Last updated: 21 December 2025
To protect our network and our customers, all WordPress websites hosted with UK Cheapest must meet the minimum security requirements outlined below.
Websites that do not meet these requirements are at a significantly higher risk of being hacked and may be temporarily restricted if they pose a security or abuse risk.
Why this is required
WordPress is a popular platform and is frequently targeted by automated attacks.
Most compromises occur due to:
- outdated WordPress core
- vulnerable or abandoned plugins
- weak passwords
- lack of basic security protection
Once a site is compromised, it can be used to send spam, perform attacks, or host malicious content. These activities can result in service disruption or action by upstream providers.
Minimum security requirements (mandatory)
All WordPress installations must meet all of the following requirements.
1. Keep WordPress fully up to date
- WordPress core must be kept on the latest stable version
- All themes and plugins must be kept up to date
- Any themes or plugins that are not actively used must be deleted, not just disabled
2. Use strong login credentials
- Strong, unique passwords must be used for all WordPress admin accounts
- Do not reuse passwords from other websites or services
- Remove any unused admin or user accounts
3. Install a security plugin
A reputable WordPress security plugin must be installed and active.
Examples include (but are not limited to):
- Wordfence
- iThemes Security / Solid Security
- All In One WP Security
The security plugin should provide basic protection such as login rate limiting and malware scanning.
4. Protect the login page
At least one of the following must be enabled:
- login rate limiting
- CAPTCHA
- two-factor authentication (recommended)
This significantly reduces brute-force and credential-stuffing attacks.
5. XML-RPC protection
- XML-RPC must be disabled if it is not required, or
- protected via a security plugin
Unprotected XML-RPC is a common attack vector.
6. File and plugin hygiene
- No executable files or custom binaries should exist in the website document root
- Plugins and themes must only be installed from trusted sources
- Pirated, nulled, or unverified plugins/themes are not permitted
If your site is compromised
If a WordPress site is found to be compromised or generating malicious activity:
- the site may be temporarily restricted to prevent further abuse
- cleanup or rebuilding will be required before the site can be re-enabled
UK Cheapest offers a WordPress Rescue Service for customers who would like us to professionally clean and secure their site.
Important note
Meeting these minimum requirements significantly reduces risk, but no website can be guaranteed to be completely immune from attack. Ongoing maintenance and updates are essential for long-term security.
Need help?
If you would like assistance securing your WordPress site, or if you are unsure whether your site meets these requirements, please open a support ticket and our team will be happy to advise.