WordPress security checklist: 25 points to check

WordPress powers over 43% of all websites worldwide. This popularity also makes it the primary target for cybercriminals. According to Sucuri's 2025 report, over 60% of hacked WordPress sites were running an outdated version of the CMS, a plugin, or a theme. The good news? The majority of security vulnerabilities can be addressed with diligent maintenance.

This 25-point checklist will help you evaluate your WordPress site's security posture and identify priority corrective actions. Whether you manage your site yourself or work with a provider like WpDefender, these checks are essential.

1. WordPress Core Updates

WordPress security patches are released as soon as a vulnerability is discovered. Not applying them within 48 hours leaves your site wide open to attackers. Check out our 10 essential security measures for a solid security foundation.

Enable automatic minor updates in wp-config.php:

define('WP_AUTO_UPDATE_CORE', 'minor');

For major updates, schedule them manually after testing on a staging environment. A provider like WpDefender can manage this process with a pre-production environment to avoid any downtime.

2. Plugin Updates

Plugins are the number one attack vector for WordPress sites. According to WPScan, 94% of exploited vulnerabilities come from outdated plugins.

Best practices:

  • Remove unused plugins — every installed plugin is a potential attack surface
  • Favor regularly maintained plugins with a track record of swift security patches
  • Use a dashboard like MainWP or ManageWP to supervise updates across sites
  • At minimum, apply security updates within 24 hours

3. Theme Updates

Like plugins, abandoned or poorly maintained themes expose your site to risk. A theme that hasn't received an update in over 6 months should be replaced.

Regularly check:

  • Last update date of the active theme
  • Compatibility with the current WordPress version
  • Security advisories published by theme developers

4. Strong Passwords

A weak WordPress password can be cracked in seconds using tools like John the Ripper. Use passwords of at least 16 characters, combining letters, numbers, and special characters. Our article on secure WordPress passwords covers the best practices in detail.

Best practices:

  • Use a password manager (1Password, Bitwarden, KeePass)
  • Never reuse a password across multiple accounts
  • Change administrator passwords every 90 days
  • Prohibit simple passwords like "admin" or "password"

5. Two-Factor Authentication (2FA)

2FA adds a critical security layer. Even if an attacker obtains your password, they cannot log in without the second factor.

Recommended 2FA plugins:

  • Wordfence — built-in solutions with mobile authenticator
  • WP 2FA — compatible with Google Authenticator and Authy
  • Two Factor Authentication — lightweight and easy to configure

Enable 2FA at minimum for all administrator accounts. Ideally, extend it to editors and authors as well.

6. Automated Backups

A backup without a restore test is not a backup. Industry statistics show that 30% of businesses that suffer a major data loss do not survive the following 6 months.

Recommended strategy:

  • Daily automated backups (UpdraftPlus, BlogVault, or similar)
  • Off-site storage (Amazon S3, Google Drive, Dropbox)
  • Monthly restore tests on a staging environment
  • Retain at least 30 days of backups
  • Separate backups: files and database

WpDefender's emergency service includes backup restoration in under 30 minutes after a hack.

7. Login Attempt Limitation

Brute force attacks try thousands of password combinations per minute. Without protection, a server can be overwhelmed or a password cracked within hours.

Solutions:

  • Limit Login Attempts Reloaded plugin — blocks after 5 failed attempts
  • Progressive IP banning (5 min → 30 min → 24h)
  • Email notification after 3 suspicious attempts
  • Geographic blocking if your audience is concentrated in specific regions

8. Custom Login URL

The /wp-admin/ and /wp-login.php pages are favorite bot targets. Changing the login URL eliminates 90% of automated attempts.

Plugins to customize the login URL:

  • WPS Hide Login — the most popular, simple and effective
  • Permalink Manager Pro — also provides permalink control

Choose an unpredictable URL (avoid /admin, /login, /backdoor).

9. SSL Certificate / HTTPS

Google has ranked HTTPS sites above HTTP sites since 2014. In 2026, a site without HTTPS is flagged as "Not Secure" by all major browsers, destroying visitor trust. A good secure WordPress hosting provider typically includes a free SSL certificate.

Actions:

  • Obtain a free SSL certificate via Let's Encrypt or your hosting provider
  • Force HTTP to HTTPS redirect with an .htaccess rule
  • Update all internal links to avoid mixed content
  • Check the certificate monthly — Let's Encrypt certificates expire every 90 days

10. HTTP Security Headers

HTTP security headers reinforce your site's protection at the browser level. They prevent clickjacking, XSS, and other common attacks.

Essential headers to configure:

  • X-Content-Type-Options: nosniff — prevents MIME sniffing
  • X-Frame-Options: DENY — blocks iframe embedding
  • X-XSS-Protection: 1; mode=block — enables browser XSS filter
  • Strict-Transport-Security — forces HTTPS (HSTS)
  • Content-Security-Policy — controls loaded resources
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer data sharing

These headers can be added via the .htaccess file, a security plugin, or directly by your hosting provider.
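As an added example (not code from the article), a POSIX shell check that reports which of the essential headers above are absent from a response and prints the matching Apache mod_headers rules for an .htaccess file. The response text below is constructed; the commented curl line shows how to feed it a real one from your own site (example.com is a placeholder).

```shell
# Constructed HTTP response (not captured from a real site): only two of the
# five headers checked below are present.
sample_response='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
'

# Print, one per line, each essential header missing from the response in $1.
# X-XSS-Protection is deliberately not checked: current Chrome, Edge and Firefox
# ignore it, and Content-Security-Policy covers that role.
missing_headers() {
  for h in X-Content-Type-Options X-Frame-Options Strict-Transport-Security \
           Content-Security-Policy Referrer-Policy; do
    printf '%s' "$1" | grep -qi "^$h:" || printf '%s\n' "$h"
  done
}

# Emit Apache mod_headers rules (.htaccess syntax) for the missing headers.
# "always" applies them to error responses too. The CSP value is only a
# starting point: deploy it as Content-Security-Policy-Report-Only first, since
# a bare 'self' policy breaks most themes that use inline scripts or external fonts.
header_rules() {
  missing_headers "$1" | while read -r h; do
    case "$h" in
      X-Content-Type-Options)    v='nosniff' ;;
      X-Frame-Options)           v='DENY' ;;
      Strict-Transport-Security) v='max-age=31536000; includeSubDomains' ;;
      Content-Security-Policy)   v="default-src 'self'" ;;
      Referrer-Policy)           v='strict-origin-when-cross-origin' ;;
    esac
    printf 'Header always set %s "%s"\n' "$h" "$v"
  done
}

# Against your own site you would capture the headers with:
#   sample_response=$(curl -sI https://example.com/)   # example.com is a placeholder
echo "Missing:"
missing_headers "$sample_response"
echo "Rules to add:"
header_rules "$sample_response"
```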

11. Web Application Firewall (WAF)

A WAF (Web Application Firewall) filters malicious traffic before it reaches your server. It's the first line of defense against zero-day attacks.

Recommended solutions:

  • Wordfence — real-time WAF + malware scanner
  • Sucuri — cloud protection, ideal for high-traffic sites
  • Cloudflare — free firewall for basic attacks, premium for advanced protection

A WAF blocks an average of 4.5 billion attacks per day globally (Cloudflare figure, 2025).

12. Malware Scanner

A malware scanner detects modified files, backdoors, and injected malicious code. Early detection is critical: malware stays in a system for an average of 287 days before detection (IBM Security, 2025).

Recommendations:

  • Complete weekly scan (automated if possible)
  • Verify modified files against the official WordPress repository
  • Monitor modifications in /uploads/ and /wp-content/ directories
  • Use the built-in Wordfence scanner or the free Sucuri SiteCheck

13. File Permissions

Misconfigured permissions can allow an attacker to inject malicious code into your files.

Standard recommendations:

  • Directories: 755 (owner: read/write/execute; others: read/execute)
  • Files: 644 (owner: read/write; others: read)
  • wp-config.php: 600 or 640 (readable by the owner only, or by owner and group)
  • .htaccess: 644

Use a plugin like WP File Manager or run SSH commands to verify and fix permissions regularly.
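As an added example (not part of the article), a POSIX shell script that applies the modes listed above with find and chmod and then verifies them, run here on a constructed throwaway tree with two deliberate mistakes. Run the check against your own document root first and apply the fix only once you have reviewed what it reports.

```shell
# Added example: enforce the checklist's standard modes (directories 755,
# files 644, wp-config.php 600) and verify them with find. Paths are constructed.
set -e

fix_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"     # credentials: owner read/write only
  fi
}

# List every path whose mode deviates from the standard; succeed only when clean.
check_wp_perms() {
  root="$1"
  bad=$( {
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -type f -name wp-config.php ! -perm 600
  } )
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
}

# Build a throwaway tree (constructed, not a real site) with two deliberate
# mistakes: a world-writable uploads directory and a world-readable wp-config.php.
make_demo_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads"
  printf '<?php\n' > "$root/wp-config.php"
  printf '<?php\n' > "$root/wp-content/index.php"
  chmod 777 "$root/wp-content/uploads"
  chmod 666 "$root/wp-config.php"
  printf '%s\n' "$root"
}

site=$(make_demo_site)
echo "Before fix:"
check_wp_perms "$site" || true       # expected to report the two bad entries
fix_wp_perms "$site"
echo "After fix:"
check_wp_perms "$site" && echo "all modes match the checklist"
rm -rf "$site"
```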

14. Database Security

The database contains all your site's content and data. Its compromise is catastrophic.

Essential measures:

  • Custom table prefix (avoid the default wp_ prefix)
  • Database user with minimal privileges (not root)
  • Strong database password (20+ characters)
  • Database access restricted to the web server IP only
  • Daily database backups
  • Regular cleanup of revision tables and orphaned metadata

15. User Role Management

Every user account is a potential entry point. 67% of attacks involve a compromised user account (Verizon DBIR, 2025).

Best practices:

  • Apply the principle of least privilege — each user gets only the rights they need
  • Remove accounts inactive for more than 90 days
  • Limit the number of administrators (2 maximum recommended)
  • Audit roles quarterly
  • Never grant the "Administrator" role to a temporary contractor

16. Disable Online Editing

WordPress's online editing feature (Theme Editor and Plugin Editor) allows modifying PHP files directly from the admin interface. If an admin account is compromised, this feature lets the attacker modify the source code.

Add this line to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

This is one of the simplest and most effective security measures. There is no reason not to enable it.

17. Protect wp-config.php

The wp-config.php file contains database connection credentials. Protecting it is critical.

Measures:

  • Move it one level above the WordPress root directory (some configurations allow this)
  • Protect it with 600 permissions
  • Block access via .htaccess:

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Never store plain-text passwords in wp-config.php outside of the WordPress constants designed for this purpose.

18. Disable PHP Execution

By default, nothing stops the web server from executing PHP files placed in the /uploads/ folder. This is a major vulnerability: an attacker who manages to upload a PHP file there can run it as a webshell.

To block PHP execution in /uploads/, add to .htaccess:

<Files "*.php">
deny from all
</Files>

Or, with Apache 2.4+:

<FilesMatch "\.php$">
Require all denied
</FilesMatch>

This measure prevents execution of any PHP file uploaded by a user or injected by an attacker into the media folder.

19. Dashboard Cleanup

The WordPress dashboard displays by default information that can help an attacker map your installation.

Elements to hide:

  • WordPress version (visible in page source)
  • PHP version
  • Installed plugin and theme names
  • RSS feeds
  • The REST API exposes user accounts — restrict access if necessary

Use the Disable WP version plugin or add the corresponding functions to functions.php to hide this information.

20. Logging and Monitoring

Without logging, you cannot detect an intrusion or understand what was compromised.

Recommended configuration:

  • Login activity logging plugin (WP Activity Log)
  • File modification monitoring
  • Email alerts for logins from new IP addresses
  • Server-side PHP error logging
  • Log retention for at least 90 days

WP Activity Log is the industry standard — it records over 200 different events on your WordPress site.
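Added example tying points 7, 20 and 22 together (not code from the article): a POSIX shell and awk pass over a constructed Apache combined-log excerpt that finds brute-force login bursts, flags a brute force that eventually succeeded, and lists clients still posting to xmlrpc.php. The log lines, IP addresses and thresholds are constructed; the last comment shows how to point it at a real log.

```shell
# Constructed Apache combined-log excerpt (not from a real server): one client
# hammers wp-login.php and finally gets in, one probes xmlrpc.php, one is a
# normal visitor who logs in on the first try. Addresses are documentation ranges.
sample_log='203.0.113.7 - - [10/Mar/2026:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4128 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2026:03:15:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:03:16:00 +0000] "GET /about/ HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:03:16:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Combined-log fields: $1 client IP, $6 method (with leading quote), $7 path, $9 status.
# WordPress answers a failed login with 200 (form re-rendered) and a successful
# one with 302 (redirect to the dashboard); the rules below key on that.

# IPs with at least $2 failed logins, printed as "ip count".
failed_login_ips() {
  printf '%s\n' "$1" | awk -v min="$2" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }'
}

# IPs whose successful login (302) came only after at least $2 failures: the
# signature of a brute force that worked, which calls for an immediate password
# reset and session review rather than just a temporary ban.
suspicious_successes() {
  printf '%s\n' "$1" | awk -v min="$2" '
    $6 == "\"POST" && $7 == "/wp-login.php" {
      if ($9 == 200) fails[$1]++
      else if ($9 == 302 && fails[$1] >= min) print $1
    }'
}

# Clients POSTing to xmlrpc.php; this list should be empty once the API is disabled.
xmlrpc_clients() {
  printf '%s\n' "$1" | awk '$6 == "\"POST" && $7 == "/xmlrpc.php" { n[$1]++ }
    END { for (ip in n) print ip, n[ip] }'
}

echo "Failed logins (>=3):";  failed_login_ips "$sample_log" 3
echo "Suspicious successes:"; suspicious_successes "$sample_log" 3
echo "xmlrpc.php clients:";   xmlrpc_clients "$sample_log"
# On a live server replace "$sample_log" with "$(tail -n 5000 /var/log/apache2/access.log)".
```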

21. Anti-Spam Protection

Comment spam is not just an aesthetic problem — it can contain malicious links and harm your SEO.

Solutions:

  • Antispam Bee — free and privacy-respecting plugin
  • Akismet — effective cloud-based solution for comment spam
  • Disable comments on posts older than 30 days
  • Use a honeypot field to trap bots

22. Disable XML-RPC API

WordPress's XML-RPC API is a major security concern. It's exploited for:

  • Brute force attacks (a single request can test 1,000 passwords)
  • Amplified DDoS attacks
  • Remote code execution

If you don't use WordPress mobile apps or Pingbacks, disable XML-RPC completely:

// In functions.php
add_filter('xmlrpc_enabled', '__return_false');

Or block it via .htaccess:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

23. Secure Uploads Directory

The /uploads/ directory is WordPress's most vulnerable directory because it accepts user-uploaded files.

Protect it:

  • Block PHP execution (see point 18)
  • Validate accepted file types
  • Limit upload size (set upload_max_filesize in php.ini)
  • Scan uploaded files with an antivirus
  • Use external storage (Amazon S3) for media files

24. PHP Updates

PHP 7.x reached end of life in December 2022. Sites running PHP 7.x no longer receive security patches. In 2026, you must use PHP 8.2 or higher.

Why this is critical:

  • PHP 7.x vulnerabilities will never be fixed
  • PHP 8.x delivers 15-25% better performance
  • Some plugins now require PHP 8.x minimum
  • Google favors sites using recent PHP versions

Check your PHP version in Dashboard → Tools → Site Health or ask your hosting provider.

25. Incident Response Plan

Even with every precaution, no protection is 100%. Having an action plan for a breach is as important as prevention.

Plan elements:

  1. Detection: how do you identify a compromise? (monitoring, alerts, reports)
  2. Containment: maintenance mode, site deactivation, access blocking
  3. Eradication: malware removal, file restoration
  4. Recovery: backup restoration, integrity verification
  5. Notification: inform users and authorities if necessary (GDPR)
  6. Lessons learned: post-incident analysis to strengthen defenses

WpDefender's emergency service handles this entire process with a 30-minute response time, 7 days a week.

Conclusion

This 25-point checklist covers the fundamentals of WordPress security. Implementing these measures progressively reduces compromise risk by 95% (estimate based on Sucuri and Wordfence data).

Security is not a state — it's a continuous process. Test your site against these 25 points and create a priority action plan.

Need a complete security audit? Contact WpDefender — we analyze your site and provide a detailed report with priority corrective actions. Guaranteed 30-minute response, 7 days a week.
