WordPress is an incredibly popular open-source CMS (content management system) platform used by over 43% of all websites on the internet. I outlined Top 15 WordPress Security Checklist for you to secure your WordPress websites. Let's Get Started...

1: Always Use the Latest WordPress

WordPress is constantly updating its software to fix bugs and vulnerabilities. Therefore, it’s important to keep your website updated with the latest version of WordPress. This will ensure that your website is protected from the latest security threats. Managed WordPress hosting providers automatically update your site to major WordPress versions. To manually update the WordPress version, All you need to do is visit the WordPress Dashboard » Updates page and install the latest version.

2: Use Strong Admin Passwords

Strong passwords are the first line of defense against hackers and unauthorized access to your WordPress website. According to a study, 81% of WordPress hacking-related breaches used either stolen or weak passwords.

Create your website admin login password with at least 12 characters long, combining upper and lower case letters, numbers, and special characters. And most importantly don’t use the same login passwords on multiple websites.

3: Enable Two-Factor Authentication

Nowadays, Using a strong password is not enough. You’ve to enable two-factor authentication on your WordPress website. It’s just an extra layer of WordPress admin login security, if somehow hackers get to know your password, still they can’t log in without OTP.

4: Change the Default Login URL

The Default WordPress login page can be reached by adding /login/, /admin/, or /wp-login.php at the end of your WordPress site’s URL. And, hackers can use your website’s default login URL to try to gain access to your website by guessing usernames and passwords. The easiest way to change the default WordPress login URL is very easy, all you have to do is install the “WPS Hide Login” plugin on your website.

5: Limit Login Attempts

What if hackers know your WordPress site login URL? They may use a brute force attack to try to guess your admin password. By default, WordPress allows users to enter different usernames, and passwords as many times as they want. Therefore, you can limit the number of login attempts made from a specific IP address in a set amount of time. Any user who crosses the login limit can be temporarily or permanently banned as a safety precaution.

6: Install a Security Plugin

Installing WordPress Security plugins can add an extra layer of security to your website. A good WordPress security plugin offers Malware scanning, DDoS attacks, Monitors uptime, Automatically bans bad IPs, Security hardening, Active security monitoring, Post-hack actions, Website Firewalls, Blocklist monitoring, etc. Some popular security plugins for WordPress include Wordfence, iThemes Security, and Sucuri Security.

7: Use SSL Certificates

SSL certificates are used to encrypt data that is transferred between the user’s web browser and the website. Using SSL certificates can help prevent hackers from intercepting and reading data that is transmitted between the user and the website. SSL certificates are also important for SEO, as Google has stated that SSL certificates are a ranking factor. Right now, most of the hosting providers offer free SSL certificates with all hosting plans.

8: Backup Your Website Regularly

Any website can fall prey to hackers, data loss, database errors, or server disasters. That’s why you need to back up your WordPress website regularly. And You should also save your website backup files to a remote location, and not your hosting account. There are many WordPress backup plugins available, Most of them are easy to use and will back up your site automatically on a remote cloud server.

9: Use Secure Hosting

A secure hosting provider will have strong security measures in place to prevent security breaches. Look for a hosting provider that offers automatic updates, a strong security track record, AWF, malware scanning, DDoS protection, free SSL, daily backup, etc. If you are unsure about hosting security, move your WordPress site to Kinsta, CloudWays, or WPX hosting. They provide the best secure WordPress hosting with free site migrations. So, you don’t have to worry about losing data during hosting migration.

10: Remove Unused Themes and Plugins

If you have installed tons of unused plugins & themes on your WordPress website. Then, make sure to remove them completely. Not only unused themes, and plugins, are Slowing website loading times down due to database bloat but they also Adding points of vulnerability to your website. Therefore, it’s important to remove any themes and plugins that you are not using. And one more thing, don’t download third-party nulled themes & plugins on your website.

11: Disable File Editing

By default, WordPress allows users to edit files directly from the WordPress dashboard. However, if somehow a hacker gains access to your WordPress dashboard, they can use this feature to upload malicious code to your website theme & plugin files. Disabling file editing is another way to improve the security of your WordPress site from potential danger. To disable file editing on your site, you can use the iThemes Security plugin or add code to your wp-config.php file.

12: Use a Content Delivery Network

CDN offers a Web Application Firewall (WAF), which can help hide your origin IP address, and protect your website from distributed denial of service (DDoS) attacks, where hackers try to overwhelm your web server with traffic. There are a lot of options when it comes to choosing a CDN, I recommend you use Cloudflare CDN. It’s free and over 7.59 million active websites use Cloudflare.

13: Disable Directory Browsing

By default most of the popular web servers like Apache, NGINX, and LiteSpeed have directory browsing enabled. Directory browsing allows users to view the contents of directories on your web server. If a hacker gains access to directory browsing, they can view the files on your server and exploit vulnerabilities in your site’s plugins, media files, themes, or even your hosting server. The easiest way to check whether directory browsing is enabled is by simply visiting the /wp-includes/ folder link like this: https://example.com/wp-includes/.

14: Disable XML-RPC API

XML-RPC is a remote procedure call (RPC) protocol API used by WordPress since 2012. WordPress’ XML-RPC feature allows third-party services to access and modify content on the site. Most of the time XML-RPC API is used by the Jetpack plugin and WordPress mobile app. If you are not using any of these services, I advise you to disable XML-RPC.

15: Implement Firewall Rules

Implementing specific firewall rules is another way to improve your overall WordPress security. Firewall rules can filter out unwanted traffic, block specific IP addresses or countries, allow only known good bots, and prevent attacks from reaching your web server. You can use Cloudflare CDN, to implement firewall rules on your website. If you’re using Cloudflare’s free plan, you can add 5 rules and the pro plan comes with 20 rules.

That's all. If you have any more questions regarding WordPress Security Vulnerabilities Checklists click on the link below for more informations