WordPress security isn’t optional—it’s essential. With over 40% of the web running on WordPress, it’s a prime target for hackers, bots, and malicious actors. A single security vulnerability can lead to data breaches, SEO penalties, blacklisting, and complete site compromise.
This comprehensive checklist provides 50 actionable steps to harden your WordPress website against common threats. Whether you’re securing a personal blog or an enterprise site, these measures will significantly reduce your attack surface.
Core WordPress Security (Steps 1-10)
1. Keep WordPress Core Updated
Always run the latest WordPress release; security fixes ship as minor (point) releases, and those install automatically by default. The constant below makes that explicit; set it to true to auto-apply major releases as well, or to false only if a deployment pipeline applies updates for you.
// Enable automatic updates for minor releases in wp-config.php
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
2. Update All Plugins Regularly
Vulnerable and outdated plugins are the most common way WordPress sites get compromised. Enable auto-updates for plugins you trust, and review the changelog before updating anything that handles payments or personal data.
3. Update All Themes
Even inactive themes can be exploited. Update or delete them.
4. Remove Unused Plugins and Themes
Delete (don’t just deactivate) any plugins and themes you’re not using.
5. Delete Default WordPress Themes
Remove the bundled default themes you do not use (for example Twenty Twenty-Three), but keep one recent default theme installed and updated: WordPress falls back to it if your active theme is broken or deleted.
6. Use Strong Admin Passwords
Use long (20+ character), unique, randomly generated passwords stored in a password manager; length and uniqueness matter more than forced symbol mixes. Apply the same standard to the database, SFTP/SSH and hosting-panel accounts, which unlock the site just as completely as wp-admin does.
7. Change Default “admin” Username
"admin" is the first username attackers try. Either create a new administrator with a unique username, log in as it and delete the old account (reassigning its posts), or rename it in the database as below. Changing user_login alone is not enough: user_nicename is the slug exposed in author archive URLs and the REST API, so change it too, and give the account a display_name that differs from its login. Adjust the wp_ prefix if yours is different (step 12).
-- Change username via database (backup first!)
UPDATE wp_users
   SET user_login = 'newusername',
       user_nicename = 'newusername'
 WHERE user_login = 'admin';
8. Implement Two-Factor Authentication (2FA)
Add an extra security layer beyond passwords. Use plugins like Wordfence Login Security or Two-Factor.
9. Limit Login Attempts
Slow brute-force attacks by locking out a source after a few failed logins. Core WordPress imposes no limit, so use a plugin, and make sure the limit also covers xmlrpc.php (see step 17), which attackers prefer because it avoids the login form.
// Using Limit Login Attempts Reloaded plugin settings:
// - 4 attempts before lockout
// - 20-minute lockout duration
10. Install a Security Plugin
Choose Wordfence, Sucuri, or Solid Security (formerly iThemes Security) for comprehensive protection. One is enough: overlapping security plugins conflict with each other and slow the site.
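The lockout described in step 9, implemented directly against core hooks so you can see what a limit-login plugin does under the hood, including the fact that it also catches XML-RPC logins. This is an added example, not code from the checklist or from Limit Login Attempts Reloaded; the example_ function, constant and transient names are this example's own, while wp_login_failed, authenticate and wp_login are core WordPress hooks.

```php
<?php
/**
 * Plugin Name: Example login throttle
 * Description: Added example for step 9 (not from the checklist or any plugin it names).
 * Install: save as wp-content/mu-plugins/example-login-throttle.php.
 */

define( 'EXAMPLE_MAX_ATTEMPTS', 4 );                       // lock out on the 4th failure
define( 'EXAMPLE_LOCKOUT_SECS', 20 * MINUTE_IN_SECONDS );  // 20-minute lockout

/**
 * Address the counter is keyed on. Behind a CDN or reverse proxy REMOTE_ADDR
 * is the proxy, so configure the web server to restore the real client IP;
 * never read X-Forwarded-For here unconditionally, or the attacker chooses
 * their own key and the lockout is trivially bypassed.
 */
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient key for one (source IP, username) pair. */
function example_fail_key( $username ) {
    return 'example_login_fail_' . md5( example_client_ip() . '|' . strtolower( trim( (string) $username ) ) );
}

// Count a failure. Core fires wp_login_failed for wp-login.php and XML-RPC
// alike, so system.multicall password sprays are counted too.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_fail_key( $username );
    $fails = (int) get_transient( $key );
    // Setting the expiry again makes the window slide: attempts during a lockout extend it.
    set_transient( $key, $fails + 1, EXAMPLE_LOCKOUT_SECS );
} );

// Refuse authentication while locked out. Priority 30 runs after core's
// username/password check at priority 20, so a correct password is refused
// as well; at an earlier priority that check would simply overwrite our error.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === trim( (string) $username ) ) {
        return $user;   // let core report the empty-username error
    }
    if ( (int) get_transient( example_fail_key( $username ) ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_locked_out',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', EXAMPLE_LOCKOUT_SECS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( example_fail_key( $user_login ) );
} );
```

Transients live in the options table (or the object cache), so the counters are shared across PHP workers. The per-IP-and-username key means an attacker spraying one password across many usernames is still counted per username; if you want to stop that too, add a second counter keyed on the IP alone with a higher threshold.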
Configuration Security (Steps 11-20)
11. Generate Fresh Security Keys
Replace all eight keys and salts in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four _SALT counterparts) with fresh values from the WordPress.org generator at https://api.wordpress.org/secret-key/1.1/salt/, or run wp config shuffle-salts with WP-CLI. Rotating them invalidates every existing login cookie, which is exactly what you want after a suspected compromise. Never leave the placeholders shown below in place.
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
12. Change Database Table Prefix
Change the default wp_ to something unique like wp_7j2k_. Treat this as low value: it only blunts automated SQL-injection payloads that hardcode wp_, since a real injection can read the prefix from INFORMATION_SCHEMA. On an existing site you must also rename every table and update the prefixed rows in the options table (wp_user_roles) and usermeta table (wp_capabilities, wp_user_level), or nobody will be able to log in; set it in wp-config.php before installing whenever you can.
// In wp-config.php
$table_prefix = 'wp_7j2k_';
13. Disable File Editing in Admin
Stop an attacker who obtains an administrator session from turning it into code execution by editing theme and plugin files in the dashboard.
// Add to wp-config.php
define( 'DISALLOW_FILE_EDIT', true );
14. Disable File Installation via Admin
Stricter still: block every plugin and theme install, update and upload from the dashboard. This also switches off the automatic updates from step 1, so only use it where WP-CLI or a deployment pipeline applies updates.
define( 'DISALLOW_FILE_MODS', true );
15. Protect wp-config.php
WordPress also looks for wp-config.php one directory above the install (as long as that directory does not contain a wp-settings.php), so you can move it outside the web root; otherwise deny web access to it. The .htaccess rules in this checklist use Apache 2.4 syntax (Require); on Apache 2.2 use "Order allow,deny" with "Deny from all", and on nginx add a location block that returns 403.
# In .htaccess
<Files wp-config.php>
Require all denied
</Files>
16. Secure .htaccess File
Stop .htaccess itself from being downloaded, since it reveals your rules and any IP allow-lists. Apache ships with a rule that blocks all .ht* files; keep this one anyway in case the host removed it.
<Files .htaccess>
Require all denied
</Files>
17. Disable XML-RPC
Unless you need it for the mobile app, Jetpack or remote publishing, disable XML-RPC: system.multicall lets an attacker test hundreds of passwords in one request, bypassing per-request login limits, and pingback.ping is abused for reflected DDoS. Block it at the web server, or with the xmlrpc_enabled and xmlrpc_methods filters where you cannot edit server config.
# In .htaccess
<Files xmlrpc.php>
Require all denied
</Files>
18. Disable REST API for Unauthenticated Users
Prevent data harvesting through the REST API, notably username enumeration via /wp-json/wp/v2/users. Blocking all anonymous access, as below, also breaks public features that depend on the API (contact forms, the WooCommerce Store API, oEmbed, many page builders), so test the front end afterwards; a narrower option is to remove only the user routes. The early return keeps decisions made by other authentication callbacks (an error, or an explicit true) instead of overwriting them.
// In functions.php (or a mu-plugin)
add_filter( 'rest_authentication_errors', function( $result ) {
    // Another callback already decided; leave its verdict alone.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to access the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
19. Hide WordPress Version
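Steps 17 and 18 done in PHP, for hosts where you cannot edit the web-server configuration, and done narrowly: XML-RPC methods and pingbacks are switched off with core filters, and only the user-listing REST routes are removed for anonymous visitors, so forms and other public API consumers keep working. This is an added example, not code from the checklist; the example_ prefix is this file's own, while every hook name, filter name and route string is WordPress core's.

```php
<?php
/**
 * Plugin Name: Example XML-RPC and REST hardening
 * Description: Added example for steps 17 and 18 (not from the checklist).
 * Install: save as wp-content/mu-plugins/example-xmlrpc-rest.php.
 */

// --- Step 17: XML-RPC ---------------------------------------------------

// Disable every XML-RPC method that requires authentication (wp.*, blogger.*, mt.* ...).
add_filter( 'xmlrpc_enabled', '__return_false' );

// That filter does NOT cover pingback.ping, which needs no login and is the
// reflected-DDoS vector, so remove the pingback methods explicitly.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
// (A theme that prints <link rel="pingback"> in header.php still needs editing.)
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// --- Step 18: REST API user enumeration --------------------------------

// Drop the /wp/v2/users routes for requests with no authenticated user.
// The keys must match the strings WP_REST_Users_Controller registers.
// By the time rest_endpoints runs, cookie auth has already been resolved,
// so is_user_logged_in() is reliable here.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );

// The same usernames leak through ?author=N on the front end, which the
// canonical redirect (template_redirect, priority 10) turns into
// /author/<slug>/. Refuse numeric author queries from visitors first.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() || ! isset( $_GET['author'] ) ) {
        return;
    }
    if ( preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );
```

Verify with curl: a GET to /wp-json/wp/v2/users should return a 404 "rest_no_route" error for an anonymous request and the normal list when you send a logged-in cookie plus X-WP-Nonce, and a POST of any method body to /xmlrpc.php should be answered with a fault rather than a result.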
Remove the version string from the generated meta tag and feeds. This is low value (the version is still inferable from bundled asset files and ?ver= query strings), so do not rely on it; keeping core updated is what actually matters.
// In functions.php
remove_action( 'wp_head', 'wp_generator' );
// Remove from RSS feeds
add_filter( 'the_generator', '__return_empty_string' );
20. Remove readme.html and license.txt
Delete these files, which disclose that the site runs WordPress and which version. Every core update restores them, so remove them in your update or deployment hook rather than once.
File System Security (Steps 21-30)
21. Set Proper File Permissions
Directories: 755, files: 644, wp-config.php: 440 (or 400 if PHP runs as the file owner). Never use 777; if a plugin "needs" it, the ownership (step 27) is wrong, not the mode.
# Via SSH
find /path/to/wordpress/ -type d -exec chmod 755 {} \;
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
chmod 440 /path/to/wordpress/wp-config.php
22. Disable Directory Browsing
Stop Apache from listing a directory's contents when it has no index file, which would otherwise expose everything under wp-content/uploads/ and plugin directories to anyone who guesses the path.
# In .htaccess
Options -Indexes
23. Protect wp-includes
Block direct requests to PHP files in wp-includes, which should only ever be included by WordPress itself. These rules come from the WordPress.org hardening guide; put them in the root .htaccess above the # BEGIN WordPress block, which WordPress rewrites on its own. The guide notes they do not work well on Multisite.
# In .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
24. Protect wp-content
Block PHP execution in the uploads directory, where a file-upload flaw in any plugin lands a web shell. Create this file yourself; do the same for wp-content/cache and any other web-server-writable directory. On nginx, the equivalent is a location rule that denies .php requests under wp-content/uploads.
# In wp-content/uploads/.htaccess
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
Require all denied
</FilesMatch>
25. Enable File Integrity Monitoring
Use a security plugin's file-change monitoring, or run wp core verify-checksums and wp plugin verify-checksums --all (WP-CLI) on a schedule, to catch files that differ from the official release packages; a modified core file is a reliable compromise indicator.
26. Regular File Scans
Schedule daily malware scans with Wordfence or Sucuri.
27. Validate File Ownership
Ensure files are owned by your deploy/SFTP user, not the web server account (www-data, apache, nginx), so a compromised PHP process cannot rewrite code. Only wp-content/uploads, and a cache directory if you have one, should be writable by the web server.
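A command-line audit for steps 21, 24 and 27 together: it walks an install and reports writable directories and files, an over-permissive wp-config.php, PHP files under the uploads tree, and files not owned by the same user as wp-config.php (taken to be the deploy user). This is an added example, not a script from the checklist or from WordPress; it assumes only the standard install layout, and the example_ function name is its own.

```php
<?php
/**
 * audit-wp-files.php: added example, not part of the checklist.
 * Usage:  php audit-wp-files.php /path/to/wordpress
 * Exit status is 1 when anything is reported, so cron or CI can alert on it.
 */

/** Return one finding string per problem found under $root (empty array = clean). */
function example_audit_wordpress( $root ) {
    $real     = realpath( $root );
    $root     = rtrim( $real ? $real : $root, '/' );
    $config   = $root . '/wp-config.php';
    $findings = array();

    if ( ! is_file( $config ) ) {
        return array( "no wp-config.php under $root (is this a WordPress root?)" );
    }
    $deploy_uid = fileowner( $config );   // assumption: wp-config.php is owned by the deploy user

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iter as $path => $info ) {
        $mode       = $info->getPerms() & 0777;
        $rel        = substr( $path, strlen( $root ) + 1 );
        $in_uploads = 0 === strpos( $rel, 'wp-content/uploads' );

        if ( $info->isDir() ) {
            // Step 21: 755 means no group/world write. Uploads may be group-writable
            // when the web server is in the deploy user's group; world-writable never.
            if ( ( $mode & 0002 ) || ( ( $mode & 0020 ) && ! $in_uploads ) ) {
                $findings[] = sprintf( 'writable directory %s (%04o), expected 0755', $rel, $mode );
            }
            continue;
        }

        if ( 'wp-config.php' === $rel ) {
            // Step 21: 440 or 400 only; any "other" bit, or group write/exec, is too much.
            if ( $mode & 0037 ) {
                $findings[] = sprintf( 'wp-config.php is %04o, expected 0440 or 0400', $mode );
            }
        } elseif ( $mode & 0022 ) {
            $findings[] = sprintf( 'writable file %s (%04o), expected 0644', $rel, $mode );
        }

        // Step 24: executable code in the uploads tree is almost always a web shell.
        if ( $in_uploads && preg_match( '/\.(php[0-9]?|phtml|phar)$/i', $rel ) ) {
            $findings[] = "PHP file in uploads: $rel";
        }

        // Step 27: code owned by the web-server user can be rewritten by a compromised PHP process.
        if ( ! $in_uploads && $info->getOwner() !== $deploy_uid ) {
            $findings[] = sprintf( '%s owned by uid %d, expected uid %d', $rel, $info->getOwner(), $deploy_uid );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $findings = example_audit_wordpress( $argv[1] );
    foreach ( $findings as $finding ) {
        echo $finding, PHP_EOL;
    }
    exit( $findings ? 1 : 0 );
}
```

Run it as the deploy user from cron after each update; the ownership check is deliberately relative to wp-config.php rather than a hardcoded account name, so the same script works on hosts that use different user names.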
28. Remove Default Files
Delete wp-config-sample.php, readme.html, and license.txt (see step 20); a core update brings readme.html and license.txt back, so automate the deletion.
29. Backup Before Updates
Always take a full backup of files and the database before major updates, and keep copies off the server: an attacker who gets in will delete or encrypt anything stored locally.
30. Test Restores Monthly
Verify backups work by testing restoration procedures.
Access Control (Steps 31-40)
31. Use HTTPS Site-Wide
Install a TLS certificate (Let's Encrypt is free) and force HTTPS. FORCE_SSL_ADMIN only covers wp-login.php and wp-admin; for the whole site set both WordPress Address and Site Address to https://, and add a permanent http-to-https redirect at the web server or CDN.
// In wp-config.php
define( 'FORCE_SSL_ADMIN', true );
32. IP Whitelist wp-admin
Restrict admin access to specific addresses (a static office IP or VPN range). Two caveats: wp-login.php lives outside wp-admin, so give it its own Files block in the root .htaccess, and wp-admin/admin-ajax.php is called by front-end features on behalf of logged-out visitors, so keep it reachable. The address below is a documentation-range placeholder.
# In wp-admin/.htaccess
Require ip 203.0.113.10
<Files admin-ajax.php>
Require all granted
</Files>
33. Add reCAPTCHA to Login
Prevent bot attacks on wp-login.php.
34. Change Login URL
Use WPS Hide Login to move wp-login.php. This is obscurity, not access control: it cuts automated noise but does nothing against a targeted attacker, so pair it with 2FA (step 8) and login limits (step 9).
35. Disable User Registration
Unless needed, turn off user registration in Settings > General.
36. Implement Role-Based Access Control
Give each user the least privilege their work needs: Editor or Author for content, Shop Manager for orders, and Administrator for as few people as possible. Never share one admin login between people.
37. Remove Unused User Accounts
Delete inactive or suspicious accounts.
38. Audit User Permissions Regularly
Review who has admin access quarterly.
39. Use Security Questions
Security questions are a weak control: answers are often guessable or findable on social media, and current NIST guidance discourages them as an authentication factor. Prefer 2FA (step 8) and use questions, if at all, only in account-recovery flows.
40. Enable Activity Logging
Monitor user and system actions (logins, role changes, plugin installs, file edits) with an activity-log plugin such as Simple History, and ship the log off-server where possible so an intruder cannot erase it.
Server & Hosting Security (Steps 41-50)
41. Choose Secure Hosting
Use hosts with server-level security (managed WordPress hosting recommended).
42. Enable Web Application Firewall (WAF)
Put a web application firewall in front of the site (Cloudflare, Sucuri or a host-provided WAF). If the WAF is a reverse proxy, also restrict the origin so it only accepts traffic from the WAF's address ranges; otherwise anyone who discovers the origin IP bypasses it.
43. Add Security Headers
Send browser-side hardening headers. Use "Header always set" so they are also present on error responses, and set X-XSS-Protection to 0 rather than 1: the legacy browser XSS auditor it controlled has been removed from modern browsers and was itself a source of information leaks. Your Content Security Policy (step 45) is the real XSS mitigation.
# In .htaccess
<IfModule mod_headers.c>
Header always set X-XSS-Protection "0"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>
44. Disable PHP Error Reporting
Never show errors to visitors: stack traces leak filesystem paths, plugin versions and sometimes query fragments. Two details the usual advice gets wrong: WP_DEBUG_DISPLAY and WP_DEBUG_LOG are ignored when WP_DEBUG is false, so PHP's own display_errors must be off as well; and WP_DEBUG_LOG set to true writes to wp-content/debug.log, which is publicly downloadable, so if you need a log, give it a path outside the web root.
// In wp-config.php (production)
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );   // honoured because WordPress leaves it alone when WP_DEBUG is false
// Only if you need WordPress-level logging: set WP_DEBUG to true and log outside the web root
// define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );   // example path; must be writable by PHP
45. Implement Content Security Policy
Add a Content-Security-Policy header to limit where scripts, styles, frames and connections may load from; it is the one header that limits the impact of an XSS bug rather than just hiding information. The WordPress admin, the block editor and many plugins inject inline scripts, so a strict policy breaks them: deploy it as Content-Security-Policy-Report-Only first, collect the violation reports, then switch to the enforcing header.
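The headers from step 43, HSTS from step 46 (sent only over HTTPS, so a plain-HTTP staging copy is never pinned) and a Report-Only CSP for step 45, all sent from PHP for hosts where you cannot edit server config, with a small REST route that collects the violation reports. This is an added example, not code from the checklist; the example/v1 namespace, the example_ function names and the starting policy are this example's own choices, while the hooks and register_rest_route are core's. Server-level configuration remains preferable because it also covers static files and error pages that never reach PHP.

```php
<?php
/**
 * Plugin Name: Example security headers with staged CSP
 * Description: Added example for steps 43, 45 and 46 (not from the checklist).
 * Install: save as wp-content/mu-plugins/example-security-headers.php.
 */

function example_csp_policy() {
    // Start permissive: WordPress admin, the block editor and most plugins
    // rely on inline scripts and styles, so 'unsafe-inline' keeps them
    // working on day one. Tighten directives as the reports come in.
    $directives = array(
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "font-src 'self' data:",
        "connect-src 'self'",
        "frame-ancestors 'self'",     // CSP-era replacement for X-Frame-Options
        "base-uri 'self'",
        "form-action 'self'",
        'report-uri ' . rest_url( 'example/v1/csp-report' ),
    );
    return implode( '; ', $directives );
}

function example_send_security_headers() {
    if ( headers_sent() ) {
        return;
    }
    $headers = array(
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        'Permissions-Policy'     => 'geolocation=(), microphone=(), camera=()',
        'X-XSS-Protection'       => '0',   // legacy filter: disable it, do not enable it
        // Report-Only never blocks anything; rename to Content-Security-Policy
        // once the reports are clean.
        'Content-Security-Policy-Report-Only' => example_csp_policy(),
    );
    if ( is_ssl() ) {
        // No 'preload' until you have read the hstspreload.org commitments.
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    foreach ( $headers as $name => $value ) {
        header( $name . ': ' . $value );
    }
}
add_action( 'send_headers', 'example_send_security_headers' );  // front end
add_action( 'admin_init', 'example_send_security_headers' );    // wp-admin and admin-ajax.php
add_action( 'login_init', 'example_send_security_headers' );    // wp-login.php

// Collect violation reports. Browsers post them as application/csp-report,
// which WP_REST_Request does not parse as JSON, so read the raw body.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/csp-report', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',   // reports arrive unauthenticated by design
        'callback'            => function ( WP_REST_Request $request ) {
            $body   = substr( $request->get_body(), 0, 8192 );   // cap attacker-controlled size
            $report = json_decode( $body, true );
            if ( isset( $report['csp-report'] ) ) {
                error_log( 'CSP violation: ' . wp_json_encode( $report['csp-report'] ) );
            }
            return new WP_REST_Response( null, 204 );
        },
    ) );
} );
```

Watch the PHP error log for a week of normal editing and front-end use, add the legitimate origins the reports show to the relevant directives, and only then change the header name to the enforcing Content-Security-Policy. If you combine this with the step 18 snippet that blocks all anonymous REST access, exempt the report route there, since browsers send the reports without credentials.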
46. Enable HSTS
Tell browsers to use HTTPS only, so that after the first visit no request can be downgraded. Start with a shorter max-age while you confirm every subdomain serves HTTPS, and leave out preload until you have read the hstspreload.org commitments: once preloaded, the policy is baked into browsers for all subdomains and is very hard to undo.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
47. Configure Fail2Ban
On a VPS or dedicated server, Fail2Ban watches log files and firewalls addresses with repeated failures. WordPress does not log failed logins by itself; the WP fail2ban plugin writes them to syslog so Fail2Ban can ban the source, and the ban applies at the firewall, before the request ever reaches PHP.
48. DDoS Protection
Use Cloudflare or similar CDN with DDoS mitigation.
49. Regular Security Audits
Quarterly security audits: at minimum run WPScan against the site and review users, plugins, scheduled tasks and file changes; commission a professional penetration test for sites that take payments or hold personal data.
50. Stay Informed
Subscribe to WordPress.org security release announcements, a WordPress vulnerability feed (WPScan or Patchstack), and the changelogs of the plugins you rely on.
Implementation Priority
High Priority (Do Immediately): Steps 1-10, 13, 15, 21, 31
Medium Priority (This Week): Steps 11-12, 14, 16-20, 22-30, 32-40
Low Priority (This Month): Steps 41-50
Security is an ongoing process, not a one-time task. Implement these steps systematically, test thoroughly, and maintain vigilance through regular monitoring and updates.
External Links
- WordPress Security Documentation
- Wordfence Security Plugin
- Sucuri Security
- OWASP Top 10
- WPScan Vulnerability Database
Call to Action
Secure your site with bulletproof backups! Backup Copilot Pro offers automated security audits, malware scanning before backups, and instant recovery—try it free!

