Top 15 WordPress Security Checklist to Secure Your Site

 WordPress Security Checklist to Secure Your Site

WordPress is one of the most popular content management systems (CMS) on the internet. As of 2023, WordPress powers more than 43% of the total websites on the internet. 

Due to its robust features and easy-to-use interface, many of the top brands use WordPress to power their websites. However, because of its popularity, WordPress is a prime target for hackers, malicious code distributors, and data thieves. Therefore, it’s important to take the necessary steps to ensure your WordPress site is secure. 

In this blog post, we share a complete WordPress security checklist that can help you protect your website from potential security threats. So, let’s get started.

1: Always Use the Latest WordPress 

WordPress is constantly updating its software to fix bugs and vulnerabilities. Therefore, it’s important to keep your website updated with the latest version of WordPress. This will ensure that your website is protected from the latest security threats.

Each new WordPress version prompts developers to rectify glitches, introduce new functionalities, boost performance, and enhance existing features to align with the latest industry benchmarks.

WordPress updates

Managed WordPress hosting providers automatically update your site to major WordPress versions. To manually update the WordPress version, All you need to do is visit the WordPress Dashboard » Updates page and install the latest version. If you are looking for managed WordPress hosting, you can check, Kinsta, WPX, or CloudWays.

2: Use Strong Passwords

Strong passwords are the first line of defense against hackers and unauthorized access to your WordPress website. According to a study, 81% of WordPress hacking-related breaches used either stolen or weak passwords. 

That’s why avoid using simple passwords on your website, such as “12345” or “password”. Use a strong password that combines unique characters like letters, numbers, and symbols that are difficult to guess. 

To change your WordPress admin password, log in to your website and go to Users » Your Profile from your WordPress menu. 

WordPress admin password

Go ahead and click on the “Generate Password” option and WordPress will automatically create a strong password for you. After that, click the “Update Profile” button to save your new password.

If you have difficulty remembering a strong password, use a password manager to create and store strong passwords for your WordPress site. I use 1Password to create a strong password for my websites.

 3: Change the Default WordPress Login URL

The Default WordPress login page can be reached by adding /login/, /admin/, or /wp-login.php at the end of your WordPress site’s URL. And, hackers can use your website’s default login URL to try to gain access to your website by guessing usernames and passwords. 

Even if you are using a strong password, changing the login URL can really play in your favor in preventing unauthorized access to your site. The easiest way to change the default WordPress login URL is very easy, all you have to do is install the “WPS Hide Login” plugin on your website.

WPS hide login

Then open WPS Hide login plugin settings, here you can set a new Login URL path in the Login URL field. Then click on the “save changes” button. Please copy your new login URL and make a bookmark, because your old login URL will no longer work. 

4: Limit Login Attempts

What if hackers know your WordPress site login URL? They may use a brute force attack to try to guess your admin password. By default, WordPress allows users to enter different usernames, and passwords as many times as they want. That’s why hackers use automated software to keep guessing your login information. 

Therefore, you can limit the number of login attempts made from a specific IP address in a set amount of time. Any user who crosses the login limit can be temporarily or permanently banned as a safety precaution.

Limit Login Attempts

You can install the “Limit Login Attempts Reloaded” WordPress plugin to set maximum login attempts on your site.  This plugin allows you to set the number of login attempts, and how long an IP address will be locked out. Even if someone exceeds the limit, you’ll get notified by email, etc. 

5: Enable Two-Factor Authentication

Two-factor authentication (2FA) is an additional layer of security that requires users to provide two forms of authentication to access your WordPress site. WordPress Two-factor authentication is the easiest way to prevent unauthorized access.

If someone stole your site admin passwords, they can’t log in without entering a security code. Enabling 2FA on your WordPress site can be a very easy task, all you have to do is install the “Wordfence Login Security” plugin. 

Enable Two-Factor Authentication

This plugin allows you to use email, an authenticator app, and backup Security key methods as a two-factor login option. I recommend you use the authenticator app method. All you have to do is install Google Authenticator, 1Password, or any other 2FA app on your phone.

Each time you log in to your WordPress website, you’ve to enter the authentication code generated by the app on your phone. One more thing, download two-factor login backup keys. If somehow you lost your phone, you can still log in using backup keys.

6: Install Security Plugins

Installing WordPress Security plugins can add an extra layer of security to your website. A good WordPress security plugin offers

  • Malware scanning
  • DDoS attacks
  • Monitors uptime
  • Automatically bans bad IPs
  • Security hardening
  • Active security monitoring
  • Post-hack actions
  • Website Firewalls
  • Blocklist monitoring, etc.

Some popular security plugins for WordPress include Wordfence, iThemes Security, and Sucuri Security. I recommend you use the iThemes Security plugin, it offers 30+ full security measures to protect your website from potential threats.

7: Use SSL Certificates

SSL certificates are used to encrypt data that is transferred between the user’s web browser and the website. Using SSL certificates can help prevent hackers from intercepting and reading data that is transmitted between the user and the website. 

Really Simple SSL dashboard

SSL certificates are also important for SEO, as Google has stated that SSL certificates are a ranking factor. Right now, most of the hosting providers offer free SSL certificates with all hosting plans. If you have a problem configuring SSL on your WordPress site, you can use the “Really Simple SSL” plugin to manage all SSL-related issues. 

8: Backup Your Website Regularly

Any website can fall prey to hackers, data loss, database errors, or server disasters. That’s why you need to back up your WordPress website regularly. And You should also save your website backup files to a remote location, and not your hosting account. 

If somehow hackers get access to your website and inject malware. Regular website backups can help you recover your website in case of a security breach or other disaster. 

UpdraftPlus Backup and restore

There are many WordPress backup plugins available, Most of them are easy to use and will back up your site automatically on a remote cloud server. I use the most popular UpdraftPlus plugin, which helps me to backup my complete website automatically every day and save it on my cloud storage. 

Instead of using the UpdraftPlus plugin, you can also consider using BlogVault, and Jetpack Backups plugins to create an automatic backup of your website. 

9: Use Secure Hosting

A secure hosting provider will have strong security measures in place to prevent security breaches. Look for a hosting provider that offers automatic updates, a strong security track record, AWF, malware scanning, DDoS protection, free SSL, daily backup, etc.

Take your time to research your hosting options and choose a reputable provider that can not only protect your site from potential security threats but also improve performance.

Kinsta Dashboard

If you are unsure about hosting security, move your WordPress site to Kinsta, CloudWays, or WPX hosting. They provide the best secure WordPress hosting with free site migrations. So, you don’t have to worry about losing data during hosting migration.

10: Remove Unused Themes and Plugins

If you have installed tons of unused plugins & themes on your WordPress website. Then, make sure to remove them completely. Not only unused themes, and plugins, are Slowing website loading times down due to database bloat but they also Adding points of vulnerability to your website.

Outdated WordPress Plugin

Therefore, it’s important to remove any themes and plugins that you are not using. And one more thing, don’t download third-party nulled themes & plugins on your website. Most of the nulled themes & plugins contain malware that can ruin your years of hard work. 

11: Disable File Editing

By default, WordPress allows users to edit files directly from the WordPress dashboard. However, if somehow a hacker gains access to your WordPress dashboard, they can use this feature to upload malicious code to your website theme & plugin files. 

Disable File Editing WordPress

Disabling file editing is another way to improve the security of your WordPress site from potential danger. To disable file editing on your site, you can use the iThemes Security plugin or you can add the following code to your wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

12: Use a Content Delivery Network (CDN)

Using a CDN can help you improve your site’s overall performance and increase the overall security of your WordPress site. A CDN works by caching your website’s content on servers around the world. This can improve the speed of your website and reduce the load on your web server. 

Additionally, a CDN offers a Web Application Firewall (WAF), which can help hide your origin IP address, and protect your website from distributed denial of service (DDoS) attacks, which are a type of attack where hackers try to overwhelm your web server with traffic.

CloudFlare CDN dashboard

There are a lot of options when it comes to choosing a CDN, I recommend you use Cloudflare CDN. It’s free and over 7.59 million active websites use Cloudflare. If you are looking for a premium CDN service, then BunnyCDN is the best option for your WordPress site.

13: Disable Directory Browsing

By default most of the popular web servers like Apache, NGINX, and LiteSpeed have directory browsing enabled. Directory browsing allows users to view the contents of directories on your web server. 

If a hacker gains access to directory browsing, they can view the files on your server and exploit vulnerabilities in your site’s plugins, media files, themes, or even your hosting server.

This is why you need to disable directory browsing in WordPress. The easiest way to check whether directory browsing is enabled is by simply visiting the /wp-includes/ folder link like this:

403 Forbidden message

If you get a 403 Forbidden message, then directory browsing is already disabled. However, if you see a list of files and folders instead of a 403 Forbidden message, then this means that directory browsing is enabled. 

To disable directory browsing, you can install the iThemes Security plugin, and with a single click, you can disable it instantly. Otherwise, you can add the following code to your .htaccess file:

Options -Indexe

14: Disable XML-RPC API

XML-RPC is a remote procedure call (RPC) protocol API used by WordPress since 2012. WordPress’ XML-RPC feature allows third-party services to access and modify content on the site. Most of the time XML-RPC API is used by the Jetpack plugin and WordPress mobile app. If you are not using any of these services, I advise you to disable XML-RPC.

Disable XML-RPC

To disable XML-RPC API, you can use the iThemes Security plugin or you can add the following code to your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all

15: Implement Firewall Rules

Implementing specific firewall rules is another way to improve your overall WordPress security. Firewall rules can filter out unwanted traffic, block specific IP addresses or countries, allow only known good bots, and prevent attacks from reaching your web server. 

CloudFlare Firewall Rules

You can use Cloudflare CDN, to implement firewall rules on your website. If you’re using Cloudflare’s free plan, you can add 5 rules and the pro plan comes with 20 rules.

Note: It’s important to review your website’s traffic and adjust your CloudFlare firewall rules accordingly. Cloudflare maintains a list of known bad IP addresses that can be used to block requests from malicious sources. So, make sure you enable the “Known Bad IPs” firewall rule.

Final Thoughts on WordPress Security Checklist

In conclusion, WordPress is a powerful CMS platform for building websites, that’s why it’s also a target for hackers and malware. Here are quick facts you need to know about WordPress Security:

  • The WordPress vulnerabilities report shows that 52% are attributed to outdated plugins, 37% to WP core files, and 11% to themes.
  • Due to popularity, WordPress sites face more than 90,000+ attacks every minute.
  • Sucuri’s report of 2021 shows over 95.6% of infections detected by Sucuri were on websites running WordPress. 

As you can see, your website is probably targeted by hackers. That’s why you need to install an all-in-one Security plugin like iThemes Security, WordFence, or Sucuri to protect your site as securely as possible. You can also follow our WordPress security checklist outlined in this blog post. So, you can be aware of potential security threats. 

If you have any other questions related to WordPress security, let me know in the comment section. 

Read more about:

Thank you. Have a nice day.

Sayan Samanta

Hello there! My name is Sayan Samanta, and I'm an experienced blogger and affiliate marketer. I've spent years perfecting the art of building WordPress blogs that generate revenue. I specialize in creating easy-to-follow DIY guides on WordPress, hosting, site optimization, and more. If you'd like to connect with me, you can find me on X. And if you feel like supporting my work, you can always buy me a coffee.

Disclosure: We support our content through reader contributions. This includes some affiliate links, which means I may earn a commission without any extra cost to you. This helps us offer this guide to you for free. Please note that I only endorse products and services that I have personally used.

Leave a Comment