Most small business owners only think about WordPress security after something breaks. By then you’re paying to clean up malware, explain a defaced homepage to customers, or wait for a host to restore a backup you hoped existed. This WordPress security checklist is the version of that conversation we’d rather have with you first, over coffee, before anything goes wrong. It’s written for Australian small business owners running WordPress, with no assumption you know what a firewall is. Work through it once and you’ll close the gaps that catch out most sites.
Why this matters more than you think
WordPress powers a huge share of the web, which makes it a constant target. Across 2025, researchers logged 11,334 new vulnerabilities in the WordPress ecosystem, up 42% on the year before, and an estimated 13,000 sites are hacked every single day. The uncomfortable part is how fast it happens: the median time from a flaw being made public to it being attacked at scale is about five hours.
The cost lands hardest on small businesses. The Australian Cyber Security Centre reports the average cost of cybercrime on a small business has climbed to roughly $56,600, and 43% of reported cybercrime targets small businesses. Recovering a hacked site often runs into the thousands once you add clean-up, lost sales and the time you don’t get back. Set against a few dollars a month for proper protection, prevention wins every time.
Your quick WordPress security checklist
Here’s the whole thing at a glance. The rest of the article explains how to action each one.
| # | Task | How often |
|---|---|---|
| 1 | Update core, themes and plugins | Weekly |
| 2 | Turn on two-factor authentication | Once, then enforce |
| 3 | Use strong passwords and limit login attempts | Once, then review |
| 4 | Install a security plugin with a firewall | Once, then monitor |
| 5 | Run automated daily backups, stored off-site | Daily, automated |
| 6 | Force HTTPS across the whole site | Once, then check |
| 7 | Audit users and remove old accounts | Quarterly |
| 8 | Choose a host that takes security seriously | At signup and renewal |
1. Keep everything updated
Almost every WordPress hack traces back to outdated software. Of those 11,334 vulnerabilities found in 2025, 91% were in plugins and themes, not WordPress itself. The core software is genuinely well-maintained, with only six flaws found in core all year. The risk lives in the extras you bolt on.
Why old plugins are the weak link
When a plugin maker patches a flaw, the fix is public, and so is the flaw. Attackers scan the web for sites still running the old version, often within hours. Every plugin you haven’t updated is a door someone already has the key to. The same goes for themes, including the ones you switched away from but never deleted.
How to stay on top of it
Log in weekly and clear every available update, or have a maintenance plan do it for you. Before updating a live site, take a backup so you can roll back if an update clashes with something. Delete any plugin or theme you’re not actively using, because dormant code still gets exploited. If you’d rather not babysit this, our website maintenance plans handle updates and testing for you on a schedule.
2. Lock down your logins
Your login page is the front door, and it’s where most automated attacks start. Bots hammer wp-login.php with thousands of username and password guesses, a tactic called a brute-force attack. Two changes shut this down.
First, turn on two-factor authentication for every account that can reach the dashboard. With two-factor authentication, a stolen password isn’t enough on its own, because logging in also needs a code from your phone. Most security plugins add this in a few clicks. Second, limit login attempts so an account locks after a handful of wrong guesses, which makes brute-forcing pointless.
While you’re there, get rid of the default “admin” username if your site still has one, since it’s the first guess every bot makes. Pair that with a long, unique password stored in a password manager, and the front door is suddenly very hard to force.
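To show what "limit login attempts" does behind the scenes, here is a small must-use plugin written as an added example for this article (it is not the page's own code and not any of the named plugins'). It locks a username after five wrong guesses from the same address for 15 minutes, and assumes the server sees the visitor's real address in REMOTE_ADDR; behind Cloudflare or another proxy the host has to pass that address through first.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it automatically.
 * Assumption: REMOTE_ADDR is the real visitor address (not true behind a proxy).
 */

const LOGIN_LIMIT_MAX_ATTEMPTS = 5;                       // wrong guesses before lockout
const LOGIN_LIMIT_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;  // how long the lockout lasts

// One counter per (username, source address) pair, stored as a WordPress transient.
function login_limit_key( string $username ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'login_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

// WordPress fires wp_login_failed with the username that was tried; count it.
// A guess made during a lockout also lands here, so the timer restarts each time.
add_action( 'wp_login_failed', function ( string $username ): void {
    $key      = login_limit_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LOGIN_LIMIT_LOCKOUT_SECS );
    if ( $attempts >= LOGIN_LIMIT_MAX_ATTEMPTS ) {
        error_log( sprintf( 'Login lockout for "%s" from %s',
            $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    }
} );

// Priority 30 runs after WordPress's own password checks (priority 20), so a locked
// account is refused even when the guess happens to be right.
add_filter( 'authenticate', function ( $user, string $username ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( login_limit_key( $username ) ) >= LOGIN_LIMIT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again in 15 minutes.' )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter so an honest typo does not linger.
add_action( 'wp_login', function ( string $user_login ): void {
    delete_transient( login_limit_key( $user_login ) );
} );
```

A maintained security plugin does the same job with more care (proxy handling, whitelisting, notifications); the point here is to see the mechanism, not to replace the plugin.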
3. Install a security plugin and a firewall
A good security plugin is the difference between finding out about an attack and never knowing it happened. The two names most Australian small businesses land on are Wordfence and Sucuri, and either does the core job well.
What a firewall actually does
A web application firewall, or WAF, sits in front of your site and filters traffic before it reaches WordPress. It blocks known attack patterns, bad bots and suspicious requests automatically. Given that 43% of 2025’s vulnerabilities could be exploited without anyone even logging in, a firewall that stops the request at the door is doing real work. A network-level firewall like the one Cloudflare explains here adds another layer further out.
Scanning and monitoring
Beyond the firewall, your security plugin should scan files regularly for malware and changes, and alert you the moment something looks off. The faster you know, the smaller the clean-up. Set it to email you on anything serious, and don’t ignore those emails when they land.
4. Back up your site, automatically
Backups are the safety net that turns a disaster into an inconvenience. If your site is defaced or a plugin update breaks something, a recent backup lets you roll back to yesterday in minutes instead of rebuilding from nothing.
The rules are simple. Back up daily if your site changes often, and store those backups off the main server, so a hacked site doesn’t take your backups down with it. Cloud storage or a backup service handles this automatically. Most importantly, test a restore at least once. A backup you’ve never restored is a guess, not a safety net. Many quality hosts include automated off-site backups, which is one less thing for you to run.
5. Use HTTPS and a secure host
If your address still shows “http” rather than “https”, fix that today. An SSL certificate encrypts the connection between your visitor and your site, which protects any data they enter and is expected by both customers and Google. Most Australian hosts now include a free SSL certificate, so it’s usually a matter of switching it on and forcing every page to load over HTTPS.
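As an added example of the "force every page over HTTPS" step (written for this article, not taken from the page or from WordPress's own documentation), the settings below go into wp-config.php and a short must-use plugin redirects any plain-HTTP visit. The domain is a placeholder, it assumes the host has already installed the certificate, and the proxy header line assumes all traffic really does arrive through Cloudflare or a similar proxy.

```php
<?php
// --- Part 1: wp-config.php, above the "That's all, stop editing!" line ---

// Make WordPress build every link with https so nothing on the page loads over http.
define( 'WP_HOME',    'https://example.com.au' );   // placeholder domain
define( 'WP_SITEURL', 'https://example.com.au' );

// Always serve the dashboard and login page over HTTPS.
define( 'FORCE_SSL_ADMIN', true );

// Behind Cloudflare or another proxy that terminates TLS, WordPress only sees plain HTTP,
// is_ssl() returns false, and a redirect-to-https rule loops forever. Trusting the proxy's
// header fixes that, but only do it when every request passes through the proxy, since
// otherwise anyone could send the header themselves.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// --- Part 2: wp-content/mu-plugins/force-https.php ---

// Send any remaining http request to the same page on https with a permanent redirect.
add_action( 'init', function (): void {
    if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;   // already secure, or running from the command line
    }
    // home_url() uses WP_HOME above, so the redirect never trusts the request's Host header.
    wp_safe_redirect( home_url( $_SERVER['REQUEST_URI'] ?? '/' ), 301 );
    exit;
} );
```

After switching it on, load a few pages by typing http:// by hand and confirm each one lands on https:// with the padlock shown; a redirect loop error means the proxy header part above is missing or misconfigured.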
Your host matters more than people realise. A host that runs current PHP, isolates accounts and offers server-level protection gives you a secure foundation to build on. A cheap, oversold server undermines everything else on this list. This is a big reason we steer clients toward managed WordPress hosting, where security patching and hardening are handled at the server level rather than left to you. A faster, well-tuned setup also helps your WordPress optimisation and your rankings as a bonus.
6. Manage users and permissions
Every person with a login is a potential way in, so keep the list short and the access appropriate. Give people the lowest role that lets them do their job: a blog writer needs Author, not Administrator. The fewer admin accounts you have, the smaller your exposure if one is compromised.
When a staff member, contractor or agency stops working with you, remove their account that day. Old, forgotten logins with admin rights are a quiet but common way sites get breached. Make a quarterly diary note to review who has access and prune anyone who shouldn’t. For the official guidance on roles, WordPress.org documents exactly what each user role can do.
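For the quarterly review, here is an added helper (example code for this article, not from the page or WordPress.org) that records each user's last login and then lists every administrator plus anyone who has not logged in for 90 days. WordPress does not record last-login times by itself, so accounts show "never recorded" until they log in after this is installed; the report command assumes WP-CLI is available on the host.

```php
<?php
/**
 * Plugin Name: Quarterly user audit helper (added example)
 * Put this file in wp-content/mu-plugins/. Assumptions: WP-CLI is installed for the
 * report command; the last-login meta only exists for logins made after installation.
 */

// Store the time of every successful login as user meta.
add_action( 'wp_login', function ( string $user_login, WP_User $user ): void {
    update_user_meta( $user->ID, 'audit_last_login', time() );
}, 10, 2 );

// Accounts worth a second look: every administrator, plus anyone dormant for $days.
function audit_user_report( int $days = 90 ): array {
    $cutoff = time() - $days * DAY_IN_SECONDS;
    $report = [];
    foreach ( get_users( [ 'fields' => 'all' ] ) as $user ) {
        $last     = (int) get_user_meta( $user->ID, 'audit_last_login', true );
        $is_admin = in_array( 'administrator', (array) $user->roles, true );
        $dormant  = 0 === $last || $last < $cutoff;   // never seen since install, or idle
        if ( $is_admin || $dormant ) {
            $report[] = [
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'roles'      => implode( ',', (array) $user->roles ),
                'last_login' => $last ? gmdate( 'Y-m-d', $last ) : 'never recorded',
                'flag'       => $is_admin && $dormant ? 'DORMANT ADMIN'
                                : ( $is_admin ? 'admin' : 'dormant' ),
            ];
        }
    }
    return $report;
}

// Run "wp user-audit" on the server to print the table during the quarterly review.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'user-audit', function (): void {
        WP_CLI\Utils\format_items( 'table', audit_user_report(),
            [ 'login', 'email', 'roles', 'last_login', 'flag' ] );
    } );
}
```

Anything flagged DORMANT ADMIN is the first thing to remove or downgrade; an admin account nobody has used in a quarter is exactly the forgotten login the paragraph above warns about.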
A real-world example
A Gold Coast trades business came to us after their site started redirecting visitors to a dodgy overseas page. The cause was an abandoned booking plugin they’d stopped using a year earlier but never deleted. It had a known flaw, a patch had been out for months, and a bot found the unpatched version in minutes. Customers were calling to say the site looked hacked, which it was.
The clean-up took two days, a fresh restore from an off-site backup, and a frank chat about what had been missing. We deleted the dead plugins, set up two-factor authentication, added a firewall, and put them on a maintenance plan so updates actually happen. The fix cost a fraction of what the lost trust did. None of it was complicated, which is the frustrating part, because the whole episode was preventable with the checklist above.
The bottom line
WordPress security isn’t about one clever trick; it’s about closing the obvious gaps before someone walks through them. Keep everything updated, lock down your logins with two-factor authentication, run a firewall and automated backups, and don’t cut corners on hosting. Do those and you’ve handled the threats that account for the vast majority of small business hacks. If working through this list feels like one job too many alongside running your business, that’s exactly what our website security and maintenance team is here for. And if you’re rebuilding anyway, sort security and web design Gold Coast together so it’s built in from day one rather than bolted on later, the same way good SEO Gold Coast and Google Ads work best when they’re planned in from the start.
Frequently asked questions
How do I secure my WordPress website?
Secure a WordPress website by keeping core, themes and plugins updated, turning on two-factor authentication, and installing a security plugin with a firewall. Add automated daily backups stored off-site, force HTTPS across every page, and remove unused plugins and old user accounts. These steps block the outdated-software and weak-login attacks that cause most small business hacks.
Is WordPress safe for small business?
Yes, WordPress is safe for small business when it’s maintained properly. WordPress core is well secured, with only six vulnerabilities found in 2025. The real risk comes from outdated plugins and themes, which accounted for 91% of issues that year. Regular updates, strong logins and a firewall keep a WordPress site secure.
How often do WordPress sites get hacked?
An estimated 13,000 WordPress sites are hacked every day, roughly 4.7 million a year. Most breaches trace back to outdated plugins or weak passwords rather than flaws in WordPress itself. Because attackers exploit a published flaw within about five hours on average, fast updates and a firewall are the most effective defences.
Do I need a security plugin for WordPress?
Yes, a security plugin is strongly recommended for any business WordPress site. Tools like Wordfence or Sucuri add a firewall that blocks attacks before they reach your site, scan files for malware, and alert you to suspicious activity. For a small business without an in-house tech team, this automated monitoring is the easiest way to stay protected.
What is two-factor authentication and do I need it?
Two-factor authentication adds a second step to logging in, usually a code from your phone, on top of your password. You need it because a stolen or guessed password alone won’t get an attacker into your dashboard. It’s one of the single most effective protections against brute-force attacks and is free to enable in most WordPress security plugins.
How much does it cost to recover a hacked WordPress site?
Recovering a hacked WordPress site often costs anywhere from a few hundred to several thousand dollars, once clean-up, lost sales and downtime are counted. In Australia, the average cost of cybercrime on a small business sits around $56,600. Proactive protection, by contrast, costs only a few dollars a month, which makes prevention far cheaper than the cure.