WordPress Website Security Checklist: 20 Steps to Lock Down Your Site

A comprehensive 20-step security checklist for WordPress websites, covering everything from basic hardening to advanced protection strategies.

Ali
6 min read

WordPress powers over 40% of all websites on the internet, making it the world’s most popular content management system. Unfortunately, that popularity also makes it the most targeted platform for hackers. According to Sucuri’s annual threat report, WordPress accounts for over 90% of all hacked CMS platforms.

The good news? The vast majority of WordPress security breaches are preventable. At WPRobo, our 14+ years of experience managing WordPress security have shown us that sites following a systematic security checklist are rarely compromised. Here are 20 steps to lock down your WordPress site.

Foundation Security (Steps 1-5)

Step 1: Keep WordPress Core Updated

WordPress regularly releases security patches and feature updates. Running outdated WordPress core is the digital equivalent of leaving your front door unlocked. Enable automatic minor updates (which include security patches) and apply major updates within a week of release after testing on a staging site.

Step 2: Update All Plugins and Themes

Vulnerable plugins are the number one attack vector for WordPress sites. The WordPress.org plugin repository regularly publishes security advisories. Update plugins promptly, and remove any plugins you are not actively using. A deactivated plugin with a known vulnerability is still a security risk because its files remain accessible on the server.

Step 3: Use Strong, Unique Passwords

Every WordPress user account should have a unique password that is at least 16 characters long, combining uppercase and lowercase letters, numbers, and symbols. Use a password manager like 1Password, Bitwarden, or LastPass. Never reuse passwords across sites. If a database from another service is breached, shared passwords give attackers immediate access to your WordPress site.

Step 4: Enable Two-Factor Authentication (2FA)

Two-factor authentication adds a second layer of verification beyond passwords. Even if an attacker obtains a valid password, they cannot log in without the second factor. We recommend time-based one-time passwords (TOTP) using apps like Google Authenticator or Authy over SMS-based 2FA, which is vulnerable to SIM-swapping attacks.

Step 5: Limit Login Attempts

Brute force attacks try thousands of password combinations per minute. By limiting login attempts to 3 to 5 per IP address, you effectively shut down brute force attacks. After the limit is reached, block the IP address for a minimum of 15 minutes, with escalating block durations for repeat offenders.
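As an added illustration (not code from the article or from WPRobo), the following POSIX shell/awk script applies the Step 5 policy to a constructed login log: five failures from one IP trigger a 15-minute block, attempts made during a block are rejected without counting, and each repeat lockout doubles the duration. The log format (epoch, client IP, fail/ok), the five-attempt threshold and the doubling schedule are assumptions chosen for the example.

```shell
#!/bin/sh
# Constructed login log (not real traffic), one attempt per line:
# "<epoch> <client-ip> <fail|ok>". 203.0.113.5 fails five times, retries during
# its block, and later earns a longer second lockout; 198.51.100.7 logs in.
sample_login_log() {
    cat <<'EOF'
1700000000 203.0.113.5 fail
1700000010 203.0.113.5 fail
1700000020 203.0.113.5 fail
1700000030 203.0.113.5 fail
1700000040 203.0.113.5 fail
1700000050 203.0.113.5 fail
1700000100 198.51.100.7 fail
1700000110 198.51.100.7 ok
1700001000 203.0.113.5 fail
1700001010 203.0.113.5 fail
1700001020 203.0.113.5 fail
1700001030 203.0.113.5 fail
1700001040 203.0.113.5 fail
EOF
}

# Step 5 policy: LIMIT failures lock the IP for BASE seconds (15 minutes),
# doubling for each repeat lockout. Reads the log on stdin and prints one line
# per enforcement decision (a plugin would apply the same rules from wp_login_failed).
login_lockouts() {
    awk -v LIMIT=5 -v BASE=900 '
        # Attempts while a block is active are rejected and do not count.
        $1 < until[$2] + 0 {
            printf "REJECT %s at=%s blocked_until=%d\n", $2, $1, until[$2]; next
        }
        $3 == "ok" { fails[$2] = 0; next }          # success resets the counter
        $3 == "fail" {
            fails[$2]++
            if (fails[$2] >= LIMIT) {
                dur = BASE * 2 ^ locks[$2]           # 900, 1800, 3600, ...
                locks[$2]++; fails[$2] = 0; until[$2] = $1 + dur
                printf "BLOCK %s at=%s for=%ds until=%d\n", $2, $1, dur, until[$2]
            }
        }'
}
```

Running `sample_login_log | login_lockouts` prints two BLOCK lines for 203.0.113.5 (900 s, then 1800 s) and one REJECT for the retry made while blocked.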

Server and Hosting Security (Steps 6-10)

Step 6: Choose Secure Managed WordPress Hosting

Your hosting environment is the foundation of your site security. Managed WordPress hosts like Pressable, WP Engine, and Kinsta provide server-level firewalls, automatic backups, malware scanning, and isolated environments that prevent cross-site contamination. The modest premium over shared hosting pays for itself the first time it prevents an attack.

Step 7: Enforce SSL/HTTPS Everywhere

An SSL/TLS certificate lets your server encrypt all data transmitted between it and your visitors. In 2026, there is no excuse for running a site without HTTPS. Google treats HTTPS as a ranking signal, and browsers display security warnings on HTTP sites. Ensure your certificate is valid and that all pages, including admin pages, load over HTTPS.

Step 8: Disable File Editing in the Dashboard

WordPress includes a built-in code editor that allows admins to modify theme and plugin files directly from the dashboard. If an attacker gains admin access, this editor gives them the ability to inject malicious code immediately. Disable it by adding define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file.

Step 9: Protect wp-config.php

The wp-config.php file contains your database credentials and authentication keys. Protect it by moving it one directory above your web root (WordPress supports this natively) and by adding server-level rules to deny direct access. Set its file permissions to 400 or 440 so that only the file owner (and, with 440, the owner's group, typically the web server user) can read it.

Step 10: Disable Directory Browsing

Without proper configuration, visitors can browse your server directories and see your file structure. This gives attackers valuable reconnaissance information. Add Options -Indexes to your .htaccess file, or configure your Nginx server to deny directory listings.

Application Security (Steps 11-15)

Step 11: Install a Web Application Firewall (WAF)

A WAF filters malicious traffic before it reaches your WordPress installation. Cloud-based WAFs like Cloudflare or Sucuri block common attack patterns including SQL injection, cross-site scripting (XSS), and file inclusion attacks. They also provide DDoS protection and bot filtering.

Step 12: Change the Default Login URL

The default WordPress login page at /wp-admin/ and /wp-login.php is the target of virtually every automated attack. Changing the login URL to something unique dramatically reduces automated login attempts. Security plugins like iThemes Security or WPS Hide Login make this change simple. Keep in mind that this only hides the page from untargeted scanners; it is not a substitute for strong passwords, 2FA, and login rate limiting.

Step 13: Disable XML-RPC

XML-RPC is a legacy protocol that allows remote connections to your WordPress site. It was essential years ago for mobile apps and external editors, but modern WordPress uses the REST API instead. XML-RPC is frequently exploited for brute force amplification attacks and DDoS. Disable it unless you have a specific need for it.

Step 14: Set Proper File Permissions

Incorrect file permissions allow attackers to modify your site files. The recommended permissions are:

  • Directories: 755 (owner can read/write/execute; others can read/execute).
  • Files: 644 (owner can read/write; others can read only).
  • wp-config.php: 400 or 440 (read-only).

Never set any file or directory to 777 (full access to everyone). This is one of the most common security misconfigurations we encounter during site audits.
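As an added example (not code from the article or from WPRobo), this POSIX shell function audits a WordPress install against the permission values in Step 14 and the wp-config.php value from Step 9, flagging world-writable entries separately. It assumes GNU stat (Linux); if you moved wp-config.php above the web root, run it against that file's directory as well.

```shell
#!/bin/sh
# Audit a WordPress tree against the checklist values: directories 755,
# files 644, wp-config.php 400 or 440, nothing 777. Assumes GNU stat (Linux).
# Prints one line per deviation; the exit status is the number of findings.
# Usage: audit_wp_perms /var/www/html
audit_wp_perms() {
    root=$1
    findings=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        mode=$(stat -c '%a' "$path")
        expected=""
        case "$path" in
            */wp-config.php)
                # Holds the DB credentials: owner-only (400), or owner+group
                # (440) when the web server runs under the owner's group.
                [ "$mode" = 400 ] || [ "$mode" = 440 ] || expected="400 or 440" ;;
            *)
                if [ -d "$path" ]; then
                    [ "$mode" = 755 ] || expected="755"
                else
                    [ "$mode" = 644 ] || expected="644"
                fi ;;
        esac
        if [ -n "$expected" ]; then
            # World-writable entries get their own tag: they are the worst case.
            tag=MISMATCH
            [ "$mode" = 777 ] && tag=WORLD-WRITABLE
            echo "$tag $mode $path (expected $expected)"
            findings=$((findings + 1))
        fi
    done <<EOF
$(find "$root" -mindepth 1 \( -type d -o -type f \))
EOF
    # Shell exit codes stop at 255, so cap the count; 0 means the tree is clean.
    [ "$findings" -gt 255 ] && findings=255
    return "$findings"
}
```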

Step 15: Use Security Headers

HTTP security headers tell browsers how to handle your site content and provide protection against several attack types:

  • Content-Security-Policy: Prevents cross-site scripting and data injection attacks.
  • X-Frame-Options: Prevents your site from being embedded in iframes (clickjacking protection).
  • X-Content-Type-Options: Prevents MIME-type sniffing attacks.
  • Strict-Transport-Security: Forces HTTPS connections.
  • Referrer-Policy: Controls how much referrer information is shared with other sites.
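As an added example (not code from the article or from WPRobo), this POSIX shell function checks a response's headers for the five Step 15 headers and flags values that browsers will not honour. It reads raw headers on stdin, so `curl -sI https://your-site.example/ | check_security_headers` works against a live site; the embedded sample response is constructed for the example and taken from no real site.

```shell
#!/bin/sh
# Constructed response headers (not from any real site): nosniff, HSTS and CSP
# are fine, X-Frame-Options uses the deprecated ALLOW-FROM, Referrer-Policy is absent.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOW-FROM https://partner.example
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; img-src https://cdn.example
EOF
}

# Reads raw response headers on stdin (e.g. the output of curl -sI URL), reports
# each Step 15 header that is missing or carries a weak value, and returns the
# number of problems found (0 means all five are present and sane).
check_security_headers() {
    # Normalise to "name<TAB>value" with lower-case names and CRs stripped.
    hdrs=$(tr -d '\r' | awk '/^[A-Za-z-]+:/ {
        i = index($0, ":"); v = substr($0, i + 1); sub(/^ +/, "", v)
        printf "%s\t%s\n", tolower(substr($0, 1, i - 1)), v }')
    problems=0
    for name in content-security-policy x-frame-options x-content-type-options \
                strict-transport-security referrer-policy; do
        value=$(printf '%s\n' "$hdrs" | awk -F'\t' -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$value" ]; then
            echo "MISSING $name"
            problems=$((problems + 1))
            continue
        fi
        upper=$(printf '%s' "$value" | tr '[:lower:]' '[:upper:]')
        weak=""
        case "$name" in
            x-frame-options)   # ALLOW-FROM is deprecated; modern browsers ignore it
                case "$upper" in DENY|SAMEORIGIN) ;; *) weak="use DENY or SAMEORIGIN" ;; esac ;;
            x-content-type-options)
                [ "$upper" = NOSNIFF ] || weak="use nosniff" ;;
            strict-transport-security)   # HSTS without max-age is ignored
                case "$upper" in *MAX-AGE=*) ;; *) weak="add max-age" ;; esac ;;
        esac
        if [ -n "$weak" ]; then
            echo "WEAK $name: $value ($weak)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

`sample_headers | check_security_headers` reports the weak X-Frame-Options value and the missing Referrer-Policy and exits with status 2.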

Monitoring and Recovery (Steps 16-20)

Step 16: Implement Automated Backups

Backups are your insurance policy. If everything else fails, a recent backup allows you to restore your site quickly. Follow the 3-2-1 backup rule: 3 copies of your data, on 2 different media types, with 1 copy stored off-site. Automate daily backups and verify them monthly by performing a test restoration.

Step 17: Monitor File Changes

File integrity monitoring detects unauthorized modifications to your WordPress files. If an attacker injects malicious code, file monitoring alerts you immediately rather than letting the compromise go undetected for weeks or months. Security plugins like Wordfence and Sucuri include file integrity monitoring.

Step 18: Review User Accounts Regularly

Audit your WordPress user accounts monthly. Remove accounts that are no longer needed, downgrade permissions for users who do not need admin access, and enforce password changes every 90 days for admin accounts. The principle of least privilege should govern all user access.

Step 19: Monitor Security Logs

Enable activity logging to track login attempts, content changes, plugin installations, and settings modifications. This audit trail is invaluable for detecting suspicious activity and conducting forensic analysis after a security incident. Review logs weekly for unusual patterns.

Step 20: Create an Incident Response Plan

Despite your best efforts, no site is 100% immune to attack. Having a documented incident response plan means you can react quickly and effectively. Your plan should cover:

  • Who to contact and their roles during an incident.
  • Steps to isolate and contain the compromise.
  • Backup restoration procedures.
  • Communication templates for customers and stakeholders.
  • Post-incident review and improvement process.

Frequently Asked Questions

Is WordPress inherently insecure?

No. WordPress core is developed by a dedicated security team and undergoes regular audits. Most security breaches result from outdated plugins, weak passwords, or poor hosting, not from WordPress core vulnerabilities. A properly maintained WordPress site is as secure as any platform.

Do I need a security plugin if I use managed hosting?

Managed hosting provides server-level security, but a security plugin adds application-level protection (login hardening, file monitoring, firewall rules). They complement each other. We recommend using both for comprehensive coverage.

How often should I run security scans?

Automated malware scans should run daily. Manual security audits (reviewing user accounts, checking file permissions, testing backup restoration) should happen monthly. A comprehensive professional security audit is recommended annually.

What should I do if my site gets hacked?

Immediately change all passwords, restore from a known clean backup, update all software, scan for remaining malware, and conduct a forensic review to determine how the breach occurred. If you are on one of our WordPress Care Plans, our team handles the entire incident response process.

Are free security plugins effective?

Free versions of Wordfence and Sucuri provide solid basic protection. However, premium versions add real-time firewall rules, priority malware signatures, and faster support response times. For business-critical sites, the premium investment is justified.

Want Expert Security Management?

Our WordPress Care Plans include comprehensive security hardening, daily malware scans, firewall management, and emergency incident response. Let our team protect your site so you can focus on your business.

Written by

Ali Shan

WordPress developer with 14+ years of experience building custom themes, plugins, and WooCommerce stores. Founder of WPRobo.
