Free WordPress Security Essentials: Protect Your Site Without Spending a Dime

If you run a small blog, personal site, or hobby project on WordPress, security can feel like a luxury you don’t have the budget for. I’ve been there, juggling posts, plugins, and the existential dread of “what if my site gets hacked?”, and the good news is you don’t need paid services to make your site a hard target. Most attacks on small sites are opportunistic: bots scanning for outdated plugins, guessable logins, and open XML-RPC endpoints. With predictable habits, a few free tools, and the right defaults, you can block nearly all of that and sleep better at night.

This guide walks you through practical, zero-cost steps: baseline hardening, locking down logins, plugin hygiene, reliable free backups, HTTPS and hosting basics, free monitoring and an incident plan, plus a simple maintenance rhythm you can actually keep. I’ll share what I do on my own small blog, examples you can copy, and quick commands and plugin names so you won’t be left Googling at 2 a.m.

Baseline hardening for a free WordPress setup

Think of your site as a house: the foundation matters. The first two things I do for every WordPress site are update and declutter. Keep WordPress core, themes, and plugins up to date; most security fixes ship as updates, and a known, unpatched plugin vulnerability is how most small sites actually get compromised. WordPress installs minor core releases (the security and maintenance releases) automatically by default, and since WordPress 5.5 you can turn on automatic updates per plugin and per theme from the Plugins and Themes screens, so none of this depends on your host. I use the WordPress.org security pages to stay current on major issues and timelines (wordpress.org/about/security).

Prune aggressively. Unused plugins and themes are like unlocked basement windows: easy to exploit and rarely useful. Deactivate, delete, and if you can’t remember why it’s there, toss it. Also tidy file and folder permissions: files 644, directories 755, and wp-config.php 640 (or 600 if PHP runs as your own user), because that file holds your database credentials and authentication salts. If you’re on shared hosting, check your control panel’s file manager or ask support; world-writable 777 permissions are common there and dangerous, since any other process on the box, including a compromised neighbouring site, can then write to your files. Yes, 777 looks friendly, but it’s really a “please break in” sign.

Lock down editing from the dashboard by adding this to wp-config.php, above the “That’s all, stop editing!” line:

define('DISALLOW_FILE_EDIT', true);

It removes the theme and plugin file editors from the admin, so an attacker who gets hold of an administrator session can’t drop PHP into your theme from a browser (a standard step in takeovers), and it protects a less-savvy admin from themselves. It does not stop someone uploading a new plugin or theme zip; the related DISALLOW_FILE_MODS constant closes that too, at the cost of doing all updates from the command line or your host’s tooling, so only enable it if you are set up for that. Also protect wp-config.php itself with a server rule, in case a misconfiguration ever serves PHP files as plain text. On Apache 2.4 (every current release) add:

<Files wp-config.php>
    Require all denied
</Files>

The older Order allow,deny / Deny from all form is Apache 2.2 syntax; on 2.4 it only works with mod_access_compat loaded and otherwise produces a configuration error (a 500 if it sits in .htaccess). nginx has an equivalent location rule with deny all.

Simple measures like these shrink your attack surface considerably, and they cost exactly $0 plus a little patience. If that feels like too much work, at least turn on automatic updates: attackers automate their scanning for freshly disclosed plugin bugs, so it’s only fair we automate the patching.
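Here is the baseline above as a script you can run on the host, an added example rather than code from the original post. It assumes the WordPress root is passed in the WP_ROOT environment variable and that the web server runs as the group owning the files (so 640 on wp-config.php is still readable by PHP); the constant names are WordPress’s own, the function names are mine.

```sh
#!/bin/sh
# Added example (not from the original post): audit and apply the baseline.
# Usage: WP_ROOT=/var/www/html sh harden.sh
# Assumes files are owned by a user whose group the web server belongs to.

# Count files and directories that are world-writable (the "777" problem).
count_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# Apply the baseline: directories 755, files 644, wp-config.php 640.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    [ -f "$1/wp-config.php" ] && chmod 640 "$1/wp-config.php"
    return 0
}

# Print the hardening constants wp-config.php does not define, one per line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_wpconfig_constants() {
    missing=0
    for name in DISALLOW_FILE_EDIT WP_AUTO_UPDATE_CORE; do
        if ! grep -Eq "define\( *['\"]$name['\"]" "$1"; then
            echo "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Insert define('NAME', VALUE); before the "stop editing" marker of a stock
# wp-config.php (or before the wp-settings.php require), so the constant is
# set before WordPress loads. No-op if the constant is already defined.
# Writing through cat keeps the file's mode instead of replacing the inode.
ensure_wpconfig_constant() {
    cfg="$1"; name="$2"; value="$3"
    grep -Eq "define\( *['\"]$name['\"]" "$cfg" && return 0
    awk -v line="define('$name', $value);" '
        !done && (/stop editing/ || /wp-settings\.php/) { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

if [ -n "${WP_ROOT:-}" ]; then
    echo "world-writable entries before: $(count_world_writable "$WP_ROOT")"
    ensure_wpconfig_constant "$WP_ROOT/wp-config.php" DISALLOW_FILE_EDIT true
    ensure_wpconfig_constant "$WP_ROOT/wp-config.php" WP_AUTO_UPDATE_CORE "'minor'"
    fix_permissions "$WP_ROOT"
    echo "world-writable entries after: $(count_world_writable "$WP_ROOT")"
    missing_wpconfig_constants "$WP_ROOT/wp-config.php" || echo "constants still missing"
fi
```

WP_AUTO_UPDATE_CORE set to 'minor' is WordPress’s default behaviour written down explicitly, so a host or plugin that tried to disable it is overruled; set it to true if you also want major releases applied automatically. Run the script again after every migration or plugin install; it is idempotent.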

Lock down login and access

Logins are the front door. If you don’t want a bot party in your living room, tighten it up. My go-to checklist for new sites includes two-factor authentication (2FA), a login limiter, and turning off old API entry points. For 2FA, free plugins like “Two-Factor” (maintained by WordPress core contributors) or “Google Authenticator” add a second step, a code from an app (I use Bitwarden’s built-in authenticator). A stolen or reused password is then not enough on its own, which is what takes the sting out of credential stuffing. It’s the equivalent of adding a deadbolt to an old door. Require it for every administrator account, not just your own, and store the plugin’s recovery codes somewhere safe so a lost phone doesn’t lock you out of your own site.

Next, throttle failed attempts. Install Limit Login Attempts Reloaded or a similar free plugin that locks an IP out after a few failures. Most brute-force attackers are lazy: they run a list of leaked passwords against thousands of sites and move on as soon as one slows them down. A few lockouts and they’ll pass you by. You can also move the login page with WPS Hide Login so bots looking for /wp-admin or /wp-login.php get nothing but tumbleweeds. Treat that as a noise reducer, not a control: the new slug leaks easily (redirects, emailed password-reset links, a plugin that hard-codes the old path), so keep the limiter and 2FA in place behind it.

Disable XML-RPC if you don’t use remote publishing or Jetpack; it’s the classic vector for brute force (the system.multicall method lets one request test hundreds of passwords) and for pingback amplification. One caveat the usual advice skips: add_filter('xmlrpc_enabled', '__return_false'); only switches off the methods that require a login, so pingback.ping keeps answering and your site can still be used as an amplifier against others. To close it properly, block xmlrpc.php at the web server (a Files rule with Require all denied, like the one for wp-config.php above) or use a small “disable xmlrpc” plugin that does the same. If you do use the filter, put it in a must-use plugin under wp-content/mu-plugins rather than your theme’s functions.php, which a theme update or switch will wipe out. If you need stricter access, consider restricting wp-login.php and wp-admin by IP in .htaccess; it’s useful when you and a known set of collaborators are the only ones logging in and all have fixed addresses, but leave wp-admin/admin-ajax.php reachable, since themes and plugins call it for anonymous visitors too.

Finally: enforce strong, unique passwords and sell your team on a password manager. People still reuse passwords like it’s 2005 and their cat’s name is the master key. Encourage Bitwarden or another free password manager: it’s easier than remembering 27 passwords and far less embarrassing than a hacked site explanation email.
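To see what the login limiter is up against, it helps to read your own access log. The script below is an added example, not code from the original post or from any of the plugins named above: it counts failed login POSTs per client address in a standard “combined” access log and prints an Apache 2.4 stanza to keep the worst offenders away from the login endpoints. The log lines are constructed for the example; the threshold and function names are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post): find password-guessing clients
# in a combined-format access log. Fields: $1 client IP, $6 "method,
# $7 path, $9 status. The sample lines below are constructed.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [03/Mar/2024:02:11:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2024:02:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2024:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2024:02:11:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2024:02:11:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2024:02:11:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 823 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:08:30:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:08:30:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2024:08:30:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2024:09:00:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
EOF

# Failed login attempts per client IP, most active first. A POST to
# wp-login.php answered with 200 means WordPress re-rendered the form (bad
# credentials); a successful login answers 302. POSTs to xmlrpc.php are
# counted too, since one system.multicall request can carry hundreds of
# guesses. GETs are page loads, not attempts.
failed_logins_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Client IPs at or above THRESHOLD failed attempts, one per line.
offending_ips() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Apache 2.4 stanza that keeps the given IPs away from the login endpoints
# (paste into .htaccess or the vhost). A fail2ban jail on the same pattern
# does this continuously if your host lets you run one.
deny_stanza() {
    echo '<FilesMatch "^(wp-login|xmlrpc)\.php$">'
    echo '    <RequireAll>'
    echo '        Require all granted'
    for ip in "$@"; do
        echo "        Require not ip $ip"
    done
    echo '    </RequireAll>'
    echo '</FilesMatch>'
}

echo "failed attempts per IP:"
failed_logins_by_ip "$SAMPLE_LOG"
# 10.0.0.5 made six failed attempts; 203.0.113.9 failed twice and then got in.
deny_stanza $(offending_ips "$SAMPLE_LOG" 5)
```

Run it against the real log with failed_logins_by_ip /var/log/apache2/access.log and you will usually see the same shape: a handful of addresses responsible for nearly all the noise, and a long tail of one-off scanners that a limiter handles on its own.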

Free plugin and theme hygiene

Plugins and themes are both magical and terrifying. They add features, but each one is code running with full access to your site, and abandoned or poorly coded ones are where most WordPress compromises start. I treat plugins like kitchen tools: keep only what you actually use, and clean up after using them. Audit everything before you install: check the plugin’s last update date, whether it is marked as tested with the current WordPress release, how quickly support threads get answered, active installs, and reviews. WordPress.org listings give you those signals quickly.

Delete inactive plugins and themes. Leaving them on the server—even deactivated—gives attackers more code to poke at. I once found a forgotten theme on an old blog that hadn’t been updated in five years; it was a ticket to nowhere fun. Also avoid nulled or cracked themes: they often come prepacked with malware. If a plugin is free on a reputable marketplace (WordPress.org), that’s usually safer than a sketchy download site promising “premium” features for free.

Disable the built-in editor (see DISALLOW_FILE_EDIT above) so attackers who reach the dashboard can’t inject code directly. For quality control, keep a short list of “essential plugins” (security scanner, backup, caching, analytics) and try to consolidate features. For instance, use one well-reviewed security plugin rather than three half-baked ones fighting in the attic.

When you do add a plugin, sandbox it: test on a staging site if possible, or at least take a backup beforehand. And when you remove something, check for leftover scheduled tasks (wp cron event list shows them if you have WP-CLI), custom database tables, and anything it wrote into wp-content/uploads or wp-content/mu-plugins. Sometimes plugins leave footprints; tidy them up so you’re not carrying ghost processes around your server like bad luggage.

Backups you can count on (free options)

Backups are insurance, not optional whimsy. I always tell new site owners: if you’re not backing up, you’re not maintaining — you’re gambling. Fortunately, reliable backups can be free and automatic. UpdraftPlus Free is my go-to because it’s straightforward to schedule and connects easily to Google Drive or Dropbox. BackWPup is another free option with similar capabilities. (UpdraftPlus: updraftplus.com.)

Set a sensible schedule: daily backups for high-traffic or frequently updated sites, weekly for quieter hobby blogs, and keep several generations rather than overwriting a single copy, because a compromise is often noticed only weeks after it happened. Make sure backups include both the database and the files (wp-config.php and the whole of wp-content: uploads, plugins, themes). Having files without the database or vice versa is like having a car’s body without an engine: looks nice but won’t get you home.

Store backups off-site. Don’t rely only on your host’s storage; if the server fails or your account is compromised, local backups can be erased along with everything else. Connect UpdraftPlus to Google Drive or Dropbox (free tiers are usually enough for modest sites) or push to an SFTP location. Two caveats: the backups contain wp-config.php and a full copy of your database, so the destination folder must be private, and the credentials the plugin stores to reach it are readable by anyone who gets into your admin or your files, so use a dedicated account or app password for the backup target rather than your main Google login. Enable email or dashboard notifications for backup success and failure; you want to be told when your safety net didn’t deploy.

Most importantly: test restores. Schedule a quarterly restore to a staging area or local environment. I once discovered that an automated backup had corrupted files — better to find that out on a Tuesday than during a panic at midnight. Treat backup tests like fire drills: tedious now, heroic later.
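For anyone who prefers a cron job to a plugin, or wants to double-check what the plugin produces, here is the file half of a backup with the verify, prune and restore-drill steps from this section. It is an added example, not code from the original post or from UpdraftPlus. It assumes the standard layout (wp-config.php and wp-content under the site root) and a destination directory outside the web root; the database half is left as a mysqldump command that needs a live server and is not exercised here.

```sh
#!/bin/sh
# Added example (not from the original post): file backup, verify, prune,
# restore. Assumes wp-config.php and wp-content live under ROOT and that
# DEST is outside the web root (the archive holds database credentials).

# Archive wp-config.php and wp-content into DEST with a sortable UTC
# timestamp in the name. Prints the archive path.
backup_files() {
    root="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%S)
    out="$dest/wp-files-$stamp.tar.gz"
    tar -czf "$out" -C "$root" wp-config.php wp-content
    echo "$out"
}

# The matching database dump (DBNAME DBUSER DEST). Not run in this example:
# it needs a live MySQL/MariaDB server and prompts for the password.
# --single-transaction dumps InnoDB tables consistently without locking.
backup_db() {
    mysqldump --single-transaction -u "$2" -p "$1" \
        | gzip > "$3/wp-db-$(date -u +%Y%m%dT%H%M%S).sql.gz"
}

# Check an archive is intact and holds both halves of the file tree.
verify_archive() {
    gzip -t "$1" 2>/dev/null || return 1
    tar -tzf "$1" | grep -q '^wp-config\.php$' || return 1
    tar -tzf "$1" | grep -q '^wp-content/' || return 1
    return 0
}

# Keep the newest KEEP file archives in DIR, delete the rest; prints how
# many were removed. Relies on the timestamped names sorting chronologically.
prune_backups() {
    dir="$1"; keep="$2"
    total=$(ls -1 "$dir"/wp-files-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
    excess=$((total - keep))
    if [ "$excess" -le 0 ]; then echo 0; return 0; fi
    ls -1 "$dir"/wp-files-*.tar.gz | sort | head -n "$excess" | while IFS= read -r f; do
        rm -f "$f"
    done
    echo "$excess"
}

# Restore drill: unpack into an empty directory, never straight over the
# live site, and fail if the result is incomplete.
restore_files() {
    archive="$1"; dest="$2"
    mkdir -p "$dest"
    tar -xzf "$archive" -C "$dest"
    [ -f "$dest/wp-config.php" ] && [ -d "$dest/wp-content" ]
}

# Typical nightly run (paths are placeholders):
#   a=$(backup_files /var/www/html /var/backups/wp) && verify_archive "$a" \
#       && prune_backups /var/backups/wp 14
```

Pair it with a quarterly restore_files into a scratch directory, and copy the archives somewhere the web server cannot reach (rsync or rclone to the off-site store), since an archive sitting next to the site is lost with the site.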

HTTPS and hosting basics on a budget

Transport security is non-negotiable. Even small sites should use TLS so passwords and form submissions don’t ride the internet naked. Luckily, free certificates from Let’s Encrypt make this trivial on most hosts — many providers even offer one-click setup and auto-renewals. If your host supports Let’s Encrypt, enable automatic issuance and renewal (see letsencrypt.org).

After installing a certificate, force HTTPS across the site. First confirm that https://yoursite loads cleanly in a browser; then update WordPress Settings → General (WordPress Address and Site Address) to https://, and set up a 301 redirect from http to https at the server level or via .htaccess. Do it in that order: switching the addresses before the certificate works locks you out of the dashboard, and you have to undo it in wp-config.php or the database. The address change makes WordPress generate https links itself, and the canonical redirect catches old links, which together prevent most mixed-content warnings and keep your SEO happier than a cat in a sunbeam.

Consider a free CDN/security layer like Cloudflare’s free plan. It adds caching, absorbs volumetric DDoS traffic, and includes a basic web application firewall. Set its SSL mode to “Full (strict)”, which requires a valid certificate on your origin server (Let’s Encrypt, or Cloudflare’s free Origin CA certificate). Avoid “Flexible”: it serves visitors HTTPS while talking to your server over plain HTTP, which leaves that hop unencrypted and tends to cause redirect loops once WordPress forces HTTPS. Be careful with HSTS: it strengthens security by making browsers refuse plain HTTP for your domain for as long as its max-age says, and that is exactly why it locks visitors out if anything on the site stops working over HTTPS. Enable it only once HTTPS is stable site-wide, start with a short max-age, and treat the includeSubDomains and preload options as one-way doors.

Finally, check security headers and mixed content. The browser console (look for “Mixed Content” warnings) and free online scanners such as securityheaders.com and SSL Labs spot insecure assets and missing headers. Replace hard-coded http:// links in themes and posts. For the database, use a tool that understands PHP serialized data, such as WP-CLI’s search-replace command or the Better Search Replace plugin; a raw SQL UPDATE on wp_options or wp_postmeta changes string lengths inside serialized values and silently corrupts widgets and theme settings. If mixed content looks like a spider web of broken images, treat it like a messy garage: don’t ignore it, and don’t swallow the spider.
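Before reaching for a search-and-replace, it is worth knowing how many of the plain-http references are your own domain (one replace fixes all of them) and how many point elsewhere (each needs an https copy of the asset or has to go). The script below does that split over a saved page; it is an added example, not code from the original post. The HTML is constructed for the example and example.com stands in for your own domain.

```sh
#!/bin/sh
# Added example (not from the original post): list http:// URLs in a page and
# split them into internal (same host) and external. Sample HTML is constructed.

SAMPLE_HTML=$(mktemp)
cat > "$SAMPLE_HTML" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/2024/photo.jpg" alt="">
<a href="http://example.com/about/">About</a>
<img src="https://example.com/wp-content/uploads/2024/ok.jpg" alt="">
</body></html>
EOF

# Every distinct http:// URL in FILE, one per line. Anchor hrefs are not
# mixed content themselves (browsers only block loaded assets), but they are
# the same hard-coded links the search-and-replace will fix, so they count.
http_urls() {
    awk 'BEGIN { re = "http://[^\"\047 <>)]+" }
         { s = $0
           while (match(s, re)) {
               print substr(s, RSTART, RLENGTH)
               s = substr(s, RSTART + RLENGTH)
           } }' "$1" | sort -u
}

# Tag each URL as internal (host is DOMAIN) or external.
classify_http_urls() {
    http_urls "$1" | awk -v d="$2" '
        index($0, "http://" d "/") == 1 || $0 == ("http://" d) { print "internal", $0; next }
        { print "external", $0 }'
}

# Number of URLs in CLASS (internal|external); zero is the pass condition
# for a cron job that re-checks the front page after deployments.
count_class() {
    classify_http_urls "$1" "$2" | awk -v c="$3" '$1 == c { n++ } END { print n + 0 }'
}

classify_http_urls "$SAMPLE_HTML" example.com
echo "internal: $(count_class "$SAMPLE_HTML" example.com internal), external: $(count_class "$SAMPLE_HTML" example.com external)"
```

On a real site, save the page with curl -s https://example.com -o page.html and point the functions at it. For the internal ones, wp search-replace 'http://example.com' 'https://example.com' --dry-run shows what a serialization-aware replace would touch before you commit to it.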

Ongoing monitoring and incident response (free tools)

Monitoring doesn’t need to be flashy; it needs to be consistent. Free security plugins such as Wordfence Free or Sucuri Security provide file integrity checks against the official WordPress.org copies, basic malware scanning, and alerts when core files change. I keep one of these active for daily scans and immediate notification if something odd appears, like a new administrator account or a modified core file. If you have shell access, WP-CLI gives you the same integrity check without a plugin: wp core verify-checksums and wp plugin verify-checksums --all compare your files with the released versions. Wordfence’s free scanner is a solid starting point for visibility; just remember that its free firewall rules arrive 30 days after the paid ones, so it is no substitute for patching.

Use a free uptime monitor like UptimeRobot to check your site every 5 minutes and alert you if it goes down or starts serving something other than your home page. Quick alerts reduce downtime and panic, and they’re free, which is nice when you’re counting sheep instead of bills. Route alerts from the security plugin and the uptime tool into a single inbox or Slack channel so you don’t miss anything.

Have a short incident response playbook. Mine is five steps: detect, contain, eradicate, recover, review. When an alert comes in, first contain: take the site offline or enable maintenance mode (or block traffic with Cloudflare), and change the passwords of every admin account and of the database user in wp-config.php. Then eradicate and recover: restore from a verified backup taken before the compromise, not simply the latest one, because web shells often sit quietly for weeks and a recent backup can restore them along with everything else; rotate AUTH_KEY and the other salts in wp-config.php so every existing login session is invalidated; update everything; and run a malware scan on the restored copy before reopening. Before you wipe anything, collect logs for evidence: web server access logs around the time of the alert, the list of users with their roles, and any PHP files under wp-content/uploads. Finally, review what happened and patch the root cause, whether a neglected plugin, a weak password without 2FA, an expired certificate, or an admin account that was never removed.

And know when to call your host. Shared hosts often can help with server-level cleanup or offer temporary isolation if a compromise looks severe. Keep your host’s support contact in your favorites; it’s surprisingly comforting to have someone you can ping at 2 a.m. when the worst happens.
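The two checks a security plugin runs for you, file-change alerts and a look for PHP where it never belongs, are small enough to keep as a script as well, so you still have them when the plugin itself is what got disabled. The example below is added here and is not code from the original post, Wordfence or Sucuri. It assumes a Linux host with sha256sum (use shasum -a 256 on macOS) and file paths without spaces; the sample tree in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): file integrity baseline/diff
# and a scan for PHP under uploads. Assumes sha256sum and space-free paths.

# Write a manifest of "hash  relative-path" for every file under ROOT into
# MANIFEST, skipping the page cache, which churns legitimately. Keep the
# manifest somewhere the site cannot write to (or off the server).
integrity_baseline() {
    ( cd "$1" && find . -type f ! -path './wp-content/cache/*' -exec sha256sum {} + ) \
        | sort -k2 > "$2"
}

# Compare ROOT against MANIFEST; prints "added|changed|removed path" lines,
# sorted, and nothing when the tree is unchanged.
integrity_diff() {
    current=$(mktemp)
    integrity_baseline "$1" "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in cur) {
                 if (!(p in base)) print "added", p
                 else if (base[p] != cur[p]) print "changed", p
             }
             for (p in base) if (!(p in cur)) print "removed", p
         }' "$2" "$current" | sort
    rm -f "$current"
}

# PHP files under uploads are almost never legitimate: it is the one
# directory every site lets the web server write to, so it is where web
# shells and backdoors get dropped. Prints any it finds, one per line.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Daily run (paths are placeholders): mail yourself anything that prints.
#   integrity_diff /var/www/html /root/wp-manifest.sha256
#   php_in_uploads /var/www/html
# Refresh the manifest with integrity_baseline right after each update you
# made yourself, so the next diff shows only what you did not do.
```

Expect noise from plugin updates you did not apply by hand (auto-updates change files too), which is why the manifest gets refreshed after every planned change; an entry you cannot account for, especially a changed core file or a new .php file anywhere under uploads, is the signal to start the playbook above.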

Maintenance rhythm for beginners

Security is a habit, not a project. If you can’t do everything daily, make a predictable rhythm you can actually keep. Here’s a simple cadence I follow and recommend to new site owners:

  • Weekly: Update core, themes, and plugins (or let auto-updates do it and just confirm they ran); run a quick malware/file-change scan; verify the last backup completed successfully.
  • Monthly: Audit users and roles (delete unused accounts and demote anyone who doesn’t need administrator), remove inactive plugins/themes, and check file permissions. Rotate passwords for privileged accounts when someone leaves or you suspect exposure; with unique passwords and 2FA in place, a fixed 60–90 day rotation is optional rather than essential.
  • Quarterly: Test a full restore from backup to a staging environment; review security logs and the incident playbook; rehearse the restore steps so they become muscle memory.

Keep a lightweight changelog in a Google Sheet or notes app: date, action, and outcome. It’s not a thesis — it’s a short receipt for your website’s health. If something goes sideways, that log is gold for diagnosing when a change introduced a problem.

Finally, stay curious. Subscribe to a couple of trustworthy feeds (WordPress.org announcements, Let’s Encrypt blog) and invest a little time each month to read security summaries — ten minutes can keep you ahead of most threats. Think of it as flossing for your site: awkward sometimes, very satisfying later.

Next step: pick one small action you can do in the next 15 minutes — enable automatic core updates, install UpdraftPlus and connect it to Google Drive, or set up 2FA — and do it. Small habits compound into a secure site without costing a penny.

References: WordPress.org Security (https://wordpress.org/about/security/), Let’s Encrypt (https://letsencrypt.org/), UpdraftPlus (https://updraftplus.com/).


Quick recap

  • Keep WordPress core, themes, and plugins updated on a predictable schedule, use strong unique passwords, and require 2FA for every administrator.
  • Limit login attempts with a free plugin, block XML-RPC at the web server, and treat a hidden login slug as a noise reducer, not a control.
  • Wordfence Free or Sucuri Security give you file-change alerts and basic scanning; add UptimeRobot to catch outages.
  • Automate backups with UpdraftPlus Free or similar, store them off-site in a private location, and test restores regularly.
  • Enable TLS with Let’s Encrypt, layer in Cloudflare’s free plan in Full (strict) mode, add security headers, and turn on HSTS only once HTTPS is stable everywhere.