Chapter 14: Security & Maintenance

Security & Maintenance — this is the “don’t skip this” chapter. In early 2026, WordPress powers ~43% of the web, which makes it a huge target for hackers, bots, and script kiddies. The good news? 99% of hacks are preventable with basic habits. Most breaches in India happen because of outdated plugins/themes, weak passwords, or no backups.

Think of security like locking your house in Hyderabad: strong doors (updates), alarm (firewall), CCTV (monitoring), and insurance (backups). Maintenance is regular servicing so everything runs smoothly.

We’ll cover everything in detail with practical steps and real examples for your site (webliance.in).

Basic WordPress Security Best Practices (2026 Edition)

Follow these core rules — they’re recommended by WordPress.org, Sucuri, Wordfence, and Indian hosting companies like Hostinger.

1. Use a reputable host with built-in security
   • Hostinger (your likely choice) already has Imunify360, malware scanner, free SSL, WAF (Web Application Firewall).
   • Enable auto-updates for minor WP core releases (Hostinger does this).
2. Limit login attempts & hide login page
   • Bots try thousands of passwords per day on wp-login.php.
   • Plugin solution: Use Solid Security (formerly iThemes) or Wordfence → Enable brute-force protection (limit to 5–10 failed logins → lockout).
3. Disable file editing from dashboard
   • Hackers love this if they get in.
   • Add to wp-config.php (via Hostinger File Manager): define(‘DISALLOW_FILE_EDIT’, true);
4. Change database prefix (if fresh install — too late now, but note for future)
   • Default wp_ → easy target. Custom like wbl_ harder.
5. Protect wp-config.php
   • Hostinger adds .htaccess rules automatically, but double-check permissions (File Manager → right-click → 600).
6. Scan regularly for malware
   • Use free Wordfence/Solid scanner weekly.
7. Use HTTPS only (force SSL)
   • Already done via host → Force in Solid/Wordfence settings.
8. Remove unused themes/plugins
   • Delete everything except active theme + child theme.

Keeping Core, Themes, and Plugins Updated

Outdated software = #1 hack reason (70–80% of cases per Sucuri 2025–2026 reports).

How updates work in 2026:

• WordPress auto-updates minor versions (6.9.1 → 6.9.2) safely.
• Major versions (6.9 → 7.0) need manual click.

Safe update routine:

1. Dashboard → Updates (red badge shows count)
2. Always backup first (next section).
3. Update in order:
   • WordPress core
   • Plugins (one by one if many)
   • Themes
4. Test site after each batch (open incognito, check key pages).
5. Enable auto-updates where safe:
   • Plugins → Installed → Click plugin → “Enable auto-updates”
   • Same for themes
   • Recommended: Auto-update all except page builders (Elementor) and critical plugins — manual for those.

Example: You see 5 plugin updates → Backup → Update all → Clear cache (LiteSpeed) → Check homepage, contact form, mobile view.

Pro tip: Use staging site (Hostinger has one-click staging) for big updates.

Backups (Manual & Automated)

Rule #1: If it’s not backed up in at least 2 places, it doesn’t exist.

Best plugin: UpdraftPlus (we installed in Chapter 10)

Full automated setup (takes 10 minutes):

1. UpdraftPlus → Settings
2. Backup schedule:
   • Files: Every 24 hours (keep 7 copies)
   • Database: Every 12–24 hours (keep 14 copies)
3. Remote storage (critical — local backup dies if server dies):
   • Connect Google Drive (free 15GB) or Dropbox
   • Click “Google Drive” → Authenticate → Save
   • Now backups go off-site automatically
4. Include in files backup: Check all (plugins, themes, uploads, others)
5. Run first manual backup now → “Backup Now” → Check Google Drive folder

Manual backup options:

• Hostinger → hPanel → Backups → Generate manual (daily snapshots)
• Export database: phpMyAdmin (in hPanel) → Export
• Files: File Manager → Zip public_html

Restore example:

• Site hacked? → UpdraftPlus → Existing Backups → Restore (choose date before issue)
• Or Hostinger restore point

Golden rule: Test restore quarterly — many discover broken backups only when needed!

Using Strong Passwords & 2FA

Weak passwords = open door.

Strong passwords:

• Minimum 16 characters
• Mix uppercase, lowercase, numbers, symbols
• Unique per site
• Use password manager (Bitwarden free, LastPass, 1Password)
• Example bad: “webliance123”
• Example good: “Hyderabad-WebDesign-2026!Secure@Portfolio”

Change your admin password now:

1. Users → Your Profile → Scroll to Account Management → Generate Password → Strong one → Update Profile

Enable Two-Factor Authentication (2FA) — makes brute-force useless

Best free options 2026:

• Wordfence Login Security (free)
• Solid Security (free 2FA)
• Two-Factor plugin
• Google Authenticator app (free on phone)

Setup example with Wordfence (if using):

1. Wordfence → Login Security → Enable 2FA
2. Scan QR code with Google Authenticator app
3. Save recovery codes (print/store safely)
4. Next login: Enter code from app after password

Alternative: Hostinger has 2FA for hPanel login too.

Your immediate security checklist (do today):

1. Backup with UpdraftPlus + Google Drive
2. Update everything (Dashboard → Updates)
3. Change admin password to strong one
4. Enable 2FA (Wordfence or Solid)
5. Delete any unused themes/plugins
6. Run malware scan (Wordfence/Solid)
7. Set UpdraftPlus schedule

Do these 7 things → your site is safer than 95% of WordPress sites out there.

Maintenance routine (weekly/monthly):

• Weekly: Check Updates + Backup check
• Monthly: Full scan + test restore one file
• Quarterly: Password audit + cleanup