WordPress Security Guide for UK-Based SMBs

17 Proven Practices from an MSSP

As a UK-based security provider, we see a recurring pattern across small and medium-sized businesses (SMBs): their websites, often running on WordPress, are both business-critical and alarmingly vulnerable. Unfortunately, threat actors know this. WordPress is the world’s most widely used CMS, powering over 40% of all websites, and it remains a top target for automated exploit kits, bots, and opportunistic attackers.

For regulated UK SMBs (those operating in financial services, healthcare, legal, and education sectors), the stakes are even higher. A compromised WordPress site could mean data loss, ICO investigations, GDPR fines, reputational damage, and business interruption.

Below are 17 actionable steps anyone can take to dramatically improve the security of their WordPress website.


1. Choose Secure Hosting First

Why it matters: No plugin can protect your site if the underlying infrastructure is insecure. Hosting is your first, and most foundational, line of defence.

Action steps:

  • Choose UK-based or GDPR-compliant hosting providers that understand the needs of regulated sectors.
  • Avoid budget shared hosting for any site handling personal data, payments, or regulated content.
  • Require:
    • Daily encrypted off-site backups.
    • Managed WordPress patching (core, plugins, and themes). If you have to manage this yourself, enable automatic scheduled updates.
    • Malware scanning and automatic quarantining.
    • Basic DDoS resilience and filtering of other bad traffic (consider using a CDN for greater resilience and a better user experience).
    • Full WAF (if available).
  • Review your hosting provider’s disaster recovery procedures, incident response SLAs, and access logging mechanisms, and those of your CDN provider if you use one.

2. Apply SSL/TLS Site-Wide

Why it matters: Browsers flag non-HTTPS sites as insecure, and plaintext transport violates data protection principles.

Action steps:

  • Use Let’s Encrypt (free) or purchase an EV/OV certificate from a reputable CA.
  • Enforce HTTPS redirects via .htaccess or NGINX config.
  • Set HSTS headers via security plugin or server config.

3. Stay Updated: Core, Plugins, Themes

Why it matters: 52% of WordPress hacks happen due to outdated components.

Action steps:

  • Enable auto-updates for minor WordPress core changes.
  • Manually review major releases in staging before pushing live.
  • Use WP-CLI (wp plugin update --all) for scheduled CLI updates.
  • Delete unused themes/plugins as they expand the attack surface.

4. Deploy a Web Application Firewall (WAF)

Why it matters: A WAF blocks SQLi, XSS, and brute-force attempts.

Example options:

  • Cloudflare: Good DNS-level protection, rate-limiting.
  • Sucuri: Strong WordPress-specific rule sets and malware cleanup.

Action steps:

  • Enable “I’m under attack” mode in Cloudflare during brute-force attempts.
  • Whitelist admin IPs where possible.

5. Backup Frequently and Store Offsite

Why it matters: If you get hacked or ransomed, backups may be your only recourse.

Action steps:

  • Consider tools such as UpdraftPlus, BlogVault, or Jetpack Backup.
  • Store encrypted copies in AWS S3 (with versioning) or another third-party storage provider (do not store them directly in your web hosting).
  • Set schedules: daily for content sites, real-time (or as near as possible) for e-commerce.
  • Test restores every quarter by actually restoring something.

6. Restrict Admin Access: Least Privilege & MFA

Why it matters: Admin accounts are high-value targets. Least privilege reduces blast radius.

Action steps:

  • Enable 2FA for all admin/editor roles.
  • Avoid using the “admin” username.
  • Never share logins. Instead, create separate accounts with proper roles.

7. Limit Login Attempts & Block Brute Force

Why it matters: WordPress by default allows unlimited login attempts. This makes brute-force attacks trivial. But that’s just the start. Hardening account controls is about defending against credential stuffing, insider threats, and account misuse.

Action steps:

  • Install Limit Login Attempts Reloaded or use fail2ban for server-level lockouts.
  • Configure it to lock out users after 3-5 failed attempts.
  • Block IPs temporarily and permanently based on lockout count.
  • Enable reCAPTCHA v3 on login, registration, and comment forms to block automated bots.

Advanced account controls:

  • Enforce 2FA across all admin and editor accounts.
  • Enforce strong password policies using Password Policy Manager or similar.
  • Monitor and restrict concurrent login sessions.
  • Prevent re-use of previous passwords (stored securely as salted hashes).

Key events to monitor and investigate:

  • Multiple failed login attempts from the same IP: May indicate brute-force attempt.
  • Sudden login success after multiple failures: Could suggest a compromised account.
  • New admin user creation without prior change request: High likelihood of compromise.
  • Plugin/theme installation or file uploads without a recent authorized change window: Potential web shell upload.
  • Login outside typical user geo/IP ranges or time windows: May indicate credential theft.

Use audit logging plugins like WP Activity Log to create rules and alerts around these events. Configure SIEM integrations or email notifications for critical triggers.
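
An added example (not from the guide) of the lockout and the "success after failures" alert as a small WordPress must-use plugin, built only on core hooks and transients; the threshold, the 15-minute window, the log line format and the plugin name are assumptions:

```php
<?php
/**
 * Plugin Name: SMB Login Lockout (added example, not from the guide)
 * Description: mu-plugin that counts failed logins per client IP in a transient,
 * refuses further attempts once a threshold is hit, and logs success-after-failures.
 */
const SMB_LOCKOUT_THRESHOLD = 5;                      // "3-5 failed attempts"
const SMB_LOCKOUT_WINDOW    = 15 * MINUTE_IN_SECONDS; // assumed lockout window

function smb_client_ip(): string {
    // Behind a CDN/WAF the web server must restore the real client address
    // (e.g. Apache mod_remoteip) first; never trust X-Forwarded-For directly.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function smb_failure_key(string $ip): string {
    return 'smb_login_fail_' . md5($ip);
}

// Count each failure; the transient expires after the window, which clears the lockout.
add_action('wp_login_failed', function ($username): void {
    $ip    = smb_client_ip();
    $key   = smb_failure_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, SMB_LOCKOUT_WINDOW);
    error_log(sprintf('[smb-lockout] failed login #%d for "%s" from %s', $count, $username, $ip));
});

// Late priority: runs after the core username/password handlers and overrides their
// result, so a locked-out IP is refused even when the password is correct.
add_filter('authenticate', function ($user, $username) {
    $count = (int) get_transient(smb_failure_key(smb_client_ip()));
    if ($count >= SMB_LOCKOUT_THRESHOLD) {
        return new WP_Error('smb_locked_out', 'Too many failed logins. Try again later.');
    }
    return $user;
}, 100, 2);

// Key event from the list above: a login that succeeds after failures from the same IP.
add_action('wp_login', function ($user_login, $user): void {
    $ip    = smb_client_ip();
    $key   = smb_failure_key($ip);
    $count = (int) get_transient($key);
    if ($count > 0) {
        error_log(sprintf('[smb-lockout] ALERT: "%s" from %s logged in after %d failures', $user_login, $ip, $count));
    }
    delete_transient($key);
}, 10, 2);
```

The error_log() lines are what you ship to the SIEM or email alerting described above; a refused attempt also counts as a failure, so repeated attempts during a lockout extend it.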


8. Hide Your Login Page (wp-login.php)

Why it matters: Hiding the login page reduces exposure to automated login attempts.

Action steps:

  • Use WPS Hide Login to rename /wp-login.php to something unique.
  • Add IP-based allowlisting for wp-admin if possible.

9. Harden the wp-config.php File

Why it matters: This file contains DB credentials and salts.

Action steps:

  • Move wp-config.php one directory above web root (if your host supports it).
  • Set file permissions to 400 or 440.
  • Generate unique salts at https://api.wordpress.org/secret-key/1.1/salt/ and define them in wp-config.php.

10. Disable File Editing and PHP Execution

Why it matters: WordPress allows in-browser editing of theme and plugin files by default.

Action steps:

  • Add this to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

  • Prevent PHP execution in /wp-content/uploads by placing a .htaccess file in that directory containing:

<Files *.php>
deny from all
</Files>

(On Apache 2.4 without mod_access_compat, use Require all denied in place of deny from all.)


11. Change the Database Table Prefix

Why it matters: Default wp_ table prefixes make SQL injection attacks easier.

Action steps:

  • Use a prefix like x7sd_ during installation.
  • Use the Brozzme DB Prefix plugin to safely rename existing tables.

Caution: Always back up your DB before making this change.


12. Disable XML-RPC (Unless You Need It)

Why it matters: XML-RPC enables attackers to send multiple login attempts via one request.

Action steps:

  • Use a plugin like Disable XML-RPC.
  • Or block it via .htaccess:

<Files xmlrpc.php>
deny from all
</Files>

  • If using Jetpack or external apps, whitelist specific endpoints.

13. Implement Security Headers

Why it matters: These prevent content injection, framing, and XSS.

Action steps: Add the following via your .htaccess or NGINX config:

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

Referrer-Policy: no-referrer-when-downgrade

Content-Security-Policy: default-src 'self'

Use the Security Headers website (securityheaders.com) to test your implementation.


14. Regularly Scan for Malware and Vulnerabilities

Why it matters: Early detection prevents widespread compromise.

Action steps:

  • Consider using tools such as Sucuri, Wordfence, or WPScan.
  • Schedule weekly scans.
  • Watch for hidden admin accounts, altered .htaccess files, and injected iframes.

15. Log and Monitor Everything

Why it matters: Security is about detection as much as prevention.

Action steps:

  • Install Activity Log or WP Security Audit Log.
  • Enable log retention and backup logs offsite.
  • Monitor key events: plugin updates, failed logins, file changes, new users.

16. Prevent Directory Traversal & Sanitise Input

Why it matters: Poorly sanitized inputs and insecure file access logic allow attackers to traverse directories and execute remote code.

Action steps:

  • Disable directory browsing by adding this to .htaccess:

Options -Indexes

  • Sanitize and validate all user inputs. For custom dev, use sanitize_text_field(), esc_url(), esc_html() in WordPress.
  • Never pass raw user input directly into file system functions (e.g., include, require, file_get_contents).
  • Prevent directory traversal:
    • Strip ../ from user input.
    • Use PHP’s realpath() to confirm the resolved path stays within the allowed directory (string filtering alone is not a sufficient check).
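
The realpath() containment check from the last step, as an added example that is not from the guide; the smb_safe_path() function, the private-downloads directory and the file query parameter are assumptions:

```php
<?php
// Added example (not from the guide): serve a file only if the user-supplied name
// resolves inside one allowed directory. Assumes that directory exists.

function smb_safe_path(string $baseDir, string $userInput): ?string {
    $base = realpath($baseDir); // canonical form of the allowed directory
    if ($base === false) {
        return null;
    }
    // NUL bytes and absolute paths are never legitimate file names here.
    if ($userInput === '' || strpos($userInput, "\0") !== false || $userInput[0] === '/') {
        return null;
    }
    // realpath() resolves symlinks and every ../ segment, so the containment check
    // below works on the true location. Stripping "../" from the string is only a
    // first filter and must not be relied on by itself.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($candidate === false) {
        return null; // does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowed directory
    }
    return $candidate;
}

// Usage inside a WordPress download handler (hypothetical 'file' query parameter).
$allowed = WP_CONTENT_DIR . '/private-downloads';        // assumed location
$name    = sanitize_file_name(wp_unslash($_GET['file'] ?? '')); // the sanitisation step
$path    = smb_safe_path($allowed, $name);                 // the realpath() step
if ($path === null) {
    status_header(404);
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```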

17. Restrict File Types and Sandboxing Uploads

Why it matters: File uploads are a prime vector for malware, backdoors, and privilege escalation.

Action steps:

  • Whitelist only necessary MIME types for uploads (e.g., JPG, PNG, PDF).
  • Block executable types (e.g., .php, .js, .exe, .bat, .sh).
  • Use a plugin like File Upload Types to safely define allowed formats.
  • Store uploads outside the web root or in a bucket with private access (e.g., AWS S3 with signed URLs).
  • Rename files upon upload to randomised names.
  • Validate uploaded file content via magic bytes, not just file extensions.
  • Integrate sandbox or antivirus scanning:
    • Use ClamAV or commercial AV scanner on server.
    • Cloud-based scan options include VirusTotal API, Metadefender, or Sucuri’s platform.
  • For critical services, delay file publication until post-scan validation.
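
An added example (not from the guide) that combines the magic-byte check, the extension check, the ClamAV scan and the random rename in one WordPress upload filter; the function names, the plugin name and the presence of clamdscan on the server are assumptions:

```php
<?php
/**
 * Plugin Name: SMB Upload Guard (added example, not from the guide)
 * Description: mu-plugin that accepts JPG, PNG and PDF uploads by their magic bytes,
 * scans them with a local ClamAV daemon, and stores them under a random name.
 */
const SMB_ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

// Identify the real type from the first bytes on disk; $file['type'] is client-controlled.
function smb_detect_mime(string $tmpPath): ?string {
    $head = file_get_contents($tmpPath, false, null, 0, 8);
    if ($head === false) {
        return null;
    }
    if (strncmp($head, "\xFF\xD8\xFF", 3) === 0)      { return 'image/jpeg'; }
    if (strncmp($head, "\x89PNG\r\n\x1A\n", 8) === 0) { return 'image/png'; }
    if (strncmp($head, "%PDF-", 5) === 0)             { return 'application/pdf'; }
    return null;
}

add_filter('wp_handle_upload_prefilter', function (array $file): array {
    $mime = smb_detect_mime($file['tmp_name']);
    if ($mime === null) {
        $file['error'] = 'Upload rejected: content is not a JPG, PNG or PDF.';
        return $file;
    }
    $expected = SMB_ALLOWED_TYPES[$mime];
    $ext      = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== $expected && !($expected === 'jpg' && $ext === 'jpeg')) {
        $file['error'] = 'Upload rejected: extension does not match file content.';
        return $file;
    }
    // Fail closed: clamdscan exits 0 only for a clean file (1 = infected, 2 = error,
    // and a missing binary also gives a non-zero code), so anything else is refused.
    exec('clamdscan --no-summary --fdpass ' . escapeshellarg($file['tmp_name']), $out, $rc);
    if ($rc !== 0) {
        $file['error'] = 'Upload rejected by malware scan.';
        return $file;
    }
    // Random name with the extension we verified; the original name never reaches disk.
    $file['name'] = bin2hex(random_bytes(16)) . '.' . $expected;
    return $file;
});
```

Setting $file['error'] makes WordPress abort the upload and show the message; this runs in addition to, not instead of, core's own file type checks.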

Final Advice on our WordPress security guide for UK-Based SMBs: Security Is Not a Set-and-Forget Task

Once you complete the steps above, your WordPress site will be far better defended than the vast majority of SMBs. But new vulnerabilities, plugins, and threats emerge weekly.

Ongoing threat intelligence and horizon scanning are essential. Here’s how to keep up:

Subscribe to actionable feeds:

  • WPScan Vulnerability Database: Get plugin/theme CVEs and exploit timelines.
  • NCSC Early Warning: Monitors attack patterns targeting UK IP ranges.
  • CISA Known Exploited Vulnerabilities Catalog: Especially for plugin vulns reused across supply chains.
  • Monitor Twitter/X accounts of ethical hackers and plugin developers for zero-day announcements.
  • Subscribe to RSS or mailing lists from platforms like Wordfence, Patchstack, and Sucuri Labs.

How to action threat intel against your WordPress site:

  • If a plugin you use shows up on WPScan with a vulnerability:
    • Patch immediately or temporarily disable/remove the plugin.
    • Apply compensating controls (e.g., additional WAF rule).
  • New XSS filter bypass technique shared by researchers?
    • Review and strengthen sanitisation on contact forms and comment sections.
    • Test payloads against your forms using tools like OWASP ZAP.
  • A CVE impacts PHP or Apache version used by your host?
    • Request version confirmation from your provider.
    • Consider moving to a host with faster patching SLAs.
  • Zero-day exploitation of file upload logic discovered?
    • Disable non-essential upload capabilities until patched.
    • Temporarily increase logging and WAF rules.

Tools to automate protection adjustments:

  • Use Cloudflare Rulesets or Sucuri Firewall to create dynamic WAF rules for new payload patterns.
  • Integrate your firewall with threat feeds like AbuseIPDB or Emerging Threats.
  • Set a monthly horizon scanning process: review the past month’s threat bulletins and map any exposure.

Schedule regular checks:

  • Re-run full plugin/theme audits every quarter.
  • Conduct an annual penetration test (use CREST-accredited testers).
  • Schedule monthly admin log reviews and plugin update reviews.

If your business is regulated or holds sensitive data, if uptime is mission critical for your operations, or if you simply still don’t know where to start after reading our WordPress Security Guide for UK-Based SMBs, consider engaging a vCISO or MSSP to maintain security posture, conduct tabletop exercises, and handle incident response.
