WordPress Security Checklist: 25 Steps to Protect Your Business Website

WordPress powers over 40% of the web, which makes it the most targeted CMS by hackers and automated bots. But here is what most security articles will not tell you: WordPress core is not the problem. Over 90% of compromised WordPress sites were hacked through outdated plugins, weak passwords, or misconfigured hosting — all preventable issues.

Over 14 years of managing WordPress sites, I have helped dozens of businesses recover from security breaches and have hardened hundreds of sites to prevent them. This checklist distills that experience into 25 actionable steps organized by priority.

Foundation: Hosting and Server Security (Steps 1-5)

1. Use Quality Managed WordPress Hosting

Your host is your first line of defense. Managed WordPress hosts like Pressable, WP Engine, or Cloudways provide server-level firewalls, automatic PHP updates, isolated site environments, and DDoS protection. Budget shared hosting packs hundreds of sites on a single server — if one gets compromised, all are at risk.

2. Enforce HTTPS Everywhere

Install an SSL/TLS certificate and force all traffic through HTTPS. Most managed hosts include free Let’s Encrypt certificates. In WordPress, set both your WordPress Address and Site Address to https:// in Settings > General. Add HSTS headers to prevent protocol downgrade attacks.

3. Keep PHP Updated

Run the latest stable PHP version your plugins support (PHP 8.2+ as of this writing). Each PHP release includes security fixes. Older versions reach end-of-life and stop receiving patches, leaving known vulnerabilities permanently unaddressed.

4. Disable Directory Browsing

Add Options -Indexes to your .htaccess file to prevent visitors from listing directory contents. Without this, attackers can see your full plugin and upload directory structure.

5. Protect wp-config.php

This file contains your database credentials and security keys. Restrict access with .htaccess rules and consider moving it one directory above your web root (WordPress supports this natively).

Authentication Security (Steps 6-10)

6. Enforce Strong Passwords

Require passwords of at least 16 characters with mixed case, numbers, and symbols for all admin and editor accounts. Use a password manager to generate and store credentials. Never reuse passwords across sites.

7. Enable Two-Factor Authentication

2FA eliminates the vast majority of credential-based attacks. Even if a password is compromised, the attacker cannot access the account without the second factor. Use TOTP apps (Google Authenticator, Authy) rather than SMS, which is vulnerable to SIM-swapping.

8. Limit Login Attempts

Install a plugin to limit failed login attempts and temporarily lock out IP addresses after repeated failures. This stops brute-force attacks that try thousands of password combinations. Five attempts with a 15-minute lockout is a reasonable starting point.

9. Change the Default Admin Username

Never use “admin” as a username. Automated attacks target this username first. Create a new administrator account with a unique username, log in with it, and delete the original admin account (reassigning content to the new account).

10. Restrict Admin Access by IP

If your team accesses the admin panel from fixed IP addresses, restrict wp-admin and wp-login.php access to those IPs via .htaccess or your host’s firewall. This blocks all unauthorized login attempts regardless of credentials.

Software Management (Steps 11-15)

11. Keep WordPress Core Updated

Enable automatic minor updates (enabled by default) and apply major updates within one week of release after testing on staging. Core updates frequently include security patches for discovered vulnerabilities.

12. Update All Plugins Promptly

Outdated plugins are the number one attack vector for WordPress sites. Apply security updates within 24 hours and feature updates weekly after staging verification. Subscribe to plugin changelogs or use a monitoring service.

13. Update Your Theme

Themes can contain vulnerabilities just like plugins. If using a commercial theme, ensure your license is active for updates. If using a custom theme, schedule regular code reviews with your developer.

14. Remove Unused Plugins and Themes

Deactivated plugins and themes can still be exploited if they contain vulnerabilities. Delete anything you are not actively using. Keep only your active theme and the latest default WordPress theme as a fallback.

15. Audit Plugin Sources

Only install plugins from the official WordPress.org repository or reputable commercial developers. Never use nulled (pirated) premium plugins — they frequently contain backdoors. Check the plugin’s last update date, support activity, and active installation count before installing.

Application Hardening (Steps 16-20)

16. Install a Web Application Firewall

A WAF filters malicious traffic before it reaches your site. Cloudflare (free tier available) provides DNS-level protection. Wordfence and Sucuri offer application-level firewalls with WordPress-specific rule sets.

17. Disable File Editing in WordPress

WordPress includes a built-in code editor accessible from the admin panel. Add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php to disable it. If an attacker gains admin access, this prevents them from injecting code through the editor.

18. Implement Security Headers

Configure HTTP security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. These headers instruct browsers to enforce security policies that prevent XSS, clickjacking, and data injection attacks.

19. Disable XML-RPC

XML-RPC is a legacy WordPress API that is frequently exploited for brute-force amplification attacks. Unless you specifically need it (Jetpack uses it, for example), disable it via .htaccess or a security plugin.

20. Restrict REST API Access

The WordPress REST API exposes user enumeration endpoints by default. Restrict unauthenticated access to sensitive endpoints, particularly /wp-json/wp/v2/users, which reveals all usernames on your site.

Monitoring and Recovery (Steps 21-25)

21. Configure Daily Malware Scanning

Automated scans check your files against known malware signatures and detect unauthorized changes. Wordfence, Sucuri, and MalCare all offer reliable scanning. Configure alerts to notify you immediately of any detection.

22. Enable File Integrity Monitoring

File integrity monitoring tracks changes to your WordPress core files, theme files, and plugin files. Any unexpected modification triggers an alert. This catches compromises that malware scanners might miss, particularly custom backdoors.

23. Maintain Tested Backups

Daily automated backups stored off-site (separate from your hosting account) are essential. Critically, test your backup restoration process quarterly. A backup you have never tested is a backup you cannot trust.

24. Monitor Uptime and Error Logs

Unexpected downtime or unusual error log entries can indicate a security incident in progress. Use uptime monitoring (UptimeRobot, Pingdom, or your host’s built-in monitoring) with instant alerts.

25. Conduct Annual Security Audits

A professional security audit reviews your complete security posture: server configuration, WordPress hardening, plugin vulnerabilities, user permissions, backup procedures, and incident response readiness. This annual review catches blind spots in your ongoing security practices.

Implementation Priority

If you cannot implement all 25 steps immediately, prioritize in this order: two-factor authentication (step 7), strong passwords (step 6), software updates (steps 11-13), quality hosting (step 1), and backups (step 23). These five steps alone address the vast majority of real-world attack vectors.

For comprehensive security management, our WordPress Care Plans include all 25 steps implemented, monitored, and maintained by our team. We handle the security so you can focus on your business.