I've been managing WordPress sites for a long time. Not as a hobbyist, but in the real world, where a misconfiguration at 11pm means you're still awake at 2am trying to work out what went wrong. Where a client calls you because their site has been defaced. Where a hosting bill doubles overnight because a bot found an open door you didn't know was there.
This book exists because I wanted something I could point people to. Something honest, practical, and written by someone who has actually dealt with this stuff, not just read about it.
There are no magic plugins here. No silver bullets. Just the things that work, explained clearly, so you can make informed decisions about how you run your WordPress sites.
TL;DR — The Quick Start
If you want the 80/20 version before diving into the full book, here it is. These are the highest-impact things to do on any WordPress site, in rough priority order.
Do these immediately on any new or existing site:
- Keep WordPress core, plugins, and themes up to date. Outdated plugins are the single most common cause of compromises.
- Install Wordfence (free). Firewall, malware scanning, login security, and 2FA in one plugin.
- Change the default `/wp-login.php` login URL using a plugin like WPS Hide Login.
- Limit login attempts and enforce 2FA on all admin accounts.
- Disable the built-in file editor in `wp-config.php`: `define( 'DISALLOW_FILE_EDIT', true );`
- Install an SSL certificate and force HTTPS. Let's Encrypt is free.
- Set up automated off-site backups. UpdraftPlus (free tier) to Google Drive or S3 covers the basics.
- Set up uptime monitoring. UptimeRobot (free tier) takes two minutes.
- Install WP Mail SMTP so your site sends email reliably via a proper mail provider.
- Remove any plugins and themes you're not actively using.
If you manage your own server, also do these:
- Disable root SSH login and enforce key-based authentication.
- Configure a firewall (UFW) and install Fail2Ban.
- Run a supported PHP version (8.3 or 8.4 as of 2026).
- Block PHP execution in the uploads directory.
- Set file permissions correctly: `755` for directories, `644` for files, `440` for `wp-config.php`.
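As an added, runnable example (not the book's own code, and not a script the author ships), the POSIX shell script below turns three items from the checklists above into something you can audit and apply: the `755`/`644`/`440` permission baseline, the `DISALLOW_FILE_EDIT` constant in `wp-config.php`, and a count of PHP files sitting in `wp-content/uploads`. The function names, the temporary sample site it builds, and that site's deliberately loosened permissions and stray PHP file are all constructed for this example; nothing here is a real WordPress path beyond the standard layout.

```shell
#!/bin/sh
# Added example, not from the book: apply and audit the permission baseline from
# the checklist (755 directories, 644 files, 440 wp-config.php), confirm that
# DISALLOW_FILE_EDIT is set, and count PHP files that have landed in uploads.
# Function names and the sample site layout are this example's own assumptions.
set -u

# Apply the baseline to a WordPress root. wp-config.php is tightened last so the
# blanket 644 pass over all files does not undo it.
wp_apply_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 440 "$root/wp-config.php"
  fi
}

# Audit the baseline: print the number of paths that deviate from it (0 = clean).
# -perm with a bare mode is an exact match, so setuid/setgid bits are flagged too.
wp_audit_perms() {
  root="$1"
  bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l)
  bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
  bad_cfg=0
  if [ -f "$root/wp-config.php" ]; then
    bad_cfg=$(find "$root/wp-config.php" ! -perm 440 | wc -l)
  fi
  echo $((bad_dirs + bad_files + bad_cfg))
}

# Succeed only if wp-config.php disables the built-in theme/plugin editor.
wp_check_file_edit_disabled() {
  grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
    "$1/wp-config.php"
}

# Count PHP files under wp-content/uploads. Blocking execution at the web server
# is the control; a PHP file turning up there is still something to investigate.
wp_count_php_in_uploads() {
  n=$(find "$1/wp-content/uploads" -type f -name '*.php' | wc -l)
  echo $((n))
}

# Constructed sample site in a temp directory, with deliberately loose permissions
# and a stray PHP file in uploads, so the audit has something to find. mktemp -d
# creates the root as 700, which the audit also reports until it is fixed.
wp_make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2026" "$root/wp-content/plugins/demo"
  printf '<?php\n' > "$root/index.php"
  printf '<?php\n' > "$root/wp-content/plugins/demo/demo.php"
  printf '<?php\n' > "$root/wp-content/uploads/2026/stray.php"
  printf "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n" > "$root/wp-config.php"
  chmod 777 "$root/wp-content/uploads"   # world-writable directory
  chmod 666 "$root/wp-config.php"        # world-readable and world-writable config
  echo "$root"
}

# Stand-alone run: audit, fix, audit again, then clean up the sample site.
site=$(wp_make_sample_site)
echo "permission issues before: $(wp_audit_perms "$site")"
wp_apply_perms "$site"
echo "permission issues after:  $(wp_audit_perms "$site")"
wp_check_file_edit_disabled "$site" && echo "DISALLOW_FILE_EDIT: set"
echo "php files in uploads: $(wp_count_php_in_uploads "$site")"
rm -rf "$site"
```

On a real site, run `wp_audit_perms` against the document root first and read what it reports before letting `wp_apply_perms` touch anything; the audit is the useful half on a host you did not build, because a non-zero count often points at a deploy process or plugin that keeps resetting modes. Note that `440` on `wp-config.php` only works when the PHP process runs as the file's owner or group, which is the usual single-site setup.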
That covers the majority of common attack vectors. The rest of the book explains the why, the how, and everything beyond this baseline.
How This Book Works
Protect My WP is a living reference guide. It's not meant to be read once and put away. It's meant to sit open in a tab while you're working, get updated as WordPress evolves, and grow over time as new threats and best practices emerge.
Each chapter covers a specific area of WordPress security and administration. They're modular, so you can jump to whatever's most relevant to you right now. If you're setting up a new site, working through them in order makes sense. If you're hardening an existing one, jump straight to the chapters that apply.
A Word on Commands and Code
Throughout this book you'll find terminal commands, PHP snippets, server configuration blocks, and code examples. They are there to help you, but they come with a responsibility attached.
Please do not blindly copy and paste anything you find here without first understanding what it does.
Every server setup is different. Every WordPress installation has its own combination of plugins, themes, hosting environment, and configuration. A command that works perfectly on my setup might behave differently on yours. Before running anything:
- Read it. Understand what it does and what it changes.
- Check it suits your specific setup, your operating system, your web server, your file paths.
- Consider the intended outcome. What should happen? What could go wrong?
- Test on a staging environment before applying anything to a live site.
- Take a backup first. Always.
This applies to everything in this book, from a single chmod command to a block of Nginx configuration. The examples are starting points, not copy-paste solutions.
Disclaimer
I've written this book based on real-world experience and to the best of my knowledge at the time of writing. I update it regularly as things change, but the web moves fast and no book can keep up with everything.
By using this book, you accept that:
- All information is provided for educational purposes only.
- You are responsible for evaluating whether any advice, command, or configuration is appropriate for your specific situation.
- I accept no responsibility for any loss of data, damage to your site or server, security incidents, downtime, or any other negative outcome that arises from following the guidance in this book.
- Use of this book and its contents is entirely at your own risk.
That's not me covering my back for the sake of it. It's the reality of working with servers and live websites. Things can go wrong even when you do everything right. The best defence is understanding what you're doing before you do it, which is exactly what this book is here to help with.
If something doesn't look right, or you're not sure, don't run it. Ask someone who knows, test it somewhere safe first, or leave it alone.
About Me
I'm Stu, a WordPress administrator and hosting specialist with years of hands-on experience managing sites across a wide range of environments. That includes corporate-level WordPress installations, multisite setups built to meet enterprise and compliance requirements, and everything down to startup sites and personal projects. I've dealt with compromised sites, botched updates, performance problems, server fires, and security incidents at every scale.
This book is the distillation of what I've learned along the way.
I built Protect My WP because this knowledge shouldn't be locked away in Stack Overflow threads, outdated blog posts, or buried inside an AI chatbot where you don't even know where to start or what to ask. It should be accessible, up to date, and written by someone who actually does this work.
I hope you find it useful.
Feedback & Suggestions
This book is a living document and I'm always looking to improve it. If you think something is missing, something is wrong, or there's a topic you'd like to see covered, I'd genuinely like to hear from you.
Get in touch at [email protected] and I'll do my best to accommodate.
Let's get into it.