Welcome to Protect My WP

I look after WordPress sites for a living, and have done for a long time. Everything in this book comes from that.

This book exists because I wanted something to point people to. Something written from the work itself rather than from other people's blog posts.

There are no magic plugins in here, and no tool that makes all the work go away. What you will find is what actually works, explained well enough that you can make sensible decisions for your own sites.


The quick start

If you want the 80/20 version before getting into the full book, this is it. The most useful things to do on any WordPress site, in rough priority order.

Do these immediately on any new or existing site:

  1. Keep WordPress core, plugins, and themes updated. Known vulnerabilities in out-of-date plugins are the single largest cause of WordPress compromises, far ahead of weaknesses in core itself.
  2. Install Wordfence (free). Firewall, malware scanning, login security, and 2FA in one plugin. Bear in mind that a plugin firewall runs inside PHP on the same server it is protecting, so it complements the server-level steps below rather than replacing them.
  3. Change the default /wp-login.php login URL using a plugin like WPS Hide Login. Treat this as noise reduction, not a security control: it hides the form from untargeted bots but does nothing against anyone who finds the new URL, and authentication is still reachable through xmlrpc.php. Disable XML-RPC as well if nothing on the site needs it.
  4. Limit login attempts and enforce 2FA on all admin accounts.
  5. Disable the built in file editor by adding define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php, above the "That's all, stop editing!" line. Without it, anyone who gets an administrator session can write PHP to your theme and plugin files straight from the dashboard.
  6. Install a TLS certificate and redirect all HTTP traffic to HTTPS. Let's Encrypt is free.
  7. Set up automated off site backups. UpdraftPlus (free tier) to Google Drive or S3 covers the basics. Then test a restore at least once: a backup you have never restored is a hope, not a backup.
  8. Set up uptime monitoring. UptimeRobot (free tier) takes two minutes.
  9. Install WP Mail SMTP so your site sends email reliably via a proper mail provider.
  10. Remove any plugins and themes you're not actively using. Deactivating is not enough: the code is still on disk, still reachable over the web, and still exploitable if it has a vulnerability.

If you manage your own server, also do these:

  1. Disable root SSH login and enforce SSH key authentication: PermitRootLogin no and PasswordAuthentication no in sshd_config, applied only after you have confirmed your own key login works from a second session.
  2. Configure a firewall (UFW) and install Fail2Ban.
  3. Run a supported PHP version (8.3 or 8.4 as of 2026). Check the current support table on php.net before choosing, because end-of-life versions receive no security fixes at all.
  4. Block PHP execution in the uploads directory, so a malicious file that does get uploaded cannot be run as code.
  5. Set file permissions correctly: 755 directories, 644 files, 440 for wp-config.php. The 440 only works if PHP runs as the owner of wp-config.php or as a member of its group, so check which user PHP-FPM or Apache runs as before locking it down, or the site will stop loading.
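
The following script is an added example for this checklist, not tooling from the book. It applies the permission scheme from item 5, writes an Apache .htaccess that denies PHP execution under wp-content/uploads for item 4, prints the Nginx equivalent, and finishes with a check you can re-run after deployments. It assumes GNU coreutils and findutils (stat -c, find -perm), that Apache is configured to honour .htaccess in the uploads directory, and that PHP runs as the owner or group of wp-config.php; the install path /var/www/example.com in the usage line is a placeholder.

```shell
#!/usr/bin/env bash
# Added example for the Protect My WP server checklist (not the book's own code):
# 755 directories, 644 files, 440 wp-config.php, plus a PHP execution block
# for wp-content/uploads. Assumptions: GNU coreutils/findutils, Apache reads
# .htaccess in uploads (AllowOverride), and PHP runs as the owner or group of
# wp-config.php, otherwise 440 locks PHP out of its own configuration.
set -euo pipefail

# harden_permissions <wp_root>: normalise permissions across the install.
harden_permissions() {
  local root="$1"
  if [ ! -d "$root" ]; then
    echo "harden_permissions: $root is not a directory" >&2
    return 1
  fi
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds database credentials and salts: owner/group read only.
  if [ -f "$root/wp-config.php" ]; then
    chmod 440 "$root/wp-config.php"
  fi
}

# block_uploads_php <wp_root>: Apache 2.4 rule denying PHP-like files in uploads.
# The match is case-insensitive and covers php, phtml, phar and numbered
# variants (php5, php7, ...) so a renamed web shell is not served as code.
block_uploads_php() {
  local uploads="$1/wp-content/uploads"
  mkdir -p "$uploads"
  cat > "$uploads/.htaccess" <<'EOF'
# Deny execution of any PHP-like file uploaded into this tree.
<FilesMatch "\.(?i:php|phtml|phar)[0-9]*$">
    Require all denied
</FilesMatch>
EOF
  chmod 644 "$uploads/.htaccess"
}

# nginx_uploads_block: prints the Nginx equivalent. Nginx does not read
# .htaccess, so this has to be pasted into the server block by hand.
nginx_uploads_block() {
  cat <<'EOF'
# Put this BEFORE the generic "location ~ \.php$" block: Nginx uses the first
# regex location that matches, so the deny has to be seen first.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar)[0-9]*$ {
    deny all;
}
EOF
}

# check_permissions <wp_root>: returns 0 when the tree matches the scheme.
# Worth running after every deploy; installers and FTP clients drift it.
check_permissions() {
  local root="$1" bad=0
  bad=$(( bad + $(find "$root" -type d ! -perm 755 | wc -l) ))
  bad=$(( bad + $(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l) ))
  if [ -f "$root/wp-config.php" ] && [ "$(stat -c '%a' "$root/wp-config.php")" != "440" ]; then
    bad=$(( bad + 1 ))
  fi
  [ "$bad" -eq 0 ]
}

# Stand-alone usage: ./harden.sh /var/www/example.com (path is a placeholder).
if [ "$#" -ge 1 ]; then
  block_uploads_php "$1"
  harden_permissions "$1"
  check_permissions "$1" && echo "permissions OK under $1"
  nginx_uploads_block
fi
```

Run it against a copy of the site first, then confirm the block works by placing a harmless test.php in uploads and requesting it: a 403 means the rule is live, a 200 or executed output means the web server is not reading the rule and you need to fix AllowOverride or the Nginx location order.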

That covers the majority of common attack vectors on a WordPress site. The rest of the book gets into why each one matters, how to do it properly, and what to do once the basics are in place.


How this book works

Protect My WP is a living reference. It is designed to sit open in a browser tab while you work, get updated as WordPress changes, and expand as new threats and fixes become relevant.

Each chapter covers a specific area of WordPress security and administration. They're modular, so you can jump to whichever is most relevant right now. If you're setting up a new site, working through in order makes sense. If you're hardening an existing one, start with the chapters that apply to whatever is bothering you most.


A word on commands and code

Throughout this book you'll find terminal commands, PHP snippets, server configuration blocks, and code examples. They are there to help you. They also come with a responsibility attached.

Please do not blindly copy and paste anything you find here without first understanding what it does.

Every server setup is different. Every WordPress install has its own mix of plugins, themes, hosting environment, and configuration. A command that works perfectly on my setup can misbehave on yours. Before running anything:

  • Read it. Understand what it does and what it changes.
  • Check it fits what you're actually working with. Your OS, your web server, your file paths.
  • Consider the intended outcome. What should happen? What could go wrong?
  • Test on a staging environment before applying anything to a live site.
  • Take a backup first. Always.

This applies to everything in this book, from a single chmod command to a full block of Nginx configuration. The examples are starting points. Adapt them to your setup before you run them.


Disclaimer

I've written this book based on real world experience and what I know at the time of writing. I update it as things change, but the web moves fast and no book can keep up with everything.

By using this book, you accept that:

  • All information is provided for educational purposes only.
  • You are responsible for evaluating whether any advice, command, or configuration is appropriate for your specific situation.
  • I accept no responsibility for any loss of data, damage to your site or server, security incidents, downtime, or any other negative outcome that arises from following the guidance in this book.
  • Use of this book and its contents is entirely at your own risk.

That is not legal boilerplate for its own sake. Servers and live sites genuinely can go wrong even when you do everything right, and the person running a command is the one responsible for what happens when it runs. Understanding the commands before you run them is the point of this book.

If something does not look right, or you are not sure, don't run it. Ask someone who knows, test it somewhere safe first, or leave it alone.


About me

I'm Stu. I work as a WordPress administrator and hosting specialist. Over the years I've looked after everything from personal blogs and startup projects up to multisite setups for larger organisations with compliance requirements to meet. I've worked through compromised sites, botched updates, performance problems, server fires at 3am, and every flavour of security incident you can reasonably have on a WordPress site.

This book is what I have learned along the way, written down.

I built Protect My WP because this kind of knowledge deserves better than scattered Stack Overflow threads, blog posts from 2019, or an AI chatbot that only helps if you already know what to ask. It belongs in one place, kept up to date, and written by somebody who actually does the work.

I hope you find it useful.


Feedback & suggestions

This book is a living document and I want to keep improving it. If there is something missing, something you think is wrong, or a topic you'd like to see covered, please say so.

Email me at [email protected] and I'll do my best to work it in.


Let's get into it.