authenticator app on your phone. Google Authenticator and Authy are both free and work well.
  3. Open the plugin settings and scan the QR code with your authenticator app.
  4. Enter the code shown in your app to confirm everything is working.
  5. Save your backup codes somewhere safe. These let you log in if you lose your phone.

From now on, logging into your WordPress admin will require both your password and a code from your phone.

This single change blocks nearly all unauthorised login attempts.


Method 2: Install a Security Plugin

A security plugin protects your entire WordPress installation, watching for threats and blocking suspicious activity across your whole site.

Think of it as a security system for your website.

A good security plugin offers several layers of protection. The firewall blocks malicious traffic before it reaches your site. Malware scanning checks your files for anything suspicious. Real-time monitoring alerts you to potential problems before they cause damage.

Which Security Plugin Should You Choose?

Wordfence Security is the most widely used WordPress security plugin, protecting over 5 million sites. The free version includes a web application firewall, malware scanner, login security features, and real-time threat defence. It’s regularly updated as new threats emerge.

To set up Wordfence:

  • Install and activate the plugin from your WordPress dashboard.
  • Complete the initial setup wizard.
  • Let the plugin run its first scan of your site.
  • Review any issues it finds and follow the recommended fixes.

Sucuri Security is a good alternative if you prefer a different approach. The free version offers security activity auditing, file integrity monitoring, and remote malware scanning.

Choose one or the other, not both.

Most small business sites only need one security plugin. Running multiple security plugins can cause conflicts and slow down your site. Pick one, set it up properly, and stick with it.


Method 3: Add Login Lockdown Protection

Hackers often use “brute force” attacks against WordPress sites. This means automated software tries thousands of username and password combinations until it finds one that works.

Without protection, your WordPress login page allows unlimited attempts, giving attackers as many guesses as they need.

Login lockdown protection changes this.

After a set number of failed login attempts, it temporarily blocks that IP address from trying again. This makes brute force attacks practically useless because attackers get locked out long before they can guess correctly.

Using Your Security Plugin’s Built-in Protection

If you installed Wordfence in Method 2, you already have login lockdown protection. Wordfence includes brute force protection as standard, and it’s enabled by default.

You can adjust the settings by going to Wordfence > All Options > Brute Force Protection in your WordPress dashboard.

Check that these settings are active:

  • Enable brute force protection (should be on by default)
  • Lock out after a set number of failed login attempts
  • Lock out after a set number of forgotten password attempts

If you’re using a different security plugin, check its settings for similar login protection features.

Most security plugins include this functionality.

Installing a Dedicated Login Lockdown Plugin

If your security plugin doesn’t include login protection, or if you want a standalone solution, you can install a dedicated plugin instead.

Limit Login Attempts Reloaded is the most popular option, with over 2.5 million active users. The free version tracks failed login attempts, blocks IP addresses after too many failures, and sends you email notifications when lockouts occur.

Login LockDown is another solid choice with over 100,000 users. It records failed attempts and blocks repeat offenders. The default settings lock out an IP address for one hour after three failed attempts within five minutes.

To set up either plugin:

  • Go to Plugins > Add New in your WordPress dashboard.
  • Search for your chosen plugin and click Install, then Activate.
  • Go to Settings and find the plugin’s options page.
  • Review the default settings. For most sites, the defaults work well.
  • Make sure email notifications are enabled so you know about blocked attempts.

You’ll likely start receiving notifications about blocked login attempts almost immediately. This shows the protection is working.
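The lockout rule described above (three failed attempts within five minutes blocks the IP for one hour), together with the safelist mentioned in the FAQ, as an added example that is not code from any of the plugins named: the class replays a constructed sequence of login events and returns which ones are refused, including a correct password arriving while the address is still locked out.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class LoginLockdown:
    """Per-IP lockout with the Login LockDown defaults quoted above: three failed
    logins within five minutes block that IP for one hour."""
    max_failures: int = 3
    window: int = 300          # seconds in which failures are counted
    lockout: int = 3600        # seconds an IP stays blocked
    safelist: set = field(default_factory=set)  # your own IP, never locked out
    _failures: dict = field(default_factory=lambda: defaultdict(deque), init=False)
    _locked_until: dict = field(default_factory=dict, init=False)

    def attempt(self, ip: str, success: bool, now: int) -> str:
        """Process one login attempt and return the outcome to log."""
        if ip in self.safelist:
            return "ok" if success else "failed"
        if self._locked_until.get(ip, 0) > now:
            return "blocked"  # refused before the password is even checked
        if success:
            self._failures.pop(ip, None)
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        while recent[0] <= now - self.window:  # forget failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"

# Constructed sample login events: (seconds since midnight, client IP, password correct?)
SAMPLE_EVENTS = [
    (0, "198.51.100.7", False),     # bot working through a list of common passwords
    (20, "198.51.100.7", False),
    (45, "198.51.100.7", False),    # third failure inside five minutes: locked for an hour
    (60, "198.51.100.7", True),     # even the right password is refused while locked
    (90, "203.0.113.5", False),     # the site owner mistypes once
    (120, "203.0.113.5", True),
    (3700, "198.51.100.7", False),  # lockout expired; counting starts again from one
]

def run(events, safelist=()):
    """Replay events through one LoginLockdown; returns (time, ip, outcome) rows."""
    guard = LoginLockdown(safelist=set(safelist))
    return [(t, ip, guard.attempt(ip, ok, t)) for t, ip, ok in events]
```

Run `run(SAMPLE_EVENTS)` to see the bot's third failure return "locked" and its later correct guess return "blocked", while the owner's single typo is only "failed".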

Don’t Be Alarmed by the Numbers

Once your security measures are in place, you’ll probably notice a steady stream of blocked login attempts. Some site owners see dozens or even hundreds of failed attempts per week. This can feel unsettling at first.

Try not to worry. These attacks aren’t personal.

Automated bots scan the entire internet looking for vulnerable WordPress sites, and they’ll try yours whether you’re a local florist or a multinational company. The bots don’t know or care what your site is about. They’re just looking for easy targets.

The fact that you’re seeing blocked attempts is actually good news. It means your security is working. Those bots are hitting a wall instead of getting through. Before you installed these protections, the same attempts were happening; you just couldn’t see them.

Putting It All Together

You now have three practical methods to protect your WordPress website:

  1. Strong passwords plus two-factor authentication
  2. A security plugin for site-wide protection
  3. Login lockdown to block brute force attacks

Implement them in this order.

Strong passwords and 2FA come first because they protect your most vulnerable point. The security plugin adds broad protection including firewall and malware scanning. Login lockdown may already be covered by your security plugin, but check the settings to make sure it’s active.

One more thing: always keep your WordPress core, themes, and plugins updated.

Updates often include security patches that fix known vulnerabilities. You can enable automatic updates for minor WordPress releases in your dashboard settings.

These measures won’t make your site completely unhackable. Nothing will. But they stop most automated attacks and opportunistic hackers.

For small business websites, this level of protection is exactly right.

If you handle sensitive customer data, process payments, or want extra peace of mind, consider working with a WordPress professional to implement additional security measures. But these three basics give you a solid foundation that many sites lack entirely.


Frequently Asked Questions

Two-factor authentication (2FA) requires something you know (your password) and something you have (your phone) to log in. This means even if someone steals your password, they still cannot access your account without physical access to your phone. It’s one of the most effective ways to prevent unauthorised access.

Good security plugins like Wordfence and Limit Login Attempts Reloaded are designed to have minimal impact on site speed. They run efficiently in the background. If you notice any slowdown, check your plugin settings or contact your hosting provider. Avoid running multiple security plugins at once, as this can cause conflicts.

Yes, for most small business websites, free security plugins provide excellent protection. Wordfence Free includes a firewall, malware scanner, and login security features. Paid versions add extras like real-time threat updates, but free versions cover the essentials that stop most attacks.

If a login lockdown feature blocks you after too many failed attempts, wait for the lockout period to end (usually one hour). If you need immediate access, you can disable the plugin temporarily by renaming its folder via FTP or your hosting file manager. Once logged in, add your IP address to the plugin’s safelist to prevent future lockouts.

Change your password immediately if you suspect it has been compromised. Otherwise, focus on using a strong, unique password rather than changing it frequently. Security experts now recommend keeping a strong password long-term rather than regularly changing weak ones. A password manager makes this much easier.

A brute force attack uses automated software to try thousands of password combinations against your login page. Without protection, attackers can keep trying indefinitely. Login lockdown blocks IP addresses after several failed attempts, so attackers get locked out long before they can guess correctly.

No. Wordfence includes brute force protection as part of its free version. Check your Wordfence settings under Brute Force Protection to make sure it’s enabled and configured. You only need a separate login lockdown plugin if your security plugin doesn’t include this feature.

Your hosting provider’s security protects the server, but not your WordPress installation specifically. A WordPress security plugin adds protection designed specifically for WordPress, including firewall rules that understand WordPress vulnerabilities, malware scanning of your themes and plugins, and login protection. Both work together for better security.

About the author

Sean has been building, managing and improving WordPress websites for 20 years. In the beginning this was mostly for his own financial services businesses and some side hustles. Now this knowledge is used to maintain and improve client sites.
