
Guide · Updated 2026

WordPress Security Checklist — 30 Steps That Actually Matter

Most WordPress security advice is generic, alarmist, and missing the things that actually matter. This checklist ranks security measures by real-world impact — based on the actual attack patterns used against WordPress sites (brute force, vulnerable plugins, weak credentials, outdated cores).

The 5 essentials — do these first

  1. Keep WordPress core, themes, and plugins updated. Vulnerable plugins are the #1 attack vector. Enable automatic updates for minor versions (WordPress 5.6+ does this by default). For major versions, update within 7 days of release. For plugins, enable auto-updates for trusted ones; manually review release notes for critical plugins.
  2. Use strong, unique passwords for every WordPress account. Especially admin accounts. Use a password manager (1Password, Bitwarden). Disable the 'admin' username — create a new admin and delete the old one.
  3. Enable two-factor authentication. Use Wordfence Login Security (free) or our 2FA QR Generator with any TOTP app. 2FA defeats over 99% of credential-stuffing attacks.
  4. Install one reputable security plugin. Wordfence (free is sufficient for most sites) or Solid Security. Don't stack multiple — they conflict. The plugin handles login attempt limiting, file integrity monitoring, and malware scanning.
  5. Daily off-site backups. UpdraftPlus → Dropbox/Google Drive. Backup before you need it. Test the restore process at least once.

Next 10 — high-impact additional measures

  1. Force HTTPS. Let's Encrypt is free on every modern host. Redirect HTTP to HTTPS at the server level.
  2. Change the database table prefix. WordPress defaults to wp_; change to something custom during install. Doesn't prevent attacks, but makes some attack patterns harder.
  3. Disable XML-RPC if you don't use it. XML-RPC is a common brute-force amplification vector. If you don't use Jetpack, the WordPress mobile app, or remote publishing, disable it via .htaccess or a plugin.
  4. Limit login attempts. Wordfence does this automatically. Prevents brute-force credential stuffing.
  5. Rotate WordPress auth keys/salts. Use our WordPress Salt Generator. Rotate after any suspected compromise, after removing a compromised admin, and every 6-12 months as routine. Rotating the salts invalidates every existing login cookie, so all users (including you) are signed out.
  6. Use SSH or SFTP for file transfers — never plain FTP. FTP transmits credentials in plaintext.
  7. Restrict wp-admin access by IP if possible. If your team uses fixed IPs (office, VPN), allow wp-admin only from those IPs, via .htaccess or Nginx config. Exempt wp-admin/admin-ajax.php, which front-end plugins call on behalf of anonymous visitors.
  8. Disable file editing in wp-config.php. Add define('DISALLOW_FILE_EDIT', true); to wp-config.php above the "stop editing" line. This removes the theme and plugin editors from the admin, so an attacker who compromises an account can't drop PHP into themes/plugins through the dashboard.
  9. Hide WordPress version number. Remove the meta generator tag. Doesn't prevent attacks but reduces fingerprinting.
  10. Lock down file permissions. Files 644, directories 755, wp-config.php 600. Most managed hosts do this automatically; on VPS, set explicitly.

Polish — good but not critical

  1. Custom login URL (e.g., WPS Hide Login). Mostly reduces noise from bot traffic; not real security.
  2. CAPTCHA on login forms. Mild friction for automated attacks.
  3. Disable PHP execution in /uploads/. Prevents uploaded PHP shells from running.
  4. Use Cloudflare WAF (free tier). Filters malicious traffic before it reaches your server.
  5. Set up an admin email alert for plugin/core updates.
  6. Use HSTS preload to force HTTPS at the browser level.
  7. Disable user enumeration via the REST API (Solid Security or Wordfence handles this).
  8. Use Content Security Policy (CSP) headers.
  9. Disable directory browsing (most hosts do by default).
  10. Monitor uptime + integrity with an external service (UptimeRobot free tier + Sucuri SiteCheck weekly).
  11. Limit user roles to least privilege. Most contributors don't need editor-level access.
  12. Database backup encryption (UpdraftPlus Premium offers this).
  13. Off-domain image hosting via CDN (reduces attack surface).
  14. Regular security audit log review.
  15. Penetration test annually if the site does meaningful revenue.
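Three of the items above (DISALLOW_FILE_EDIT in wp-config.php, the 644/755/600 permission scheme, and blocking PHP execution under /uploads/) are exactly the kind of thing that drifts back after a migration or a careless update. The script below is an added example, not code from this guide or from WordPress, that applies all three from the shell and can be re-run safely. It assumes an Apache 2.4 host (the uploads rule uses "Require all denied"; on Nginx the equivalent goes in the server block) and that the WordPress root path passed in is correct; the sample config in the comments is constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide): apply three checklist items
# to a WordPress install from the shell, idempotently:
#   - least-privilege file modes (files 644, directories 755, wp-config.php 600)
#   - define('DISALLOW_FILE_EDIT', true); in wp-config.php
#   - an .htaccess under wp-content/uploads that denies PHP execution
# Assumes Apache 2.4 ("Require all denied"); adjust for Nginx.

set -eu

# Reset file modes under the given WordPress root. Runs last in
# harden_wordpress so wp-config.php ends up 600 even after it was rewritten.
harden_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds DB credentials and salts: owner-only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Ensure define('DISALLOW_FILE_EDIT', true); is present in wp-config.php.
# It is inserted just before the "That's all, stop editing!" marker that
# WordPress ships with, i.e. before wp-settings.php is loaded; if the marker
# is absent (a trimmed config) it is appended instead.
disable_file_edit() {
    config="$1"
    if grep -q "DISALLOW_FILE_EDIT" "$config"; then
        # Already present (possibly set to false): don't add a duplicate
        # define, which PHP would warn about. Review by hand in that case.
        return 0
    fi
    line="define('DISALLOW_FILE_EDIT', true);"
    if grep -q "stop editing" "$config"; then
        # sed -i differs between GNU and BSD, so rewrite through a temp file.
        awk -v line="$line" '/stop editing/ { print line } { print }' \
            "$config" > "$config.tmp" && mv "$config.tmp" "$config"
    else
        printf '%s\n' "$line" >> "$config"
    fi
}

# Deny execution of anything PHP-like dropped into wp-content/uploads.
block_php_in_uploads() {
    uploads="$1/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
# Uploads are data, never code: refuse to serve PHP-like files from here.
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Apply all three measures to a WordPress root.
harden_wordpress() {
    root="$1"
    disable_file_edit "$root/wp-config.php"
    block_php_in_uploads "$root"
    harden_permissions "$root"
}

# Usage (assumed path): sh harden.sh /var/www/html
if [ $# -gt 0 ]; then
    harden_wordpress "$1"
fi
```

Because every step checks before it writes, the script can be added to a post-deploy hook or run after each core update without duplicating the define or clobbering a hand-edited .htaccess elsewhere in the tree.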

WordPress security myths — skip these

Several widely recommended 'security' measures provide minimal real protection:

  1. 'Hide WordPress version': knowing your version helps targeted attacks slightly, but the actual fix is updating, not hiding.
  2. 'Move wp-config.php above public_html': provides essentially zero security benefit; the file is already protected by .htaccess.
  3. 'Disable REST API': breaks many plugins, blocks little. Limit specific endpoints instead.
  4. 'Stack multiple security plugins': they conflict and overlap. One reputable plugin (Wordfence or Solid Security) covers what three would.
  5. 'Renaming wp-login.php': security through obscurity; attackers find the new URL easily via redirects.

If you've been hacked — recovery checklist

  1. Don't panic; don't immediately delete things. Take a snapshot of the current state first for forensics.
  2. Take the site offline (maintenance mode plugin or .htaccess redirect to a static page).
  3. Change all admin passwords and rotate WordPress salts.
  4. Audit user accounts — delete unrecognized admin accounts immediately.
  5. Scan for malware with Wordfence Premium or Sucuri.
  6. Compare current files against a fresh WordPress download — diff reveals modified core files.
  7. Check the database wp_options table for unexpected entries (often contains injected JS).
  8. Restore from the most recent clean backup (this is why daily backups matter).
  9. Once restored, audit every plugin: remove unused, update all, replace any with public CVEs.
  10. Update WordPress core to the latest version.
  11. Re-enable the site and monitor for re-infection over 30 days.
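Step 6 of the recovery list, diffing the compromised install against a fresh download, is the fastest way to separate attacker-modified core files from noise. The script below is an added example, not code from this guide or from WordPress, that does that comparison from the shell and classifies each finding as MODIFIED, ADDED, or MISSING. It assumes the reference tree is an unpacked copy of the exact same WordPress version as the site (a version mismatch would flag every changed core file) and skips wp-content/ and wp-config.php, which are legitimately site-specific and need their own audit (steps 7 and 9). The directory trees in the usage comment are assumed paths.

```shell
#!/bin/sh
# Added example (not part of the original guide): compare a suspect WordPress
# tree against a pristine copy of the same version and report
#   MODIFIED  a core file whose bytes differ from the reference
#   ADDED     a file present in the install but not in the reference
#             (dropped files usually surface here)
#   MISSING   a reference file that is gone from the install
# wp-content/ (themes, plugins, uploads) and wp-config.php are excluded
# because they are site-specific; audit them separately.

set -eu

# List regular files below a root as sorted, relative paths, one per line.
list_files() {
    (cd "$1" && find . -type f ! -path './wp-content/*' ! -name wp-config.php \
        | sed 's|^\./||' | LC_ALL=C sort)
}

# Print "STATUS<TAB>path" for every difference between REFERENCE and SITE.
# Returns 0 when the trees match, 1 when anything was reported.
compare_core() {
    ref="$1"
    site="$2"
    tmpdir=$(mktemp -d)
    findings=0
    list_files "$ref"  > "$tmpdir/ref"
    list_files "$site" > "$tmpdir/site"
    # comm on the two sorted lists: -23 = only in reference, -13 = only in
    # site, -12 = in both. LC_ALL=C keeps comm's collation in step with sort.
    LC_ALL=C comm -23 "$tmpdir/ref" "$tmpdir/site" > "$tmpdir/missing"
    LC_ALL=C comm -13 "$tmpdir/ref" "$tmpdir/site" > "$tmpdir/added"
    LC_ALL=C comm -12 "$tmpdir/ref" "$tmpdir/site" > "$tmpdir/common"
    # read -r line by line (rather than word-splitting $(...)) keeps paths
    # with spaces intact.
    while IFS= read -r f; do
        printf 'MISSING\t%s\n' "$f"
        findings=1
    done < "$tmpdir/missing"
    while IFS= read -r f; do
        printf 'ADDED\t%s\n' "$f"
        findings=1
    done < "$tmpdir/added"
    # Files present in both: byte-exact comparison, no hashing needed.
    while IFS= read -r f; do
        if ! cmp -s "$ref/$f" "$site/$f"; then
            printf 'MODIFIED\t%s\n' "$f"
            findings=1
        fi
    done < "$tmpdir/common"
    rm -rf "$tmpdir"
    return "$findings"
}

# Usage (assumed paths; the reference is an unpacked wordpress-<version>.tar.gz
# matching the site's version exactly):
#   sh core-diff.sh /tmp/wordpress-reference /var/www/html
if [ $# -ge 2 ]; then
    compare_core "$1" "$2" || exit 1
fi
```

Run it before touching anything (step 1: snapshot first), save the output with the forensic copy, and treat every ADDED entry outside wp-content as a file that needs to be explained before the site goes back online.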

Frequently asked questions

Is WordPress less secure than other CMSes?
Not inherently. WordPress's reputation as a security risk comes from two factors: it powers 43% of the web, so attackers target it; and casual users install vulnerable plugins without auditing them. A maintained WordPress site with vetted plugins is as secure as Drupal or Joomla. An abandoned WordPress site with 30 outdated plugins is a sitting duck.
Do I need a paid security plugin?
Most sites don't. Wordfence Free covers what 90% of WordPress sites need: firewall, malware scan, login security, file integrity. Premium adds real-time threat updates (vs 30-day delay), country blocking, and priority support — worthwhile for sites doing real revenue, optional otherwise.
How often should I update WordPress?
Minor versions (5.6.1 → 5.6.2): automatically, immediately. Major versions (5.x → 6.x): within 7 days of release. Plugin updates: weekly review cadence — auto-update if you have backups; manual review for critical plugins (security, ecommerce, custom-coded).
What's the most common way WordPress sites get hacked?
Vulnerable plugins — accounting for ~55% of successful WordPress attacks per Wordfence's annual reports. The plugin code itself has a vulnerability that the attacker exploits. Mitigation: keep plugins updated, remove unused plugins, only install plugins from reputable developers.
Should I use a host with built-in WordPress security?
Managed WordPress hosts (Kinsta, WP Engine, Pressable) include WAF, malware scanning, and automatic core updates — meaningful additions. Whether they justify the premium price depends on your traffic and threat profile. For a small business site, a free Wordfence install on shared hosting covers most threats.
