The WordPress Security Checklist Every Small Business Needs
Key Takeaway
WordPress runs well over a third of all websites, which makes it the favourite target of every opportunistic attacker. The good news: most of those attacks are automated and are stopped cold by a handful of basics.
Ten simple things every WordPress site owner should do — no developer required, no jargon involved.
1. Keep WordPress core updated. Security fixes ship in minor releases, which WordPress installs automatically by default; make sure nobody has switched that off in wp-config.php, and consider enabling automatic major updates too so the site never falls a version behind.
2. Keep plugins to a minimum. Fewer plugins, fewer doors. Delete the ones you don't use, don't just deactivate them: a deactivated plugin's files stay on the server, can still be reached directly, and are the ones you forget to update.
3. Use a strong, unique admin password. No 'admin123', and nothing reused from another site. Use a password manager; Bitwarden is free and excellent.
4. Turn on two-factor authentication. A two-minute setup: a 2FA plugin such as Wordfence Login Security paired with an authenticator app like Google Authenticator. Do it for every administrator and editor account, not just your own.
5. Kill the default 'admin' username. Bots try it first. Create a new administrator account with a different name, log in as it, then delete the original (WordPress will ask you to reassign its posts to the new account).
6. Automate your backups. UpdraftPlus is free. Send daily backups off-site to Google Drive or Dropbox, and restore one to a test site now and then: a backup you have never restored is a hope, not a plan.
7. Install an SSL certificate and force HTTPS. Certificates are free now (Let's Encrypt). HTTPS keeps your login password from crossing the network in the clear, and Google treats it as a ranking signal.
8. Rate-limit login attempts. Wordfence or Limit Login Attempts Reloaded will block an address after a few failures. Also block or disable xmlrpc.php unless Jetpack or a mobile app needs it: its multicall feature lets a bot try hundreds of passwords in a single request, bypassing simple per-attempt limits.
9. Check file permissions. 644 for files, 755 for folders, and tighter (600) for wp-config.php, which holds your database password. Nothing should be writable by everyone (777). Your hosting panel makes this one click.
10. Scan regularly. Our free scan covers the points above; run it once a month, and again after installing or changing a plugin, and sleep easier.
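For readers who do have shell access to their server, here is an added example (not part of the original checklist and not the scan this page offers) that checks items 1 and 9 from the file system alone and fixes the permissions from item 9. It assumes the standard layout with wp-config.php in the site root; the constants it greps for (AUTOMATIC_UPDATER_DISABLED, WP_AUTO_UPDATE_CORE) are the real WordPress ones, and the small fake install it builds for the demo is constructed, not a real site. It flags files and folders that are looser than 644/755 (group- or world-writable) rather than demanding those exact modes, since tighter is fine.

```shell
#!/bin/sh
# Added example, not from the original checklist: a read-only audit of a
# WordPress install for items 1 and 9, plus a permission fixer for item 9.
# Assumes the standard layout (wp-config.php in the site root).

# Print one FAIL line per problem found under $1 and return the number of
# problems (capped at 255 so it fits an exit status). 0 means clean.
wp_audit() {
    root="$1"
    cfg="$root/wp-config.php"
    findings=0

    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg missing (is $root really a WordPress root?)"
        return 1
    fi

    # Item 1: security fixes ship in minor releases, which WordPress installs
    # automatically unless wp-config.php switches that off. (Naive grep: a
    # commented-out define would also match.)
    if grep -Eq "AUTOMATIC_UPDATER_DISABLED'[[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "FAIL: AUTOMATIC_UPDATER_DISABLED is true (all auto-updates off)"
        findings=$((findings + 1))
    fi
    if grep -Eq "WP_AUTO_UPDATE_CORE'[[:space:]]*,[[:space:]]*false" "$cfg"; then
        echo "FAIL: WP_AUTO_UPDATE_CORE is false (core auto-updates off)"
        findings=$((findings + 1))
    fi

    # Item 9: wp-config.php holds the database password, so nobody but the
    # owner (and at most the web server's group) should read it.
    # -perm -004 matches when the "others can read" bit is set.
    if [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "FAIL: $cfg is world-readable (want 600 or 400)"
        findings=$((findings + 1))
    fi

    # Item 9: files looser than 644 or folders looser than 755, i.e. anything
    # group- (-020) or world- (-002) writable. A writable PHP file or folder
    # lets any other process on the box rewrite your site.
    bad_files=$(( $(find "$root" -type f ! -path "$cfg" \( -perm -020 -o -perm -002 \) | wc -l) ))
    if [ "$bad_files" -gt 0 ]; then
        find "$root" -type f ! -path "$cfg" \( -perm -020 -o -perm -002 \) \
            -exec echo "FAIL: file is group/world-writable (want 644):" {} \;
        findings=$((findings + bad_files))
    fi
    bad_dirs=$(( $(find "$root" -type d \( -perm -020 -o -perm -002 \) | wc -l) ))
    if [ "$bad_dirs" -gt 0 ]; then
        find "$root" -type d \( -perm -020 -o -perm -002 \) \
            -exec echo "FAIL: folder is group/world-writable (want 755):" {} \;
        findings=$((findings + bad_dirs))
    fi

    [ "$findings" -gt 255 ] && findings=255
    return "$findings"
}

# Item 9 remediation: 755 for folders, 644 for files, 600 for wp-config.php.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 600 "$root/wp-config.php"
}

# Constructed fixture for the demo: a tiny fake install with every problem
# the audit looks for. Prints the directory it created.
wp_make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/plugins/old-plugin" "$dir/wp-content/uploads"
    printf "<?php\ndefine( 'AUTOMATIC_UPDATER_DISABLED', true );\n" > "$dir/wp-config.php"
    printf "<?php // constructed plugin stub\n" > "$dir/wp-content/plugins/old-plugin/old-plugin.php"
    printf "<?php // constructed\n" > "$dir/index.php"
    chmod 755 "$dir" "$dir/wp-content" "$dir/wp-content/plugins" "$dir/wp-content/plugins/old-plugin"
    chmod 644 "$dir/index.php"
    chmod 644 "$dir/wp-config.php"                                 # world-readable DB password
    chmod 666 "$dir/wp-content/plugins/old-plugin/old-plugin.php"  # world-writable PHP
    chmod 777 "$dir/wp-content/uploads"                            # world-writable folder
    echo "$dir"
}

# Usage on a real site:  . ./wp-audit.sh; wp_audit /var/www/html
# Run with --demo to see the audit before and after the fixer on the fixture.
if [ "${1:-}" = "--demo" ]; then
    d=$(wp_make_fixture)
    wp_audit "$d" || echo "findings before fix: $?"
    wp_fix_perms "$d"
    wp_audit "$d" || echo "findings after fix: $?"
    rm -rf "$d"
fi
```

On the fixture the first audit reports four problems (auto-updates disabled, world-readable wp-config.php, one writable plugin file, one writable uploads folder); after wp_fix_perms only the wp-config.php constant remains, because that one needs a human to decide. On a real install, run the fixer as the user that owns the files, and expect to loosen the uploads folder again if your host's web server runs as a different user and needs to write there.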
Want to check your own site?
Run a free scan in 2 minutes — every point above gets checked against your real website.
Free Scan →