How to Secure Your WordPress Website: Complete Security Checklist
Protect your WordPress website from hackers with this complete security checklist. Covers 25 essential security measures from basic hardening to advanced protection.
How to Secure Your WordPress Website: Complete Security Checklist
WordPress powers 43% of the web, making it the #1 target for automated attacks. Every day, bots scan millions of WordPress sites looking for vulnerabilities. Without proper security, it's not a matter of if your site will be attacked — it's when.
This checklist covers 25 essential security measures organized by priority.
Priority 1: Critical (Do Immediately)
1. Update Everything
- [ ] WordPress core updated to latest version
- [ ] All plugins updated
- [ ] All themes updated
- [ ] PHP version 8.0+ running
2. Strong Authentication
- [ ] No "admin" username — create a new admin user, delete old one
- [ ] Strong password (16+ characters, mixed case, numbers, symbols)
- [ ] Two-factor authentication enabled (Wordfence, WP 2FA)
- [ ] Limit login attempts (5 max, then lockout)
3. SSL Certificate
- [ ] HTTPS enabled site-wide
- [ ] HTTP redirects to HTTPS via 301
- [ ] HSTS header set
- [ ] Mixed content resolved
4. Backups
- [ ] Automated daily database backups
- [ ] Weekly full-site backups
- [ ] Backups stored off-site (not on same server)
- [ ] Backup restoration tested
Quick security scan: WordPress Security Checker
Priority 2: Important (Do This Week)
5. File Protection
- [ ]
wp-config.phpblocked from web access - [ ] Directory listing disabled (
Options -Indexes) - [ ]
readme.htmlandlicense.txtdeleted - [ ] File editor disabled (
DISALLOW_FILE_EDIT, true) - [ ] PHP execution disabled in
/wp-content/uploads/
6. Security Headers
- [ ] X-Frame-Options: SAMEORIGIN
- [ ] X-Content-Type-Options: nosniff
- [ ] X-XSS-Protection: 1; mode=block
- [ ] Content-Security-Policy configured
- [ ] Referrer-Policy set
- [ ] Permissions-Policy set
7. Access Control
- [ ] XML-RPC disabled (unless needed)
- [ ] REST API restricted
- [ ] wp-login.php protected (rate limiting or IP restriction)
- [ ] Admin area accessible only via VPN or specific IPs (optional)
8. Security Plugin
- [ ] Install Wordfence, Sucuri, or iThemes Security
- [ ] Configure firewall rules
- [ ] Enable malware scanning
- [ ] Set up email alerts for suspicious activity
Priority 3: Recommended (Do This Month)
9. Database Security
- [ ] Change default
wp_table prefix - [ ] Use strong database password
- [ ] Restrict database user permissions
- [ ] Regular database optimization
10. Monitoring
- [ ] Uptime monitoring (UptimeRobot, Pingdom)
- [ ] File integrity monitoring
- [ ] Login attempt monitoring
- [ ] SEO spam monitoring (Google Search Console)
11. Performance Security
- [ ] Web Application Firewall (Cloudflare, Sucuri)
- [ ] DDoS protection
- [ ] Rate limiting on API endpoints
- [ ] Bot protection
12. Privacy & Compliance
- [ ] Cookie consent banner (GDPR/Consent Mode v2)
- [ ] Privacy policy page
- [ ] Terms of service page
- [ ] Data export/erasure functionality
Security Plugins Comparison
| Plugin | Free Tier | Firewall | Malware Scan | 2FA | |--------|-----------|----------|-------------|-----| | Wordfence | Yes | Yes | Yes | Yes | | Sucuri | Limited | Yes | Yes | No | | iThemes | Yes | Yes | No | Yes | | All In One Security | Yes | Limited | No | Yes | | Shield | Yes | Yes | No | Yes |
After a Hack: Emergency Response
If your site is compromised:
- Don't panic — take the site offline if necessary
- Change all passwords — WordPress admin, FTP, database, hosting
- Scan for malware — use Wordfence or Sucuri scan
- Remove malicious code — check theme files, plugins, uploads
- Update everything — core, plugins, themes
- Restore from backup — if clean backup available
- Submit Google review request — if blacklisted
- Document the incident — what happened, how, prevention
FAQ
How often should I run security scans?
Weekly at minimum, and immediately after:
- Installing new plugins/themes
- WordPress core updates
- Any suspicious activity
Are free security plugins enough?
For most small to medium sites, yes. Wordfence Free provides excellent protection. Upgrade to premium for real-time threat intelligence and faster updates.
What are the most common attack types?
- Brute force login — 90% of sites see attempts
- Plugin vulnerabilities — 60% of compromises
- Theme exploits — 25% of compromises
- File inclusion — moderate risk
- SQL injection — moderate risk
Scan Your WordPress Site Now
Run a free security audit and identify vulnerabilities.
Related Articles:
Secure your WordPress site with the free WordPress Security Checker by Jayax.dev.